Analysis Overview
SHA256
a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58
Threat Level: Known bad
The file a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Sality
Modifies firewall policy service
UAC bypass
UPX dump on OEP (original entry point)
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
UPX dump on OEP (original entry point)
Reads user/profile data of web browsers
UPX packed file
Checks computer location settings
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Executes dropped EXE
Windows security modification
Checks whether UAC is enabled
Adds Run key to start application
Enumerates connected drives
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Modifies registry class
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 00:06
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 00:06
Reported
2024-04-07 00:08
Platform
win7-20240221-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe
"C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
Network
Files
memory/2104-0-0x0000000000A50000-0x0000000000CD1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 00:06
Reported
2024-04-07 00:08
Platform
win10v2004-20240226-en
Max time kernel
25s
Max time network
93s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wtmps.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mscaps.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\"" | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\mscaps.exe | C:\Users\Admin\AppData\Local\Temp\wtmps.exe | N/A |
| File created | C:\Windows\SysWOW64\mscaps.exe | C:\Users\Admin\AppData\Local\Temp\wtmps.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| File created | C:\Program Files (x86)\MountTaiSoftware\Lodop\NPCAOSOFT_WEB_PRINT_lodop.dll | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\e573902 | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| File created | C:\Windows\e5745a4 | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| File created | C:\Windows\e57633e | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ = "LodopX Control" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\ = "LodopX Control" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E} | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\Version = "6.0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Control\ | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED} | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\ = "Lodop" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\Clsid\ = "{2105C259-1E0C-4534-8141-A753534CB4CA}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\Version = "6.0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB} | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0\ = "Properties,0,2" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID\ = "Lodop.LodopX" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\ | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB} | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version\ = "6.0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx,0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\Clsid | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E} | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ = "C:\\PROGRA~2\\MOUNTT~1\\Lodop\\CAOSOF~1.OCX" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA} | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\1\ = "205201" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Control | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS\ = "2" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A |
