Malware Analysis Report

2025-03-15 04:32

Sample ID 241025-26w8gawcqg
Target e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N
SHA256 e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71
Tags
discovery persistence spyware stealer
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
7/10

SHA256

e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71

Threat Level: Shows suspicious behavior

The file e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 23:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 23:12

Reported

2024-10-25 23:14

Platform

win7-20240903-en

Max time kernel

119s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
(the row above is repeated 64 times in the original report, with identical values in every column)

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\SOS = "C:\\Windows\\SOS.exe" C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\SOS = "C:\\Windows\\SOS.exe" C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\SOS = "C:\\Windows\\SOS.exe" C:\Windows\SOS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\SOS = "C:\\Windows\\SOS.exe" C:\Windows\SOS.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\AtBroker.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\cliconfg.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\srdelayed.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\taskkill.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\verifier.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\migwiz\migwiz.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\clip.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\getmac.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\newdev.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\relog.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\bthudtask.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\dxdiag.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\isoburn.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\runonce.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\vssadmin.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\autofmt.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\CertEnrollCtrl.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\gpupdate.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\timeout.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\wecutil.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesProtection.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\migwiz\MigSetup.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\calc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\doskey.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\MigAutoPlay.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\rdrleakdiag.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\RunLegacyCPLElevated.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\WMIADAP.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\dllhost.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\powercfg.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\TRACERT.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP10\imjpuexc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\autochk.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\compact.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\fsutil.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\wowreg32.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\charmap.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\dllhst3g.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\rasphone.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\ReAgentc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\sfc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\UserAccountControlSettings.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP10\IMJPDADM.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\wininit.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\dpnsvr.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\HOSTNAME.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\iexpress.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\NAPSTAT.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\taskeng.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\where.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\wscript.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\choice.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\cttune.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\ddodiag.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\diantz.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\eventcreate.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\net1.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesComputerName.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\whoami.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\cleanmgr.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\grpconv.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\sdbinst.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\SearchProtocolHost.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Windows Defender\MSASCui.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Windows Mail\wab.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\Chess.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmprph.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-security-syskey_31bf3856ad364e35_6.1.7600.16385_none_1838ef0586d5af46\syskey.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_34ce5d95ad203bbe\finger.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-whoami_31bf3856ad364e35_6.1.7600.16385_none_ce52d479e329be32\whoami.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-w..cquisition-wiawow64_31bf3856ad364e35_6.1.7600.16385_none_2874ea220a5507fd\wiawow64.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-wlan-extension_31bf3856ad364e35_6.1.7600.16385_none_55d820d53d0a8fa3\wlanext.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.1.7600.16385_none_7351a917d91c961e_expand.exe_f43b24c8 C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\msil_dfsvc_b03f5f7f11d50a3a_6.1.7600.16385_none_3a54952b454a8916\dfsvc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-packagemanager_31bf3856ad364e35_6.1.7601.17514_none_eedf2e0751865eb2\PkgMgr.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-winre-recoverytools_31bf3856ad364e35_6.1.7601.17514_none_d7553e5fcf6b6373\ReAgentc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..nfiguration-cmdline_31bf3856ad364e35_6.1.7600.16385_none_6550a9de9a702b0f\powercfg.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-rasclienttools_31bf3856ad364e35_6.1.7600.16385_none_6f1d25ec0a04d811\rasphone.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-cttune_31bf3856ad364e35_6.1.7600.16385_none_0f797e18d8361ef2\cttune.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\aspnetca.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-synchost_31bf3856ad364e35_6.1.7600.16385_none_c575fec016436d8a\SyncHost.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.1.7601.17514_none_32e02520f8081891\WSManHTTPConfig.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..otservicing-utility_31bf3856ad364e35_6.1.7600.16385_none_d139a2cea567ce3f\fveupdate.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-winver_31bf3856ad364e35_6.1.7600.16385_none_b627d45ffdcc6f00\winver.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_wpf-terminalserverwpfwrapperexe_31bf3856ad364e35_6.1.7600.16385_none_243595ae2cf3193f\TsWpfWrp.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_wcf-m_sm_cfg_ins_exe_31bf3856ad364e35_6.1.7601.17514_none_0228c5fb7b680376\SMConfigInstaller.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-devicepairingapp_31bf3856ad364e35_6.1.7600.16385_none_cb9353551bbd8ed8\DevicePairingWizard.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..erandprintui-pmcppc_31bf3856ad364e35_6.1.7601.17514_none_698e475b97512fc9\PushPrinterConnections.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-peertopeercollab_31bf3856ad364e35_6.1.7600.16385_none_f32a402a46d391f3\p2phost.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-isoburn_31bf3856ad364e35_6.1.7601.17514_none_e83a110af77d5aa7\isoburn.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_6.1.7601.17514_none_bd4644e077251730\cmdl32.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_e24a7886a9947ebf_hdwwiz.exe_b6a1c2df C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7601.17514_none_da00ad1949e715ad\perfhost.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-driverquery_31bf3856ad364e35_6.1.7600.16385_none_95f92198f65d354d\driverquery.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.1.7601.17514_none_f71e39745cb0f950\RMActivate_ssp_isv.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_bf4980401574a899\relog.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_6.1.7601.17514_none_8375605f8afb0c19\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.1.7600.16385_none_81d82fe9c216eb89\pcaui.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-ping-utilities_31bf3856ad364e35_6.1.7600.16385_none_a907fb2af12e5dc6\PATHPING.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-winver_31bf3856ad364e35_6.1.7600.16385_none_12466fe3b629e036\winver.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_11.2.9600.16428_none_eab4546b9b62b250\wextract.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\bfsvc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-commandlinehelp_31bf3856ad364e35_6.1.7600.16385_none_3020274b22e8a90f\help.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-diskraid_31bf3856ad364e35_6.1.7601.17514_none_c3afa97fae99bbe4\diskraid.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-verclsid_31bf3856ad364e35_6.1.7600.16385_none_17dbc2dd2d2552c7\verclsid.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-ux_31bf3856ad364e35_6.1.7600.16385_none_13b9b4b7d327a721\wmpnscfg.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-rpc-locator_31bf3856ad364e35_6.1.7600.16385_none_2b2984d40648fbe7\Locator.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..iuminboxgames-chess_31bf3856ad364e35_6.1.7600.16385_none_d0c99374981840d5\Chess.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_wpf-terminalserverwpfwrapperexe_31bf3856ad364e35_6.1.7600.16385_none_80543131e5508a75\TsWpfWrp.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.22091_none_d0d0722c3bb0dc09\setup16.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-credwiz_31bf3856ad364e35_6.1.7600.16385_none_9fb106cecd28b3f9\credwiz.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_7cf343cac8a829ec\doskey.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281#\5ada68cfa2258a2d4e3c3779106faf9b\Microsoft.Workflow.Compiler.ni.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_6.1.7601.17514_none_f73c142da6e47daa\dfrgui.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-findstr_31bf3856ad364e35_6.1.7601.17514_none_855590d1705431c5\findstr.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-telnet-client_31bf3856ad364e35_6.1.7600.16385_none_1426830c3ebb712d\telnet.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_244ae8599e6d81bb_hh.exe_f87e0044 C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_44b0c76c35d4b76d\wab.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-d..ervicing-management_31bf3856ad364e35_6.1.7600.16385_none_5e7ff93b6f0000b7\Dism.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\migwiz.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..l-inboxgames-hearts_31bf3856ad364e35_6.1.7600.16385_none_4ffeefd67d89d45b\Hearts.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_6.1.7601.17514_none_cde4c4fd7ab159cb\RMActivate_ssp.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..pertiescomputername_31bf3856ad364e35_6.1.7600.16385_none_8c6823f855ef04a5\SystemPropertiesComputerName.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2 C:\Windows\SOS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2\WinX = "1" C:\Windows\SOS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2\NowCount = "0" C:\Windows\SOS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A
N/A N/A C:\Windows\SOS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm
PID 2972 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm
PID 2972 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm
PID 2972 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm
PID 2260 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm C:\Windows\SOS.exe
PID 2260 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm C:\Windows\SOS.exe
PID 2260 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm C:\Windows\SOS.exe
PID 2260 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm C:\Windows\SOS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe

