Malware Analysis Report

2025-03-14 23:11

Sample ID 240407-adwyfseh61
Target a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58
SHA256 a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58
Tags
sality backdoor evasion persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58

Threat Level: Known bad

The file a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence spyware stealer trojan upx

Windows security bypass

Sality

Modifies firewall policy service

UAC bypass

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Reads user/profile data of web browsers

UPX packed file

Checks computer location settings

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Executes dropped EXE

Windows security modification

Checks whether UAC is enabled

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies registry class

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 00:06

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 00:06

Reported

2024-04-07 00:08

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2128 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | C:\Windows\SysWOW64\explorer.exe
PID 2128 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | C:\Windows\SysWOW64\explorer.exe
PID 2128 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | C:\Windows\SysWOW64\explorer.exe
PID 2128 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | C:\Windows\SysWOW64\explorer.exe
PID 2128 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | C:\Windows\SysWOW64\explorer.exe
PID 2128 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | C:\Windows\SysWOW64\explorer.exe
PID 2128 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | C:\Windows\SysWOW64\explorer.exe
PID 2128 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | C:\Windows\SysWOW64\explorer.exe
PID 2128 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe

"C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

Network

N/A

Files

memory/2104-0-0x0000000000A50000-0x0000000000CD1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 00:06

Reported

2024-04-07 00:08

Platform

win10v2004-20240226-en

Max time kernel

25s

Max time network

93s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\"" | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\mscaps.exe | C:\Users\Admin\AppData\Local\Temp\wtmps.exe | N/A
File created | C:\Windows\SysWOW64\mscaps.exe | C:\Users\Admin\AppData\Local\Temp\wtmps.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
File created | C:\Program Files (x86)\MountTaiSoftware\Lodop\NPCAOSOFT_WEB_PRINT_lodop.dll | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\e573902 | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe | N/A
File created | C:\Windows\e5745a4 | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A
File created | C:\Windows\e57633e | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ = "LodopX Control" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\ = "LodopX Control" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E} | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\Version = "6.0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Control\ | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED} | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\ = "Lodop" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\Clsid\ = "{2105C259-1E0C-4534-8141-A753534CB4CA}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\Version = "6.0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB} | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0\ = "Properties,0,2" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID\ = "Lodop.LodopX" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\ | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB} | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version\ = "6.0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx,0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\Clsid | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E} | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ = "C:\\PROGRA~2\\MOUNTT~1\\Lodop\\CAOSOF~1.OCX" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0 | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID | C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe | N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA} C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\1\ = "205201" C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Control C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS\ = "2" C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX" C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1532 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe C:\Windows\SysWOW64\explorer.exe
PID 1532 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe C:\Windows\SysWOW64\explorer.exe
PID 1532 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe C:\Windows\SysWOW64\explorer.exe
PID 1532 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe C:\Windows\SysWOW64\explorer.exe
PID 1532 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe C:\Windows\SysWOW64\explorer.exe
PID 3356 wrote to memory of 3112 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe
PID 3356 wrote to memory of 3112 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe
PID 3356 wrote to memory of 3112 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe
PID 3356 wrote to memory of 2596 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe
PID 3356 wrote to memory of 2596 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe
PID 3356 wrote to memory of 2596 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe
PID 3112 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\system32\fontdrvhost.exe
PID 3112 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\system32\fontdrvhost.exe
PID 3112 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\system32\dwm.exe
PID 3112 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\system32\sihost.exe
PID 3112 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\system32\svchost.exe
PID 3112 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\system32\taskhostw.exe
PID 3112 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\Explorer.EXE
PID 3112 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\system32\svchost.exe
PID 3112 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\system32\DllHost.exe
PID 3112 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3112 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\System32\RuntimeBroker.exe
PID 3112 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3112 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\System32\RuntimeBroker.exe
PID 3112 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3112 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\System32\RuntimeBroker.exe
PID 3112 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3112 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\SysWOW64\explorer.exe
PID 3112 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\system32\BackgroundTaskHost.exe
PID 3112 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\System32\RuntimeBroker.exe
PID 3112 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe
PID 3112 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe
PID 3112 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 3700 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
PID 3700 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
PID 3700 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
PID 2032 wrote to memory of 788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\system32\fontdrvhost.exe
PID 2032 wrote to memory of 796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\system32\fontdrvhost.exe
PID 2032 wrote to memory of 60 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\system32\dwm.exe
PID 2032 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\system32\sihost.exe
PID 2032 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\system32\svchost.exe
PID 2032 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\system32\taskhostw.exe
PID 2032 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\Explorer.EXE
PID 2032 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\system32\svchost.exe
PID 2032 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\system32\DllHost.exe
PID 2032 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2032 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\System32\RuntimeBroker.exe
PID 2032 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2032 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\System32\RuntimeBroker.exe
PID 2032 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2032 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\System32\RuntimeBroker.exe
PID 2032 wrote to memory of 856 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2032 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\System32\RuntimeBroker.exe
PID 2032 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\System32\Conhost.exe
PID 2032 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe

"C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe

"C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "

C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 2032

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "

C:\Users\Admin\AppData\Local\Temp\wtmps.exe

"C:\Users\Admin\AppData\Local\Temp\wtmps.exe"

C:\Windows\SysWOW64\mscaps.exe

"C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 windowsupdate.microsoft.com udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe

MD5 a2a46a902064e2ad4c37efbe93f77d1f
SHA1 58ff1afc67ef5d4aa3b99a779c5dec3d61a790e4
SHA256 62ded7af7b10cfa24cde9274965783394860251729367214ddd1cf8937a9a46b
SHA512 2126ce892d9565d63b4fd5f0da5f0e26eb3b8dfb6c0024cc2589d91e17439edd39679d2e9cb7c1ddfeb1212b6bfd13ef5bc4c2bbe652d518c67f469f5a6b2f29

C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe

MD5 f050d0a9a5883cd5e8baa26368b61996
SHA1 8be868ffdc5b8af4c80326b0cbbbcfa2bd7a77c8
SHA256 0e1cfe13289b0090412a0115f081b23a1df1cb1805829944fef881cdde950bc1
SHA512 ef2e11ce11658e7ada516013ae39130842b87adbd29007fb6c19f14c9245ffe173f72f5303cb85dd8c7b29917b8433b8a33a8dfcac3fe177ad8a9a6ab404f6e8

memory/3112-22-0x0000000000400000-0x000000000044A000-memory.dmp

memory/3112-21-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/3112-26-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/2596-27-0x0000000000400000-0x00000000006F7000-memory.dmp

memory/3112-29-0x0000000010000000-0x0000000010015000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

MD5 8d7db101a7211fe3309dc4dc8cf2dd0a
SHA1 6c2781eadf53b3742d16dab2f164baf813f7ac85
SHA256 93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a
SHA512 8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

C:\Users\Admin\AppData\Local\Temp\0E5739AD_Rar\@AE374C.tmp.exe

MD5 86b87accec5ec6e6c4271b9b670054cc
SHA1 13bb9c1688577a1111f74b265f4ff13aa5197030
SHA256 9dc916650464ef5e95f011674d1e9170fca1e2444e830f46fece885cce73fcb0
SHA512 668ea5ca5952d7d1ea79e3d9372345a27595b72e736b5907c114f4e96e19d25e2a27eb5cf70f40a08ca892453c6780be672a80029e767c37b3df371cc3d483a1

memory/3112-516-0x00000000006D0000-0x00000000006D2000-memory.dmp

memory/2596-520-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/2596-519-0x0000000002530000-0x0000000002532000-memory.dmp

memory/3112-517-0x00000000006F0000-0x00000000006F1000-memory.dmp

memory/2596-521-0x0000000000850000-0x0000000000851000-memory.dmp

memory/3112-28-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/2596-522-0x0000000002530000-0x0000000002532000-memory.dmp

memory/3112-527-0x0000000002200000-0x00000000032BA000-memory.dmp

C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx

MD5 8ead51ea7c9febebf7b09410405cde01
SHA1 6ee38d2e277c9f3f2e2d606f3b07c77dbe56f6a7
SHA256 f71eb25ca27f1ecc7214a5370b0a46301d4d5e638fd156e428bbc7d7098ec5a0
SHA512 0c34ae64ad4bd2b02821b9f3de09bd1a6b0bcbec146a007b931f010342584f3e99522da3dd53346345bb0b2a9944d57ed84f361884a459ed297d3d1331e2865a

memory/2596-528-0x0000000073080000-0x000000007358E000-memory.dmp

memory/3112-530-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/3112-531-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/3112-532-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/3112-608-0x00000000006D0000-0x00000000006D2000-memory.dmp

memory/3112-682-0x00000000006D0000-0x00000000006D2000-memory.dmp

memory/3112-533-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/3112-683-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/3112-690-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/3112-694-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/2596-715-0x00000000006F0000-0x00000000006F1000-memory.dmp

memory/3112-717-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

MD5 d1073c9b34d1bbd570928734aacff6a5
SHA1 78714e24e88d50e0da8da9d303bec65b2ee6d903
SHA256 b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020
SHA512 4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

MD5 bdfaecc19d199c62cd73a5dc59aea725
SHA1 fdc7a4ab71d7bf37ec634ea24c35ac85b43cbc16
SHA256 0fd6f3ee0a9601d63058062290374c86c08c3214b1f670b393a632d654bbb534
SHA512 93fcf118c3e97f4e2bb8d06e3dfc47a329730ffd051bfd6ddd56e7e88f4a52b5342ed0b888cc8eb26163842ec6a2f28bf411c9afb1c91d5b2d291560118d9a02

C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

MD5 10cd54078039ec4cc42f71e47c096f99
SHA1 d2f5e83eedf5fec4fe46f5d229446c13109e46c4
SHA256 9a11fab6e5df7374c1a2aed394599d260edb6ce1a7852a62ded511345d162016
SHA512 d8adfc9ef7aec2c1217e13b44ddd3e0007530db5e95e0851bc266b99c604a313c2a76acf7c435ef37ebdfb41438062c9a3ed19cc93a94f6a7d250af8ceda6773

memory/2032-724-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2032-723-0x0000000002210000-0x00000000032CA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 f53db698c8a8efc5dd8a750739b26580
SHA1 f642fc4985c0d9c7518dad81e396ca4821b5e1ad
SHA256 439db7cedec9ff20538c399ba7f847e0e4b6619cd890e39bc4f52fe87dab3e78
SHA512 419e3f77a8853c5dec0bf8006b7306975235cc7de8f0037a1b6847e5ebb5c85c18b4bf782d56304fe7510f9e69409218efbf9f6d398d72c64bf33794edd46a92

memory/2032-726-0x0000000002210000-0x00000000032CA000-memory.dmp

memory/2032-727-0x0000000002210000-0x00000000032CA000-memory.dmp

memory/2032-728-0x0000000002210000-0x00000000032CA000-memory.dmp

memory/2032-729-0x0000000002210000-0x00000000032CA000-memory.dmp

memory/2032-1198-0x00000000005A0000-0x00000000005A1000-memory.dmp

memory/3700-1196-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

memory/2032-1199-0x0000000002210000-0x00000000032CA000-memory.dmp

memory/2032-1200-0x0000000002210000-0x00000000032CA000-memory.dmp

memory/2032-1202-0x0000000000590000-0x0000000000592000-memory.dmp

memory/2032-1201-0x0000000002210000-0x00000000032CA000-memory.dmp

memory/2032-1203-0x0000000000590000-0x0000000000592000-memory.dmp

memory/3700-1207-0x0000000000EA0000-0x0000000000EA2000-memory.dmp

memory/2032-1204-0x0000000002210000-0x00000000032CA000-memory.dmp

memory/3700-1208-0x0000000000EA0000-0x0000000000EA2000-memory.dmp

memory/2032-1209-0x0000000002210000-0x00000000032CA000-memory.dmp

memory/2032-1210-0x0000000002210000-0x00000000032CA000-memory.dmp

memory/2032-1213-0x0000000002210000-0x00000000032CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp

MD5 df2c63605573c2398d796370c11cb26c
SHA1 efba97e2184ba3941edb008fcc61d8873b2b1653
SHA256 07ffcde2097d0af67464907fec6a4079b92da11583013bae7d3313fa32312fe8
SHA512 d9726e33fcfa96415cc906bdb1b0e53eba674eaf30ed77d41d245c1c59aa53e222246f691d82fa3a45f049fbf23d441768f9da21370e489232770ad5ae91d32f

C:\Users\Admin\AppData\Local\Temp\tmp4C6B.tmp

MD5 6f90e1169d19dfde14d6f753f06c862b
SHA1 e9bca93c68d7df73d000f4a6e6eb73a343682ac5
SHA256 70a392389aecd0f58251e72c3fd7e9159f481061d14209ff8708a0fd9ff584dc
SHA512 f0c898222e9578c01ebe1befac27a3fb68d8fb6e76c7d1dec7a8572c1aa3201bacf1e69aa63859e95606790cf09962bcf7dc33b770a6846bed5bd7ded957b0b3

C:\Users\Admin\AppData\Local\Temp\tmp4C7C.tmp

MD5 f558c76b0376af9273717fa24d99ebbf
SHA1 f84bcece5c6138b62ef94e9d668cf26178ee14cc
SHA256 01631353726dc51bcea311dbc012572cf96775e516b1c79a2de572ef15954b7a
SHA512 2092d1e126d0420fec5fc0311d6b99762506563f4890e4049e48e2d87dde5ac3e2e2ecc986ab305de2c6ceb619f18879a69a815d3241ccf8140bc5ea00c6768d

C:\Users\Admin\AppData\Local\Temp\tmp4C8D.tmp

MD5 02ae22335713a8f6d6adf80bf418202b
SHA1 4c40c11f43df761b92a5745f85a799db7b389215
SHA256 ae5697f849fa48db6d3d13455c224fcf6ceb0602a1e8ac443e211dd0f32d50f4
SHA512 727d16102bfc768535b52a37e4e7b5d894f5daa268d220df108382c36dcce063afdbc31fd495a7a61305263ec4cd7e92713d894faa35b585c0b379217a1d929c

C:\Users\Admin\AppData\Local\Temp\tmp4CAD.tmp

MD5 09203a9741b91f3a9ed01c82dcb8778d
SHA1 13e6f3fb169cd6aa5e4d450417a7e15665a2e140
SHA256 63149ad45db380f5dd15f65d9ceb2611d53a0a66e022483bee4ce2ff7d2610e2
SHA512 9e9e6fe0dd713417d0e28ba787cf862d55ecda9ee9f3df1eada144657f6a3b6ada1984fd05a3fffcd597a9715383225a8e40b6e5d0d8d39ec0d3a64b8dea9846

C:\Users\Admin\AppData\Local\Temp\tmp4CEC.tmp

MD5 9a27bfb55dd768ae81ca8716db2da343
SHA1 55da0f4282bd838f72f435a5d4d24ac15b04482b
SHA256 5ec8093ef5939d1abce1c576097b584fb600b94ad767c1da897f7cb7f0063d26
SHA512 d9bb49d2f282ed09c351a1d8eb2540781e6a7fb39265473fd59d146bfc162f27a4ab1405301ed7395c12929a80551a399437d7d794d7ac48650e9037b60eb69c

C:\Users\Admin\AppData\Local\Temp\tmp4CFD.tmp

MD5 2634fa3a332c297711cb59d43f54ffce
SHA1 8e2b68d0ee4e792efb1945ba86eceb87f07087d2
SHA256 27c945ccb84aa024f1f063701327e829a7ef3a7ede4a43b2febbb1dddbdf8740
SHA512 84e4799b9b18a7cc7be685c793a9b4fb135ea331d1d235fe823e1d7091130f131ab2fbad1da4dea795e82547aa16b00f4e2a9faaa96cb522d795f9abfda2fc53

C:\Users\Admin\AppData\Local\Temp\tmp4D0E.tmp

MD5 e07c6a9e595f045fadc463dfda44ab16
SHA1 e6b199272ade02613f2003c365a4cb1487431e23
SHA256 d2fa6f9686386a92253a9c5ea25ace702a111483540b60c1300789235cea7fdc
SHA512 f3c630ae8381b99519aeeadbc2918810e7fb09a909f73ee6c46f4e9d3cf8c5051a5cf763db6a775d6cd8713ccf95a63b18df9ed756fa28276e8d7ab6a47f2cbf

memory/2032-1834-0x0000000002210000-0x00000000032CA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

MD5 58be98efb09349e64113c626851cbcef
SHA1 0718f32614234e9a5045043821ab99a14e1409ec
SHA256 31c3e3a4adeb10ad24eb3ac021404721b471a3290bb51581d6d4a18fcd13fb5a
SHA512 0d400a04100f48be87a492aee07b2732d1e4fc93262c48447384d0be3d66b95a77a15a949832175d681df494144ccf47dc8b755b7e350dc419958d942159ca38

C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

MD5 daac1781c9d22f5743ade0cb41feaebf
SHA1 e2549eeeea42a6892b89d354498fcaa8ffd9cac4
SHA256 6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c
SHA512 190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160

memory/6064-1839-0x0000000010000000-0x0000000010015000-memory.dmp

memory/2032-1842-0x0000000002210000-0x00000000032CA000-memory.dmp

memory/2032-1858-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

MD5 3ca08f080a7a28416774d80552d4aa08
SHA1 0b5f0ba641204b27adac4140fd45dce4390dbf24
SHA256 4e7d460b8dc9f2c01b4c5a16fb956aced10127bc940e8039a80c6455901ea1f0
SHA512 0c64aa462ff70473ef763ec392296fe0ea59b5340c26978531a416732bc3845adf9ca7b673cb7b4ba40cc45674351206096995c43600fccbbbe64e51b6019f01

C:\Users\Admin\AppData\Local\Temp\wtmps.exe

MD5 75c1467042b38332d1ea0298f29fb592
SHA1 f92ea770c2ddb04cf0d20914578e4c482328f0f8
SHA256 3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373
SHA512 5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0

C:\Windows\SysWOW64\mscaps.exe

MD5 78d3c8705f8baf7d34e6a6737d1cfa18
SHA1 9f09e248a29311dbeefae9d85937b13da042a010
SHA256 2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905
SHA512 9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609

C:\Users\Admin\AppData\Local\Temp\5DFE.tmp

MD5 37512bcc96b2c0c0cf0ad1ed8cfae5cd
SHA1 edf7f17ce28e1c4c82207cab8ca77f2056ea545c
SHA256 27e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f
SHA512 6d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641

memory/2596-1889-0x0000000000400000-0x00000000006F7000-memory.dmp

memory/2596-1891-0x0000000004D40000-0x0000000005DFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\windonfuw.exe

MD5 b360fa63134a63f9acfe046d2dfe10d9
SHA1 b47a7f2ad61c79e454b55e39b0d7500aca753a17
SHA256 03e0c6c4ca8a24f961477887763397045e67862e059f7494014aefc21891d40e
SHA512 575673255d389fc6667f46931301925bf4bb3030d7a3f6da3d3e7d878f86bb496ad6706e20191a1daa2e177cacda9b677424327bd9d438c1ad109c4222064102

memory/2596-1907-0x0000000002530000-0x0000000002532000-memory.dmp

memory/2596-1912-0x0000000073080000-0x000000007358E000-memory.dmp

memory/2596-1953-0x0000000004D40000-0x0000000005DFA000-memory.dmp

F:\yvmdoo.exe

MD5 2ffeacc80f90d43f8c988861c37497ab
SHA1 fa761e410cba24525a5dec343403bf1dc3a084f7
SHA256 ff85eab3a2b31664cf1eae95d8adaff1ad4b83567557b5b31fca310f704633b1
SHA512 9ea111f0751cf7a84c752bbb13babde9106fea457cde990682566d94fd2971b3ce59678be5b94fd45eb5bb947929c494533ab6e4577df235c31665099a7ee7fa

C:\Users\Admin\AppData\Local\Temp\0E5746CD_Rar\WdExt.exe

MD5 5ea2ede28b2cf2390a39810c95b89164
SHA1 43ab175a483620a15ddf3fbe7e96877e752af316
SHA256 271b69ef4dd707ee9327c028a108e3bbce8c3809ae29d1c77cc4dba523c05baf
SHA512 db5fc5be84c17b92c86e6a9f8f3a4fcea0df677150bf958e8e4b5331222e6dca43199ad7aabf6b94a14bef799340b1d1b6d6c412316316ad672fbdfd26af49c0
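The listing above mixes two kinds of artifacts: dropped files, each followed by MD5/SHA1/SHA256/SHA512 lines, and memory dump regions named `memory/<pid>-<index>-<start>-<end>-memory.dmp`. The following Python is an added example, not part of the sandbox output or this report; it turns such a listing into structured IOC records, rejects hash lines whose digest length does not match the algorithm, and looks a file's SHA256 up against the parsed set. The sample text is copied from entries in the listing above, with one constructed malformed `SHA1` line added to show the rejection path; the helper names (`parse_listing`, `match_digest`, etc.) are this example's own.

```python
"""Parse a sandbox 'Files' listing (dropped files + memory regions) into IOC records.

Added example. Assumes the format seen on the page: a path line, then zero or more
"<ALGO> <hexdigest>" lines, and memory regions as memory/<pid>-<n>-<start>-<end>-memory.dmp.
"""
import hashlib
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Expected hex-digest length per algorithm; a mismatch is reported, never silently kept.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


@dataclass
class FileIoc:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)


@dataclass
class MemRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str) -> Tuple[List[FileIoc], List[MemRegion], List[str]]:
    """Return (files, memory regions, rejected hash lines) for a listing."""
    files: List[FileIoc] = []
    regions: List[MemRegion] = []
    rejected: List[str] = []
    current: Optional[FileIoc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            current = None  # a region line ends the preceding file's hash block
            regions.append(MemRegion(int(m["pid"]), int(m["idx"]),
                                     int(m["start"], 16), int(m["end"], 16)))
            continue
        h = HASH_RE.match(line)
        if h:
            algo, digest = h.group(1), h.group(2).lower()
            # A hash line with no preceding path, or with a digest of the wrong
            # length for its algorithm, is a parsing/extraction error: flag it.
            if current is None or len(digest) != HASH_LEN[algo]:
                rejected.append(line)
                continue
            current.hashes[algo] = digest
            continue
        current = FileIoc(path=line)  # anything else starts a new dropped-file entry
        files.append(current)
    return files, regions, rejected


def index_by_sha256(files: List[FileIoc]) -> Dict[str, FileIoc]:
    return {f.hashes["SHA256"]: f for f in files if "SHA256" in f.hashes}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_digest(index: Dict[str, FileIoc], digest: str) -> Optional[FileIoc]:
    return index.get(digest.lower())


def match_file(index: Dict[str, FileIoc], path: Path) -> Optional[FileIoc]:
    """Hash a file on disk and return the IOC record it matches, if any."""
    return match_digest(index, sha256_hex(path.read_bytes()))


# Sample input: entries copied from the report's listing, plus one constructed
# malformed SHA1 line ("SHA1 deadbeef") to exercise the rejection path.
SAMPLE_LISTING = r"""
memory/2032-724-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 f53db698c8a8efc5dd8a750739b26580
SHA1 f642fc4985c0d9c7518dad81e396ca4821b5e1ad
SHA256 439db7cedec9ff20538c399ba7f847e0e4b6619cd890e39bc4f52fe87dab3e78
SHA512 419e3f77a8853c5dec0bf8006b7306975235cc7de8f0037a1b6847e5ebb5c85c18b4bf782d56304fe7510f9e69409218efbf9f6d398d72c64bf33794edd46a92

memory/2032-1842-0x0000000002210000-0x00000000032CA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

MD5 daac1781c9d22f5743ade0cb41feaebf
SHA256 6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c
SHA1 deadbeef
"""

if __name__ == "__main__":
    files, regions, rejected = parse_listing(SAMPLE_LISTING)
    for f in files:
        print(f.path, f.hashes.get("SHA256"))
    for r in regions:
        print(f"pid {r.pid} region {r.index}: {r.start:#x}-{r.end:#x} ({r.size:#x} bytes)")
    print("rejected:", rejected)
```

The region sizes are worth reading off: the repeated `0x2210000-0x32CA000` dumps from pid 2032 are a single 0x10BA000-byte private region, which is the kind of large RWX/unpacked area you would carve and scan first. `match_file` is the hunt primitive: point it at files recovered from a host and it returns the report entry whose SHA256 matches.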