Malware Analysis Report

2024-10-10 10:11

Sample ID 231016-wka58ada69
Target PandorahVNC 1.8.6 Fixed.7z
SHA256 a44158be4e5c309a426ee067132a3c82eaf700447253e7830fec9f5ce5262819
Tags #groupname# arrowrat client persistence rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

a44158be4e5c309a426ee067132a3c82eaf700447253e7830fec9f5ce5262819

Threat Level: Known bad

The file PandorahVNC 1.8.6 Fixed.7z was found to be: Known bad.

Malicious Activity Summary

#groupname# arrowrat client persistence rat

ArrowRat

Arrowrat family

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Enumerates connected drives

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-16 17:58

Signatures

Arrowrat family

arrowrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-16 17:58

Reported

2023-10-16 18:02

Platform

win10v2004-20230915-en

Max time kernel

140s

Max time network

162s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed.7z"

Signatures

ArrowRat

rat arrowrat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1056 set thread context of 3884 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133392317458800015" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3796 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe C:\Windows\SysWOW64\explorer.exe
PID 3796 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe C:\Windows\SysWOW64\explorer.exe
PID 3796 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe C:\Windows\SysWOW64\explorer.exe
PID 1056 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe C:\Windows\explorer.exe
PID 1056 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe C:\Windows\explorer.exe
PID 1056 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1056 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1056 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1056 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1056 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1056 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1056 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1056 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3796 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe C:\Windows\SysWOW64\explorer.exe
PID 3796 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe C:\Windows\SysWOW64\explorer.exe
PID 3796 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed.7z"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\" -spe -an -ai#7zMap5714:124:7zEvent7240

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe

"C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe

"C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 127.0.0.1 1337 sZHtwFBDY

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
N/A 127.0.0.1:1337 N/A tcp
N/A 127.0.0.1:1337 N/A tcp
N/A 127.0.0.1:1337 N/A tcp
N/A 127.0.0.1:1337 N/A tcp
N/A 127.0.0.1:1337 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe

MD5 f1984279714a111cb603f71457042255
SHA1 d7b0b12dba09db0bfa318a2d62a1ac6781313112
SHA256 e6986e80395ec6fb4fc2450dd4de5ea81ba8d489a1464a1108a98f6541967af6
SHA512 5f2aee19063150d540477fa920677cafac2304bbe5febbde0e0e0a299da437fa7a7eae0629f36e6cbe3cf456c686195b3acfac34a4a079c20ae9eacff9fdf33f

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe

MD5 f1984279714a111cb603f71457042255
SHA1 d7b0b12dba09db0bfa318a2d62a1ac6781313112
SHA256 e6986e80395ec6fb4fc2450dd4de5ea81ba8d489a1464a1108a98f6541967af6
SHA512 5f2aee19063150d540477fa920677cafac2304bbe5febbde0e0e0a299da437fa7a7eae0629f36e6cbe3cf456c686195b3acfac34a4a079c20ae9eacff9fdf33f

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe.config

MD5 a1c2a2870001b66db41bcb020bff1c2d
SHA1 8c54c6a3564c8892aa9baa15573682e64f3659d9
SHA256 0aa9e3ab5c88c5761120206eff5c6e35c90288290b3647a942059705ef5b75e5
SHA512 b3bf53120203cfaa951f301b532849cb382d2404c9503916bc1ca39925a9a1530b01045f341fc75d47d65130d0187dcbbf4288b9ef46aa81624b59ba7802794b

memory/3796-56-0x0000000000C70000-0x000000000117C000-memory.dmp

memory/3796-55-0x00000000750B0000-0x0000000075860000-memory.dmp

memory/3796-57-0x0000000005A80000-0x0000000005A92000-memory.dmp

memory/3796-58-0x00000000060D0000-0x0000000006674000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.Utils.v21.2.dll

MD5 9ce1f7fb40d7c257536b6eefbaf50fdb
SHA1 022664d1870fec449fa0fc69abc854e4ac8bf165
SHA256 6e28b52f542833d5aeacee111ebcbb35af5ab080ef542172a9dc9f0f1004da44
SHA512 14deb1593111ca6a67c41abb60ee2105286dfce34ab525d6d57b9233f083dfdd3b1a8865d5515ac23fe0f401d85dbe973e020fef015e7adb3efda8f8ab9fe572