"C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe"

C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.tmp

C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.tmp

C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm

C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm /zhj

C:\Windows\SOS.exe

C:\Windows\SOS.exe /zhj

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.tmp

MD5 69fec6fed212a3a310230606f4d4e9ce
SHA1 89573c0cd4933e59a0e49679246b96b34dd51b44
SHA256 6ab14e409d9d4910971d7edf973b5c25a269b50bdfc504754a127ff12e3ade8b
SHA512 964d9278a1b94792f73eb6bd8700dcc58d3a32153554390eb6f32b3525e63243905ffdeed6268b28690148e33d29fcd00fb39209580ad89581655acbad0d1497

C:\Windows\SOS.exe

MD5 48b17bcfbb1f261bdde044c7bf9c2bfc
SHA1 78cb33875ec8044d2bc9ea84bc6f375a594e8aa6
SHA256 204c6911b552609537412f935d2391726c6db09cf718ae1e0094d65b241a0329
SHA512 b7d9a99092604b466d138828d6881dea562735990625d46262a3f48ddec75387a95ae7e0586292aa623f6efbfc5d170295347c3f5af9a9b78bad5043e09518c0

memory/2260-21-0x0000000000400000-0x0000000000439000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

MD5 a41e524f8d45f0074fd07805ff0c9b12
SHA1 948deacf95a60c3fdf17e0e4db1931a6f3fc5d38
SHA256 082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7
SHA512 91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

\Program Files\7-Zip\7z.exe

MD5 9a1dd1d96481d61934dcc2d568971d06
SHA1 f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
SHA256 8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
SHA512 7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

\Program Files\7-Zip\7zFM.exe

MD5 30ac0b832d75598fb3ec37b6f2a8c86a
SHA1 6f47dbfd6ff36df7ba581a4cef024da527dc3046
SHA256 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
SHA512 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

\Program Files\7-Zip\7zG.exe

MD5 50f289df0c19484e970849aac4e6f977
SHA1 3dc77c8830836ab844975eb002149b66da2e10be
SHA256 b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305
SHA512 877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

\Program Files\7-Zip\Uninstall.exe

MD5 ad782ffac62e14e2269bf1379bccbaae
SHA1 9539773b550e902a35764574a2be2d05bc0d8afc
SHA256 1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8
SHA512 a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

MD5 f45a7db6aec433fd579774dfdb3eaa89
SHA1 2f8773cc2b720143776a0909d19b98c4954b39cc
SHA256 2bc2372cfabd26933bc4012046e66a5d2efc9554c0835d1a0aa012d3bd1a6f9a
SHA512 03a4b7c53373ff6308a0292bb84981dc1566923e93669bbb11cb03d9f58a8d477a1a2399aac5059f477bbf1cf14b17817d208bc7c496b8675ece83cdabec5662

\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

MD5 2abe4614a5d80878832fc7e91c8a3146
SHA1 3808489961c56e3cf49f8791c152c7db1085107a
SHA256 259be6f52760b376a5b8b53211e5405fbf4bf2339b63d341df2dd9d7a7bcf041
SHA512 f461297fde475649eb6becf576a932b6eb65f102c3674cfbcd5d4c8027d23e38c46dc8abef0d53d0b6441f5630930d34ffb5706bdaf0c19ee6c4f2cb2e59edc5

