File name:

CustomCursor.exe

Full analysis: https://app.any.run/tasks/cd011d08-7bef-44ec-9c43-fb1c44531fb2
Verdict: Malicious activity
Analysis date: May 17, 2025, 05:37:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
neshta
auto-reg
delphi
inno
installer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

09C7434DB23341FD6CB372B6FA96BF87

SHA1:

66D494381846A19DE8BE21FF7E941B4109588F86

SHA256:

AB6F13D72795266E785C34D05C9F244344607AE0B2C31413DAA60C9FE0126A77

SSDEEP:

98304:xXcwoqZ8fju8wSuBMm5lhwUoNpYxadZEHAQCdxxYl1opJNoSE0bEKx4YzZ62de7a:lUPSk8840dvZZl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NESHTA mutex has been found

      • CustomCursor.exe (PID: 7568)
      • customcursor.exe  (PID: 7748)
      • svchost.com (PID: 8076)
      • customcursor.exe  (PID: 8096)
      • svchost.com (PID: 8168)
      • svchost.com (PID: 7208)
      • customcursor.exe  (PID: 7184)
      • customcursor.exe  (PID: 8188)
      • svchost.com (PID: 7240)
      • customcursor.exe  (PID: 7220)
      • svchost.com (PID: 4180)
      • customcursor.exe  (PID: 1116)
      • svchost.com (PID: 680)
      • customcursor.exe  (PID: 4560)
      • customcursor.exe  (PID: 5892)
      • svchost.com (PID: 5640)
      • svchost.com (PID: 1228)
      • svchost.com (PID: 1512)
      • customcursor.exe  (PID: 5124)
      • customcursor.exe  (PID: 4120)
      • svchost.com (PID: 5972)
      • customcursor.exe  (PID: 7360)
      • svchost.com (PID: 7488)

    • JEEFO has been detected

      • CustomCursor.exe (PID: 7712)
      • icsys.icn.exe (PID: 7772)
      • explorer.exe (PID: 7796)
      • svchost.exe (PID: 7856)

    • Changes the autorun value in the registry

      • explorer.exe (PID: 7796)
      • svchost.exe (PID: 7856)

    • Executing a file with an untrusted certificate

      • FileCoAuth.exe (PID: 4488)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • CustomCursor.exe (PID: 7568)
      • customcursor.exe  (PID: 7748)
      • customcursor.exe  (PID: 8096)
      • customcursor.exe  (PID: 8188)
      • customcursor.exe  (PID: 7184)
      • customcursor.exe  (PID: 7220)
      • customcursor.exe  (PID: 1116)
      • customcursor.exe  (PID: 4560)
      • customcursor.exe  (PID: 5892)
      • customcursor.exe  (PID: 4120)
      • customcursor.exe  (PID: 5124)
      • customcursor.exe  (PID: 7360)
      • customcursor.exe  (PID: 7420)

    • Mutex name with non-standard characters

      • CustomCursor.exe (PID: 7568)
      • customcursor.exe  (PID: 7748)
      • svchost.com (PID: 8076)
      • svchost.com (PID: 8168)
      • customcursor.exe  (PID: 8096)
      • customcursor.exe  (PID: 8188)
      • svchost.com (PID: 7208)
      • customcursor.exe  (PID: 7184)
      • svchost.com (PID: 7240)
      • svchost.com (PID: 4180)
      • customcursor.exe  (PID: 7220)
      • customcursor.exe  (PID: 1116)
      • svchost.com (PID: 680)
      • customcursor.exe  (PID: 4560)
      • svchost.com (PID: 1228)
      • customcursor.exe  (PID: 5892)
      • svchost.com (PID: 5640)
      • customcursor.exe  (PID: 4120)
      • svchost.com (PID: 1512)
      • customcursor.exe  (PID: 5124)
      • customcursor.exe  (PID: 7360)
      • svchost.com (PID: 5972)
      • svchost.com (PID: 7488)

    • Executable content was dropped or overwritten

      • CustomCursor.exe (PID: 7712)
      • icsys.icn.exe (PID: 7772)
      • explorer.exe (PID: 7796)
      • spoolsv.exe (PID: 7828)
      • customcursor.exe  (PID: 7748)
      • CustomCursor.exe (PID: 7568)
      • FileCoAuth.exe (PID: 6964)
      • customcursor.exe  (PID: 1748)
      • customcursor.exe  (PID: 8892)
      • CUSTOM~2.tmp (PID: 8824)

