Malware Analysis Report

2025-04-03 13:01

Sample ID 241109-1x5ykstbrc
Target 1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N
SHA256 1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437
Tags
aspackv2 discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437

Threat Level: Shows suspicious behavior

The file 1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N was found to show suspicious behavior (score 7/10).

Malicious Activity Summary

aspackv2 discovery persistence spyware stealer

Reads user/profile data of web browsers

ASPack v2.12-2.42

Adds Run key to start application

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:02

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:02

Reported

2024-11-09 22:04

Platform

win7-20241023-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\timeout.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\logman.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\sbunattend.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\grpconv.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\lodctr.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\mcbuilder.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\SndVol.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\wuapp.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\shared\IMCCPHR.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\autoconv.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\upnpcont.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\mountvol.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\TpmInit.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\ctfmon.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\ftp.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\UserAccountControlSettings.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMETC10\IMTCPROP.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\WMIADAP.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\clip.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\DWWIN.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\fsutil.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\openfiles.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\powercfg.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\print.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\certutil.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\sdchange.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\vssadmin.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\OptionalFeatures.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\relog.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\wermgr.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\eudcedit.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\NAPSTAT.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\msfeedssync.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesProtection.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP10\IMJPDCT.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\eventcreate.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\prevhost.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\recover.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\WSManHTTPConfig.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\autochk.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\icsunattend.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\regini.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\tasklist.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\userinit.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\AdapterTroubleshooter.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\control.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\certreq.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\cmmon32.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\dvdupgrd.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\rrinstaller.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\sfc.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\TapiUnattend.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP10\IMJPDSVR.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\attrib.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\wecutil.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\makecab.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\ndadmin.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\TRACERT.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\typeperf.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\Java\jre7\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\misc.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\Java\jre7\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{06715A9D-70D2-4C5C-9F8A-D2392905D83D}\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-eudcedit_31bf3856ad364e35_6.1.7601.17514_none_b7be8a14d61db17a\eudcedit.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\WsatConfig.ni.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\LoadMxf\d09b54cd68bc772b3be3832926e940d4\LoadMxf.ni.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-diantz_31bf3856ad364e35_6.1.7600.16385_none_02bb0612dc529329\diantz.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-isoburn_31bf3856ad364e35_6.1.7601.17514_none_4458ac8eafdacbdd\isoburn.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_fa8534ab236134c4\mfpmp.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-security-secedit_31bf3856ad364e35_6.1.7600.16385_none_0adc1fc1cb6f944b\SecEdit.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..l-inboxgames-hearts_31bf3856ad364e35_6.1.7600.16385_none_4ffeefd67d89d45b\Hearts.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_6.1.7601.17514_none_e46b048a01806891\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-net-command-line-tool_31bf3856ad364e35_6.1.7600.16385_none_ae2743278c281682\net.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_6.1.7600.16385_none_f8a40495785334a9\PrintIsolationHost.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.7601.17514_none_3eb101caec1acc2c\ie4uinit.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\iisreset.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ocsetup_31bf3856ad364e35_6.1.7601.17514_none_41a3376575e751b4\ocsetup.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\f4a88265ac4ad47978daef8c5482fd30\MSBuild.ni.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104\sdbinst.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\migwiz.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\reset.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\WsatConfig.ni.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5023a70bf589ad3e\regedit.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tpm-adminsnapin_31bf3856ad364e35_6.1.7600.16385_none_d3720895f8f22acd\TpmInit.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\Speech\Common\sapisvr.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-telnet-client_31bf3856ad364e35_6.1.7600.16385_none_1426830c3ebb712d\telnet.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\c899de3549784161aa66610d5735e4f0\ehExtHost32.ni.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-ielowutil_31bf3856ad364e35_11.2.9600.16428_none_e8cd1f348648ebd1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-convert_31bf3856ad364e35_6.1.7601.17514_none_fafb502abef1be40\autoconv.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-directx-directplay8_31bf3856ad364e35_6.1.7601.17514_none_d6fc8d83d55eb77c\dpnsvr.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-netcfg_31bf3856ad364e35_6.1.7600.16385_none_6c23cd5f6b2a8dbc\netcfg.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ping-utilities_31bf3856ad364e35_6.1.7600.16385_none_052696aea98bcefc\PATHPING.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_6.1.7601.17514_none_bd4644e077251730\cmstp.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..nboxgames-solitaire_31bf3856ad364e35_6.1.7600.16385_none_d1124c00155dfd14\Solitaire.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tasklist_31bf3856ad364e35_6.1.7600.16385_none_843823d87402ab36\tasklist.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_6.1.7600.16385_none_31db018394805d6b\TSTheme.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-icm-ui_31bf3856ad364e35_6.1.7600.16385_none_964da911ba806d45\colorcpl.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..up-drivepreparation_31bf3856ad364e35_6.1.7601.17514_none_ff178cca7f9d03eb\BdeHdCfg.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_6.1.7600.16385_none_1ddd261c4e350476\upnpcont.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\ehome\Mcx2Prov.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.1.7601.17514_none_ab379671230b963f\bitsadmin.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-services-ehrecvr_31bf3856ad364e35_6.1.7601.17514_none_1b8f8373383de46a\ehrecvr.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ftp_31bf3856ad364e35_6.1.7601.17514_none_0b11635f6f2987f7\ftp.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_6.1.7600.16385_none_c50af05b1be3aa2b\powershell.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-snmp-evntcmd_31bf3856ad364e35_6.1.7600.16385_none_14f9b9481db6293b\evntcmd.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe

"C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe"

Network

N/A

Files

memory/2124-0-0x0000000000400000-0x000000000040D000-memory.dmp

C:\905c0769f9a06c95a24ddf945\patcher.exe$

MD5 0b98265acb96312a21cc9f6cd08ed0d0
SHA1 f834054fdd8a6ccd7a91adcdb6e3b287f9effa30
SHA256 1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437
SHA512 f370b46c27af4ced2e7d74f9a05f09e02fda64ce2127bccfcabccdfb4b0286fad26f3202dd11c268f1733e29dfe3717cf62e78a9d079abe437b4a3071b547482

memory/2124-846-0x0000000000400000-0x000000000040D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 22:02

Reported

2024-11-09 22:04

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\fc.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\Fondue.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\iscsicli.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\prevhost.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\CredentialUIBroker.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\dllhst3g.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\dvdplay.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\dxdiag.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\RmClient.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\wiaacmgr.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\Register-CimProvider.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\UserAccountControlSettings.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\calc.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\dfrgui.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\Magnify.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\regini.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\ROUTE.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\SHARED\IMEPADSV.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\fontview.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\PickerHost.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\RMActivate_ssp.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\RMActivate_ssp_isv.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\shrpubw.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\shutdown.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\TSTheme.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\cmstp.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\fsutil.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\RdpSa.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\RdpSaUacHelper.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\verifiergui.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\srdelayed.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\WWAHost.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\sdiagnhost.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\attrib.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\dllhost.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\PATHPING.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\quickassist.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\sethc.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\systray.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\eventvwr.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\RdpSaProxy.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\replace.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesHardware.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\waitfor.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\control.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\find.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\proquota.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\SyncHost.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\runonce.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\appidtel.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\cacls.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\forfiles.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\mspaint.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\wusa.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\GamePanel.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\regedt32.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\setup16.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\w32tm.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\rasautou.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\TCPSVCS.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Windows\SysWOW64\wscadminui.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\wabmig.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe$ C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A

Drops file in Windows directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe

"C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe"

Network

Country Destination Domain Proto

Files

memory/1592-0-0x0000000000400000-0x000000000040D000-memory.dmp

C:\905c0769f9a06c95a24ddf945\patcher.exe$

MD5 0b98265acb96312a21cc9f6cd08ed0d0
SHA1 f834054fdd8a6ccd7a91adcdb6e3b287f9effa30
SHA256 1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437
SHA512 f370b46c27af4ced2e7d74f9a05f09e02fda64ce2127bccfcabccdfb4b0286fad26f3202dd11c268f1733e29dfe3717cf62e78a9d079abe437b4a3071b547482

memory/1592-27-0x0000000000400000-0x000000000040D000-memory.dmp