\Program Files\Google\Chrome\Application\chrome.exe

MD5 095092f4e746810c5829038d48afd55a
SHA1 246eb3d41194dddc826049bbafeb6fc522ec044a
SHA256 2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588
SHA512 7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 b65d7344b0a7faa207d2e1a7adaafb60
SHA1 755ad15b1745b0e730d658d4a92e2b754425b7db
SHA256 f4b91fbbcba8a46eefe4965e4a24c6ede3decbd1fec96e141a1953173efd1c92
SHA512 f17ac73c2df7c73a31b11ce0f533d6db91bdb0cdeea653dcd52ac72c3cf28da0c236b79586ddc7a6c825fdd171290722f888465e776f12ac2cae75be82726b22

\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe

MD5 96fb77dca3c528d80a58cc7cb671c3d9
SHA1 adad0a93fdfff795b75e6a7aaa53d68b03268fc3
SHA256 cf1002b4c27a50473e97fcc701c5c630f4e2dada4ec8d61344570e027e595a89
SHA512 13a9d0bc8891f62c63c38f20d73553fc1e467bfe20e2c7b3c61801524a897ebfecf61061bd2f51b43342f0c74e0e47d99f819aa0180f3a0adb17c138439e26d9

\Program Files\Java\jdk1.7.0_80\bin\rmid.exe

MD5 76777d98af20f1dd10a156d87112905e
SHA1 832a308d638a54fb5adb3a9e7ea26701086ebb4c
SHA256 3e2c63d90828880ae71f1c5501acff6f1654468e17a3abecd9e78dfbcd20c55c
SHA512 05f05f11b96d672f7f2379ccf2a689cc5e93886834a0566b4102ec23bc3ad3755104c99ff2b39d9bea8297d48f6220e80820c918a070f5f5f7fea1c4599b35fb

\Program Files\Java\jdk1.7.0_80\bin\rmic.exe

MD5 ecfa924fce77755d29ed3e74c050945e
SHA1 c997649bdfb2ccd5cbdd5fc207cf0b8ae6d34b6b
SHA256 ab2d9c3a0953786576541ee1f837637981afcec3e7c21203ecf9c357827220e0
SHA512 7147a269fa995582ad13b356481538329dfe7fef602d7f48ecff2fabac0201a7125844ef891e80e65acebbe5bd487fae5f12fb0376281a6e08d37306ec53075f

\Program Files\Java\jdk1.7.0_80\bin\policytool.exe

MD5 428e1e272f9e3b8915e999a8ace99a28
SHA1 80741be97448da187559cb87e698f16e587aea39
SHA256 8b6e938ae3d1a7bd3605ddd92ba075e5e4048745433230e6d13799e7cb476240
SHA512 17b964e6a7f957ae598f004c48affd13a7f6b27ecd69818a4dc02683bbafcebc6ea4919d7f0b97a76da56865ba85a0ae7406d0bbf9a9fd1b03076fd516e00aaf

\Program Files\Java\jdk1.7.0_80\bin\pack200.exe

MD5 d36e50402809536c0532e22911133833
SHA1 3e127017671725adc24de136041f83cae2f97c8e
SHA256 24fc8ae57ded1c57a5ccce10c87b45c4a125b0efcee1c0c02243128d87258c0c
SHA512 d684e799eb2b7ce55e3e3a8752970c8dd50789fc04bddfcb788aa1cd076463aa4e1adab934c468c2dab6c761bd970810fbc2aa535881e4a7f944a74b9df3bc12

\Program Files\Java\jdk1.7.0_80\bin\orbd.exe

MD5 8294c536263b2f48addddb85b9da4998
SHA1 5859bb36a6a47e1d1a6f61b1b5f0401b8182abb4
SHA256 3da11e511ff441ed5629e5b3f157abd1d5cd031608b2ac516eec955acfc05dd8
SHA512 90e33399ce89e540293403410b1f169c33675082e6363b79063753fa8230bb28afbdb0dac24ac7779ee38fc467efa2ab061eb050349bb47c9442577b4989e455

\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe

MD5 ec77c7625781b38685753eaf48e2b029
SHA1 2fc583b0557445e8c7ad2ba61011523d6e0bef79
SHA256 a5337bddf438fa53517113e61caa27e0e8290cca9ea8c619e6eeed168abcf859
SHA512 82a8a79a14dae4d41df5680e532fcb6ec83bf513fc9eda803343fb4eeda8bcbf3517cf6fdb048869689cace3d0c2f53a2532797e1ccbb9969ea67972d0dbe9aa

\Program Files\Java\jdk1.7.0_80\bin\ktab.exe

MD5 63bef325dd12e369057af89a6888109a
SHA1 9c45e44be16e685e4137412ff5c9673b83d60c58
SHA256 18967fee8faa1a46f0e5403e2e8e44c58932e91337265712e2e7bcd478c6950b
SHA512 5bf0c5b0bd2b5873f334f0b9835f03294b36bcdbe8de17720efd9a8b68a391634467077b625fde3683abba89902725be125805ae1dd54c7505a36d2c85580fbf

\Program Files\Java\jdk1.7.0_80\bin\klist.exe

MD5 ee88ee0bf50a2075eafbaf84273d756a
SHA1 e1091501d519c3ac8d81568e7f35cb6834a37e3b
SHA256 ba48764ad58238c67f78535a1df897cf9eada40a13a6f33ccdf55ba355a8ec01
SHA512 32de135a96fb43ed1b43f44a0f4ad880903d4203969a39a29432e4f42848816a9352a5dca007ad85a56769c74929406e62e8ed38b64a9b066c335700abed38de

