6de13d9bc30f8a707449ff57e58fb439fcaedcf4ba13e45feeb646df3c746475

Analysis

max time kernel
141s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
02/08/2023, 14:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4ddig-for-windows-bing.exe
Size

2.3MB
MD5

7f000cd309af04515d8662c488c17b09
SHA1

60e37fe67cc6fda5965c862ccd3910efe4b2c0d0
SHA256

6de13d9bc30f8a707449ff57e58fb439fcaedcf4ba13e45feeb646df3c746475
SHA512

34e2724fa884cc5487667fd2b04e6fc19403a47784481bdfee5aa49be3216d4885f86da3c93aa33ebe9c8d32a1086aea89dab55d6b2cef5b993d07e8b61f3257
SSDEEP

49152:H1OOKgkBsWP5UXpv4k6rKRIWgKEot9R2D5uDVmT1nyMxApxwGy1V9f:H1ZNKe54k6aLg9otHmIDa1vx8yHl

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 48 IoCs

evasion

Windows Service

T1543.003

pid	Process
792	netsh.exe
2212	netsh.exe
2356	netsh.exe
992	netsh.exe
1100	netsh.exe
2240	netsh.exe
2876	netsh.exe
2720	netsh.exe
2676	netsh.exe
2912	netsh.exe
2720	netsh.exe
2372	netsh.exe
1984	netsh.exe
2780	netsh.exe
332	netsh.exe
1632	netsh.exe
3016	netsh.exe
1728	netsh.exe
1652	netsh.exe
2548	netsh.exe
1096	netsh.exe
2748	netsh.exe
2204	netsh.exe
2996	netsh.exe
2204	netsh.exe
1592	netsh.exe
1244	netsh.exe
2536	netsh.exe
2032	netsh.exe
2780	netsh.exe
3056	netsh.exe
1028	netsh.exe
2932	netsh.exe
1556	netsh.exe
2052	netsh.exe
2128	netsh.exe
992	netsh.exe
3004	netsh.exe
964	netsh.exe
1104	netsh.exe
2316	netsh.exe
1644	netsh.exe
1696	netsh.exe
2100	netsh.exe
2656	netsh.exe
1356	netsh.exe
2608	netsh.exe
2256	netsh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1532-54-0x0000000000400000-0x00000000008B8000-memory.dmp	upx
behavioral1/memory/1532-217-0x0000000000400000-0x00000000008B8000-memory.dmp	upx
behavioral1/memory/1532-222-0x0000000000400000-0x00000000008B8000-memory.dmp	upx
behavioral1/memory/1532-228-0x0000000000400000-0x00000000008B8000-memory.dmp	upx
behavioral1/memory/1532-275-0x0000000000400000-0x00000000008B8000-memory.dmp	upx
behavioral1/memory/1532-299-0x0000000000400000-0x00000000008B8000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\FileReport.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-OA397.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-ILRF8.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Monitor\is-2BJDQ.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-LFFQK.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\api-ms-win-core-datetime-l1-1-0.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-RVII0.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-9O4NU.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-8AJ3Q.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-GOBGH.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\syslinux\is-VO9M2.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\RealImage\api-ms-win-core-processenvironment-l1-1-0.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-LP9OF.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-I7EN3.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\RealImage\api-ms-win-core-processthreads-l1-1-0.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-N7E2J.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-P00UF.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-VE5QC.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Monitor\is-RPEB7.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\api-ms-win-core-file-l1-1-0.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Monitor\ucrtbase.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\vcruntime140_1.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-VR1TR.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\RealImage\is-BMKMO.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\WPFAssets.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\RealImage\vcruntime140.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\RealImage\api-ms-win-core-synch-l1-2-0.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Monitor\is-PM2FN.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\libcurl.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DocumentPreviewService.exe	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\RealImage\SRONNX_SDK.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\SecurityLaunchCLR.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\RealImage\api-ms-win-core-sysinfo-l1-1-0.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-2JBRM.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-949C8.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-C22L1.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\RealImage\vcruntime140_1.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\TS.Base.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-G1R8I.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-NE0UI.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Monitor\is-MLIVK.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\syslinux\is-5TBHO.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Monitor\api-ms-win-core-localization-l1-2-0.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\lib_TSMediaPlayerSDK.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-L67AH.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-JEGQL.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Languages\is-JI0OA.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\RealImage\is-929OM.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\vccorlib140.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Monitor\api-ms-win-crt-private-l1-1-0.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-F1U77.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\RealImage\ucrtbase.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\ffmpeg.exe	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\RealImage\api-ms-win-crt-runtime-l1-1-0.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\lib_PSRepair_sdk.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-F7RIT.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-8REAI.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-5IKVA.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\is-16AHJ.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\RealImage\is-6KNPO.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File created	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\RealImage\is-3U70K.tmp	AnyDataRecovery_4ddigbing_9.6.2.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Monitor\Kingsoft.Office.Interop.Ksoapi.dll	AnyDataRecovery_4ddigbing_9.6.2.tmp