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.Utils.v21.2.dll

MD5 9ce1f7fb40d7c257536b6eefbaf50fdb
SHA1 022664d1870fec449fa0fc69abc854e4ac8bf165
SHA256 6e28b52f542833d5aeacee111ebcbb35af5ab080ef542172a9dc9f0f1004da44
SHA512 14deb1593111ca6a67c41abb60ee2105286dfce34ab525d6d57b9233f083dfdd3b1a8865d5515ac23fe0f401d85dbe973e020fef015e7adb3efda8f8ab9fe572

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.Utils.v21.2.dll

MD5 9ce1f7fb40d7c257536b6eefbaf50fdb
SHA1 022664d1870fec449fa0fc69abc854e4ac8bf165
SHA256 6e28b52f542833d5aeacee111ebcbb35af5ab080ef542172a9dc9f0f1004da44
SHA512 14deb1593111ca6a67c41abb60ee2105286dfce34ab525d6d57b9233f083dfdd3b1a8865d5515ac23fe0f401d85dbe973e020fef015e7adb3efda8f8ab9fe572

memory/3796-62-0x0000000007850000-0x0000000008A14000-memory.dmp

memory/3796-63-0x0000000006000000-0x0000000006092000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.Data.v21.2.dll

MD5 ba67d6f97a1602d7851e13811f34b257
SHA1 5a40175c27510f1bb59f32f3fea37ff1ff5e2414
SHA256 4f6510675493bbbc8e0870245247c0219456b51d0044237c4c861a67834a337e
SHA512 57b22c6a1425e8b0e637bdc15994902e5623d1921a6a2a0bad00dec1e2f97911d9904fac0c06c3bd3ec3cf9523e263cd2e8e12fd8748f66f867ebc3dce85c22a

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.Data.v21.2.dll

MD5 ba67d6f97a1602d7851e13811f34b257
SHA1 5a40175c27510f1bb59f32f3fea37ff1ff5e2414
SHA256 4f6510675493bbbc8e0870245247c0219456b51d0044237c4c861a67834a337e
SHA512 57b22c6a1425e8b0e637bdc15994902e5623d1921a6a2a0bad00dec1e2f97911d9904fac0c06c3bd3ec3cf9523e263cd2e8e12fd8748f66f867ebc3dce85c22a

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.Data.v21.2.dll

MD5 ba67d6f97a1602d7851e13811f34b257
SHA1 5a40175c27510f1bb59f32f3fea37ff1ff5e2414
SHA256 4f6510675493bbbc8e0870245247c0219456b51d0044237c4c861a67834a337e
SHA512 57b22c6a1425e8b0e637bdc15994902e5623d1921a6a2a0bad00dec1e2f97911d9904fac0c06c3bd3ec3cf9523e263cd2e8e12fd8748f66f867ebc3dce85c22a

memory/3796-67-0x0000000006BB0000-0x00000000070D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.XtraEditors.v21.2.dll

MD5 e6bdc7adbfa92810e66497d3561c5e2b
SHA1 c9379603d4fcfad4e1874f956247428f27e5ce79
SHA256 19d4e54a19fc830f8f4b6911fe76d74400fe23798a40b5941114437462b90ca9
SHA512 5c9d19b6e4521386162de18004103cc4ad9e2fea91ac4434f8c125cdb5b35335e9659fd19f5507b849a768f96154db90869db336aa76d9b9e760e254f01c7dfc

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.XtraEditors.v21.2.dll

MD5 e6bdc7adbfa92810e66497d3561c5e2b
SHA1 c9379603d4fcfad4e1874f956247428f27e5ce79
SHA256 19d4e54a19fc830f8f4b6911fe76d74400fe23798a40b5941114437462b90ca9
SHA512 5c9d19b6e4521386162de18004103cc4ad9e2fea91ac4434f8c125cdb5b35335e9659fd19f5507b849a768f96154db90869db336aa76d9b9e760e254f01c7dfc

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.XtraEditors.v21.2.dll

MD5 e6bdc7adbfa92810e66497d3561c5e2b
SHA1 c9379603d4fcfad4e1874f956247428f27e5ce79
SHA256 19d4e54a19fc830f8f4b6911fe76d74400fe23798a40b5941114437462b90ca9
SHA512 5c9d19b6e4521386162de18004103cc4ad9e2fea91ac4434f8c125cdb5b35335e9659fd19f5507b849a768f96154db90869db336aa76d9b9e760e254f01c7dfc

memory/3796-71-0x00000000091B0000-0x0000000009938000-memory.dmp

memory/3796-72-0x0000000006730000-0x0000000006740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.Data.Desktop.v21.2.dll