\Program Files\Java\jdk1.7.0_80\bin\kinit.exe

MD5 5d3f9112c9eae4363a5d0b6a0df71486
SHA1 6ec9840609e7a9afc86465e0453701bdb13adb80
SHA256 195a691a99a2be918bef7fd99958a0a8a8b1637dda4fb2572af03a1b3ebb2ace
SHA512 f3a93980f8105e200dd2764ac30a94d33849755ba16f9671935f2f2a3260678fe6408069d985ad521507304b3dd6fc52f0232377895aabe231010e0401c5bcee

\Program Files\Java\jdk1.7.0_80\bin\keytool.exe

MD5 5dfdb82c0f4f7aacd94291367a2cfdb5
SHA1 f7fd979fd533117718e7e3521ecf3bd8b3f048eb
SHA256 22cef66555cc851733c16103a666a7a6b64f31017fa2932c9148b1a289239281
SHA512 806cadd84bdaaed41f1a4dab44c80f46f7709326ba47401057f644f8ac115be7f97323c7273f96f5cd45a838f247f626279c2a07bfac2098f0dfff797c81e69c

\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe

MD5 41c53a4c392717800ee2661796ce22fd
SHA1 20a31b7b7b39b5505d1ae7e4a901d8c0d3abc6cf
SHA256 33d32fc067d35734819f69c028335e9e9d6d24beccae12b0256403c1c89665a6
SHA512 d400dcfbf42c94201e467b984352297dcb323ff0543fe433cac9d6e7a6ae30706fe22fb17c2eb57b479d27efd8c006a3163aaddbf6152a1616316450d8d7839f

\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe

MD5 d33a2ad454c698dc6cc87ff9e484229d
SHA1 cdf4c8db79f2530bdfec32a1909be5d129a23058
SHA256 bf9aef8af2046c69ccc29ab1f9fa0f4b31cfcb1892158877c01e7b3a8c4eadb3
SHA512 682e0b292f0f0cb1613c634a99df53d242ba465f1f754058d508ba8506654ebcb35f79e6e6714a288c2018ab9cdb929ef48a544071bc3ffbf3d362bf3478a818

\Program Files\Java\jdk1.7.0_80\bin\jstat.exe

MD5 f9ae41a829d457685c00b08ea9185e1d
SHA1 54eeb13931bfdd989decb7e807996b46b75f1cd6
SHA256 d122b3df7c2b81c5eee0d3165a6741fffbc2298a8eb41740dbe0092eecf3cd47
SHA512 fef83f2670a11536b57dc3a1d86d014b49b83c720976a5592bf6fef2ec45aeb62e269ce0759b150accfc77a94a28423c833b4ad0fbec6a7e0a4132a2b152a538

\Program Files\Java\jdk1.7.0_80\bin\jstack.exe

MD5 095d24917473c666b8906e45852378f7
SHA1 2ca5842715ad03982eb9094786832775926e4b4d
SHA256 3289a0fb8c701e7eae9fc792329c0eff6cd2a42ffbf1845f4e630a3e1a019529
SHA512 fba9fe4ca6498c9fcf0d251906b537286f2e7bdb2399293c71f9b0bce379c2684da14212231535a81889928fcbe0adf7354bc83e272a3f6d9082f125494cc50c

\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe

MD5 da1c77dc8b88afc927144ac6814ffecc
SHA1 ff50b5fefd7275f3972f2e3f228384816fe22e63
SHA256 78d50c2ca489676456b3a0ccd1696dda0f1e1e144baacd26cdbc472869578b30
SHA512 02fbc972c889a71947b2671bcc7e22f9a0edce3e0462f332753d974d73035315aef7b4ae1069e309aa560f98065b792447b2ef8f1e8be1874969de916b2f3e25

\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe

MD5 c77fa8599058f2f08f6f028ad1ba3d29
SHA1 ea42e7eed011b8b71f32d4d47827a5b56198d134
SHA256 db2beff59876773d223f4813c05c65a1e582604c420ae6d7f6f3844a0a060398
SHA512 f2834be1925ca448884877e7236d2febb72190ebf43a2dab29a76b71c4976360d56df17879966ec74c60b3d62dadd81d577e3034961ed64418c0300f9710f43f

\Program Files\Java\jdk1.7.0_80\bin\jps.exe

MD5 4ce9dbe70ae911f1fef704e2c5594214
SHA1 3431c1d6fa21e04e79f0b2f48cd30b037ab009cb
SHA256 e45733934ff8c01f79a98ea2fd6b2a78fc5f0164e5d4fea7aef5119c7218a5fd
SHA512 291420138d84108ebbb8f3dc81bc4595206144b8eac0a459ae63754aa137a3d6789330dc764c6dafb5cecc76908166d93cccaecbcb3987d4cbba662980ee6359

\Program Files\Java\jdk1.7.0_80\bin\jmc.exe

MD5 c8db7998995218d59addc586ce9679d6
SHA1 694f18eef5aa6dfe1aa607ad5a08980f9656ed07
SHA256 e3712cd917e4d41696165a98233443d63dbfb28560967de92ca4e707c50d7df2
SHA512 ba7bdfae350c4b98067a2875295a20fbee1b7e9cb1f1afde1a299ca1b8d6aab3996dec59119cd83214461018e5e4ff91894ad3f0e909359382cf5183811d3d12