Executes dropped EXE 2 IoCs

pid	Process
1224	AnyDataRecovery_4ddigbing_9.6.2.exe
2008	AnyDataRecovery_4ddigbing_9.6.2.tmp

Loads dropped DLL 5 IoCs

pid	Process
1532	4ddig-for-windows-bing.exe
1224	AnyDataRecovery_4ddigbing_9.6.2.exe
2008	AnyDataRecovery_4ddigbing_9.6.2.tmp
2008	AnyDataRecovery_4ddigbing_9.6.2.tmp
2008	AnyDataRecovery_4ddigbing_9.6.2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 21 IoCs

evasion

pid	Process
1780	taskkill.exe
892	taskkill.exe
2648	taskkill.exe
2960	taskkill.exe
2620	taskkill.exe
1740	taskkill.exe
2644	taskkill.exe
2740	taskkill.exe
2212	taskkill.exe
1680	taskkill.exe
1320	taskkill.exe
2140	taskkill.exe
2452	taskkill.exe
800	taskkill.exe
2892	taskkill.exe
2672	taskkill.exe
2372	taskkill.exe
1008	taskkill.exe
2500	taskkill.exe
2244	taskkill.exe
2980	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	4ddig-for-windows-bing.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	4ddig-for-windows-bing.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	4ddig-for-windows-bing.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	4ddig-for-windows-bing.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1532	4ddig-for-windows-bing.exe
1532	4ddig-for-windows-bing.exe
2008	AnyDataRecovery_4ddigbing_9.6.2.tmp
2008	AnyDataRecovery_4ddigbing_9.6.2.tmp