MD5 6674898c963081e76c7168d45b1a57cd
SHA1 97717ef70d9bdde1568cf544fb3b2402321c1b25
SHA256 d769d543d9166e40bca4decf4b5ee758b4b652064790879780cc1521571763b2
SHA512 32021dd7e2595e2fac0bc6e6a4502d67543266714415888c267168c8ed34612a57a30ed0b07cf7cc78339626220c5d2a8770f5aeaaffd3367433046593500242

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.Data.Desktop.v21.2.dll

MD5 6674898c963081e76c7168d45b1a57cd
SHA1 97717ef70d9bdde1568cf544fb3b2402321c1b25
SHA256 d769d543d9166e40bca4decf4b5ee758b4b652064790879780cc1521571763b2
SHA512 32021dd7e2595e2fac0bc6e6a4502d67543266714415888c267168c8ed34612a57a30ed0b07cf7cc78339626220c5d2a8770f5aeaaffd3367433046593500242

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.Data.Desktop.v21.2.dll

MD5 6674898c963081e76c7168d45b1a57cd
SHA1 97717ef70d9bdde1568cf544fb3b2402321c1b25
SHA256 d769d543d9166e40bca4decf4b5ee758b4b652064790879780cc1521571763b2
SHA512 32021dd7e2595e2fac0bc6e6a4502d67543266714415888c267168c8ed34612a57a30ed0b07cf7cc78339626220c5d2a8770f5aeaaffd3367433046593500242

memory/3796-76-0x00000000069D0000-0x0000000006A80000-memory.dmp

memory/3796-77-0x0000000006B90000-0x0000000006B9A000-memory.dmp

memory/3796-78-0x0000000006730000-0x0000000006740000-memory.dmp

memory/3796-79-0x0000000008D70000-0x0000000008D9E000-memory.dmp

memory/3796-80-0x0000000008DE0000-0x0000000008E18000-memory.dmp

memory/3796-81-0x00000000750B0000-0x0000000075860000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.XtraBars.v21.2.dll

MD5 73b7ae515035721d1b30d3ad00628be0
SHA1 dce18955cd395858cace1ce58a29abc4fbb805de
SHA256 9f788e7aa3f1a2be7f02419a8fd74114e5e2a7bb134810aa6cf762cbc91c1a56
SHA512 4c018f1bbf3eb947410d4910208b050b60e722854066e970e9963fc79ca17fc26e64d2f3b7555657576950d036623b0d6c67a78a009feda02d4c30eeb114d1dc

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.XtraBars.v21.2.dll

MD5 73b7ae515035721d1b30d3ad00628be0
SHA1 dce18955cd395858cace1ce58a29abc4fbb805de
SHA256 9f788e7aa3f1a2be7f02419a8fd74114e5e2a7bb134810aa6cf762cbc91c1a56
SHA512 4c018f1bbf3eb947410d4910208b050b60e722854066e970e9963fc79ca17fc26e64d2f3b7555657576950d036623b0d6c67a78a009feda02d4c30eeb114d1dc

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.XtraBars.v21.2.dll

MD5 73b7ae515035721d1b30d3ad00628be0
SHA1 dce18955cd395858cace1ce58a29abc4fbb805de
SHA256 9f788e7aa3f1a2be7f02419a8fd74114e5e2a7bb134810aa6cf762cbc91c1a56
SHA512 4c018f1bbf3eb947410d4910208b050b60e722854066e970e9963fc79ca17fc26e64d2f3b7555657576950d036623b0d6c67a78a009feda02d4c30eeb114d1dc

memory/3796-85-0x000000000CD30000-0x000000000D3AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.XtraGrid.v21.2.dll

MD5 f65ebb9d378cf034eb5d8d0742ca95d1
SHA1 ad883ba15f66287c749239fbec20bf4fef91b0f9
SHA256 35674b0093a4134505ff3cf40c3b07ab428c152f7ba41f93dd1775b6013b87c2
SHA512 ac347de3933f3a3214a33a593ad2f963d6427b69685332982707002296b595707595a6e5e3662f44447f6247fdddb0298479d600a2672ed1dcbb50a520467609