\Program Files\Java\jdk1.7.0_80\bin\jmap.exe

MD5 30989429490b9ccbde4fae1fc6df84e4
SHA1 64c8cf20ebb4e8dc31521f0084eb046a9e3f0500
SHA256 aa98634e3668beae535738d25c2094a7ef0d855ebd9d945b484368f9e543bc0d
SHA512 9a78ed9cd8dcf333ea240ff309e24a2e5de39bbeba4e9291b55d51fdbc10ee672c674a9f4393b13819562a0d9bc99667eb03519cefed0218444874f15729eefe

\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe

MD5 f499825b88d200d9348b5f97ff297ec7
SHA1 366adce5911c160fa26d6fdb4d65af357cf0e3bc
SHA256 8b2d599efa66da695e503b480f355fc5f22347fcf5c294100abaeb3e9a20c1f6
SHA512 3017bf630ba53ee0855d1e657df197732e4fe2fa6455fabad2085e5a24918589d487362fc2819fff85b3fcf7e684376d4b7a5bbc6e71ea57cc62ab397a87dba9

\Program Files\Java\jdk1.7.0_80\bin\jhat.exe

MD5 1dbd51882c2b82a5496106c31db425f1
SHA1 f47bee48a7d0da0c4930cccc6fe7a8d8600d4b05
SHA256 659fecc81e846405613c2080ac81a567df17c97449a9c2ba179ac216280223db
SHA512 81418b0510b58f782b843312069842aeeede8d35feb8f393807169398464896f281dc13bc82d51279a07adfbe97758b82143218cf9a56d653b3a9d11da62f50f

\Program Files\Java\jdk1.7.0_80\bin\jdb.exe

MD5 0b5681808a793728fc658f1e9b94ec52
SHA1 05763b10f153447edcc08afeeeee71fa2f221033
SHA256 d18fab0d0e24e8f1d9551e2667f6b2c34fcd75232c39e85ce50660588174079f
SHA512 65e64980a30285b29888b9eeb66ec1c27c98a15effd67d761c3c62358e3ec008fbda61feda4fada8f9af8bce740b8f38236495c6f1b274d98c14209cd56b414c

\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe

MD5 805f6272e5e3a80aac3540cc5b42b08e
SHA1 437bee3476647f7b55a49630cb86ed4befc34293
SHA256 910dbe44d17bd60a295a956e98e18347080cc879ed7ef7241cd2d0edfc060551
SHA512 319f8f50dfca4adf148edf878fa7c83bc6e4f1053da0c7d412645fcae9c63e67b838c876838805d9a33b28067947d3844479c9ddab11eb9e760b9df285f27041

\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe

MD5 36e8cb42bbfc16e1395a88d183caed83
SHA1 ca1c513aaa7d49adfe0f43ceec81e6d0c0ae67d8
SHA256 40ea55ebd7ef975135dafffb396871a8ab728abc24b42eaab76f08859994e996
SHA512 f7620b06a5d43d21a0d492b66b0e5bacea6918f1490fb0504e9440524b7ef02ba83d2ae3c2211113b478b8325a3a6b6c8f65939ef5a01b835451cce2e72de00f

\Program Files\Java\jdk1.7.0_80\bin\javaws.exe

MD5 bf91501c9b39c728ade2cf3788b647c8
SHA1 fbcb53c4ca9836f5bbfbb2b63e7a1a00a6bf10c6
SHA256 d602330327fd3630d625c9023131fd2318f677c67aa421631b8a4080dba38578
SHA512 01a6639a580bd418cc4d1dd2bd8794f356c08b6f7fa801245e9200c883d32c6b103aeac2615195868a8e63e3515911de2a9afcced21f62fc41edefdd0a66001c

\Program Files\Java\jdk1.7.0_80\bin\javaw.exe

MD5 0266d98252b6beee2e842d5e876031a8
SHA1 8d57c6d94835ac6b1b0f9a657af6baa4be25779d
SHA256 c5d59069dcaf86222c9c189c8ba8932ced66ab77b4baad485e1f0ac715e6037c
SHA512 7eebbff75a67a0408ff2f507d9f1b387dcfbe6765ccd4247fd78a64c2ea6090e88fd30f561e30f48bc107dd9378364fd18dba4ea22eedee76a1f993fbb1e9f32

\Program Files\Java\jdk1.7.0_80\bin\javap.exe

MD5 95cf3bf094a35c9e7434bc402c09630c
SHA1 2b4d21ee55666f0664a644ec443502a942b9e7d4
SHA256 4973b97a274648d53977499891b919f98684fdbebce10751d71ce4d2754f6622
SHA512 09db399afec354ab699701f4196e93178db613421beda9e695bc36414698f83084d05b70595d2b31fe2a0d757ba98640f7e3953defb8dd71df03e4c01391fe8e

\Program Files\Java\jdk1.7.0_80\bin\javah.exe

MD5 8ffd9b7406e8aecf1d6117606d2bd149
SHA1 edf1f0f2f1024cd0fb6b39dadca251c99ccdedcc
SHA256 dd6b65e78cb194055494bbb7736ef917d3d6da1863567afe50b8abfc8e51267d
SHA512 ee54a1bec20608477053e87c641cc59dfe3c5a77061395c9d41759c3c559d6d5e8761b75327f3a05e62c602031650ec0be375a1b2235a944048ab340efce7397

\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe

MD5 cace8f27a66ffec4f9823aa258c307a9
SHA1 dc515d29aa43d2b6b7e157f05e97e87d5f785884
SHA256 3cf626dac6e91a03f688bf5ab674871a3e0411314f261bb2c69346a1c46bc733
SHA512 4a5d5b564bd483e1949826d388e41c63a7b056236c5972c76721fd98c9b704a79622ed4c1b045080e4470340a9953595df955148999e15677f0e38e529a6a5f7