    • Starts application with an unusual extension

      • CustomCursor.exe (PID: 7712)
      • OpenWith.exe (PID: 7976)
      • svchost.com (PID: 8076)
      • svchost.com (PID: 8168)
      • customcursor.exe  (PID: 8096)
      • customcursor.exe  (PID: 8188)
      • svchost.com (PID: 7208)
      • customcursor.exe  (PID: 7184)
      • svchost.com (PID: 7240)
      • customcursor.exe  (PID: 1116)
      • customcursor.exe  (PID: 7220)
      • svchost.com (PID: 4180)
      • svchost.com (PID: 680)
      • customcursor.exe  (PID: 4560)
      • svchost.com (PID: 1228)
      • customcursor.exe  (PID: 5892)
      • svchost.com (PID: 5640)
      • customcursor.exe  (PID: 4120)
      • svchost.com (PID: 1512)
      • svchost.com (PID: 5972)
      • customcursor.exe  (PID: 7360)
      • svchost.com (PID: 7488)
      • customcursor.exe  (PID: 5124)
      • customcursor.exe  (PID: 7420)
      • svchost.com (PID: 7344)
      • svchost.com (PID: 6244)
      • customcursor.exe  (PID: 7436)
      • customcursor.exe  (PID: 5156)
      • svchost.com (PID: 7624)
      • svchost.com (PID: 7836)
      • customcursor.exe  (PID: 7784)
      • customcursor.exe  (PID: 7980)
      • svchost.com (PID: 8040)
      • svchost.com (PID: 5384)
      • customcursor.exe  (PID: 1328)
      • customcursor.exe  (PID: 2552)
      • svchost.com (PID: 4188)
      • customcursor.exe  (PID: 7684)
      • customcursor.exe  (PID: 8176)
      • svchost.com (PID: 6620)
      • customcursor.exe  (PID: 7188)
      • svchost.com (PID: 6044)
      • customcursor.exe  (PID: 7228)
      • svchost.com (PID: 4980)
      • customcursor.exe  (PID: 6404)
      • svchost.com (PID: 1628)
      • svchost.com (PID: 8100)
      • svchost.com (PID: 1088)
      • customcursor.exe  (PID: 2236)
      • svchost.com (PID: 6112)
      • customcursor.exe  (PID: 2152)
      • svchost.com (PID: 6264)
      • svchost.com (PID: 4740)
      • customcursor.exe  (PID: 7328)
      • customcursor.exe  (PID: 7428)
      • customcursor.exe  (PID: 1660)
      • customcursor.exe  (PID: 7444)
      • svchost.com (PID: 536)
      • customcursor.exe  (PID: 4920)
      • svchost.com (PID: 7692)
      • customcursor.exe  (PID: 7832)
      • svchost.com (PID: 7964)
      • svchost.com (PID: 8084)
      • svchost.com (PID: 7392)
      • customcursor.exe  (PID: 7716)
      • svchost.com (PID: 632)
      • customcursor.exe  (PID: 3896)
      • svchost.com (PID: 8156)
      • customcursor.exe  (PID: 6752)
      • svchost.com (PID: 8180)
      • customcursor.exe  (PID: 2140)
      • svchost.com (PID: 6032)
      • customcursor.exe  (PID: 8056)
      • svchost.com (PID: 7224)
      • FileCoAuth.exe (PID: 6964)
      • customcursor.exe  (PID: 4428)
      • svchost.com (PID: 1164)
      • svchost.com (PID: 5504)
      • customcursor.exe  (PID: 3888)
      • svchost.com (PID: 5728)
      • customcursor.exe  (PID: 5608)
      • customcursor.exe  (PID: 1532)
      • svchost.com (PID: 1676)
      • svchost.com (PID: 7412)
      • customcursor.exe  (PID: 7532)
      • customcursor.exe  (PID: 7696)
      • customcursor.exe  (PID: 7968)
      • svchost.com (PID: 5400)
      • customcursor.exe  (PID: 8028)
      • svchost.com (PID: 4068)
      • customcursor.exe  (PID: 5680)
      • svchost.com (PID: 7844)
      • customcursor.exe  (PID: 5984)
      • customcursor.exe  (PID: 8136)
      • svchost.com (PID: 6668)
      • customcursor.exe  (PID: 4784)
      • svchost.com (PID: 1760)
      • customcursor.exe  (PID: 2392)
      • svchost.com (PID: 6108)
      • svchost.com (PID: 8124)
      • svchost.com (PID: 920)
      • customcursor.exe  (PID: 1056)
      • customcursor.exe  (PID: 2960)
      • customcursor.exe  (PID: 7416)
      • svchost.com (PID: 7368)
      • customcursor.exe  (PID: 3884)
      • svchost.com (PID: 7464)
      • customcursor.exe  (PID: 1168)
      • svchost.com (PID: 4300)
      • svchost.com (PID: 1072)
      • customcursor.exe  (PID: 8044)
      • svchost.com (PID: 4024)
      • svchost.com (PID: 7732)
      • customcursor.exe  (PID: 6512)
      • svchost.com (PID: 6824)
      • customcursor.exe  (PID: 8164)
      • svchost.com (PID: 8140)
      • customcursor.exe  (PID: 7944)
      • customcursor.exe  (PID: 684)
      • svchost.com (PID: 7256)
      • customcursor.exe  (PID: 3304)
      • svchost.com (PID: 7152)
      • customcursor.exe  (PID: 6048)
      • customcursor.exe  (PID: 5304)
      • svchost.com (PID: 4608)
      • customcursor.exe  (PID: 5256)
      • svchost.com (PID: 2316)
      • customcursor.exe  (PID: 5552)
      • svchost.com (PID: 7476)
      • customcursor.exe  (PID: 5956)
      • customcursor.exe  (PID: 1616)
      • customcursor.exe  (PID: 7280)
      • svchost.com (PID: 2340)
      • svchost.com (PID: 7776)
      • svchost.com (PID: 7156)
      • svchost.com (PID: 6184)
      • svchost.com (PID: 1128)
      • customcursor.exe  (PID: 8104)
      • svchost.com (PID: 2420)
      • customcursor.exe  (PID: 8116)
      • svchost.com (PID: 8160)
      • svchost.com (PID: 4996)
      • customcursor.exe  (PID: 7960)
      • customcursor.exe  (PID: 2240)
      • svchost.com (PID: 5200)
      • customcursor.exe  (PID: 6468)
      • svchost.com (PID: 5344)
      • customcursor.exe  (PID: 6516)
      • svchost.com (PID: 6372)
      • customcursor.exe  (PID: 5380)
      • svchost.com (PID: 7480)
      • customcursor.exe  (PID: 6252)
      • svchost.com (PID: 3900)
      • customcursor.exe  (PID: 7148)
      • customcursor.exe  (PID: 7268)
      • svchost.com (PID: 7424)
      • svchost.com (PID: 5328)
      • customcursor.exe  (PID: 1912)
      • customcursor.exe  (PID: 7728)
      • customcursor.exe  (PID: 7636)
      • svchost.com (PID: 7720)
      • svchost.com (PID: 8032)
      • customcursor.exe  (PID: 2772)
      • svchost.com (PID: 2644)
      • customcursor.exe  (PID: 5204)
      • svchost.com (PID: 8052)
      • customcursor.exe  (PID: 7012)
      • svchost.com (PID: 6744)
      • customcursor.exe  (PID: 1052)
      • customcursor.exe  (PID: 1276)
      • svchost.com (PID: 7296)
      • customcursor.exe  (PID: 6268)
      • svchost.com (PID: 5528)
      • customcursor.exe  (PID: 516)
      • svchost.com (PID: 1764)
      • customcursor.exe  (PID: 4988)
      • svchost.com (PID: 7928)
      • svchost.com (PID: 8020)
      • customcursor.exe  (PID: 4724)
      • customcursor.exe  (PID: 1388)
      • svchost.com (PID: 6392)
      • svchost.com (PID: 7448)
      • customcursor.exe  (PID: 7628)
      • svchost.com (PID: 6940)
      • customcursor.exe  (PID: 2288)
      • customcursor.exe  (PID: 4880)
      • svchost.com (PID: 660)
      • svchost.com (PID: 6760)
      • customcursor.exe  (PID: 2852)
      • customcursor.exe  (PID: 2564)
      • svchost.com (PID: 5056)
      • svchost.com (PID: 7216)
      • customcursor.exe  (PID: 2284)
      • svchost.com (PID: 6272)
      • customcursor.exe  (PID: 5596)
      • svchost.com (PID: 7512)
      • customcursor.exe  (PID: 720)
      • svchost.com (PID: 7364)
      • customcursor.exe  (PID: 7620)
      • svchost.com (PID: 3956)
      • customcursor.exe  (PID: 8012)
      • customcursor.exe  (PID: 6828)
      • svchost.com (PID: 7200)
      • svchost.com (PID: 7500)
      • customcursor.exe  (PID: 1012)
      • customcursor.exe  (PID: 5364)
      • svchost.com (PID: 2800)
      • customcursor.exe  (PID: 496)
      • svchost.com (PID: 7724)
      • customcursor.exe  (PID: 8088)
      • svchost.com (PID: 3024)
      • customcursor.exe  (PID: 7356)
      • svchost.com (PID: 672)
      • svchost.com (PID: 7528)
      • customcursor.exe  (PID: 1600)
      • customcursor.exe  (PID: 2904)
      • customcursor.exe  (PID: 7236)
      • svchost.com (PID: 5740)
      • svchost.com (PID: 7352)
      • svchost.com (PID: 7472)
      • customcursor.exe  (PID: 5232)
      • svchost.com (PID: 7180)
      • customcursor.exe  (PID: 2064)
      • svchost.com (PID: 872)
      • customcursor.exe  (PID: 4932)
      • svchost.com (PID: 208)
      • customcursor.exe  (PID: 5164)
      • svchost.com (PID: 7768)
      • customcursor.exe  (PID: 7520)
      • customcursor.exe  (PID: 7300)
      • svchost.com (PID: 7304)
      • customcursor.exe  (PID: 3156)
      • svchost.com (PID: 3124)
      • customcursor.exe  (PID: 6988)
      • customcursor.exe  (PID: 7388)
      • svchost.com (PID: 6248)
      • customcursor.exe  (PID: 7740)
      • svchost.com (PID: 6972)
      • svchost.com (PID: 2568)
      • svchost.com (PID: 7172)
      • customcursor.exe  (PID: 7708)
      • svchost.com (PID: 8092)
      • customcursor.exe  (PID: 6676)
      • svchost.com (PID: 1132)
      • customcursor.exe  (PID: 2984)
      • svchost.com (PID: 732)
      • svchost.com (PID: 2664)
      • customcursor.exe  (PID: 4152)
      • svchost.com (PID: 4244)
      • customcursor.exe  (PID: 6852)
      • svchost.com (PID: 1804)
      • customcursor.exe  (PID: 7084)
      • svchost.com (PID: 7340)
      • customcursor.exe  (PID: 7560)
      • customcursor.exe  (PID: 8064)
      • customcursor.exe  (PID: 1020)
      • svchost.com (PID: 4944)
      • customcursor.exe  (PID: 7248)
      • svchost.com (PID: 3300)
      • customcursor.exe  (PID: 2268)
      • svchost.com (PID: 5024)
      • customcursor.exe  (PID: 2384)
      • svchost.com (PID: 8172)
      • customcursor.exe  (PID: 900)
      • svchost.com (PID: 4756)
      • customcursor.exe  (PID: 7404)
      • svchost.com (PID: 7816)
      • svchost.com (PID: 7144)
      • svchost.com (PID: 5132)
      • customcursor.exe  (PID: 2108)
      • customcursor.exe  (PID: 3396)
      • svchost.com (PID: 7484)
      • customcursor.exe  (PID: 3020)
      • customcursor.exe  (PID: 5576)
      • svchost.com (PID: 8108)
      • svchost.com (PID: 3268)
      • svchost.com (PID: 4172)
      • svchost.com (PID: 4012)
      • svchost.com (PID: 7820)
      • customcursor.exe  (PID: 5008)
      • customcursor.exe  (PID: 5720)
      • svchost.com (PID: 7408)
      • svchost.com (PID: 7336)
      • customcursor.exe  (PID: 8144)
      • customcursor.exe  (PID: 8184)
      • customcursor.exe  (PID: 6136)