Processes
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe
"C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe
"C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 2032
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
C:\Users\Admin\AppData\Local\Temp\wtmps.exe
"C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
C:\Windows\SysWOW64\mscaps.exe
"C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe
| MD5 | a2a46a902064e2ad4c37efbe93f77d1f |
| SHA1 | 58ff1afc67ef5d4aa3b99a779c5dec3d61a790e4 |
| SHA256 | 62ded7af7b10cfa24cde9274965783394860251729367214ddd1cf8937a9a46b |
| SHA512 | 2126ce892d9565d63b4fd5f0da5f0e26eb3b8dfb6c0024cc2589d91e17439edd39679d2e9cb7c1ddfeb1212b6bfd13ef5bc4c2bbe652d518c67f469f5a6b2f29 |
C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe
| MD5 | f050d0a9a5883cd5e8baa26368b61996 |
| SHA1 | 8be868ffdc5b8af4c80326b0cbbbcfa2bd7a77c8 |
| SHA256 | 0e1cfe13289b0090412a0115f081b23a1df1cb1805829944fef881cdde950bc1 |
| SHA512 | ef2e11ce11658e7ada516013ae39130842b87adbd29007fb6c19f14c9245ffe173f72f5303cb85dd8c7b29917b8433b8a33a8dfcac3fe177ad8a9a6ab404f6e8 |
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll
| MD5 | 8d7db101a7211fe3309dc4dc8cf2dd0a |
| SHA1 | 6c2781eadf53b3742d16dab2f164baf813f7ac85 |
| SHA256 | 93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a |
| SHA512 | 8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83 |
C:\Users\Admin\AppData\Local\Temp\0E5739AD_Rar\@AE374C.tmp.exe
| MD5 | 86b87accec5ec6e6c4271b9b670054cc |
| SHA1 | 13bb9c1688577a1111f74b265f4ff13aa5197030 |
| SHA256 | 9dc916650464ef5e95f011674d1e9170fca1e2444e830f46fece885cce73fcb0 |
| SHA512 | 668ea5ca5952d7d1ea79e3d9372345a27595b72e736b5907c114f4e96e19d25e2a27eb5cf70f40a08ca892453c6780be672a80029e767c37b3df371cc3d483a1 |
C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx
| MD5 | 8ead51ea7c9febebf7b09410405cde01 |
| SHA1 | 6ee38d2e277c9f3f2e2d606f3b07c77dbe56f6a7 |
| SHA256 | f71eb25ca27f1ecc7214a5370b0a46301d4d5e638fd156e428bbc7d7098ec5a0 |
| SHA512 | 0c34ae64ad4bd2b02821b9f3de09bd1a6b0bcbec146a007b931f010342584f3e99522da3dd53346345bb0b2a9944d57ed84f361884a459ed297d3d1331e2865a |
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat
| MD5 | d1073c9b34d1bbd570928734aacff6a5 |
| SHA1 | 78714e24e88d50e0da8da9d303bec65b2ee6d903 |
| SHA256 | b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020 |
| SHA512 | 4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f |
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat
| MD5 | bdfaecc19d199c62cd73a5dc59aea725 |
| SHA1 | fdc7a4ab71d7bf37ec634ea24c35ac85b43cbc16 |
| SHA256 | 0fd6f3ee0a9601d63058062290374c86c08c3214b1f670b393a632d654bbb534 |
| SHA512 | 93fcf118c3e97f4e2bb8d06e3dfc47a329730ffd051bfd6ddd56e7e88f4a52b5342ed0b888cc8eb26163842ec6a2f28bf411c9afb1c91d5b2d291560118d9a02 |
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