\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

MD5 516f6320ae4d755b9ea0c7c8347f5801
SHA1 bfce7c2869725ec8f327b083be57d20671fcb2a2
SHA256 9e696aa5772e8cba27545b47b00be4a3b8fc888f8c83ca11939b753850feab14
SHA512 0e12bc2f01f2897df41e56cee150177a3cc09ca5e889b61fcb9dbe07391a6f2537454401a2ca2ad93c652303a8e5782fd9860ca83734401393e314570175a6f0

\Program Files\Java\jdk1.7.0_80\bin\javac.exe

MD5 000b77a2ed92887856174641dfb6f485
SHA1 7872d9768f3a4b0601b91bd0b55f08c8992819e6
SHA256 1100a8d298426491aeb34288f7d6e600622f2d94fc01bfeb093fcea3ac32a8e4
SHA512 cec8642269bee8162b8d317ba61777b4005cb2dae8e9837bfd336bc6fd633066cd52b878160f4496113c147a7d0374619367e9bb451e82f7a5a39f0db3fde152

\Program Files\Java\jdk1.7.0_80\bin\java.exe

MD5 641b4ed6ab90a6f52ee512ea88a64cd1
SHA1 28d014900accc98e6089d83d0b2a8cb8735ed101
SHA256 13590945a04037dfd15d61166e0771682c7809674fca42f53fdb3afdcbe21410
SHA512 00a588556196e305dbf1714e573a5c5516c2988356b984a7284ba017a78bacb8d576b590da35be40171d6dca73580c5b9ab06808c7246c2e13c8d9b816f2ca09

\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

MD5 a5f4cccc602a42b4ddbd8acbcf34f158
SHA1 5f26277884b2f6cdac26267f9b582ac5a5d21b08
SHA256 2d9044e9265fc09680d5f0c054c4ccac7d8d14b3a4a42e803a2097108e0f1acc
SHA512 3cb0d0028468edb1687c6142ce3ed6b594428bd209bf8b85ab2315e7992af12c4d622f26e652d6be0718d51d0d6a171c0a881b36d2e67a199998442e91621149

\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

MD5 2f7770a34bb22b99f8f6966851331d82
SHA1 2a2860cde1482df656544e1983e957f815be4193
SHA256 f873c02b69408f905c2c0b35b188d2c0b0a7cccc98a59d18dd0c297f761d2ef7
SHA512 8611f8bace081711d6f5dcd41177f594314970c5b2f328755027383e4ad2a239bbd85e0cedf6d1a76d9d1f54afbd340c9bd4ab119bb87cfd5a11149a0cb71dfc

\Program Files\Java\jdk1.7.0_80\bin\jar.exe

MD5 3eeb342d48cfaa4c568a93ffdfc847d0
SHA1 ed5fd565c4a1867ca554314f038fc20c7de01b90
SHA256 29e65344e34c2354da05e8de64b106aa0ec99d8c5c22b58797d0047e227879ff
SHA512 db5b84233d40139c44cb8fd1a43e1c8a41c967358641e1488cc19474a8de381c5aa2c84f61b10d69d019f0d7170177cccea47ce9460d409a480c8537232a2ef0

\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

MD5 502e87232756dfacda7d1686d4bc9ea4
SHA1 6e40897d0a957783b8b88f2a6487dba028954b22
SHA256 d230ada81f3add58fd8a646d25b8f25fe6271b3eed5edef9fdc8945baabd5631
SHA512 96366e76942f6da30c02e9f6cf7cdf0cb7550455c8cbaaae7358d15a2258e1f0b2bfa960d52cb774039f2070dc8c383c3df187805f4910d40601b853e4309d9b

\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

MD5 26b70aa2ab871a72a3fd30829f2f1f29
SHA1 73934bad6bf5ca22484a88e1a4b1263ae278c419
SHA256 4e11bf944fb0a34c5cf1871fec3c8f7473e1944642cadf89a86db2eed874d35f
SHA512 40cacfff6c7f47aa0703e8cb3186f8bacbff1d56dc0547d67c44e716fc0d28705995a439a88a02ce8a262628b33cf2f6ec6f0586cdc2fc86597e3da4fb6a1d84

\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

MD5 1cb4c95888edfdedb61628680fffd415
SHA1 3336670c701c61bb8062d7620c4244dbc01756d1
SHA256 182d8ab5ec2ee2ec57d60c2d2d75df6c852810e74c50289aa9c2c99a6b050fc6
SHA512 24c8c05baef516fba5aa763c0abc603065a75e5816501c713b24ec8baddad4fc290b3973dad89ac65f09d0277c2fa72d8b00f0eb2871170dbd89a8d9062bacf3

\Program Files\Java\jdk1.7.0_80\bin\apt.exe

MD5 407d2d7dab36cdea871d4c6b9c62b258
SHA1 86cd158ad810c6772c22a5799c7acf4b9d7c9f57
SHA256 3c040679ea4be0cc5ca20c9f24caf6c13d3002560347e7446dc963b611523bd9
SHA512 dcdb53a3ca2a3637216a9d8133d1dbda336a6d3a98c6b956af42f94adbc136dc5a0245e87512d0314f23dbf3cab4900bc40ac13c79ee93a677d93a89e0cd9e17

\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

MD5 c9aaf1247944e0928d6a7eae35e8cdc4
SHA1 af91d57336d495bb220d8f72dcf59f34f5998fd3
SHA256 05b153ba07dc1a262fb1013d42bfc24d9000ce607f07d227593c975cdf0bb25b
SHA512 bf3bc64135810948626105a8f76dc4439e68ee531f20d901c3082ae2155f2ea35f34d408de44b46ede61ded832fcc61ac1cb9719e432f0f07b49479c95847e51