      • svchost.com (PID: 3332)
      • svchost.com (PID: 5072)
      • customcursor.exe  (PID: 7020)
      • customcursor.exe  (PID: 968)
      • svchost.com (PID: 2192)
      • svchost.com (PID: 4572)
      • customcursor.exe  (PID: 5392)
      • customcursor.exe  (PID: 5776)
      • customcursor.exe  (PID: 6592)
      • customcursor.exe  (PID: 4424)
      • svchost.com (PID: 7972)
      • customcursor.exe  (PID: 7888)
      • svchost.com (PID: 6872)
      • customcursor.exe  (PID: 7460)
      • svchost.com (PID: 1096)
      • customcursor.exe  (PID: 8128)
      • svchost.com (PID: 6564)
      • svchost.com (PID: 6644)
      • svchost.com (PID: 1272)
      • svchost.com (PID: 8080)
      • customcursor.exe  (PID: 8036)
      • customcursor.exe  (PID: 6768)
      • svchost.com (PID: 5188)
      • svchost.com (PID: 668)
      • svchost.com (PID: 6944)
      • customcursor.exe  (PID: 7880)
      • customcursor.exe  (PID: 7756)
      • customcursor.exe  (PID: 4868)
      • customcursor.exe  (PID: 6040)
      • customcursor.exe  (PID: 7524)
      • svchost.com (PID: 7204)
      • customcursor.exe  (PID: 7760)
      • customcursor.exe  (PID: 5936)
      • svchost.com (PID: 5048)
      • customcursor.exe  (PID: 6068)
      • svchost.com (PID: 7704)
      • svchost.com (PID: 6656)
      • customcursor.exe  (PID: 4408)
      • svchost.com (PID: 7780)
      • customcursor.exe  (PID: 4200)
      • customcursor.exe  (PID: 5960)
      • svchost.com (PID: 5136)
      • svchost.com (PID: 5216)
      • customcursor.exe  (PID: 3676)
      • svchost.com (PID: 7872)
      • customcursor.exe  (PID: 4376)
      • svchost.com (PID: 5624)
      • svchost.com (PID: 6540)
      • customcursor.exe  (PID: 7276)
      • customcursor.exe  (PID: 5436)
      • svchost.com (PID: 7212)
      • svchost.com (PID: 896)
      • customcursor.exe  (PID: 7840)
      • customcursor.exe  (PID: 6388)
      • svchost.com (PID: 2616)
      • customcursor.exe  (PID: 7764)
      • svchost.com (PID: 4692)
      • customcursor.exe  (PID: 5512)
      • svchost.com (PID: 3968)
      • customcursor.exe  (PID: 7052)
      • svchost.com (PID: 5044)
      • customcursor.exe  (PID: 1748)
      • svchost.com (PID: 5020)
      • customcursor.exe  (PID: 5352)
      • svchost.com (PID: 2432)
      • svchost.com (PID: 5868)
      • customcursor.exe  (PID: 2516)
      • svchost.com (PID: 4008)
      • customcursor.exe  (PID: 7580)
      • svchost.com (PID: 7584)
      • customcursor.exe  (PID: 4464)
      • customcursor.exe  (PID: 3012)
      • customcursor.exe  (PID: 1300)
      • svchost.com (PID: 7232)
      • svchost.com (PID: 5952)
      • svchost.com (PID: 8112)
      • svchost.com (PID: 3140)
      • customcursor.exe  (PID: 5544)
      • svchost.com (PID: 6488)
      • svchost.com (PID: 7516)
      • svchost.com (PID: 7348)
      • customcursor.exe  (PID: 8148)
      • customcursor.exe  (PID: 7608)
      • customcursor.exe  (PID: 3016)
      • svchost.com (PID: 6436)
      • svchost.com (PID: 6584)
      • customcursor.exe  (PID: 3364)
      • svchost.com (PID: 7468)
      • svchost.com (PID: 3192)
      • customcursor.exe  (PID: 7576)
      • customcursor.exe  (PID: 7192)
      • customcursor.exe  (PID: 6576)
      • customcursor.exe  (PID: 1180)
      • svchost.com (PID: 6456)
      • customcursor.exe  (PID: 7932)
      • svchost.com (PID: 616)
      • svchost.com (PID: 4448)
      • customcursor.exe  (PID: 2084)
      • svchost.com (PID: 2344)
      • svchost.com (PID: 3176)
      • customcursor.exe  (PID: 4164)
      • customcursor.exe  (PID: 5800)
      • svchost.com (PID: 5036)
      • svchost.com (PID: 4652)
      • customcursor.exe  (PID: 7940)
      • customcursor.exe  (PID: 3976)
      • svchost.com (PID: 232)
      • svchost.com (PID: 1452)
      • customcursor.exe  (PID: 1852)
      • customcursor.exe  (PID: 2136)
      • customcursor.exe  (PID: 7176)
      • svchost.com (PID: 6800)
      • customcursor.exe  (PID: 5172)
      • svchost.com (PID: 7100)
      • customcursor.exe  (PID: 2320)
      • customcursor.exe  (PID: 2776)
      • svchost.com (PID: 6208)
      • customcursor.exe  (PID: 8016)
      • svchost.com (PID: 444)
      • svchost.com (PID: 7632)
      • customcursor.exe  (PID: 6632)
      • svchost.com (PID: 6660)
      • svchost.com (PID: 2088)
      • customcursor.exe  (PID: 6808)
      • svchost.com (PID: 7104)
      • customcursor.exe  (PID: 3796)
      • svchost.com (PID: 240)
      • customcursor.exe  (PID: 1004)
      • svchost.com (PID: 3992)
      • customcursor.exe  (PID: 5968)
      • svchost.com (PID: 6572)
      • svchost.com (PID: 2908)
      • customcursor.exe  (PID: 3800)
      • customcursor.exe  (PID: 3760)
      • svchost.com (PID: 236)
      • customcursor.exe  (PID: 3804)
      • svchost.com (PID: 3240)
      • customcursor.exe  (PID: 7868)
      • customcursor.exe  (PID: 7824)
      • svchost.com (PID: 5744)
      • customcursor.exe  (PID: 6228)
      • svchost.com (PID: 5408)
      • customcursor.exe  (PID: 4284)
      • svchost.com (PID: 1812)
      • customcursor.exe  (PID: 5280)
      • customcursor.exe  (PID: 7260)
      • svchost.com (PID: 2780)
      • svchost.com (PID: 5772)
      • customcursor.exe  (PID: 4112)
      • svchost.com (PID: 132)
      • svchost.com (PID: 6876)
      • customcursor.exe  (PID: 7452)
      • svchost.com (PID: 7284)
      • svchost.com (PID: 2092)
      • customcursor.exe  (PID: 6344)
      • customcursor.exe  (PID: 6960)
      • customcursor.exe  (PID: 6724)
      • svchost.com (PID: 7536)
      • svchost.com (PID: 2504)
      • customcursor.exe  (PID: 1040)
      • customcursor.exe  (PID: 4688)
      • svchost.com (PID: 5600)
      • customcursor.exe  (PID: 1324)
      • svchost.com (PID: 5812)
      • customcursor.exe  (PID: 1196)
      • svchost.com (PID: 6652)
      • customcursor.exe  (PID: 960)
      • customcursor.exe  (PID: 4304)
      • svchost.com (PID: 7272)
      • svchost.com (PID: 7700)
      • svchost.com (PID: 7504)
      • customcursor.exe  (PID: 7252)
      • svchost.com (PID: 4696)
      • customcursor.exe  (PID: 1136)
      • svchost.com (PID: 8212)
      • customcursor.exe  (PID: 2896)
      • customcursor.exe  (PID: 8232)
      • svchost.com (PID: 8428)
      • customcursor.exe  (PID: 8304)
      • svchost.com (PID: 8356)
      • customcursor.exe  (PID: 8376)
      • customcursor.exe  (PID: 8444)
      • svchost.com (PID: 8500)
      • svchost.com (PID: 8284)
      • customcursor.exe  (PID: 8524)
      • svchost.com (PID: 8576)
      • svchost.com (PID: 8656)
      • customcursor.exe  (PID: 8600)
      • customcursor.exe  (PID: 8676)
      • svchost.com (PID: 8728)
      • customcursor.exe  (PID: 8748)
      • svchost.com (PID: 8800)
      • customcursor.exe  (PID: 8816)
      • customcursor.exe  (PID: 8964)
      • customcursor.exe  (PID: 9036)
      • svchost.com (PID: 9088)
      • svchost.com (PID: 8872)
      • customcursor.exe  (PID: 8892)
      • svchost.com (PID: 8944)
      • svchost.com (PID: 9016)
      • customcursor.exe  (PID: 9184)
      • svchost.com (PID: 8120)
      • customcursor.exe  (PID: 7508)
      • customcursor.exe  (PID: 9108)
      • svchost.com (PID: 9160)
      • svchost.com (PID: 8256)
      • customcursor.exe  (PID: 8436)
      • svchost.com (PID: 8520)
      • customcursor.exe  (PID: 8568)
      • customcursor.exe  (PID: 8268)
      • svchost.com (PID: 8344)
      • customcursor.exe  (PID: 8312)
      • svchost.com (PID: 8416)
      • customcursor.exe  (PID: 8684)
      • svchost.com (PID: 8776)
      • customcursor.exe  (PID: 8756)
      • svchost.com (PID: 8836)
      • svchost.com (PID: 8596)
      • customcursor.exe  (PID: 8648)
      • svchost.com (PID: 8720)
      • customcursor.exe  (PID: 8984)
      • svchost.com (PID: 9020)
      • customcursor.exe  (PID: 9064)
      • customcursor.exe  (PID: 9128)
      • svchost.com (PID: 8204)
      • customcursor.exe  (PID: 8856)
      • svchost.com (PID: 9008)
      • svchost.com (PID: 9152)
      • customcursor.exe  (PID: 8328)
      • svchost.com (PID: 8320)
      • svchost.com (PID: 8368)
      • customcursor.exe  (PID: 8440)
      • customcursor.exe  (PID: 9196)
      • svchost.com (PID: 8228)
      • customcursor.exe  (PID: 8216)
      • svchost.com (PID: 8540)
      • customcursor.exe  (PID: 8644)
      • svchost.com (PID: 5324)
      • customcursor.exe  (PID: 7604)
      • svchost.com (PID: 8640)
      • svchost.com (PID: 8456)
      • customcursor.exe  (PID: 8508)
      • svchost.com (PID: 8828)
      • customcursor.exe  (PID: 8952)
      • svchost.com (PID: 456)
      • customcursor.exe  (PID: 9004)
      • customcursor.exe  (PID: 8696)
      • svchost.com (PID: 8736)
      • customcursor.exe  (PID: 8768)
      • svchost.com (PID: 9116)
      • customcursor.exe  (PID: 9172)
      • svchost.com (PID: 9188)
      • svchost.com (PID: 8300)
      • svchost.com (PID: 9072)
      • customcursor.exe  (PID: 9056)
      • customcursor.exe  (PID: 8348)
      • customcursor.exe  (PID: 8448)
      • customcursor.exe  (PID: 8556)
      • svchost.com (PID: 7596)
      • customcursor.exe  (PID: 7792)
      • customcursor.exe  (PID: 8412)
      • svchost.com (PID: 8384)
      • svchost.com (PID: 8564)
      • customcursor.exe  (PID: 8796)
      • customcursor.exe  (PID: 8808)
      • svchost.com (PID: 4620)
      • customcursor.exe  (PID: 8612)
      • svchost.com (PID: 8732)
      • svchost.com (PID: 8780)
      • svchost.com (PID: 8960)
      • svchost.com (PID: 8208)
      • customcursor.exe  (PID: 9176)
      • customcursor.exe  (PID: 8888)
      • svchost.com (PID: 8980)
      • customcursor.exe  (PID: 9084)
      • svchost.com (PID: 9068)
      • customcursor.exe  (PID: 9060)
      • svchost.com (PID: 8248)
      • svchost.com (PID: 4108)
      • customcursor.exe  (PID: 8580)
      • svchost.com (PID: 7588)
      • customcursor.exe  (PID: 8272)
      • svchost.com (PID: 8364)
      • customcursor.exe  (PID: 8492)
      • svchost.com (PID: 8552)
      • customcursor.exe  (PID: 5112)
      • customcursor.exe  (PID: 7812)
      • svchost.com (PID: 8716)