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2008	AnyDataRecovery_4ddigbing_9.6.2.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1224	1532	4ddig-for-windows-bing.exe	31
PID 1532 wrote to memory of 1224	1532	4ddig-for-windows-bing.exe	31
PID 1532 wrote to memory of 1224	1532	4ddig-for-windows-bing.exe	31
PID 1532 wrote to memory of 1224	1532	4ddig-for-windows-bing.exe	31
PID 1532 wrote to memory of 1224	1532	4ddig-for-windows-bing.exe	31
PID 1532 wrote to memory of 1224	1532	4ddig-for-windows-bing.exe	31
PID 1532 wrote to memory of 1224	1532	4ddig-for-windows-bing.exe	31
PID 1224 wrote to memory of 2008	1224	AnyDataRecovery_4ddigbing_9.6.2.exe	32
PID 1224 wrote to memory of 2008	1224	AnyDataRecovery_4ddigbing_9.6.2.exe	32
PID 1224 wrote to memory of 2008	1224	AnyDataRecovery_4ddigbing_9.6.2.exe	32
PID 1224 wrote to memory of 2008	1224	AnyDataRecovery_4ddigbing_9.6.2.exe	32
PID 1224 wrote to memory of 2008	1224	AnyDataRecovery_4ddigbing_9.6.2.exe	32
PID 1224 wrote to memory of 2008	1224	AnyDataRecovery_4ddigbing_9.6.2.exe	32
PID 1224 wrote to memory of 2008	1224	AnyDataRecovery_4ddigbing_9.6.2.exe	32
PID 2008 wrote to memory of 2016	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	33
PID 2008 wrote to memory of 2016	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	33
PID 2008 wrote to memory of 2016	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	33
PID 2008 wrote to memory of 2016	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	33
PID 2016 wrote to memory of 1680	2016	cmd.exe	35
PID 2016 wrote to memory of 1680	2016	cmd.exe	35
PID 2016 wrote to memory of 1680	2016	cmd.exe	35
PID 2016 wrote to memory of 1680	2016	cmd.exe	35
PID 2008 wrote to memory of 2032	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	37
PID 2008 wrote to memory of 2032	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	37
PID 2008 wrote to memory of 2032	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	37
PID 2008 wrote to memory of 2032	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	37
PID 2032 wrote to memory of 1780	2032	cmd.exe	39
PID 2032 wrote to memory of 1780	2032	cmd.exe	39
PID 2032 wrote to memory of 1780	2032	cmd.exe	39
PID 2032 wrote to memory of 1780	2032	cmd.exe	39
PID 2008 wrote to memory of 2820	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	40
PID 2008 wrote to memory of 2820	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	40
PID 2008 wrote to memory of 2820	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	40
PID 2008 wrote to memory of 2820	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	40
PID 2820 wrote to memory of 2960	2820	cmd.exe	42
PID 2820 wrote to memory of 2960	2820	cmd.exe	42
PID 2820 wrote to memory of 2960	2820	cmd.exe	42
PID 2820 wrote to memory of 2960	2820	cmd.exe	42
PID 2008 wrote to memory of 3028	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	43
PID 2008 wrote to memory of 3028	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	43
PID 2008 wrote to memory of 3028	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	43
PID 2008 wrote to memory of 3028	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	43
PID 3028 wrote to memory of 2672	3028	cmd.exe	45
PID 3028 wrote to memory of 2672	3028	cmd.exe	45
PID 3028 wrote to memory of 2672	3028	cmd.exe	45
PID 3028 wrote to memory of 2672	3028	cmd.exe	45
PID 2008 wrote to memory of 2384	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	46
PID 2008 wrote to memory of 2384	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	46
PID 2008 wrote to memory of 2384	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	46
PID 2008 wrote to memory of 2384	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	46
PID 2384 wrote to memory of 2620	2384	cmd.exe	48
PID 2384 wrote to memory of 2620	2384	cmd.exe	48
PID 2384 wrote to memory of 2620	2384	cmd.exe	48
PID 2384 wrote to memory of 2620	2384	cmd.exe	48
PID 2008 wrote to memory of 1752	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	49
PID 2008 wrote to memory of 1752	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	49
PID 2008 wrote to memory of 1752	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	49
PID 2008 wrote to memory of 1752	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	49
PID 1752 wrote to memory of 1320	1752	cmd.exe	51
PID 1752 wrote to memory of 1320	1752	cmd.exe	51
PID 1752 wrote to memory of 1320	1752	cmd.exe	51
PID 1752 wrote to memory of 1320	1752	cmd.exe	51
PID 2008 wrote to memory of 1876	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	52
PID 2008 wrote to memory of 1876	2008	AnyDataRecovery_4ddigbing_9.6.2.tmp	52

