Malware Analysis Report

2025-03-14 22:31

Sample ID 240304-q27mvscg59
Target b2478cd5f3aed2b56783ea96127f32ee
SHA256 852ee7dbfabef158cfe8e07c9a04191b7947f31256b25380074b1a6d7ecefe81
Tags
persistence upx evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

852ee7dbfabef158cfe8e07c9a04191b7947f31256b25380074b1a6d7ecefe81

Threat Level: Known bad

The file b2478cd5f3aed2b56783ea96127f32ee was found to be: Known bad.

Malicious Activity Summary

persistence upx evasion

Modifies security service

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Loads dropped DLL

Deletes itself

Executes dropped EXE

UPX packed file

Adds Run key to start application

Unsigned PE

Program crash

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 13:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 13:46

Reported

2024-03-04 13:49

Platform

win7-20240215-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\aH16411NkFjF16411\\aH16411NkFjF16411.exe" C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\aH16411NkFjF16411\aH16411NkFjF16411.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\aH16411NkFjF16411\aH16411NkFjF16411.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\aH16411NkFjF16411 = "C:\\ProgramData\\aH16411NkFjF16411\\aH16411NkFjF16411.exe" C:\ProgramData\aH16411NkFjF16411\aH16411NkFjF16411.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\aH16411NkFjF16411\aH16411NkFjF16411.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe

"C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe"

C:\ProgramData\aH16411NkFjF16411\aH16411NkFjF16411.exe

"C:\ProgramData\aH16411NkFjF16411\aH16411NkFjF16411.exe" "C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe"

Network

Country Destination Domain Proto
US 212.124.109.242:80 tcp

Files

memory/2924-0-0x0000000000230000-0x0000000000233000-memory.dmp

memory/2924-1-0x0000000000400000-0x00000000004D2000-memory.dmp

memory/2924-10-0x0000000000400000-0x00000000004D2000-memory.dmp

memory/2924-29-0x0000000000400000-0x00000000004D2000-memory.dmp

C:\ProgramData\aH16411NkFjF16411\aH16411NkFjF16411.exe

MD5 29ffc1fbdbc95e9d59ef5e6de9ab2219
SHA1 704c5abdeb2aea0a30708ec8e1273b054c5370e1
SHA256 2ce45c4425feec8ee35c34144f18892fedda4f642ddd6baea0ef7b93a7d9507e
SHA512 f7e08882481ea709e985693d82e238588394a40110ce343d42ac68c0d9ccbdce19a8a5859be9a675d6fded84acf85b2eeb8faf6a24748c249e0e28c124a0cc42

memory/2880-31-0x0000000000400000-0x00000000004D2000-memory.dmp

C:\ProgramData\aH16411NkFjF16411\aH16411NkFjF16411

MD5 7c044b089393fb2ad9f2436bfde4eb70
SHA1 8550776dcd360f17492dffffed6c1ff1ebf8c1b9
SHA256 daeecd3dff540ef742361cd03f4bd987dd499a38cdceee41a272c0145d0e56f3
SHA512 96a18879aad1f262acc55a54f6c27731e802b00f6732975aa6c687ed859072083e882122e2a17cf77494dab8bbf156101c65addfee13aeb7d5f67b1713471020

memory/2880-38-0x0000000000400000-0x00000000004D2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 13:46

Reported

2024-03-04 13:49

Platform

win10v2004-20240226-en

Max time kernel

133s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\bH16411KoChP16411\\bH16411KoChP16411.exe" C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\ProgramData\bH16411KoChP16411\bH16411KoChP16411.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\bH16411KoChP16411\bH16411KoChP16411.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\bH16411KoChP16411\bH16411KoChP16411.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bH16411KoChP16411 = "C:\\ProgramData\\bH16411KoChP16411\\bH16411KoChP16411.exe" C:\ProgramData\bH16411KoChP16411\bH16411KoChP16411.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{B5726D64-2F62-4E6E-A8A9-DB927C1CB98B} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{0ABB1339-8460-486C-B2D2-63E07077DF08} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{69633B79-B9D2-4894-BA60-76838CB5543B} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{336B1296-4841-4BCF-9F9D-34C89F6E3513} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{327AB1E7-E456-444E-9C6B-47E78CAC9418} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{80CE2779-D49D-41CF-A354-2CBB8A8F243F} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{E802C5BD-CAE3-4305-95CA-26BBD980F69D} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{CC4CEB31-DB19-4CB2-9665-94FD1785A8F8} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\bH16411KoChP16411\bH16411KoChP16411.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\sihost.exe N/A
N/A N/A C:\Windows\system32\sihost.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\sihost.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\ProgramData\bH16411KoChP16411\bH16411KoChP16411.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\ProgramData\bH16411KoChP16411\bH16411KoChP16411.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe

"C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4692 -ip 4692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 872

C:\ProgramData\bH16411KoChP16411\bH16411KoChP16411.exe

"C:\ProgramData\bH16411KoChP16411\bH16411KoChP16411.exe" "C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2932 -ip 2932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 852

C:\Windows\system32\sihost.exe

sihost.exe

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\sihost.exe

sihost.exe

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\explorer.exe

explorer.exe /LOADSAVEDWINDOWS

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 212.124.109.242:80 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 212.124.109.242:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 212.124.109.242:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.111.229.19:443 tcp
US 212.124.109.242:80 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/4692-0-0x0000000000650000-0x0000000000653000-memory.dmp

memory/4692-1-0x0000000000400000-0x00000000004D2000-memory.dmp

memory/4692-10-0x0000000000400000-0x00000000004D2000-memory.dmp

C:\ProgramData\bH16411KoChP16411\bH16411KoChP16411.exe

MD5 43e7c1369f52a8b711d308d7b1b9a358
SHA1 e2b4ba9b3d13fdc6a1b5bd12ed7c02df26ed85f3
SHA256 38ba40d55ea3c1e2590e8dab03ce2e3d2d81bfe69da824e454b68f2ed921a1dd
SHA512 3a4b4c12e9f08ccecf0ea9f27a0e306a29e661fc519b0635de1c2315e65f68b5cc884153bf578818b376ba166d1cb72cc928b386464149cc91825f0206d52395

memory/4692-19-0x0000000000400000-0x00000000004D2000-memory.dmp

memory/2932-21-0x0000000000400000-0x00000000004D2000-memory.dmp

memory/2932-27-0x0000000000400000-0x00000000004D2000-memory.dmp

memory/2932-34-0x0000000000400000-0x00000000004D2000-memory.dmp

memory/2932-35-0x0000000000400000-0x00000000004D2000-memory.dmp

memory/2932-36-0x0000000000400000-0x00000000004D2000-memory.dmp

memory/2932-37-0x0000000000400000-0x00000000004D2000-memory.dmp