    • Starts itself from another location

      • CustomCursor.exe (PID: 7712)
      • explorer.exe (PID: 7796)
      • spoolsv.exe (PID: 7828)
      • svchost.exe (PID: 7856)
      • icsys.icn.exe (PID: 7772)
      • svchost.com (PID: 8076)
      • customcursor.exe  (PID: 8096)
      • svchost.com (PID: 8168)
      • customcursor.exe  (PID: 8188)
      • customcursor.exe  (PID: 7184)
      • svchost.com (PID: 7208)
      • svchost.com (PID: 7240)
      • customcursor.exe  (PID: 7220)
      • svchost.com (PID: 4180)
      • customcursor.exe  (PID: 1116)
      • customcursor.exe  (PID: 4560)
      • svchost.com (PID: 1228)
      • svchost.com (PID: 680)
      • customcursor.exe  (PID: 5892)
      • svchost.com (PID: 5640)
      • customcursor.exe  (PID: 4120)
      • svchost.com (PID: 1512)
      • svchost.com (PID: 5972)
      • customcursor.exe  (PID: 7360)
      • svchost.com (PID: 7488)
      • customcursor.exe  (PID: 5124)
      • customcursor.exe  (PID: 7436)
      • svchost.com (PID: 7344)
      • customcursor.exe  (PID: 5156)
      • svchost.com (PID: 6244)
      • svchost.com (PID: 7624)
      • customcursor.exe  (PID: 7684)
      • customcursor.exe  (PID: 7420)
      • customcursor.exe  (PID: 7784)
      • svchost.com (PID: 8040)
      • customcursor.exe  (PID: 7980)
      • svchost.com (PID: 5384)
      • customcursor.exe  (PID: 1328)
      • customcursor.exe  (PID: 2552)
      • svchost.com (PID: 8100)
      • svchost.com (PID: 7836)
      • svchost.com (PID: 4188)
      • svchost.com (PID: 6620)
      • customcursor.exe  (PID: 7228)
      • svchost.com (PID: 4980)
      • customcursor.exe  (PID: 6404)
      • svchost.com (PID: 1628)
      • customcursor.exe  (PID: 8176)
      • customcursor.exe  (PID: 7188)
      • svchost.com (PID: 6044)
      • svchost.com (PID: 1088)
      • customcursor.exe  (PID: 2236)
      • svchost.com (PID: 6112)
      • svchost.com (PID: 4740)
      • customcursor.exe  (PID: 2152)
      • customcursor.exe  (PID: 7328)
      • svchost.com (PID: 6264)
      • customcursor.exe  (PID: 7428)
      • customcursor.exe  (PID: 1660)
      • svchost.com (PID: 7692)
      • svchost.com (PID: 536)
      • customcursor.exe  (PID: 7832)
      • customcursor.exe  (PID: 4920)
      • svchost.com (PID: 7964)
      • svchost.com (PID: 8084)
      • customcursor.exe  (PID: 8056)
      • svchost.com (PID: 7392)
      • customcursor.exe  (PID: 7444)
      • customcursor.exe  (PID: 7716)
      • customcursor.exe  (PID: 3896)
      • svchost.com (PID: 8156)
      • customcursor.exe  (PID: 6752)
      • svchost.com (PID: 8180)
      • customcursor.exe  (PID: 2140)
      • customcursor.exe  (PID: 1532)
      • svchost.com (PID: 632)
      • svchost.com (PID: 6032)
      • FileCoAuth.exe (PID: 6964)
      • svchost.com (PID: 5728)
      • svchost.com (PID: 1164)
      • customcursor.exe  (PID: 3888)
      • svchost.com (PID: 5504)
      • customcursor.exe  (PID: 5608)
      • svchost.com (PID: 7224)
      • customcursor.exe  (PID: 4428)
      • svchost.com (PID: 7412)
      • customcursor.exe  (PID: 7532)
      • customcursor.exe  (PID: 7696)
      • svchost.com (PID: 1676)
      • svchost.com (PID: 7844)
      • customcursor.exe  (PID: 8028)
      • customcursor.exe  (PID: 7968)
      • svchost.com (PID: 5400)
      • svchost.com (PID: 4068)
      • customcursor.exe  (PID: 5680)
      • customcursor.exe  (PID: 5984)
      • svchost.com (PID: 8124)
      • customcursor.exe  (PID: 8136)
      • svchost.com (PID: 6668)
      • customcursor.exe  (PID: 4784)
      • svchost.com (PID: 1760)
      • customcursor.exe  (PID: 2392)
      • svchost.com (PID: 6108)
      • customcursor.exe  (PID: 1168)
      • customcursor.exe  (PID: 1056)
      • svchost.com (PID: 920)
      • customcursor.exe  (PID: 2960)
      • svchost.com (PID: 1072)
      • customcursor.exe  (PID: 3884)
      • svchost.com (PID: 7368)
      • customcursor.exe  (PID: 7416)
      • svchost.com (PID: 7464)
      • svchost.com (PID: 4300)
      • svchost.com (PID: 4024)
      • customcursor.exe  (PID: 8044)
      • svchost.com (PID: 7732)
      • svchost.com (PID: 6824)
      • customcursor.exe  (PID: 5256)
      • svchost.com (PID: 8140)
      • customcursor.exe  (PID: 7944)
      • customcursor.exe  (PID: 6512)
      • customcursor.exe  (PID: 8164)
      • customcursor.exe  (PID: 3304)
      • svchost.com (PID: 7152)
      • customcursor.exe  (PID: 5304)
      • svchost.com (PID: 4608)
      • customcursor.exe  (PID: 6048)
      • svchost.com (PID: 2316)
      • customcursor.exe  (PID: 684)
      • svchost.com (PID: 7256)
      • svchost.com (PID: 6184)
      • customcursor.exe  (PID: 5956)
      • svchost.com (PID: 7476)
      • customcursor.exe  (PID: 1616)
      • svchost.com (PID: 7776)
      • svchost.com (PID: 7156)
      • customcursor.exe  (PID: 5552)
      • customcursor.exe  (PID: 7280)
      • svchost.com (PID: 2340)
      • svchost.com (PID: 1128)
      • customcursor.exe  (PID: 8104)
      • svchost.com (PID: 2420)
      • customcursor.exe  (PID: 2240)
      • customcursor.exe  (PID: 8116)
      • svchost.com (PID: 8160)
      • customcursor.exe  (PID: 6252)
      • svchost.com (PID: 4996)
      • customcursor.exe  (PID: 7960)
      • svchost.com (PID: 5200)
      • customcursor.exe  (PID: 6468)
      • svchost.com (PID: 5344)
      • customcursor.exe  (PID: 6516)
      • svchost.com (PID: 6372)
      • customcursor.exe  (PID: 5380)
      • svchost.com (PID: 7480)
      • svchost.com (PID: 3900)
      • customcursor.exe  (PID: 7148)
      • svchost.com (PID: 5328)
      • customcursor.exe  (PID: 1912)
      • svchost.com (PID: 7424)
      • customcursor.exe  (PID: 7728)
      • customcursor.exe  (PID: 7636)
      • svchost.com (PID: 7720)
      • svchost.com (PID: 8032)
      • svchost.com (PID: 2644)
      • customcursor.exe  (PID: 2772)
      • customcursor.exe  (PID: 7268)
      • customcursor.exe  (PID: 5204)
      • customcursor.exe  (PID: 7012)
      • svchost.com (PID: 8052)
      • svchost.com (PID: 5528)
      • customcursor.exe  (PID: 6268)
      • customcursor.exe  (PID: 1276)
      • svchost.com (PID: 7296)
      • customcursor.exe  (PID: 1052)
      • svchost.com (PID: 6744)
      • svchost.com (PID: 7448)
      • svchost.com (PID: 1764)
      • customcursor.exe  (PID: 4988)
      • svchost.com (PID: 7928)
      • customcursor.exe  (PID: 4724)
      • svchost.com (PID: 6392)
      • customcursor.exe  (PID: 1388)
      • customcursor.exe  (PID: 516)
      • customcursor.exe  (PID: 7628)
      • svchost.com (PID: 8020)
      • customcursor.exe  (PID: 2288)
      • svchost.com (PID: 6940)
      • svchost.com (PID: 6760)
      • customcursor.exe  (PID: 2284)
      • customcursor.exe  (PID: 4880)