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.XtraGrid.v21.2.dll

MD5 f65ebb9d378cf034eb5d8d0742ca95d1
SHA1 ad883ba15f66287c749239fbec20bf4fef91b0f9
SHA256 35674b0093a4134505ff3cf40c3b07ab428c152f7ba41f93dd1775b6013b87c2
SHA512 ac347de3933f3a3214a33a593ad2f963d6427b69685332982707002296b595707595a6e5e3662f44447f6247fdddb0298479d600a2672ed1dcbb50a520467609

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.XtraGrid.v21.2.dll

MD5 f65ebb9d378cf034eb5d8d0742ca95d1
SHA1 ad883ba15f66287c749239fbec20bf4fef91b0f9
SHA256 35674b0093a4134505ff3cf40c3b07ab428c152f7ba41f93dd1775b6013b87c2
SHA512 ac347de3933f3a3214a33a593ad2f963d6427b69685332982707002296b595707595a6e5e3662f44447f6247fdddb0298479d600a2672ed1dcbb50a520467609

memory/3796-89-0x000000000D3B0000-0x000000000D744000-memory.dmp

memory/3796-90-0x0000000008F40000-0x0000000008F60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.XtraLayout.v21.2.dll

MD5 012422aff6771f7be353109f08bf4684
SHA1 535a3054abf0ef1f6c2a220bd9741962c8e58dbe
SHA256 dc2e06f341325a7c65c121e443d0ca3dd0a1ea5ee5ed21ae51029303394de00f
SHA512 a3ca2f8d991a3823b58f81bfa5c08b7c44a985d029d8838ac501a08bef3cb90ceee3fdbb0e6d2b66544061b05e8fe3563d3868b0d3266b3b280cc39e0b2f5c1b

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.XtraLayout.v21.2.dll

MD5 012422aff6771f7be353109f08bf4684
SHA1 535a3054abf0ef1f6c2a220bd9741962c8e58dbe
SHA256 dc2e06f341325a7c65c121e443d0ca3dd0a1ea5ee5ed21ae51029303394de00f
SHA512 a3ca2f8d991a3823b58f81bfa5c08b7c44a985d029d8838ac501a08bef3cb90ceee3fdbb0e6d2b66544061b05e8fe3563d3868b0d3266b3b280cc39e0b2f5c1b

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\DevExpress.XtraLayout.v21.2.dll

MD5 012422aff6771f7be353109f08bf4684
SHA1 535a3054abf0ef1f6c2a220bd9741962c8e58dbe
SHA256 dc2e06f341325a7c65c121e443d0ca3dd0a1ea5ee5ed21ae51029303394de00f
SHA512 a3ca2f8d991a3823b58f81bfa5c08b7c44a985d029d8838ac501a08bef3cb90ceee3fdbb0e6d2b66544061b05e8fe3563d3868b0d3266b3b280cc39e0b2f5c1b

memory/3796-94-0x000000000DB90000-0x000000000DD9E000-memory.dmp

memory/3796-95-0x000000000D750000-0x000000000DAA4000-memory.dmp

memory/3796-96-0x000000000E530000-0x000000000E5DA000-memory.dmp

memory/3796-97-0x0000000006730000-0x0000000006740000-memory.dmp

memory/3796-98-0x0000000006730000-0x0000000006740000-memory.dmp

memory/3796-99-0x0000000006730000-0x0000000006740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\AsmResolver.DotNet.dll

MD5 6b6109d97c2c08e06e4fcf80d24b4dce
SHA1 a811ec710fcbb6d43b35f5a943c58258bee43d7d
SHA256 f066cdd5dcd0eb2ca082ad30b1240bdc4d9c76ef80caf81651a827238e79b226
SHA512 408a929c1c5cc0825a28dd7c129898c5b762b701fe46a0ca395c16cecf54f41b4f9b9155fbb41f0c591f4d22889a43b7d2e4c33d13314420e68366552f609cc6

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\AsmResolver.DotNet.dll

MD5 6b6109d97c2c08e06e4fcf80d24b4dce
SHA1 a811ec710fcbb6d43b35f5a943c58258bee43d7d
SHA256 f066cdd5dcd0eb2ca082ad30b1240bdc4d9c76ef80caf81651a827238e79b226
SHA512 408a929c1c5cc0825a28dd7c129898c5b762b701fe46a0ca395c16cecf54f41b4f9b9155fbb41f0c591f4d22889a43b7d2e4c33d13314420e68366552f609cc6