\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

MD5 2161730a7ae00a1fb8c5020a43be949f
SHA1 8db6b820472cdfa266c874e0d3a9395412995aa1
SHA256 07e7896b2304e3b9966294a02d2ed32f41994ee7bd0a284e4160743edaeb9e15
SHA512 aa3659b6184f4273b7fcf1f7d2cd0a5a9129b8856d15e4ca8904b709e85cd432538ce0510ca9777760a1a9d5391671232a79908860e7d665260a54910f6fea5a

\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

MD5 81664a918656ecd5e8eca90cedba1150
SHA1 580d0eb98bb2c838ff89eb54efd86535ee8882f6
SHA256 2f664c756727c321a3a0fb6c6e68842ca1a5f20575a02312ea10675dbd5dc40e
SHA512 7a211a01c674aaa5e8052dd339b412892c452309b651e835f0b8e27f15ee3fed42c58f43910a202150ca90704f522499deb7bca055451f1e6c8515b2d491df3d

\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 ec6386b63c3a5ffe0577905e94262c3a
SHA1 8f8c428d0e7f32c9d733ca28384ded413a060588
SHA256 302c968ab3e1227d54df4e72f39088d7483d25eeb3037f0b16bc39cef2728fa4
SHA512 ddbefb759858493de1f9d7addc6ff4488c8be3164374e0a88c3cbe97751510005dfe6d91c5499fcbdc35aa33a8eda2d45591a66e54ab9462277dc833faef77c3

\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

MD5 527e039ba9add8a7fac3a6bc30a6d476
SHA1 729a329265eda72cada039c1941e7c672addfc19
SHA256 4b8a72fc81b733ed2e6e70d4c5401f954002783dbf14927849ad579860780b94
SHA512 9e73e14e33a5f07a87e9c1fecfdaee09d1408471052aacfde3d1e877dad4d253b525ebefca6bddabc23cf81d8dcce0785aedcc2f135d171ecbb1feaeb922c449

memory/2972-191-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2488-192-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2488-194-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2972-196-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2488-197-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2488-199-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2488-202-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2972-201-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2488-204-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2972-333-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2488-334-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2972-359-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2488-360-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2488-361-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2488-362-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2488-363-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 23:12