      • customcursor.exe  (PID: 2564)
      • svchost.com (PID: 5056)
      • customcursor.exe  (PID: 2852)
      • svchost.com (PID: 7216)
      • svchost.com (PID: 660)
      • customcursor.exe  (PID: 720)
      • customcursor.exe  (PID: 5596)
      • svchost.com (PID: 7512)
      • svchost.com (PID: 7364)
      • customcursor.exe  (PID: 7620)
      • svchost.com (PID: 3956)
      • svchost.com (PID: 7724)
      • customcursor.exe  (PID: 8012)
      • svchost.com (PID: 6272)
      • svchost.com (PID: 7500)
      • customcursor.exe  (PID: 5364)
      • svchost.com (PID: 7200)
      • customcursor.exe  (PID: 6828)
      • svchost.com (PID: 2800)
      • customcursor.exe  (PID: 496)
      • customcursor.exe  (PID: 8088)
      • svchost.com (PID: 3024)
      • customcursor.exe  (PID: 1012)
      • customcursor.exe  (PID: 7356)
      • svchost.com (PID: 672)
      • customcursor.exe  (PID: 1600)
      • svchost.com (PID: 7528)
      • svchost.com (PID: 5740)
      • customcursor.exe  (PID: 2904)
      • svchost.com (PID: 7768)
      • svchost.com (PID: 7352)
      • customcursor.exe  (PID: 7236)
      • svchost.com (PID: 7472)
      • svchost.com (PID: 7180)
      • svchost.com (PID: 872)
      • customcursor.exe  (PID: 4932)
      • svchost.com (PID: 208)
      • customcursor.exe  (PID: 5164)
      • customcursor.exe  (PID: 7520)
      • customcursor.exe  (PID: 5232)
      • customcursor.exe  (PID: 2064)
      • customcursor.exe  (PID: 7300)
      • svchost.com (PID: 7304)
      • customcursor.exe  (PID: 3156)
      • svchost.com (PID: 3124)
      • svchost.com (PID: 2568)
      • customcursor.exe  (PID: 7388)
      • svchost.com (PID: 6248)
      • customcursor.exe  (PID: 7740)
      • svchost.com (PID: 6972)
      • customcursor.exe  (PID: 6988)
      • customcursor.exe  (PID: 7708)
      • svchost.com (PID: 8092)
      • customcursor.exe  (PID: 4152)
      • customcursor.exe  (PID: 6676)
      • svchost.com (PID: 2664)
      • svchost.com (PID: 1132)
      • customcursor.exe  (PID: 2984)
      • svchost.com (PID: 732)
      • svchost.com (PID: 7172)
      • svchost.com (PID: 4244)
      • customcursor.exe  (PID: 6852)
      • svchost.com (PID: 1804)
      • customcursor.exe  (PID: 7084)
      • svchost.com (PID: 4944)
      • customcursor.exe  (PID: 7560)
      • svchost.com (PID: 7340)
      • customcursor.exe  (PID: 8064)
      • svchost.com (PID: 7816)
      • customcursor.exe  (PID: 1020)
      • svchost.com (PID: 3300)
      • svchost.com (PID: 5024)
      • customcursor.exe  (PID: 2268)
      • svchost.com (PID: 8172)
      • customcursor.exe  (PID: 2384)
      • svchost.com (PID: 4756)
      • customcursor.exe  (PID: 900)
      • customcursor.exe  (PID: 7404)
      • customcursor.exe  (PID: 7248)
      • customcursor.exe  (PID: 2108)
      • svchost.com (PID: 5132)
      • customcursor.exe  (PID: 3396)
      • customcursor.exe  (PID: 5576)
      • svchost.com (PID: 7484)
      • customcursor.exe  (PID: 3020)
      • svchost.com (PID: 3268)
      • svchost.com (PID: 8108)
      • customcursor.exe  (PID: 8184)
      • svchost.com (PID: 7144)
      • svchost.com (PID: 4172)
      • customcursor.exe  (PID: 6136)
      • customcursor.exe  (PID: 5008)
      • svchost.com (PID: 4012)
      • svchost.com (PID: 7408)
      • svchost.com (PID: 7820)
      • customcursor.exe  (PID: 5720)
      • svchost.com (PID: 7336)
      • customcursor.exe  (PID: 8144)
      • svchost.com (PID: 3332)
      • svchost.com (PID: 2192)
      • customcursor.exe  (PID: 968)
      • svchost.com (PID: 5072)
      • customcursor.exe  (PID: 7020)
      • customcursor.exe  (PID: 5392)
      • svchost.com (PID: 4572)
      • customcursor.exe  (PID: 5776)
      • customcursor.exe  (PID: 6592)
      • svchost.com (PID: 6644)
      • svchost.com (PID: 7972)
      • svchost.com (PID: 6872)
      • customcursor.exe  (PID: 8128)
      • customcursor.exe  (PID: 7460)
      • svchost.com (PID: 1096)
      • svchost.com (PID: 6564)
      • customcursor.exe  (PID: 4424)
      • customcursor.exe  (PID: 7888)
      • svchost.com (PID: 6944)
      • svchost.com (PID: 1272)
      • customcursor.exe  (PID: 8036)
      • customcursor.exe  (PID: 6768)
      • svchost.com (PID: 5188)
      • customcursor.exe  (PID: 4868)
      • svchost.com (PID: 668)
      • customcursor.exe  (PID: 7880)
      • customcursor.exe  (PID: 7756)
      • svchost.com (PID: 8080)
      • customcursor.exe  (PID: 7524)
      • customcursor.exe  (PID: 7760)
      • svchost.com (PID: 7204)
      • customcursor.exe  (PID: 5936)
      • svchost.com (PID: 7704)
      • customcursor.exe  (PID: 6068)
      • svchost.com (PID: 6656)
      • customcursor.exe  (PID: 6040)
      • svchost.com (PID: 5624)
      • svchost.com (PID: 5048)
      • customcursor.exe  (PID: 4200)
      • svchost.com (PID: 7780)
      • svchost.com (PID: 5136)
      • customcursor.exe  (PID: 5960)
      • svchost.com (PID: 5216)
      • customcursor.exe  (PID: 3676)
      • svchost.com (PID: 7872)
      • customcursor.exe  (PID: 4376)
      • customcursor.exe  (PID: 4408)
      • customcursor.exe  (PID: 7276)
      • svchost.com (PID: 6540)
      • customcursor.exe  (PID: 5436)
      • svchost.com (PID: 7212)
      • customcursor.exe  (PID: 7840)
      • svchost.com (PID: 896)
      • customcursor.exe  (PID: 6388)
      • svchost.com (PID: 2616)
      • customcursor.exe  (PID: 7764)
      • svchost.com (PID: 4692)
      • svchost.com (PID: 5868)
      • svchost.com (PID: 3968)
      • customcursor.exe  (PID: 5512)
      • customcursor.exe  (PID: 7052)
      • svchost.com (PID: 5020)
      • customcursor.exe  (PID: 1748)
      • svchost.com (PID: 2432)
      • customcursor.exe  (PID: 5352)
      • svchost.com (PID: 5044)
      • svchost.com (PID: 7232)
      • customcursor.exe  (PID: 2516)
      • svchost.com (PID: 4008)
      • customcursor.exe  (PID: 7580)
      • svchost.com (PID: 7584)
      • customcursor.exe  (PID: 4464)
      • svchost.com (PID: 5952)
      • customcursor.exe  (PID: 3012)
      • customcursor.exe  (PID: 1300)
      • customcursor.exe  (PID: 8148)
      • svchost.com (PID: 3140)
      • customcursor.exe  (PID: 7608)
      • svchost.com (PID: 6488)
      • customcursor.exe  (PID: 5544)
      • svchost.com (PID: 7516)
      • customcursor.exe  (PID: 3016)
      • svchost.com (PID: 7348)
      • svchost.com (PID: 8112)
      • svchost.com (PID: 6436)
      • customcursor.exe  (PID: 1180)
      • svchost.com (PID: 6584)
      • customcursor.exe  (PID: 3364)
      • customcursor.exe  (PID: 7576)
      • svchost.com (PID: 7468)
      • svchost.com (PID: 3192)
      • svchost.com (PID: 3176)
      • customcursor.exe  (PID: 7192)
      • customcursor.exe  (PID: 6576)
      • customcursor.exe  (PID: 4164)