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\AsmResolver.DotNet.dll

MD5 6b6109d97c2c08e06e4fcf80d24b4dce
SHA1 a811ec710fcbb6d43b35f5a943c58258bee43d7d
SHA256 f066cdd5dcd0eb2ca082ad30b1240bdc4d9c76ef80caf81651a827238e79b226
SHA512 408a929c1c5cc0825a28dd7c129898c5b762b701fe46a0ca395c16cecf54f41b4f9b9155fbb41f0c591f4d22889a43b7d2e4c33d13314420e68366552f609cc6

memory/3796-103-0x000000000E750000-0x000000000E7CE000-memory.dmp

memory/3796-104-0x000000000E180000-0x000000000E19A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\AsmResolver.PE.dll

MD5 a8a09cdbacc2aaff5eba75c0f7e22635
SHA1 571facc8b653745f08bd62511106d648fa6875e4
SHA256 dfb80e5bc73b640c20d930f9ace66bd55476ea34f1027331ff6d8df0c10fbc3e
SHA512 30a33556d56acbc5e8b1ef50b3922f8624255ec95c25831e8c064efdc2e5696b5026273303213d943983136422ee500e7d2d6b0f55515ff6f5de5e1268809e30

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\AsmResolver.PE.dll

MD5 a8a09cdbacc2aaff5eba75c0f7e22635
SHA1 571facc8b653745f08bd62511106d648fa6875e4
SHA256 dfb80e5bc73b640c20d930f9ace66bd55476ea34f1027331ff6d8df0c10fbc3e
SHA512 30a33556d56acbc5e8b1ef50b3922f8624255ec95c25831e8c064efdc2e5696b5026273303213d943983136422ee500e7d2d6b0f55515ff6f5de5e1268809e30

memory/3796-108-0x000000000E6D0000-0x000000000E722000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\AsmResolver.PE.dll

MD5 a8a09cdbacc2aaff5eba75c0f7e22635
SHA1 571facc8b653745f08bd62511106d648fa6875e4
SHA256 dfb80e5bc73b640c20d930f9ace66bd55476ea34f1027331ff6d8df0c10fbc3e
SHA512 30a33556d56acbc5e8b1ef50b3922f8624255ec95c25831e8c064efdc2e5696b5026273303213d943983136422ee500e7d2d6b0f55515ff6f5de5e1268809e30

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\AsmResolver.dll

MD5 5bedce9a21e6c1177630d5109bd5a18a
SHA1 2f34c95cb011eefb0819ad7f42da86fe239b0739
SHA256 05dffab67a19f7925b13b3d68e6e8c72015ff920664c5e26a3d18fe2b10f9c47
SHA512 2c2a8a4925174ca5ac4b42434f9d7cd82d7c3a95fafd242f3435c13114a98daf4f15b1ec8c48be74341f70d800c80072f85ecec4b193e06ba379dfc0a6f02958

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\AsmResolver.dll

MD5 5bedce9a21e6c1177630d5109bd5a18a
SHA1 2f34c95cb011eefb0819ad7f42da86fe239b0739
SHA256 05dffab67a19f7925b13b3d68e6e8c72015ff920664c5e26a3d18fe2b10f9c47
SHA512 2c2a8a4925174ca5ac4b42434f9d7cd82d7c3a95fafd242f3435c13114a98daf4f15b1ec8c48be74341f70d800c80072f85ecec4b193e06ba379dfc0a6f02958

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\AsmResolver.dll

MD5 5bedce9a21e6c1177630d5109bd5a18a
SHA1 2f34c95cb011eefb0819ad7f42da86fe239b0739
SHA256 05dffab67a19f7925b13b3d68e6e8c72015ff920664c5e26a3d18fe2b10f9c47
SHA512 2c2a8a4925174ca5ac4b42434f9d7cd82d7c3a95fafd242f3435c13114a98daf4f15b1ec8c48be74341f70d800c80072f85ecec4b193e06ba379dfc0a6f02958

memory/3796-112-0x000000000E2E0000-0x000000000E2F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\AsmResolver.PE.File.dll

MD5 71437beaf0306a777814de1c56234842
SHA1 f8b1a61a07ab07c8565988b04f614aa77f28b456
SHA256 514078545cb23a0841785378d3e9fdff31d0a214e80513d630b7b95243b4d464
SHA512 7666bdb81250b8e212fe890919e2b6765ba0ae2c547192614419c3d2f066f0db63d252dab044bd72d549a638e41c7775d7efb1c7c2cd071e02ae344f789644de