| MD5 | 10cd54078039ec4cc42f71e47c096f99 |
| SHA1 | d2f5e83eedf5fec4fe46f5d229446c13109e46c4 |
| SHA256 | 9a11fab6e5df7374c1a2aed394599d260edb6ce1a7852a62ded511345d162016 |
| SHA512 | d8adfc9ef7aec2c1217e13b44ddd3e0007530db5e95e0851bc266b99c604a313c2a76acf7c435ef37ebdfb41438062c9a3ed19cc93a94f6a7d250af8ceda6773 |
C:\Windows\SYSTEM.INI
| MD5 | f53db698c8a8efc5dd8a750739b26580 |
| SHA1 | f642fc4985c0d9c7518dad81e396ca4821b5e1ad |
| SHA256 | 439db7cedec9ff20538c399ba7f847e0e4b6619cd890e39bc4f52fe87dab3e78 |
| SHA512 | 419e3f77a8853c5dec0bf8006b7306975235cc7de8f0037a1b6847e5ebb5c85c18b4bf782d56304fe7510f9e69409218efbf9f6d398d72c64bf33794edd46a92 |
C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp
| MD5 | df2c63605573c2398d796370c11cb26c |
| SHA1 | efba97e2184ba3941edb008fcc61d8873b2b1653 |
| SHA256 | 07ffcde2097d0af67464907fec6a4079b92da11583013bae7d3313fa32312fe8 |
| SHA512 | d9726e33fcfa96415cc906bdb1b0e53eba674eaf30ed77d41d245c1c59aa53e222246f691d82fa3a45f049fbf23d441768f9da21370e489232770ad5ae91d32f |
C:\Users\Admin\AppData\Local\Temp\tmp4C6B.tmp
| MD5 | 6f90e1169d19dfde14d6f753f06c862b |
| SHA1 | e9bca93c68d7df73d000f4a6e6eb73a343682ac5 |
| SHA256 | 70a392389aecd0f58251e72c3fd7e9159f481061d14209ff8708a0fd9ff584dc |
| SHA512 | f0c898222e9578c01ebe1befac27a3fb68d8fb6e76c7d1dec7a8572c1aa3201bacf1e69aa63859e95606790cf09962bcf7dc33b770a6846bed5bd7ded957b0b3 |
C:\Users\Admin\AppData\Local\Temp\tmp4C7C.tmp
| MD5 | f558c76b0376af9273717fa24d99ebbf |
| SHA1 | f84bcece5c6138b62ef94e9d668cf26178ee14cc |
| SHA256 | 01631353726dc51bcea311dbc012572cf96775e516b1c79a2de572ef15954b7a |
| SHA512 | 2092d1e126d0420fec5fc0311d6b99762506563f4890e4049e48e2d87dde5ac3e2e2ecc986ab305de2c6ceb619f18879a69a815d3241ccf8140bc5ea00c6768d |
C:\Users\Admin\AppData\Local\Temp\tmp4C8D.tmp
| MD5 | 02ae22335713a8f6d6adf80bf418202b |
| SHA1 | 4c40c11f43df761b92a5745f85a799db7b389215 |
| SHA256 | ae5697f849fa48db6d3d13455c224fcf6ceb0602a1e8ac443e211dd0f32d50f4 |
| SHA512 | 727d16102bfc768535b52a37e4e7b5d894f5daa268d220df108382c36dcce063afdbc31fd495a7a61305263ec4cd7e92713d894faa35b585c0b379217a1d929c |
C:\Users\Admin\AppData\Local\Temp\tmp4CAD.tmp
| MD5 | 09203a9741b91f3a9ed01c82dcb8778d |
| SHA1 | 13e6f3fb169cd6aa5e4d450417a7e15665a2e140 |
| SHA256 | 63149ad45db380f5dd15f65d9ceb2611d53a0a66e022483bee4ce2ff7d2610e2 |
| SHA512 | 9e9e6fe0dd713417d0e28ba787cf862d55ecda9ee9f3df1eada144657f6a3b6ada1984fd05a3fffcd597a9715383225a8e40b6e5d0d8d39ec0d3a64b8dea9846 |
C:\Users\Admin\AppData\Local\Temp\tmp4CEC.tmp
| MD5 | 9a27bfb55dd768ae81ca8716db2da343 |
| SHA1 | 55da0f4282bd838f72f435a5d4d24ac15b04482b |
| SHA256 | 5ec8093ef5939d1abce1c576097b584fb600b94ad767c1da897f7cb7f0063d26 |
| SHA512 | d9bb49d2f282ed09c351a1d8eb2540781e6a7fb39265473fd59d146bfc162f27a4ab1405301ed7395c12929a80551a399437d7d794d7ac48650e9037b60eb69c |
C:\Users\Admin\AppData\Local\Temp\tmp4CFD.tmp
| MD5 | 2634fa3a332c297711cb59d43f54ffce |
| SHA1 | 8e2b68d0ee4e792efb1945ba86eceb87f07087d2 |
| SHA256 | 27c945ccb84aa024f1f063701327e829a7ef3a7ede4a43b2febbb1dddbdf8740 |
| SHA512 | 84e4799b9b18a7cc7be685c793a9b4fb135ea331d1d235fe823e1d7091130f131ab2fbad1da4dea795e82547aa16b00f4e2a9faaa96cb522d795f9abfda2fc53 |
C:\Users\Admin\AppData\Local\Temp\tmp4D0E.tmp