      • customcursor.exe  (PID: 7932)
      • customcursor.exe  (PID: 5800)
      • svchost.com (PID: 4448)
      • customcursor.exe  (PID: 2084)
      • svchost.com (PID: 2344)
      • customcursor.exe  (PID: 7176)
      • svchost.com (PID: 6456)
      • svchost.com (PID: 616)
      • customcursor.exe  (PID: 7940)
      • customcursor.exe  (PID: 3976)
      • svchost.com (PID: 1452)
      • svchost.com (PID: 232)
      • customcursor.exe  (PID: 1852)
      • svchost.com (PID: 5036)
      • svchost.com (PID: 4652)
      • customcursor.exe  (PID: 2136)
      • svchost.com (PID: 7100)
      • customcursor.exe  (PID: 2776)
      • svchost.com (PID: 6208)
      • customcursor.exe  (PID: 8016)
      • svchost.com (PID: 444)
      • customcursor.exe  (PID: 2320)
      • svchost.com (PID: 6800)
      • svchost.com (PID: 7632)
      • customcursor.exe  (PID: 5172)
      • customcursor.exe  (PID: 6632)
      • svchost.com (PID: 7104)
      • svchost.com (PID: 6660)
      • customcursor.exe  (PID: 6808)
      • customcursor.exe  (PID: 5968)
      • svchost.com (PID: 2088)
      • customcursor.exe  (PID: 3796)
      • svchost.com (PID: 240)
      • customcursor.exe  (PID: 1004)
      • svchost.com (PID: 3992)
      • customcursor.exe  (PID: 7868)
      • svchost.com (PID: 2908)
      • customcursor.exe  (PID: 3800)
      • svchost.com (PID: 6572)
      • svchost.com (PID: 236)
      • svchost.com (PID: 3240)
      • customcursor.exe  (PID: 3804)
      • customcursor.exe  (PID: 7260)
      • customcursor.exe  (PID: 3760)
      • svchost.com (PID: 5744)
      • customcursor.exe  (PID: 6228)
      • customcursor.exe  (PID: 5280)
      • svchost.com (PID: 5408)
      • customcursor.exe  (PID: 4284)
      • svchost.com (PID: 1812)
      • svchost.com (PID: 2092)
      • svchost.com (PID: 2780)
      • customcursor.exe  (PID: 7824)
      • customcursor.exe  (PID: 6960)
      • customcursor.exe  (PID: 4112)
      • svchost.com (PID: 132)
      • svchost.com (PID: 7284)
      • customcursor.exe  (PID: 7452)
      • svchost.com (PID: 6876)
      • customcursor.exe  (PID: 1196)
      • customcursor.exe  (PID: 6344)
      • svchost.com (PID: 5772)
      • customcursor.exe  (PID: 6724)
      • svchost.com (PID: 7536)
      • customcursor.exe  (PID: 4688)
      • svchost.com (PID: 5812)
      • svchost.com (PID: 5600)
      • customcursor.exe  (PID: 1324)
      • customcursor.exe  (PID: 2896)
      • svchost.com (PID: 6652)
      • svchost.com (PID: 2504)
      • customcursor.exe  (PID: 1040)
      • customcursor.exe  (PID: 4304)
      • svchost.com (PID: 7504)
      • customcursor.exe  (PID: 960)
      • svchost.com (PID: 4696)
      • customcursor.exe  (PID: 7252)
      • svchost.com (PID: 8212)
      • customcursor.exe  (PID: 1136)
      • customcursor.exe  (PID: 8232)
      • svchost.com (PID: 7272)
      • svchost.com (PID: 7700)
      • svchost.com (PID: 8284)
      • customcursor.exe  (PID: 8376)
      • svchost.com (PID: 8356)
      • svchost.com (PID: 8428)
      • svchost.com (PID: 8500)
      • customcursor.exe  (PID: 8524)
      • customcursor.exe  (PID: 8304)
      • svchost.com (PID: 8576)
      • customcursor.exe  (PID: 8600)
      • svchost.com (PID: 8656)
      • customcursor.exe  (PID: 8676)
      • svchost.com (PID: 8728)
      • customcursor.exe  (PID: 8748)
      • svchost.com (PID: 8800)
      • customcursor.exe  (PID: 8816)
      • svchost.com (PID: 9016)
      • customcursor.exe  (PID: 9036)
      • svchost.com (PID: 9088)
      • svchost.com (PID: 8872)
      • customcursor.exe  (PID: 8892)
      • svchost.com (PID: 8944)
      • customcursor.exe  (PID: 8964)
      • customcursor.exe  (PID: 7508)
      • svchost.com (PID: 8256)
      • customcursor.exe  (PID: 8268)
      • customcursor.exe  (PID: 9108)
      • svchost.com (PID: 9160)
      • customcursor.exe  (PID: 9184)
      • svchost.com (PID: 8120)
      • svchost.com (PID: 8416)
      • customcursor.exe  (PID: 8436)
      • svchost.com (PID: 8520)
      • customcursor.exe  (PID: 8568)
      • svchost.com (PID: 8344)
      • customcursor.exe  (PID: 8312)
      • svchost.com (PID: 8776)
      • customcursor.exe  (PID: 8756)
      • svchost.com (PID: 8596)
      • customcursor.exe  (PID: 8648)
      • svchost.com (PID: 8720)
      • customcursor.exe  (PID: 8684)
      • svchost.com (PID: 8836)
      • svchost.com (PID: 9152)
      • customcursor.exe  (PID: 9064)
      • customcursor.exe  (PID: 9128)
      • svchost.com (PID: 8204)
      • customcursor.exe  (PID: 8856)
      • svchost.com (PID: 9008)
      • customcursor.exe  (PID: 8984)
      • svchost.com (PID: 9020)
      • svchost.com (PID: 8368)
      • svchost.com (PID: 8320)
      • customcursor.exe  (PID: 8328)
      • customcursor.exe  (PID: 8440)
      • customcursor.exe  (PID: 9196)
      • svchost.com (PID: 8228)
      • customcursor.exe  (PID: 8216)
      • customcursor.exe  (PID: 8644)
      • svchost.com (PID: 5324)
      • svchost.com (PID: 8640)
      • customcursor.exe  (PID: 8696)
      • svchost.com (PID: 8456)
      • customcursor.exe  (PID: 8508)
      • svchost.com (PID: 8540)
      • customcursor.exe  (PID: 7604)
      • customcursor.exe  (PID: 8768)
      • svchost.com (PID: 8828)
      • svchost.com (PID: 456)
      • customcursor.exe  (PID: 8952)
      • customcursor.exe  (PID: 9004)
      • svchost.com (PID: 8736)
      • customcursor.exe  (PID: 9172)
      • svchost.com (PID: 9188)
      • customcursor.exe  (PID: 8348)
      • svchost.com (PID: 8300)
      • svchost.com (PID: 9072)
      • customcursor.exe  (PID: 9056)
      • svchost.com (PID: 9116)
      • customcursor.exe  (PID: 8444)
      • svchost.com (PID: 8564)
      • customcursor.exe  (PID: 8556)
      • svchost.com (PID: 4620)
      • customcursor.exe  (PID: 7792)
      • customcursor.exe  (PID: 8412)
      • svchost.com (PID: 8384)
      • customcursor.exe  (PID: 8448)
      • svchost.com (PID: 7596)
      • customcursor.exe  (PID: 8796)
      • svchost.com (PID: 8780)
      • customcursor.exe  (PID: 8888)
      • customcursor.exe  (PID: 8612)
      • svchost.com (PID: 8732)
      • customcursor.exe  (PID: 8808)
      • svchost.com (PID: 8960)
      • svchost.com (PID: 8248)
      • customcursor.exe  (PID: 9060)
      • customcursor.exe  (PID: 9176)
      • svchost.com (PID: 8208)
      • customcursor.exe  (PID: 8272)
      • svchost.com (PID: 8980)
      • customcursor.exe  (PID: 9084)
      • svchost.com (PID: 9068)
      • svchost.com (PID: 8552)
      • svchost.com (PID: 4108)
      • svchost.com (PID: 7588)
      • svchost.com (PID: 8364)
      • customcursor.exe  (PID: 8492)
      • customcursor.exe  (PID: 8580)
      • customcursor.exe  (PID: 5112)
      • customcursor.exe  (PID: 7812)