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\AsmResolver.PE.File.dll

MD5 71437beaf0306a777814de1c56234842
SHA1 f8b1a61a07ab07c8565988b04f614aa77f28b456
SHA256 514078545cb23a0841785378d3e9fdff31d0a214e80513d630b7b95243b4d464
SHA512 7666bdb81250b8e212fe890919e2b6765ba0ae2c547192614419c3d2f066f0db63d252dab044bd72d549a638e41c7775d7efb1c7c2cd071e02ae344f789644de

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\AsmResolver.PE.File.dll

MD5 71437beaf0306a777814de1c56234842
SHA1 f8b1a61a07ab07c8565988b04f614aa77f28b456
SHA256 514078545cb23a0841785378d3e9fdff31d0a214e80513d630b7b95243b4d464
SHA512 7666bdb81250b8e212fe890919e2b6765ba0ae2c547192614419c3d2f066f0db63d252dab044bd72d549a638e41c7775d7efb1c7c2cd071e02ae344f789644de

memory/3796-116-0x000000000E030000-0x000000000E040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Stub.bin

MD5 52cf7937369803694284f5047c3ec1c5
SHA1 fae5a134b78e52e7dfd46b8bd04c01e1b044b709
SHA256 3b2ab6f350d355c4457c0e0e7cdf43f58d71259c7ca243caf75fcee5bf265a6d
SHA512 fcefb2e3bc3a51c4c94093da253231d05364084bb533ed64eb9c406e30ec9fedba9d665c4fa27c2965a7cbda82ced6a672f6b926d626d49e01ef7ed4be591efa

memory/3796-118-0x000000000E040000-0x000000000E048000-memory.dmp

memory/1056-124-0x000001EFDF900000-0x000001EFDF92E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe

MD5 3a86bed64b2012a452fd647207b2eda6
SHA1 b720bdeeccc036fd3d0bcfff1ae75dd3ef9af9c4
SHA256 fb06e37dfdf873b4d9b6f2e8aa51a87bc7da829613ec3bc4c9b1928f6702059b
SHA512 94ca69676abd82964cb87b71e84c015fcfdc06108af76360ea9cdea4aa6c0e05747a3f3c1f00886146ba8c68fe362f0281addafc824277e1823e4861aae8ca30

C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed\Client.exe

MD5 3a86bed64b2012a452fd647207b2eda6
SHA1 b720bdeeccc036fd3d0bcfff1ae75dd3ef9af9c4
SHA256 fb06e37dfdf873b4d9b6f2e8aa51a87bc7da829613ec3bc4c9b1928f6702059b
SHA512 94ca69676abd82964cb87b71e84c015fcfdc06108af76360ea9cdea4aa6c0e05747a3f3c1f00886146ba8c68fe362f0281addafc824277e1823e4861aae8ca30

memory/3884-125-0x0000000000400000-0x0000000000418000-memory.dmp

memory/1056-126-0x00007FF9A1650000-0x00007FF9A2111000-memory.dmp

memory/1056-127-0x000001EFF9DA0000-0x000001EFF9DB0000-memory.dmp

memory/3884-128-0x00000000750B0000-0x0000000075860000-memory.dmp

memory/3884-129-0x00000000058B0000-0x000000000594C000-memory.dmp

memory/3884-130-0x0000000005A30000-0x0000000005A40000-memory.dmp

memory/3884-131-0x0000000006090000-0x00000000060F6000-memory.dmp

memory/3884-134-0x0000000006A80000-0x0000000006AD0000-memory.dmp

memory/1056-137-0x00007FF9A1650000-0x00007FF9A2111000-memory.dmp

memory/2276-138-0x0000000003570000-0x0000000003571000-memory.dmp

memory/4628-145-0x000001DC21570000-0x000001DC21590000-memory.dmp

memory/4628-147-0x000001DC21530000-0x000001DC21550000-memory.dmp

memory/4628-150-0x000001DC21940000-0x000001DC21960000-memory.dmp

memory/1056-159-0x000001EFF9DA0000-0x000001EFF9DB0000-memory.dmp

memory/3884-160-0x00000000750B0000-0x0000000075860000-memory.dmp

memory/3884-161-0x0000000005A30000-0x0000000005A40000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133419529080987876.txt