C:\Users\Admin\AppData\Local\Temp\4ddig-for-windows-bing.exe
"C:\Users\Admin\AppData\Local\Temp\4ddig-for-windows-bing.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\AnyDataRecovery_4ddigbing\AnyDataRecovery_4ddigbing_9.6.2.exe
  /VERYSILENT /SP- /NORESTART /DIR="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\" /LANG=en /LOG="C:\Users\Admin\AppData\Local\Temp\Tenorshare 4DDiG_Setup_20230802140321.log" /sptrack null
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\is-O93H2.tmp\AnyDataRecovery_4ddigbing_9.6.2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-O93H2.tmp\AnyDataRecovery_4ddigbing_9.6.2.tmp" /SL5="$301E6,220574311,743424,C:\Users\Admin\AppData\Local\Temp\AnyDataRecovery_4ddigbing\AnyDataRecovery_4ddigbing_9.6.2.exe" /VERYSILENT /SP- /NORESTART /DIR="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\" /LANG=en /LOG="C:\Users\Admin\AppData\Local\Temp\Tenorshare 4DDiG_Setup_20230802140321.log" /sptrack null
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "Tenorshare 4DDiG.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "Tenorshare 4DDiG.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "Monitor.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "Monitor.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "SuperResolution.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "SuperResolution.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "ParseRecord.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "ParseRecord.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "DebugRecord.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "DebugRecord.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "VideoRepairService.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "VideoRepairService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "PhotosRepairService.exe"
      4⤵
      PID:1876
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "PhotosRepairService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "UpdateService.exe"
      4⤵
      PID:920
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "UpdateService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "DocumentPreviewService.exe"
      4⤵
      PID:1620
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "DocumentPreviewService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "DocumentPreviewServiceEx.exe"
      4⤵
      PID:1652
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "DocumentPreviewServiceEx.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "FrameWorkService.exe"
      4⤵
      PID:1508
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "FrameWorkService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "MediaPlayerService.exe"
      4⤵
      PID:1356
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "MediaPlayerService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "MediaInfoService.exe"
      4⤵
      PID:2308
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "MediaInfoService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "ffmpeg.exe"
      4⤵
      PID:2256
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "ffmpeg.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "DeviceViewerService.exe"
      4⤵
      PID:2100
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "DeviceViewerService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "DocsRepair.exe"
      4⤵
      PID:2688
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "DocsRepair.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "NASConnecter.exe"
      4⤵
      PID:2924
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "NASConnecter.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "doc-repair-office.exe"
      4⤵
      PID:2828
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "doc-repair-office.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "lib_USBFormatSDK.exe"
      4⤵
      PID:2904
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "lib_USBFormatSDK.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "DataScanService.exe"
      4⤵
      PID:2716
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "DataScanService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "PhotoPreviewService.exe"
      4⤵
      PID:2600
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im "PhotoPreviewService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe"
      4⤵
      PID:1664
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:792
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe" enable=yes
      4⤵
      PID:1012
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe" enable=yes
      4⤵
      PID:432
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1632
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe"
      4⤵
      PID:1116
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:3004
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_NetFrameCheck" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe" enable=yes
      4⤵
      PID:968
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_NetFrameCheck" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:964
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_NetFrameCheck" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe" enable=yes
      4⤵
      PID:616
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_NetFrameCheck" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Monitor\Monitor.exe"
      4⤵
      PID:1320
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Monitor\Monitor.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_Monitor" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Monitor\Monitor.exe" enable=yes
      4⤵
      PID:1424
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_Monitor" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Monitor\Monitor.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2676
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_Monitor" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Monitor\Monitor.exe" enable=yes
      4⤵
      PID:1324
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_Monitor" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Monitor\Monitor.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\ParseRecord.exe"
      4⤵
      PID:1160
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\ParseRecord.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:2372
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_ParseRecord" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\ParseRecord.exe" enable=yes
      4⤵
      PID:1628
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_ParseRecord" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\ParseRecord.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_ParseRecord" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\ParseRecord.exe" enable=yes
      4⤵
      PID:2140
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_ParseRecord" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\ParseRecord.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1104
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\UpdateService.exe"
      4⤵
      PID:1508
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\UpdateService.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:1356
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_UpdateService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\UpdateService.exe" enable=yes
      4⤵
      PID:2108
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_UpdateService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\UpdateService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_UpdateService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\UpdateService.exe" enable=yes
      4⤵
      PID:2144
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_UpdateService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\UpdateService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2996
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\VideoRepairService.exe"
      4⤵
      PID:748
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\VideoRepairService.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:2100
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_VideoRepairService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\VideoRepairService.exe" enable=yes
      4⤵
      PID:2412
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_VideoRepairService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\VideoRepairService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_VideoRepairService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\VideoRepairService.exe" enable=yes
      4⤵
      PID:2060
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_VideoRepairService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\VideoRepairService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\PhotosRepairService.exe"
      4⤵
      PID:3044
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\PhotosRepairService.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:3056