    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 7772)
      • spoolsv.exe (PID: 7828)

    • There is functionality for taking screenshot (YARA)

      • CustomCursor.exe (PID: 7568)
      • customcursor.exe  (PID: 7748)
      • customcursor.exe  (PID: 1748)
      • customcursor.exe  (PID: 8892)

    • Process drops legitimate windows executable

      • FileCoAuth.exe (PID: 6964)
      • CUSTOM~2.tmp (PID: 8824)

    • Starts a Microsoft application from unusual location

      • FileCoAuth.exe (PID: 4488)

  • INFO

    • Reads the computer name

      • CustomCursor.exe (PID: 7568)
      • customcursor.exe  (PID: 7748)
      • svchost.exe (PID: 7856)
      • customcursor.exe  (PID: 8096)
      • customcursor.exe  (PID: 8188)
      • customcursor.exe  (PID: 7184)
      • customcursor.exe  (PID: 7220)
      • customcursor.exe  (PID: 1116)
      • customcursor.exe  (PID: 4560)
      • customcursor.exe  (PID: 4120)
      • customcursor.exe  (PID: 5892)
      • customcursor.exe  (PID: 5124)
      • customcursor.exe  (PID: 7420)
      • customcursor.exe  (PID: 7360)

    • Create files in a temporary directory

      • CustomCursor.exe (PID: 7568)
      • CustomCursor.exe (PID: 7712)
      • icsys.icn.exe (PID: 7772)
      • explorer.exe (PID: 7796)
      • spoolsv.exe (PID: 7828)
      • svchost.exe (PID: 7856)
      • spoolsv.exe (PID: 7932)

    • Checks supported languages

      • CustomCursor.exe (PID: 7568)
      • CustomCursor.exe (PID: 7712)
      • customcursor.exe  (PID: 7748)
      • icsys.icn.exe (PID: 7772)
      • explorer.exe (PID: 7796)
      • spoolsv.exe (PID: 7828)
      • svchost.exe (PID: 7856)
      • spoolsv.exe (PID: 7932)
      • svchost.com (PID: 8168)
      • svchost.com (PID: 7208)
      • customcursor.exe  (PID: 8096)
      • customcursor.exe  (PID: 7184)
      • customcursor.exe  (PID: 8188)
      • customcursor.exe  (PID: 7220)
      • svchost.com (PID: 7240)
      • svchost.com (PID: 4180)
      • customcursor.exe  (PID: 1116)
      • customcursor.exe  (PID: 4560)
      • svchost.com (PID: 1228)
      • customcursor.exe  (PID: 5892)
      • svchost.com (PID: 680)
      • svchost.com (PID: 5640)
      • customcursor.exe  (PID: 4120)
      • svchost.com (PID: 8076)
      • svchost.com (PID: 1512)
      • customcursor.exe  (PID: 5124)
      • svchost.com (PID: 5972)
      • customcursor.exe  (PID: 7360)
      • svchost.com (PID: 7488)
      • customcursor.exe  (PID: 7420)
      • customcursor.exe  (PID: 7436)

    • The sample compiled with english language support

      • CustomCursor.exe (PID: 7568)
      • FileCoAuth.exe (PID: 6964)

    • Process checks computer location settings

      • CustomCursor.exe (PID: 7568)
      • customcursor.exe  (PID: 8096)
      • customcursor.exe  (PID: 8188)
      • customcursor.exe  (PID: 7184)
      • customcursor.exe  (PID: 7220)
      • customcursor.exe  (PID: 1116)
      • customcursor.exe  (PID: 4560)
      • customcursor.exe  (PID: 5892)
      • customcursor.exe  (PID: 5124)
      • customcursor.exe  (PID: 4120)
      • customcursor.exe  (PID: 7360)
      • customcursor.exe  (PID: 7420)

    • Auto-launch of the file from Registry key

      • svchost.exe (PID: 7856)
      • explorer.exe (PID: 7796)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 7976)

    • Reads security settings of Internet Explorer

      • OpenWith.exe (PID: 7976)

    • Manual execution by a user

      • explorer.exe (PID: 660)
      • svchost.exe (PID: 2656)