MD5 62d81c2e1e8b21733f95af2a596e4b18
SHA1 91c005ecc5ae4171f450c43c02d1ba532b4474c6
SHA256 a5596f83717bf64653b95ffe6ec38f20e40fd928456d5e254a53a440804d80b6
SHA512 c7f349acf55694ff696750c30a25c265ff07ced95e4d2a88fa2829d047ca3b3007dc824613a8c403c7613085aca4212155afe03f8f237c0d7781fd87e1fb8a7c

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PR67AA1Y\microsoft.windows[1].xml

MD5 82b066a0c26e9c3c026d421e012a093e
SHA1 2e4493ff239034dd93befa48a286616fa1222526
SHA256 a4c381833e51949fd261b3e7bf72873bddc61d6eaf01a83a89beda5877338d64
SHA512 4fb425137bcab122288af0df6dd2774fb9179f9c178c8c7b738e6e293d8dbe0aff97a879f42670d07c5bbc69935104b8bdcef8fd7efaee48949dd354af626feb

memory/1632-178-0x000001C231700000-0x000001C231720000-memory.dmp

memory/1632-186-0x000001C2316A0000-0x000001C2316C0000-memory.dmp

memory/1632-189-0x000001C231AB0000-0x000001C231AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PR67AA1Y\microsoft.windows[1].xml

MD5 82b066a0c26e9c3c026d421e012a093e
SHA1 2e4493ff239034dd93befa48a286616fa1222526
SHA256 a4c381833e51949fd261b3e7bf72873bddc61d6eaf01a83a89beda5877338d64
SHA512 4fb425137bcab122288af0df6dd2774fb9179f9c178c8c7b738e6e293d8dbe0aff97a879f42670d07c5bbc69935104b8bdcef8fd7efaee48949dd354af626feb

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133419529080987876.txt

MD5 62d81c2e1e8b21733f95af2a596e4b18
SHA1 91c005ecc5ae4171f450c43c02d1ba532b4474c6
SHA256 a5596f83717bf64653b95ffe6ec38f20e40fd928456d5e254a53a440804d80b6
SHA512 c7f349acf55694ff696750c30a25c265ff07ced95e4d2a88fa2829d047ca3b3007dc824613a8c403c7613085aca4212155afe03f8f237c0d7781fd87e1fb8a7c

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PR67AA1Y\microsoft.windows[1].xml

MD5 82b066a0c26e9c3c026d421e012a093e
SHA1 2e4493ff239034dd93befa48a286616fa1222526
SHA256 a4c381833e51949fd261b3e7bf72873bddc61d6eaf01a83a89beda5877338d64
SHA512 4fb425137bcab122288af0df6dd2774fb9179f9c178c8c7b738e6e293d8dbe0aff97a879f42670d07c5bbc69935104b8bdcef8fd7efaee48949dd354af626feb

memory/8-208-0x000001B0D4C40000-0x000001B0D4C60000-memory.dmp

memory/8-210-0x000001B0D4C00000-0x000001B0D4C20000-memory.dmp

memory/8-212-0x000001B0D5010000-0x000001B0D5030000-memory.dmp

memory/3796-218-0x0000000006730000-0x0000000006740000-memory.dmp

memory/4088-225-0x0000028C7F540000-0x0000028C7F560000-memory.dmp

memory/4088-227-0x0000028C7F500000-0x0000028C7F520000-memory.dmp

memory/4088-229-0x0000028C7F900000-0x0000028C7F920000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PR67AA1Y\microsoft.windows[1].xml

MD5 82b066a0c26e9c3c026d421e012a093e
SHA1 2e4493ff239034dd93befa48a286616fa1222526
SHA256 a4c381833e51949fd261b3e7bf72873bddc61d6eaf01a83a89beda5877338d64
SHA512 4fb425137bcab122288af0df6dd2774fb9179f9c178c8c7b738e6e293d8dbe0aff97a879f42670d07c5bbc69935104b8bdcef8fd7efaee48949dd354af626feb

memory/4964-246-0x000002CF7CC70000-0x000002CF7CC90000-memory.dmp

memory/4964-249-0x000002CF7CC30000-0x000002CF7CC50000-memory.dmp

memory/4964-253-0x000002CF7D040000-0x000002CF7D060000-memory.dmp

memory/3796-260-0x0000000006730000-0x0000000006740000-memory.dmp