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_PhotosRepairService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\PhotosRepairService.exe" enable=yes
      4⤵
      PID:2772
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_PhotosRepairService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\PhotosRepairService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2212
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\FrameWorkService.exe"
      4⤵
      PID:2736
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\FrameWorkService.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_PhotosRepairService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\PhotosRepairService.exe" enable=yes
      4⤵
      PID:2740
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_PhotosRepairService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\PhotosRepairService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2204
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_FrameWorkService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\FrameWorkService.exe" enable=yes
      4⤵
      PID:1660
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_FrameWorkService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\FrameWorkService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1592
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_FrameWorkService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\FrameWorkService.exe" enable=yes
      4⤵
      PID:2032
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_FrameWorkService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\FrameWorkService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:992
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MediaPlayerService.exe"
      4⤵
      PID:1868
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MediaPlayerService.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:1028
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_MediaPlayerService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MediaPlayerService.exe" enable=yes
      4⤵
      PID:1132
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_MediaPlayerService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MediaPlayerService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MediaInfoService.exe"
      4⤵
      PID:1480
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MediaInfoService.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_MediaPlayerService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MediaPlayerService.exe" enable=yes
      4⤵
      PID:1368
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_MediaPlayerService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MediaPlayerService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_MediaInfoService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MediaInfoService.exe" enable=yes
      4⤵
      PID:1376
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_MediaInfoService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MediaInfoService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_MediaInfoService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MediaInfoService.exe" enable=yes
      4⤵
      PID:1172
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_MediaInfoService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MediaInfoService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1100
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\preuninstall.exe"
      4⤵
      PID:2468
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\preuninstall.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:2316
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_preuninstall" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\preuninstall.exe" enable=yes
      4⤵
      PID:2516
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_preuninstall" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\preuninstall.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1652
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_preuninstall" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\preuninstall.exe" enable=yes
      4⤵
      PID:2676
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_preuninstall" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\preuninstall.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1556
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DeviceViewerService.exe"
      4⤵
      PID:2056
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DeviceViewerService.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:332
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DeviceViewerService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DeviceViewerService.exe" enable=yes
      4⤵
      PID:2576
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DeviceViewerService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DeviceViewerService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2548
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DocsRepair.exe"
      4⤵
      PID:1696
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DocsRepair.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:2240
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DeviceViewerService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DeviceViewerService.exe" enable=yes
      4⤵
      PID:2644
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DeviceViewerService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DeviceViewerService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DocsRepair" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DocsRepair.exe" enable=yes
      4⤵
      PID:2452
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DocsRepair" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DocsRepair.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2052
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NASConnecter.exe"
      4⤵
      PID:2388
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NASConnecter.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DocsRepair" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DocsRepair.exe" enable=yes
      4⤵
      PID:2932
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DocsRepair" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DocsRepair.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe"
      4⤵
      PID:2728
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_NASConnecter" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NASConnecter.exe" enable=yes
      4⤵
      PID:2724
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_NASConnecter" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NASConnecter.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_NASConnecter" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NASConnecter.exe" enable=yes
      4⤵
      PID:2972
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_NASConnecter" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NASConnecter.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1096
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\PhotoPreviewService.exe"
      4⤵
      PID:1756
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\PhotoPreviewService.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:2204
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DataScanService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe" enable=yes
      4⤵
      PID:2212
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DataScanService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DataScanService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe" enable=yes
      4⤵
      PID:2332
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DataScanService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2128
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_PhotoPreviewService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\PhotoPreviewService.exe" enable=yes
      4⤵
      PID:2368
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_PhotoPreviewService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\PhotoPreviewService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:992
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_PhotoPreviewService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\PhotoPreviewService.exe" enable=yes
      4⤵
      PID:2840
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Tenorshare 4DDiG_PhotoPreviewService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\PhotoPreviewService.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "702187464-147112010-2008733018151256677514637049761999556777345199179-1194606375"
1⤵
PID:1320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1160012573-200737331313761704131325688208-892207716-15025898017242900591145868262"
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe

Filesize
5.2MB

MD5
34ab42a6036368ec8aa358847036ba62

SHA1
6f7fa2a1ee4718cb3d2ae4b15f568ad108d8449a

SHA256
1293e8af244c9cf358f41134ca427144e9ec533b5ef4fcaa6af2626f46384398

SHA512
764c72f585b9e6dcaa8be7f943a8537d0964b0b569a3e0d77a6e9f5513205e0b738d164c9f3cae294efe41680bfd8108f9de9615e76a428b0f1d42b77fc39638

Download Submit
C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe

Filesize
6.7MB

MD5
72260cae7f20153f03479e7a47fc377a

SHA1
4d4558c631558fd6b7d5c584e729c043bd85afc1

SHA256
67413491b0580ac28c17b9cae281662edf86e14278f9e6c81956f38d5a7dde94

SHA512
27f0fa0fb510c0c680d99092e0b855441cc40a14abaab2a6bb709ce9ad953717d5f0442a2c4b43ccee79540b4f472c61881ecef6d5ed340ec4c22fc95c5863d5

Download Submit
C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\unins000.exe

Filesize
1.7MB

MD5
8f5296d22e743eb9bde18c7e758ade28

SHA1
973d5611f7a9517da4acb2440c065406085423b6

SHA256
8f3ed0f96c7ee3e19202c1b337da445baae7c1b22924f78631b86034f09d8c9a

SHA512
e9aa81c6ad8e2a9317922f4d47268912f9b44a181b16cd6724f94f9519333cf6259bd1846d63cc43d7f0b2a5bc2add7c20943be6f11c33c8f072d41ca0ac66c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AnyDataRecovery_4ddigbing\AnyDataRecovery_4ddigbing_9.6.2.exe

Filesize
211.3MB

MD5
e13837c75c9192b12c41b8d62a1be614

SHA1
f3e21c87f9d3cc5a58e1eca155a925b7ccdd7a8d

SHA256
cf1d897f191ca88a1826a89f83bc2cae6fb8db930aaa1e1c8395fa7642f3b5ea

SHA512
2dbd208ffa02f4a2a73d20cae1d490d9f06e989989305761cca1f5253d3807df6d08f31756947f34cac17acb5c8e5c64dcae979a56870de1d96650c7ec578d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\AnyDataRecovery_4ddigbing\AnyDataRecovery_4ddigbing_9.6.2.exe

Filesize
211.3MB

MD5
e13837c75c9192b12c41b8d62a1be614

SHA1
f3e21c87f9d3cc5a58e1eca155a925b7ccdd7a8d

SHA256
cf1d897f191ca88a1826a89f83bc2cae6fb8db930aaa1e1c8395fa7642f3b5ea

SHA512
2dbd208ffa02f4a2a73d20cae1d490d9f06e989989305761cca1f5253d3807df6d08f31756947f34cac17acb5c8e5c64dcae979a56870de1d96650c7ec578d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\AnyDataRecovery_4ddigbing\AnyDataRecovery_4ddigbing_9.6.2.exe

Filesize
211.3MB

MD5
e13837c75c9192b12c41b8d62a1be614

SHA1
f3e21c87f9d3cc5a58e1eca155a925b7ccdd7a8d

SHA256
cf1d897f191ca88a1826a89f83bc2cae6fb8db930aaa1e1c8395fa7642f3b5ea

SHA512
2dbd208ffa02f4a2a73d20cae1d490d9f06e989989305761cca1f5253d3807df6d08f31756947f34cac17acb5c8e5c64dcae979a56870de1d96650c7ec578d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC5C1.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC660.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O93H2.tmp\AnyDataRecovery_4ddigbing_9.6.2.tmp

Filesize
1.7MB

MD5
8f5296d22e743eb9bde18c7e758ade28

SHA1
973d5611f7a9517da4acb2440c065406085423b6

SHA256
8f3ed0f96c7ee3e19202c1b337da445baae7c1b22924f78631b86034f09d8c9a

SHA512
e9aa81c6ad8e2a9317922f4d47268912f9b44a181b16cd6724f94f9519333cf6259bd1846d63cc43d7f0b2a5bc2add7c20943be6f11c33c8f072d41ca0ac66c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O93H2.tmp\AnyDataRecovery_4ddigbing_9.6.2.tmp