    • Detects InnoSetup installer (YARA)

      • CUSTOM~2.tmp (PID: 8824)

    • Compiled with Borland Delphi (YARA)

      • CUSTOM~2.tmp (PID: 8824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 5 (49.6)
.exe | Win32 Executable Borland Delphi 6 (28.8)
.exe | Inno Setup installer (12)
.exe | Win32 EXE PECompact compressed (generic) (4.5)
.exe | Win32 Executable Delphi generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
714
Monitored processes
590
Malicious processes
30
Suspicious processes
539

Behavior graph

Click at the process to see the details
start #NESHTA customcursor.exe customcursor.exe no specs #JEEFO customcursor.exe #NESHTA customcursor.exe  #JEEFO icsys.icn.exe #JEEFO explorer.exe spoolsv.exe #JEEFO svchost.exe spoolsv.exe no specs openwith.exe no specs #NESHTA svchost.com no specs #NESHTA customcursor.exe  no specs #NESHTA svchost.com no specs #NESHTA customcursor.exe  no specs explorer.exe no specs svchost.exe no specs #NESHTA svchost.com no specs #NESHTA customcursor.exe  no specs #NESHTA svchost.com no specs #NESHTA customcursor.exe  no specs #NESHTA svchost.com no specs #NESHTA customcursor.exe  no specs #NESHTA svchost.com no specs #NESHTA customcursor.exe  no specs #NESHTA svchost.com no specs #NESHTA customcursor.exe  no specs #NESHTA svchost.com no specs #NESHTA customcursor.exe  no specs #NESHTA svchost.com no specs #NESHTA customcursor.exe  no specs #NESHTA svchost.com no specs #NESHTA customcursor.exe  no specs #NESHTA svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs filecoauth.exe no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs filecoauth.exe no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs slui.exe svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs svchost.com no specs customcursor.exe  no specs custom~2.tmp customcursor.exe

Process information

PID
CMD
Path
Indicators
Parent process
132"C:\WINDOWS\svchost.com" "C:\Users\admin\AppData\Local\Temp\3582-490\CUSTOM~2.EXE" C:\Windows\svchost.comcustomcursor.exe 
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\svchost.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
208"C:\WINDOWS\svchost.com" "C:\Users\admin\AppData\Local\Temp\3582-490\CUSTOM~2.EXE" C:\Windows\svchost.comcustomcursor.exe 
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\svchost.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
232"C:\WINDOWS\svchost.com" "C:\Users\admin\AppData\Local\Temp\3582-490\CUSTOM~2.EXE" C:\Windows\svchost.comcustomcursor.exe 
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\svchost.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
236"C:\WINDOWS\svchost.com" "C:\Users\admin\AppData\Local\Temp\3582-490\CUSTOM~2.EXE" C:\Windows\svchost.comcustomcursor.exe 
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\svchost.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
240"C:\WINDOWS\svchost.com" "C:\Users\admin\AppData\Local\Temp\3582-490\CUSTOM~2.EXE" C:\Windows\svchost.comcustomcursor.exe 
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\svchost.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
444"C:\WINDOWS\svchost.com" "C:\Users\admin\AppData\Local\Temp\3582-490\CUSTOM~2.EXE" C:\Windows\svchost.comcustomcursor.exe 
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\svchost.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
456"C:\WINDOWS\svchost.com" "C:\Users\admin\AppData\Local\Temp\3582-490\CUSTOM~2.EXE" C:\Windows\svchost.comcustomcursor.exe 
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\svchost.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
496C:\Users\admin\AppData\Local\Temp\3582-490\CUSTOM~2.EXE C:\Users\admin\AppData\Local\Temp\3582-490\customcursor.exe svchost.com
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\customcursor.exe 
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
516C:\Users\admin\AppData\Local\Temp\3582-490\CUSTOM~2.EXE C:\Users\admin\AppData\Local\Temp\3582-490\customcursor.exe svchost.com
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\customcursor.exe 
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
536"C:\WINDOWS\svchost.com" "C:\Users\admin\AppData\Local\Temp\3582-490\CUSTOM~2.EXE" C:\Windows\svchost.comcustomcursor.exe 
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\svchost.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events
271 863
Read events
271 240
Write events
619
Delete events
4

Modification events

(PID) Process:(7748) customcursor.exe Key:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000060B81DB4E48ED2119906E49FADC173CA8D000000
(PID) Process:(7712) CustomCursor.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(7772) icsys.icn.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(7796) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
(PID) Process:(7796) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Svchost
Value:
c:\windows\resources\svchost.exe RO
(PID) Process:(7796) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Explorer
Value:
(PID) Process:(7796) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Svchost
Value:
(PID) Process:(7856) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
(PID) Process:(7856) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Svchost
Value:
c:\windows\resources\svchost.exe RO
(PID) Process:(7856) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Explorer
Value:
Executable files
314
Suspicious files
18
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
7932spoolsv.exeC:\Users\admin\AppData\Local\Temp\~DF2850F5961651090B.TMPbinary
MD5:15B9D8EE6A1B521E07B5F1954BC723AC
SHA256:686D7823895DF500DEC856CD1E929EB3DEC3439F1CE0F52B44F06920F2CA77F7
7828spoolsv.exeC:\Windows\Resources\svchost.exeexecutable
MD5:D1D9F0682B54AFC5331868C3FF82CC9D
SHA256:D018581074A4264F460F6FF5B3F50CED403BD7CD58EF9F426FF56165C622CEBA
7712CustomCursor.exeC:\Windows\Resources\Themes\icsys.icn.exeexecutable
MD5:5C032A0AB1FCB0B5C8C16A03F45DBA14
SHA256:91F5F79E640C18C1D49E27357B647681C139A2CE9B607B6E53AC09F59DDEA6E0
7772icsys.icn.exeC:\Users\admin\AppData\Local\Temp\~DF60EF92D299DD6488.TMPbinary
MD5:3D7C3BD66558D372E629732DA4C7A79D
SHA256:8CEBA01A27D0D92D9989B6A72F5C7BE0225D6AA22857604D146CFD7E9390F32A
7712CustomCursor.exeC:\Users\admin\AppData\Local\Temp\3582-490\customcursor.exe executable
MD5:D04785DB31E74872D749F0D81BBB030A
SHA256:9120311B54D0903DECD6A6061563E1FEB6D56413DBF498FCA145F6805755EEE8
7828spoolsv.exeC:\Users\admin\AppData\Local\Temp\~DF2468F711943EAD89.TMPbinary
MD5:75FE2877B195B974726124E68B11AB06
SHA256:A6495F6F5D406382E4043DF82AEEFBB57A5EEED8C213F9EF30F37BCC4F2DCE2F
7568CustomCursor.exeC:\Users\admin\AppData\Local\Temp\3582-490\CustomCursor.exeexecutable
MD5:DC346C7A5EE453D5228607C183667753
SHA256:036468555B6B9490BD312E36F49D1A99EA71146568205BA63BCB0C68BB4D95B2
7796explorer.exeC:\Windows\Resources\spoolsv.exeexecutable
MD5:174EC19780EC44085235F4151C974D63
SHA256:8559DFB4F9F198B17AB1BA568E1384EEA22CD2266F47CC647843DACE5BE7267E
7712CustomCursor.exeC:\Users\admin\AppData\Local\Temp\~DFD4572F1432599708.TMPbinary
MD5:24BF0368CF2DCEEBBD092A440ABF1CAA
SHA256:39BBC2170755A585DBE6736E39569453A2AB548E3B00BCCB58006E392B7B439A
7772icsys.icn.exeC:\Windows\Resources\Themes\explorer.exeexecutable
MD5:41983D2E0021B6209D14E2CEC329882F
SHA256:0A16EB68081A6BCF45C213032018C6B169441D2FE37266EC4DA53BF01BEC90B0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
54
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6944
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6944
SIHClient.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
6944
SIHClient.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
6944
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
6944
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
6944
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6544
svchost.exe
20.190.160.65:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6944
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6944
SIHClient.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.142
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 23.216.77.42
  • 23.216.77.20
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 2.23.246.101
whitelisted
login.live.com
  • 20.190.160.65
  • 20.190.160.14
  • 20.190.160.132
  • 20.190.160.5
  • 40.126.32.138
  • 40.126.32.136
  • 20.190.160.66
  • 20.190.160.20
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CustomCursor.exe