| MD5 | e07c6a9e595f045fadc463dfda44ab16 |
| SHA1 | e6b199272ade02613f2003c365a4cb1487431e23 |
| SHA256 | d2fa6f9686386a92253a9c5ea25ace702a111483540b60c1300789235cea7fdc |
| SHA512 | f3c630ae8381b99519aeeadbc2918810e7fb09a909f73ee6c46f4e9d3cf8c5051a5cf763db6a775d6cd8713ccf95a63b18df9ed756fa28276e8d7ab6a47f2cbf |
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat
| MD5 | 58be98efb09349e64113c626851cbcef |
| SHA1 | 0718f32614234e9a5045043821ab99a14e1409ec |
| SHA256 | 31c3e3a4adeb10ad24eb3ac021404721b471a3290bb51581d6d4a18fcd13fb5a |
| SHA512 | 0d400a04100f48be87a492aee07b2732d1e4fc93262c48447384d0be3d66b95a77a15a949832175d681df494144ccf47dc8b755b7e350dc419958d942159ca38 |
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
| MD5 | daac1781c9d22f5743ade0cb41feaebf |
| SHA1 | e2549eeeea42a6892b89d354498fcaa8ffd9cac4 |
| SHA256 | 6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c |
| SHA512 | 190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160 |
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat
| MD5 | 3ca08f080a7a28416774d80552d4aa08 |
| SHA1 | 0b5f0ba641204b27adac4140fd45dce4390dbf24 |
| SHA256 | 4e7d460b8dc9f2c01b4c5a16fb956aced10127bc940e8039a80c6455901ea1f0 |
| SHA512 | 0c64aa462ff70473ef763ec392296fe0ea59b5340c26978531a416732bc3845adf9ca7b673cb7b4ba40cc45674351206096995c43600fccbbbe64e51b6019f01 |
C:\Users\Admin\AppData\Local\Temp\wtmps.exe
| MD5 | 75c1467042b38332d1ea0298f29fb592 |
| SHA1 | f92ea770c2ddb04cf0d20914578e4c482328f0f8 |
| SHA256 | 3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373 |
| SHA512 | 5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0 |
C:\Windows\SysWOW64\mscaps.exe
| MD5 | 78d3c8705f8baf7d34e6a6737d1cfa18 |
| SHA1 | 9f09e248a29311dbeefae9d85937b13da042a010 |
| SHA256 | 2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905 |
| SHA512 | 9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609 |
C:\Users\Admin\AppData\Local\Temp\5DFE.tmp
| MD5 | 37512bcc96b2c0c0cf0ad1ed8cfae5cd |
| SHA1 | edf7f17ce28e1c4c82207cab8ca77f2056ea545c |
| SHA256 | 27e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f |
| SHA512 | 6d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641 |
C:\Users\Admin\AppData\Local\Temp\windonfuw.exe
| MD5 | b360fa63134a63f9acfe046d2dfe10d9 |
| SHA1 | b47a7f2ad61c79e454b55e39b0d7500aca753a17 |
| SHA256 | 03e0c6c4ca8a24f961477887763397045e67862e059f7494014aefc21891d40e |
| SHA512 | 575673255d389fc6667f46931301925bf4bb3030d7a3f6da3d3e7d878f86bb496ad6706e20191a1daa2e177cacda9b677424327bd9d438c1ad109c4222064102 |
F:\yvmdoo.exe
| MD5 | 2ffeacc80f90d43f8c988861c37497ab |
| SHA1 | fa761e410cba24525a5dec343403bf1dc3a084f7 |
| SHA256 | ff85eab3a2b31664cf1eae95d8adaff1ad4b83567557b5b31fca310f704633b1 |
| SHA512 | 9ea111f0751cf7a84c752bbb13babde9106fea457cde990682566d94fd2971b3ce59678be5b94fd45eb5bb947929c494533ab6e4577df235c31665099a7ee7fa |
C:\Users\Admin\AppData\Local\Temp\0E5746CD_Rar\WdExt.exe
| MD5 | 5ea2ede28b2cf2390a39810c95b89164 |
| SHA1 | 43ab175a483620a15ddf3fbe7e96877e752af316 |
| SHA256 | 271b69ef4dd707ee9327c028a108e3bbce8c3809ae29d1c77cc4dba523c05baf |
| SHA512 | db5fc5be84c17b92c86e6a9f8f3a4fcea0df677150bf958e8e4b5331222e6dca43199ad7aabf6b94a14bef799340b1d1b6d6c412316316ad672fbdfd26af49c0 |