Reported

2024-10-25 23:14

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SOS = "C:\\Windows\\SOS.exe" C:\Windows\SOS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\SOS = "C:\\Windows\\SOS.exe" C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SOS = "C:\\Windows\\SOS.exe" C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\SOS = "C:\\Windows\\SOS.exe" C:\Windows\SOS.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\RdpSaProxy.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\at.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\InfDefaultInstall.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\runas.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesProtection.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\ByteCodeGenerator.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\CloudNotifications.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\extrac32.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\lodctr.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\TsWpfWrp.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\comp.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\finger.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\ieUnatt.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\net1.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\sdbinst.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\TpmInit.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\userinit.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\RmClient.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\cmstp.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\dialer.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\dtdump.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\eventvwr.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\fsquirt.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\mavinject.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\PING.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\grpconv.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\ipconfig.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\tcmsetup.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\wscript.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\colorcpl.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\efsui.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\mshta.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\relog.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemUWPLauncher.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\ThumbnailExtractionHost.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\ttdinject.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\CheckNetIsolation.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\provlaunch.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\RpcPing.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\wextract.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\EaseOfAccessDialog.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\GameBarPresenceWriter.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\hh.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\perfmon.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\setupugc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\upnpcont.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\wscadminui.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\dplaysvr.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\find.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\powercfg.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\calc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\chkntfs.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\cipher.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\mspaint.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\wecutil.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\wowreg32.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\icsunattend.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\InputSwitchToastHandler.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\SysWOW64\logman.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Windows Media Player\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{4E6AEEAD-B62E-4CF8-80E5-2A66138AEFDE}\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\wabmig.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\wordpad.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoia.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-commandlinehelp_31bf3856ad364e35_10.0.19041.1_none_8a1c4327a89528e3\help.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.1_none_37ab35f7e4b21a45\PrintBrm.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_40b989c5d3ea9316\f\sethc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_ffd303094ff1fe66\f\auditpol.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-hns-diagnosticstool_31bf3856ad364e35_10.0.19041.1_none_5c015a65c60d8097\hnsdiag.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..tegrity-diagnostics_31bf3856ad364e35_10.0.19041.985_none_4a26c2c5164ad5c7\r\CIDiag.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.19041.153_none_70cb6ca43c818606\cmdiag.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.264_none_876d2c71ceefefbb\iissetup.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..cymanagerbrokerhost_31bf3856ad364e35_10.0.19041.746_none_5cc81a54cf095c95\EASPolicyManagerBrokerHost.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\r\rstrui.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-s..opertiesperformance_31bf3856ad364e35_10.0.19041.1_none_1b1c6505d69885a4\SystemPropertiesPerformance.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_10.0.19041.746_none_251e769058968366\f\Dxpserver.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.84_none_b5c0f628d1d661eb\f\Narrator.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.84_none_b5c0f628d1d661eb\r\Narrator.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-runas_31bf3856ad364e35_10.0.19041.1_none_15d956c7fccae922\runas.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..player-shellpreview_31bf3856ad364e35_10.0.19041.1_none_768ee0b51294e72b\wmprph.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-openwith_31bf3856ad364e35_10.0.19041.746_none_4b1a1978d1832a5f\OpenWith.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..ebviewhost.appxmain_31bf3856ad364e35_10.0.19041.264_none_e85c49c0793f9f24\Win32WebViewHost.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\f\SpeechModelDownload.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-g..ation-wincomponents_31bf3856ad364e35_10.0.19041.1_none_51b7888297a3c04e\LocationNotificationWindows.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.84_none_ffbdc333a0778274\hvsirpcd.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_networking-mpssvc-netsh_31bf3856ad364e35_10.0.19041.1151_none_23c0aa3b7bd960cd\CheckNetIsolation.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-r..sistance-dcomserver_31bf3856ad364e35_10.0.19041.1110_none_a4bfcaa32abfcf0e\r\raserver.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_10.0.19041.1_none_15114cf4ffe3136a\cmdl32.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\poqexec.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.19041.1266_none_14b8c34dbc1df417\r\runexehelper.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1081_none_5500d10e49b43346\f\ByteCodeGenerator.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.19041.1266_none_07a5d18b92d8b668\r\cmdiag.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-control_31bf3856ad364e35_10.0.19041.1_none_59b1b1137e3c1ce3\control.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.1_none_4eca52bc837e6422\BackgroundTransferHost.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-sctasks_31bf3856ad364e35_10.0.19041.906_none_72b8b02e4865ebca\schtasks.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.264_none_9b436d497f039d6d\smartscreen.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-servicing_31bf3856ad364e35_10.0.19041.1237_none_9ad73d125ac89655\r\bfsvc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-com-dtc-runtime_31bf3856ad364e35_10.0.19041.1_none_cf441068ff6081fd\msdtc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-ngc-trustlet_31bf3856ad364e35_10.0.19041.423_none_c3eac275ecdf7e0a\f\NgcIso.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\f\TSTheme.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\notepad.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.746_none_8457b34a3423f6d0\perfmon.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-r..sistance-dcomserver_31bf3856ad364e35_10.0.19041.1110_none_af1474f55f209109\f\raserver.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_windowssearchengine_31bf3856ad364e35_7.0.19041.1151_none_f68db62a3702882b\r\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_4.0.15805.0_none_faee98a3c711fae7\AddInProcess32.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.264_none_40d14f6c04397868\agentactivationruntimestarter.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-server_31bf3856ad364e35_10.0.19041.264_none_3f30ef10158954bf\r\CustomInstallExec.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-r..ckgroundmediaplayer_31bf3856ad364e35_10.0.19041.1_none_7c2bba0f7ddd8c61\Windows.Media.BackgroundPlayback.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-calc_31bf3856ad364e35_10.0.19041.1_none_5faf0ebeba197e78\calc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..essagingcoreservice_31bf3856ad364e35_10.0.19041.1_none_98fad53f878bc04c\mqsvc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_wpf-xamlviewer_31bf3856ad364e35_10.0.19041.1_none_0bff5a051c4a690a\XamlViewer_v0300.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..extservice.appxmain_31bf3856ad364e35_10.0.19041.1_none_04930b2bd1f9871f\Microsoft.AsyncTextService.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-icm-ui_31bf3856ad364e35_10.0.19041.1_none_f049c4ee402ced19\colorcpl.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1_none_bf506ecc66a800df\TiWorker.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_networking-mpssvc-netsh_31bf3856ad364e35_10.0.19041.1151_none_23c0aa3b7bd960cd\f\CheckNetIsolation.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_security-octagon-broker_31bf3856ad364e35_10.0.19041.546_none_380485edeba9f4c4\f\SgrmLpac.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_be8a8ad4892e651d\f\printui.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_10.0.19041.1_none_b22e8a4512f5879a\WFServicesReg.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\CExecSvc.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-onecore-c..periencehost-broker_31bf3856ad364e35_10.0.19041.746_none_1ce3c0f12fb5f8ec\r\CloudExperienceHostBroker.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..s-datausagehandlers_31bf3856ad364e35_10.0.19041.746_none_dbecc8a3cdc7c3cf\r\DataUsageLiveTileTask.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_10.0.19041.264_none_39a33f9dfdb389ae\slui.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\msil_inspectvhddialog6.3_31bf3856ad364e35_10.0.19041.1_none_7dca23f8be8c25d6\InspectVhdDialog6.3.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.82_none_2dad4b68cbfd8794\FlashUtil_ActiveX.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-autofmt_31bf3856ad364e35_10.0.19041.1266_none_650ebab5a8c02ffc\autofmt.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2 C:\Windows\SOS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2\WinX = "1" C:\Windows\SOS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2\NowCount = "0" C:\Windows\SOS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe N/A
N/A N/A C:\Windows\SOS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3616 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.tmp
PID 3616 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm
PID 4388 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm C:\Windows\SOS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe

"C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.exe"

C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.tmp

C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.tmp

C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm

C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm /zhj

C:\Windows\SOS.exe

C:\Windows\SOS.exe /zhj

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

memory/4636-6-0x00007FF6AA4A0000-0x00007FF6AA534000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.tmp

MD5 69fec6fed212a3a310230606f4d4e9ce
SHA1 89573c0cd4933e59a0e49679246b96b34dd51b44
SHA256 6ab14e409d9d4910971d7edf973b5c25a269b50bdfc504754a127ff12e3ade8b
SHA512 964d9278a1b94792f73eb6bd8700dcc58d3a32153554390eb6f32b3525e63243905ffdeed6268b28690148e33d29fcd00fb39209580ad89581655acbad0d1497

C:\Users\Admin\AppData\Local\Temp\e13acc8511ff9e1ba309e6aeb8c468da19ff3f5469c897ef57f02d30b4206c71N.mm

MD5 48b17bcfbb1f261bdde044c7bf9c2bfc
SHA1 78cb33875ec8044d2bc9ea84bc6f375a594e8aa6
SHA256 204c6911b552609537412f935d2391726c6db09cf718ae1e0094d65b241a0329
SHA512 b7d9a99092604b466d138828d6881dea562735990625d46262a3f48ddec75387a95ae7e0586292aa623f6efbfc5d170295347c3f5af9a9b78bad5043e09518c0