Filesize
1.7MB

MD5
8f5296d22e743eb9bde18c7e758ade28

SHA1
973d5611f7a9517da4acb2440c065406085423b6

SHA256
8f3ed0f96c7ee3e19202c1b337da445baae7c1b22924f78631b86034f09d8c9a

SHA512
e9aa81c6ad8e2a9317922f4d47268912f9b44a181b16cd6724f94f9519333cf6259bd1846d63cc43d7f0b2a5bc2add7c20943be6f11c33c8f072d41ca0ac66c6

Download Submit
\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe

Filesize
5.2MB

MD5
34ab42a6036368ec8aa358847036ba62

SHA1
6f7fa2a1ee4718cb3d2ae4b15f568ad108d8449a

SHA256
1293e8af244c9cf358f41134ca427144e9ec533b5ef4fcaa6af2626f46384398

SHA512
764c72f585b9e6dcaa8be7f943a8537d0964b0b569a3e0d77a6e9f5513205e0b738d164c9f3cae294efe41680bfd8108f9de9615e76a428b0f1d42b77fc39638

Download Submit
\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe

Filesize
5.2MB

MD5
34ab42a6036368ec8aa358847036ba62

SHA1
6f7fa2a1ee4718cb3d2ae4b15f568ad108d8449a

SHA256
1293e8af244c9cf358f41134ca427144e9ec533b5ef4fcaa6af2626f46384398

SHA512
764c72f585b9e6dcaa8be7f943a8537d0964b0b569a3e0d77a6e9f5513205e0b738d164c9f3cae294efe41680bfd8108f9de9615e76a428b0f1d42b77fc39638

Download Submit
\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\unins000.exe

Filesize
1.7MB

MD5
8f5296d22e743eb9bde18c7e758ade28

SHA1
973d5611f7a9517da4acb2440c065406085423b6

SHA256
8f3ed0f96c7ee3e19202c1b337da445baae7c1b22924f78631b86034f09d8c9a

SHA512
e9aa81c6ad8e2a9317922f4d47268912f9b44a181b16cd6724f94f9519333cf6259bd1846d63cc43d7f0b2a5bc2add7c20943be6f11c33c8f072d41ca0ac66c6

Download Submit
\Users\Admin\AppData\Local\Temp\AnyDataRecovery_4ddigbing\AnyDataRecovery_4ddigbing_9.6.2.exe

Filesize
211.3MB

MD5
e13837c75c9192b12c41b8d62a1be614

SHA1
f3e21c87f9d3cc5a58e1eca155a925b7ccdd7a8d

SHA256
cf1d897f191ca88a1826a89f83bc2cae6fb8db930aaa1e1c8395fa7642f3b5ea

SHA512
2dbd208ffa02f4a2a73d20cae1d490d9f06e989989305761cca1f5253d3807df6d08f31756947f34cac17acb5c8e5c64dcae979a56870de1d96650c7ec578d08

Download Submit
\Users\Admin\AppData\Local\Temp\is-O93H2.tmp\AnyDataRecovery_4ddigbing_9.6.2.tmp

Filesize
1.7MB

MD5
8f5296d22e743eb9bde18c7e758ade28

SHA1
973d5611f7a9517da4acb2440c065406085423b6

SHA256
8f3ed0f96c7ee3e19202c1b337da445baae7c1b22924f78631b86034f09d8c9a

SHA512
e9aa81c6ad8e2a9317922f4d47268912f9b44a181b16cd6724f94f9519333cf6259bd1846d63cc43d7f0b2a5bc2add7c20943be6f11c33c8f072d41ca0ac66c6

Download Submit
memory/1224-276-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1224-1012-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1224-286-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1532-299-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/1532-217-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/1532-228-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/1532-275-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/1532-222-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/1532-54-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/2008-509-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2008-958-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2008-989-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2008-288-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2008-284-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2008-1008-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2008-1011-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download