Analysis Overview
SHA256
feb3ab1217f993d9214bb0e1a9561709bd9a1172ceee719fa9051d9fa6aa9622
Threat Level: Known bad
The file feb3ab1217f993d9214bb0e1a9561709bd9a1172ceee719fa9051d9fa6aa9622 was found to be: Known bad.
Malicious Activity Summary
Babadeda
Babadeda Crypter
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Drops file in Windows directory
Enumerates physical storage devices
Detects BABADEDA Crypter
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-10-30 07:14
Signatures
Analysis: behavioral4
Detonation Overview
Submitted
2023-10-30 07:14
Reported
2023-10-30 07:17
Platform
win10v2004-20231020-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Xaw-VPN\Xaw-VPN _ Secure, Fast, Free VPN service for online privacy.pdf"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=298C30B91BCC7A1175CE5EE0D6207899 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=298C30B91BCC7A1175CE5EE0D6207899 --renderer-client-id=2 
--mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C90861DCD214996F7AB9B84F1430016C --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=057A5B2F1BAE70F3B95B4AEECFBECD80 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8EB65464B85D5E381B2AF5730416E06F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8EB65464B85D5E381B2AF5730416E06F --renderer-client-id=5 
--mojo-platform-channel-handle=2420 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=45A37EC662BB5A6F05E4F0F1F30C2093 --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E05E15D49C4CDC00EF0E6680CFBB3B44 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.0.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 254.1.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 2ec428e7f634c75c9ceda0c64e78646e |
| SHA1 | 832eef1a89052e08b1e79e6a6b5ff6b0c747eb70 |
| SHA256 | e27fd3829d388440f9bfb7e75d301acae4a2912c996d463351e76ef4adc8ea98 |
| SHA512 | 1e6ef1bf4daa04a83547ee912cc7533e932eac3337165aeda9d166041487e6f2dabda381eb4cabaaa9e522c40e29596bf4f703a3e55096e968ce7b7106258112 |
Analysis: behavioral5
Detonation Overview
Submitted
2023-10-30 07:14
Reported
2023-10-30 07:17
Platform
win7-20231020-en
Max time kernel
134s
Max time network
133s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404811946" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FB54FEB1-76F3-11EE-8260-66C04E06BBC8} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005718aef034e0654ab00265bd8f8b2f5400000000020000000000106600000001000020000000a495c9db20b6f9eb2cf40ca0f9685b691e455c39be94c802e5c8ee605640b9b7000000000e80000000020000200000001ac1208c34941e688bc9270024c5274600539e16146699616fbc4d209f140ede2000000047943326234c2651e49bf74ec416d612f3d81d3a2a44a83d2b2956bce2275d31400000005f1afff080d9e9cb54bbd7a47d1e100d842b6fb63c701a119c1902b3a2a82649de0892af75b0b9f189ce409f96c993dcfc149502be43efdacdd86b7c56cbc01b | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80110bd1000bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not preserved in this copy of the report) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1384 wrote to memory of 2172 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1384 wrote to memory of 2172 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1384 wrote to memory of 2172 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1384 wrote to memory of 2172 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Xaw-VPN\index.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1384 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab61F1.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar9C17.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3effff89a1d08c01f7e27b70f10c747e |
| SHA1 | bf172b859004311a33c1edd5ac0efd53bd46f7fd |
| SHA256 | 259744dbb338abc9f67a33c88746a08582b04fb9a3b56514517a236ce68a0d74 |
| SHA512 | aea0335825cb599f87ce1722cac6d4aad7989b89b7dfcd823db151b0a4bdb439a53a8c9d10124abe432733ec76052b5394f7c5b7f0acb896988d38776fc9d8ad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7d436badd56ea263fe3b3d1b3cb22305 |
| SHA1 | 8acc8c9a75de11aa7d2e345e67a88d0fabb51756 |
| SHA256 | 966411512295baa5c7aba7043026a831dc6e20a637cf7c67861083fb4ea61bb2 |
| SHA512 | 2862b807d33e807076ff6b78acb02d6ca34df181b50d9ab7fcff4535aa670cbf04742e8310c9760babc7f45b823f232efd55d7ec074eb495d613c14a74e30746 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7a6b6fa3ed093ee2910cb7cb8b17dc5c |
| SHA1 | 552015b7e13117aa3578ce5259b772a4d59042f9 |
| SHA256 | 7c02bd1cd006c9995d6a2b576afcdb26752b8bd9f9b957f2d500061b6ed81fdf |
| SHA512 | d35260a3423b9fe098158300cb4bc89cc9f5370d2716ee210831282d9e7895fb033661f2160e84cb2c10a1751328354a9a6f85d0bbc61944a6554ab7c44e7480 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bedf463e57b7543c7d1e2c4f2251ea09 |
| SHA1 | 443f9447a214c2d5b84752389652b3b0f190af5c |
| SHA256 | 34d3d1b52ec5152dec5daa4bf7bab276bb45d2b190cfaf0ea61a5b7d0f3bef6e |
| SHA512 | 4f2aa18bcb4cd3d2d1f13099dec60c571800d3553981b9bf01a280f9485b5e02ed9008508f7e0297713963ad020c904fc345893cce4c5bd675c8412cf8d07b19 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6511f9b41cce48be9122ec8d1066c72a |
| SHA1 | e1f1bc4a296d2266691e3db6368168526ba4f9a5 |
| SHA256 | b7e178fd527455d9e803ea6767f7957ee9235bf5af527ec69af39fa9b38e9503 |
| SHA512 | d327f6685a73770e83603b9ea34d0bb7f40d0ac761c185c4148fef996d4c1a6d072199a64f9753ac1abdbc5d87ec9ed8cfe70385ac1407a4839ee6a22067b8fc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7ddb45d2c449108b2bcdd7ead19a41d6 |
| SHA1 | 11a4d7d4aeda314bf5dc0d125a6d890ee84043bd |
| SHA256 | 9a010ecda68a227f3e9c5dcde850576b07e432d7abbb5f391a498b6a94c183b2 |
| SHA512 | bf093d2cf1481bd97dd135fc2eeda143e181e4f1381d01f0c8f62bf63dd4fee6c1501d4b658e714bd65dad25f7c7c7d63faf61fe4279ef889ae270fd84e466a1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aaff6b9ce39fe77802fb7788fc072a65 |
| SHA1 | 2605ee2ce979fa2aa55d775cfc2031fcfe95711f |
| SHA256 | 15367b7d67ece78f49a8d0eb7765639b12e9049b7060c7babce8d6dc5ad35e68 |
| SHA512 | 353aef38c91ca4430b29c84a68febb8793dbb97e7b3d4329df51919a4c8b9b496bad7ef3d132c3b508617f3ac5f108cb3d935d0a5a00b36bdd89b4f7573786b8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 540fed3037805e554449dcc26c430602 |
| SHA1 | eff102b7d61ba8dfcc05e43cef33ca741bfc3793 |
| SHA256 | 31964e4e637051dd59bdb24a976e1b7a882b20356dabe43c91e4f2a020ac2f91 |
| SHA512 | df3a78d50da207c83d9f568af8f5d71ab79322fa33ccdc27c46292ee08580e08cd3e0bc5967b0fcdad145f1517843844c9274880f71b9497d3709acf03ea3030 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eaf058e53ceebeea061ac9547358a7a9 |
| SHA1 | 0b7cc64504291c2e3272c6b18649518f02f00373 |
| SHA256 | 97f151b4bd35566f9571907d8ededc042eec75783bd7649c848111c06827b2bf |
| SHA512 | 89f5062ef4d5d1a6c99aa667eb0c11778e916a88294b8103682257f6f7a7a2ec3d3aae6c06f7d466f29da21c0f76fdcc5a6330486b6c3d284b3bee8f0fe87d52 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0c055158c194b555fc2161c82c211bb7 |
| SHA1 | 9f3ed4e39b2282a74cf0b9890cc707e6735b4198 |
| SHA256 | ca4f3d51a40226c8c0c4f2e06cd66862a1148f7462db8905239c051fc009c6a0 |
| SHA512 | 8684042146511a1c46da3720aef6d462c4b7f2b32c18abae12c6e5b8fcbd89e85e683d037b26c7d16711e6d5665138b5574345441a712caa63caa5193d10d5a7 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-30 07:14
Reported
2023-10-30 07:17
Platform
win7-20231023-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe | N/A |
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\f76649d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6558.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6895.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f7664a0.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f7664a0.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76649d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI66DF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6970.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI72C4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\info107 | C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe | N/A |
| File opened for modification | C:\Windows\info108 | C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe | N/A |
Enumerates physical storage devices
Detects BABADEDA Crypter
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DB03868180ADCEFC29564652E929DBB4 C
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\knive.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1698390662 " AI_EUIMSI=""
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E9BAB9711A17DC863C0E247118746EFC
C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe
"C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe"
Network
Files
memory/796-290-0x0000000000210000-0x0000000000211000-memory.dmp
memory/796-295-0x0000000003440000-0x00000000034FB000-memory.dmp
memory/796-296-0x0000000003440000-0x00000000034FB000-memory.dmp
memory/796-298-0x0000000003440000-0x00000000034FB000-memory.dmp
memory/796-302-0x0000000003440000-0x00000000034FB000-memory.dmp
memory/796-329-0x0000000006D20000-0x00000000071CD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-30 07:14
Reported
2023-10-30 07:17
Platform
win10v2004-20231023-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe | N/A |
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\e57950c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{AF6F7017-4E4C-4CCF-A8BF-78CA7136E10A} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\info107 | C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9760.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9916.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\info108 | C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57950c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI99A4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9655.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA667.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI95B8.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Detects BABADEDA Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C4B868CF26DA5BDD86F07733CB2F6648 C
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\knive.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1698409461 " AI_EUIMSI=""
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3D6F600E0EB75E351ABD1B55728D9E37
C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe
"C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
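The Processes listing above is the part of this report most directly usable for detection: a Setup.exe in %TEMP% runs msiexec.exe with /i on an MSI under AppData\Roaming, the command line carries AI_SETUPEXEPATH pointing back at that bootstrapper, and DataRecovery.exe is then executed from AppData\Local (the "Executes dropped EXE" signature). The following Python is an added example, not part of the sandbox report or of any vendor tooling: it encodes that chain as two rules over process-creation events. The events are constructed from the command lines shown above; the pid/ppid values and which msiexec instance is the parent of DataRecovery.exe are assumptions, since the report lists command lines only.

```python
import re

# Constructed process-creation events modelled on the "Processes" listing in
# this report.  The command lines are the ones shown there; pid/ppid values
# and the parent of DataRecovery.exe are ASSUMPTIONS (the report lists no PIDs).
EVENTS = [
    {"pid": 100, "ppid": 50, "image": r"C:\Users\Admin\AppData\Local\Temp\Setup.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Setup.exe"'},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding C4B868CF26DA5BDD86F07733CB2F6648 C"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r'"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\knive.msi" '
                r'AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ '
                r'EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1698409461 " AI_EUIMSI=""'},
    {"pid": 500, "ppid": 200, "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding 3D6F600E0EB75E351ABD1B55728D9E37"},
    {"pid": 600, "ppid": 500, "image": r"C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\KNIME Analytics Platform\DataRecovery.exe"'},
]

USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
LOCAL_APPDATA = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)
MSI_QUOTED = re.compile(r'/i\s+"([^"]+\.msi)"', re.IGNORECASE)
MSI_BARE = re.compile(r"/i\s+(\S+\.msi)", re.IGNORECASE)
AI_SETUPEXE = re.compile(r"AI_SETUPEXEPATH=(\S+)", re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of an image path (msiexec.exe / MsiExec.exe compare equal)."""
    return path.rsplit("\\", 1)[-1].lower()


def msi_path(cmdline):
    """Package path passed to msiexec /i, quoted or bare; None if not an install."""
    m = MSI_QUOTED.search(cmdline) or MSI_BARE.search(cmdline)
    return m.group(1) if m else None


def ancestors(pid, by_pid):
    """Parent chain of pid, nearest first, excluding pid itself; stops on unknown or looping ppids."""
    chain, seen = [], {pid}
    ppid = by_pid[pid]["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        chain.append(by_pid[ppid])
        ppid = by_pid[ppid]["ppid"]
    return chain


def rule_msi_from_user_profile(ev):
    """msiexec installing a package that lives under a user profile (here AppData\\Roaming)."""
    if image_name(ev["image"]) != "msiexec.exe":
        return None
    msi = msi_path(ev["cmdline"])
    if not msi or not USER_PROFILE.search(msi):
        return None
    detail = f"msiexec /i on {msi}"
    boot = AI_SETUPEXE.search(ev["cmdline"])
    if boot and TEMP_DIR.search(boot.group(1)):
        detail += f"; bootstrapper in %TEMP%: {boot.group(1)}"
    return {"rule": "msi_install_from_user_profile", "pid": ev["pid"], "detail": detail}


def rule_dropped_exe_under_msiexec(ev, by_pid):
    """A non-msiexec image under AppData\\Local whose ancestry contains msiexec.exe."""
    if image_name(ev["image"]) == "msiexec.exe" or not LOCAL_APPDATA.search(ev["image"]):
        return None
    for anc in ancestors(ev["pid"], by_pid):
        if image_name(anc["image"]) == "msiexec.exe":
            return {"rule": "dropped_exe_spawned_under_msiexec", "pid": ev["pid"],
                    "detail": f'{ev["image"]} under msiexec pid {anc["pid"]}'}
    return None


def detect(events):
    """Run both rules over every event; returns a list of finding dicts in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        for hit in (rule_msi_from_user_profile(ev), rule_dropped_exe_under_msiexec(ev, by_pid)):
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["rule"]} pid={f["pid"]}: {f["detail"]}')
```

Against the constructed events the first rule fires once (the /i install of knive.msi, with the %TEMP% bootstrapper noted) and the second once (DataRecovery.exe under the -Embedding msiexec). Per-user MSI installs driven by a bootstrapper in %TEMP% are also how many legitimate installers behave, so the first rule is a hunting lead rather than an alert on its own; the combination with an executable launched from a freshly created AppData\Local directory is what makes this chain worth escalating.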
Files
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\knive.msi
| MD5 | 298d83fd666bdd880bc840ae8c7fcf8a |
| SHA1 | a876b0f6d052845c996cdd236b61956c683f0427 |
| SHA256 | ed97ffcba883cfc33d5b7e0c665d7c41964397cfd9a56ea993bd2b91c044c351 |
| SHA512 | bb0a6e49fe8f2d9056e70eeb75e21332c4407187f9532fd3ed31691fe1b1421b32ae6d0deaf86ec459fcac4d0bd982a54836eb68bc24d2dbd71890c38d11dae6 |
C:\Users\Admin\AppData\Local\Temp\MSI922F.tmp
| MD5 | 7380aa7a4eafd17c21cf315ae35fe288 |
| SHA1 | 886747c7526627898bd36ff8b85869c9bf6718fc |
| SHA256 | dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88 |
| SHA512 | c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1 |
C:\Windows\Installer\MSI95B8.tmp
| MD5 | 7380aa7a4eafd17c21cf315ae35fe288 |
| SHA1 | 886747c7526627898bd36ff8b85869c9bf6718fc |
| SHA256 | dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88 |
| SHA512 | c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1 |
C:\Windows\Installer\MSI9655.tmp
| MD5 | 7380aa7a4eafd17c21cf315ae35fe288 |
| SHA1 | 886747c7526627898bd36ff8b85869c9bf6718fc |
| SHA256 | dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88 |
| SHA512 | c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1 |
C:\Windows\Installer\MSI9760.tmp
| MD5 | 7380aa7a4eafd17c21cf315ae35fe288 |
| SHA1 | 886747c7526627898bd36ff8b85869c9bf6718fc |
| SHA256 | dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88 |
| SHA512 | c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1 |
C:\Windows\Installer\MSI9916.tmp
| MD5 | 7380aa7a4eafd17c21cf315ae35fe288 |
| SHA1 | 886747c7526627898bd36ff8b85869c9bf6718fc |
| SHA256 | dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88 |
| SHA512 | c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1 |
C:\Windows\Installer\MSI99A4.tmp
| MD5 | ae585caebd7faece019342026b304129 |
| SHA1 | 8c512e6db9b0c9547fc0a6d3f3d1216e373d924e |
| SHA256 | 92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4 |
| SHA512 | dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\japp.dll
| MD5 | b02036b69036a4cc1f91b84693447ae7 |
| SHA1 | 84f190804e1d2d063fb679621b4a7c0483f2952f |
| SHA256 | 7f29c4ee1ce8c8d3cd04ac2bceb9a48763900e4aa298368310f3ccd9c782d86e |
| SHA512 | 445c7ef300567f9f5a106f39170dac527d68f80f2f24e7c566e7e184aabbdcc6179cb9c56d506053d44c3f7c71f91b3e86f950fe4da890d6838fc82d772da771 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\gp.chm
| MD5 | 6a50c40bc4b83338ea2ae3f05f77d1ab |
| SHA1 | 8f4108d83f2319c73dd17022f8f880f4251fb70d |
| SHA256 | 3fb64917570e3cb8d66df05dd9e5e0fe4cc4046f843b8206fd130978ebbff1e8 |
| SHA512 | db51edd44d2eb087261a2418b6a2f41b8d81af356c05026bf8211bcdcbc30a9b4a6785bfdf869fe81e0e957fd61d87380d5355db95cde627e262f0db53f531e2 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\mdb.dll
| MD5 | 7259be44bb84b3147e58d87e89355523 |
| SHA1 | 5f39919ea6f80daba9832438542f4c62c4f55d40 |
| SHA256 | 130944dbf10de1cacb1a2446c6c264d5266787b4840a41e55e9e1eaf99047350 |
| SHA512 | 95c16b7147a0a561fba54debc48e44dc662dbb77e0371312bf78c3395e554502e28188d56103aa34cb2b1d42f6100d8ac8b764e0d452a1c19d72d0ee2cfd2d5e |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\settings.dat
| MD5 | daab96fd6697cbfaa5ded2faa337058f |
| SHA1 | 745cf1565e0c5da2a088a9d1164aa21a0089eabd |
| SHA256 | 58d478108d29f9ee5864abfad4362d0be0a7b0fc1e734b9027b6accc612a43c3 |
| SHA512 | 0231e22c0cb50939184b1268875d33cc7189c4f0128e1d4239506a23bec7b0e35b96a5fd59f10c84534ca3018da220e2c523a92a16c1880e1d6e65f60204e2d6 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\libBasic.dll
| MD5 | 92eba8a211c2a3063d907005064ecf12 |
| SHA1 | ef5534fb193e7c5f16b63a642d2ac18e90201c54 |
| SHA256 | 13ed3739782eb2feae32aa2176cd8b0c0b5f9e45259b1c22ffe960b5fef31ffc |
| SHA512 | 2aaf82f99742aa4ddfd0015cb9a8f78c84b3f1e76af7074b5f595cbae0eaaa22a53c2500c648996fb4227c2199bb5e90b2fe2181a71e369fb6b7b232b1415c37 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\groceryc.dll
| MD5 | fb3461ac1e498033b08247f1ebaa5ade |
| SHA1 | e8e46582973c7bbceb2af8edbd70dc11068c0918 |
| SHA256 | 16eebcae164bf362f3fb4376fd791bc43bf42bd7f07f13924015f134cec74666 |
| SHA512 | 46b66742b556b3ec94b35eef736a17b109239900cd3e84f9af34f459076aadab56b769e3fe461492c4ef36a8f636c55de0656f20402f17903a252271ac6e7667 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\libcurl.dll
| MD5 | d3ba3c273671256834905b34f65793da |
| SHA1 | 2dddf9d49d8772ebd0ce6ff28154ea88652edbb0 |
| SHA256 | 174f21c80e25d566f401aaf84abbad8d488828627ef3a7a2ea6f75e6e257a195 |
| SHA512 | 2248e775ae877737ebe5bd987e97278cfc25cf764bf073e01c9881af074da990018cfd6c6cbca733671b38670f13929d7674830fa0085941c74addb393e90261 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\libexpat.dll
| MD5 | 1b575746671c0dcf0d23f9a84e2ac60c |
| SHA1 | d91fe664dfba0497ee82ba54d39e300c4f2fab40 |
| SHA256 | 38ae973fb8474c8d40a8c2c1abf003b6d5d1402fdb43a133b39b78a0bc545fde |
| SHA512 | d4116e49a2ce313d314d6fb819c7dfa7f9856cc144f2e5a1cdb945f28673d915bb77af8775f436b87c7c341b0930f5b5a31e75157dd82356e0a3268781e1de64 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\libIPC.dll
| MD5 | 751f6e3e3d6f267e0313fccd5ce039bb |
| SHA1 | 7fc30806afbba4bcf01a856bc1d4e1980bf02c51 |
| SHA256 | ab3373e608702ff3c0919a82f1339012fd531dc7dd96fdd0de895c6942b4ae0a |
| SHA512 | 9e01200aa7bed7147cf4a33d710268cf0c40cfad3beb986ed23b88fc177968eca016c0960a9446c1e14efa8c2e3da7e2e2ff73348bd73dff8f7b17c18695ec62 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\libxml2-2.dll
| MD5 | dc361dc3534f78afb83229bbb94f5a2b |
| SHA1 | d5f84989630cc3b240518b91d6e8d8923c088e86 |
| SHA256 | 4239ddecd0acb279786454adf91b8f1ad97f5ceb81d6e9fa430581b259de784f |
| SHA512 | 186a24d15fb51166c713f9ffa8c16543f6af97e58543379b05490fca73899d6152acf84ed1d60dcdb0ff289787641812c15da96278b49414b55b55cb37169896 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\libRG.dll
| MD5 | 28d3cd357afe7fb92de5c9da21d9847f |
| SHA1 | c412d3f742f6d92092b002c0a09cc8fc7c8824ed |
| SHA256 | 27b69838e6cd434f678ab14ae2632cf503bf2c857de7bc3945b3936527261056 |
| SHA512 | 931b94edf9d9d4a6d15796ac632229fe12dc526873907f31cdb6f58b7d2817543b4761dcd1bbfdcd0d09a8e5811f2b3d8c66a2283e99b7223bd504cdb9be271a |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\libpng14.dll
| MD5 | 0a7386bc5253dc46131372ce06ed37d7 |
| SHA1 | cddd0fa8121a97ba11bf4e7a3ad5fd31bdc7690a |
| SHA256 | 22ce58559e860daba2f09fe56a883110fc96dcf905327873f5b5902acb1791a0 |
| SHA512 | 26376136c7b3656f69efe22a2a3306f13bfde9fe3bac22ca30c46f0ffa289ef403e88dfb1870ce77e80a0d3217b9da9f88b33070304181bb248a366feafc1a40 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\libUpdate.dll
| MD5 | 98688c1c345c3d781793d77fa00adbd2 |
| SHA1 | 93200955dba37aedc4a136d368667978b6885849 |
| SHA256 | 800529d279cc65351dd70c513bfdc967b18cf686b3dc929b9ed09f5aa7440f40 |
| SHA512 | 57d37f67bd12e877b5edd6d0fab21d5ba79428a870490fb65b9d63b6a6c624b489258c97971f086c96adb48e94989f98968b9324d404ae45c01fb1343e386b35 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\pthreadVC2.dll
| MD5 | 01819c12d2b7a56ebc3cec57a59aee01 |
| SHA1 | 554aa7bb916b7b6a754c3d60057a61de9eccde8b |
| SHA256 | 69a85cbb337aaf764d9c66d3035f0705def8818e64a2adf01b43b5eb54bd4953 |
| SHA512 | 2647397f2d52a645d373d2170157ea4f718e9fe861c316f7b732fcdfac8b05b2f001acaf480cc8f4df0ce90c0254fbec5e02448377709746c9dbbca5c62cc00c |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\sqlite3.dll
| MD5 | a40cd00311998464f1f9e62c0f23aaf3 |
| SHA1 | fd2955400dd0c225105db0cb33bade79f327dbb8 |
| SHA256 | 95da779237273e718e2de238cceafaf727f05929ed368feb64f8eb7192d181d5 |
| SHA512 | 26dda0fae43f7fe165eec7eeb6eb4fcc8fd6ef7c1bbde0e48d976f23ddb82fc6753cffc699b9ac18ef4913734aee4a5eb14ee0842601d923bf8b404c32fd7571 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\Coolmuster iPhone Data Recovery.exe
| MD5 | a559b308dfe42e65c353a595bf69912b |
| SHA1 | 5d70427190688a177053b9a22d15be08d840a2b7 |
| SHA256 | dc5c78801206f712dd02f15160c31cc7e7143440ed942dc1af6f6c02851d7898 |
| SHA512 | 5abdc15ba45733f2be166bbc684226b1d9d738911a286b22ce3210af944e68cd2dcc800efd419913e524c0cf69f4898772f863634a63802ffae87f23897d28fb |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\iOSAssistUtility.exe
| MD5 | e3d8ab828b3648a6072b3e687070ae3c |
| SHA1 | f7ae617777dc0674b9d9cbf66c51d706643ebd22 |
| SHA256 | e85799a46dc76c285dd253bbf4ce01df106ef6378f8d2b364fcf3fbdd8540380 |
| SHA512 | abfec9421d08586227875e5f5d8b0f7b336817433684e9788631544ee7c93a9d872327a8696f7807e104667b1e89638667e993d6da079679127cda6e2b11f670 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\vccorlib140.dll
| MD5 | ae13e4f8338173a979135141e0dfb02f |
| SHA1 | 6fc365c1b18d34f6c1c0a691a4e527f2748f7efd |
| SHA256 | 7e3211bfcd4698140ce90e6664e044f7c7c8100c5b7bf1cec161df32fc412056 |
| SHA512 | 22051878786454be0f8732aeab51a89651db255339ce95a358cc8f8a2072e5ef661606b58d54581186b422cbc9af7a5c4d3c45e0b9fd76efa7287f8f306fb98e |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | a07afa26ab56a8d3b8b16591a1962005 |
| SHA1 | 2b6f3143487f747911ee20f039f1ffb1381858ac |
| SHA256 | 6be230837149dc2a8c7772142a674c3f90930a55da7f91d791942d8276d5440b |
| SHA512 | b77b277d10cf6b8d209679684ead55b4347caef3213acdccdee35b5d4fe0e3fc136daf057830512c5473c4653a8d66357927c4b7d204c07d7508f792299d7fe9 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | 2557484c75d4507688b68a64882e0022 |
| SHA1 | ff78c6d44f7474d98402f8e17cfce5d712c41b95 |
| SHA256 | 50b3e4ffee430c1b45f0ca75959936608f756ae5eb0352e8f3f5f69c5adfaa20 |
| SHA512 | e1c502e889664a46acaf0d8cab5d5082f46ad3f6f1a24ec702ec5174d077fff51cce7f80b13c5c22704937ce380ec3b14c088955d94eef1050d293c078869870 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | 56813b784a1f8cdabedcc10de6e84864 |
| SHA1 | b636ba140e1ba7de5e59932702e7b4e53025d651 |
| SHA256 | 98ee724aa3f5a8ec4f3f8596be5aba5cd19b556f88ef9fbaff1569051a4d0dc1 |
| SHA512 | f11739be9ff624044035678cf39b91d28a53f1ac56342baf985a4328da4c64c81107d7e1787ee50efb382472e4d46bb21c520918b8831edc7f6b3db70befa068 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | a8f889870885c5784afd47f5e3d33eed |
| SHA1 | 494b86c51c8908d17e563c80da0d42350aaf1155 |
| SHA256 | 8979fe86afe23035caedd5df135786da2b28c095b69ce0179b6484fd680c9b91 |
| SHA512 | bb18675a9b311e4c34806ec834886659a95207a4ec9b48b082f5fa0e05f016b9f946db29c7aa20662b4090c7f42a606f9f3a5df48d7ed20c5b404ccf91a1b7eb |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-memory-l1-1-0.dll
| MD5 | 98b1e6d052cee5ccbb7e5af795b9f48c |
| SHA1 | 357ef3f8011d7e7f1d4cb30beae58d24d6b05085 |
| SHA256 | 5c950723ff3118801884df67b6a14543978263a2d2a0437d8c8b2fe8ef3925d4 |
| SHA512 | 31d961ada87eedfc4c1bb8938b0c4b44842153f4450f48a0c1dc12208f5c1ba62b076ef91a0dbd1c3f98d1e96517904b95e072002c50d2873c8638ddb25417d7 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 602a35b140d9d68d7b3e488896158365 |
| SHA1 | f1ba615abb54ff786ddbc74dffffd56394bfc892 |
| SHA256 | 43b98f74476c86107c8317749f54a107e2955696e4f79d3d02683dd7034d1d52 |
| SHA512 | 4388947f90838cae8b5f8137c9ed2a099028b4341da8c574d536c6ad096bad0e217e105f0367750c70e3d3ca4857255b674955c71ecff0fda9c47a4b1951b8b6 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | b0537a9eccc0f909c0715fc93b473d8d |
| SHA1 | 79e9929c83f5f73314c52f26be4147a74aa80e23 |
| SHA256 | 8784c4912a2f391d5f0c79b38f48baf88e98bf4fa61614ccb9232d9bd1e4ad54 |
| SHA512 | d68e50361566e8800afb5fae32c65c90d2ac7877f9a02f3e2e6af61ccd8f99b484c808a9ba62ec9e4727481798b3d3f4f74d19b16c6ed80536cf89351071bab6 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | 8dcf3111501ed0a01855ebb328537bf7 |
| SHA1 | 2134bca1fa16133632a1b3f28fc38edc15e933ac |
| SHA256 | 76f092341fbef40d5f35f70bab55f2eeb3e70a9b60f46043b342ceab7f79cef1 |
| SHA512 | 4cb596ca11b4941571f3b998c98707bdf45ad608c9f661e0f0ae528fdb797190c9bb22e58ff65a98e52e3e51396f4c8b22229eefe54f0a73eb49c79d07ce1604 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-heap-l1-1-0.dll
| MD5 | 6e306654a55454e40889407e9334da0c |
| SHA1 | 0612894d9fbd8f92299541535f78db05fba3a78e |
| SHA256 | eb02fc995bb92b214dd684e24c1060735f61ad4884ccb4aafa86c7c1de66d621 |
| SHA512 | f5a6980824cbfa82c47b20581658eb9fa8eeb2dbcf6bf9b148fe09099a3b131c2a4cc2a129135e708fb72f1cc43f083f93fc85a0e03209b75dfcc09106b977ac |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-handle-l1-1-0.dll
| MD5 | c8d52cde743f4559e6eda1472ad44277 |
| SHA1 | 09a19c5c5bc45dbf5391d882015b47cdad4b5631 |
| SHA256 | d2926dcb85ab577be75ecab1fc8dcd062318f147e0a9262a3b807bb5acb62beb |
| SHA512 | 3a031f282303cf664c6ab04c1561598595ef776799005d8ac7ae091ffd140e4d1d1e23b9f6783618c2bae4dc4d1cf741fdb3f83390d6854de97d85af4c940b23 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-file-l2-1-0.dll
| MD5 | 422adad24e8da100f85bf3de86b5f302 |
| SHA1 | 7004b3ed8663b5890cd25e1a7899a766be912728 |
| SHA256 | e04642684dc7376839c570bc11e9b46cae14420f1a85f7562fd2c4d656a22956 |
| SHA512 | e689ecb1a1cb1e7735cb6a961fd054d87bcad01acf76950b14a3bf4e08ddb7a8d31805c203374ee081a4ec13c40b25b3dc83b3895b9bfbd9c135673e98e6ee63 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-file-l1-2-0.dll
| MD5 | 86279521328398e87699d248628eb13a |
| SHA1 | e4d4c39bda90635f1f5c2fc58b1304e2daac9caf |
| SHA256 | 3c9b67616fd0ceb3dd92e605918b08556683ebab5537aa76dff300fbd54b0337 |
| SHA512 | 2cc328955611ad8369ff9facf9c1aabe99a20c3ded2977ad86c69e0f54acd78fa6f572ed688625c8c63016826a10b3578e3c186ef2b39c4bf393ab5e399913a6 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-file-l1-1-0.dll
| MD5 | 977831a443ea30ac8cb70f4a069a2795 |
| SHA1 | b07313dc2760c524d1bae783e81a7f18743bff87 |
| SHA256 | f6eb872448b5147e59f373eee8a9852d1afc5eecb967f713a7f7acb4939e9a63 |
| SHA512 | 0c17bb97188b6b2aaa49fb3cef94053bf20e7b587cca9307ec4a4e166f4703d17a50c12148b3112cb5d98088bfd186adacb8c55c3d8a634ead2dad93b70b5f18 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | 1a456489a0e26cf602d4af97fd537b0c |
| SHA1 | fa62a55a403ee92b1d5f31ce2c5cc65e2de03247 |
| SHA256 | 3e8d67f3978e40a636c5fa86c310801d6d6b74127e556c57ff6fde8e1d7b706d |
| SHA512 | 04a61c6d79c72d729d602c4a5d069c73cd92b0586d988056b2f2cebf88bac5723c1928d4a1a08fe13151ba9905cc28aeafbe344c829fadc66f138aac43e8c147 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-debug-l1-1-0.dll
| MD5 | bf8a71efcaa8260de58ab657dbf624c6 |
| SHA1 | 48a1e8fd73c0b16304f0fafd6e7f6b5efb476314 |
| SHA256 | c3003ff52917dbac5d3feec1bdea8ad4163893ec2d320f904b6d3698a6dbc7bc |
| SHA512 | e1284fe0c7f42204043320322dbbaadfe194aae4eef0aa863b25176107ec9900a2a0dfe4778b7ca5960d6b187e7cc61e028bd02ae0dae20a90591e33165dbc0f |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | b669e6de4647cd31009b15d5edd7c999 |
| SHA1 | 16f05edfa04378e99d906e9162b502c99d8ddb61 |
| SHA256 | 4e560ebdfe0bc1193a0f3feaac35634b0655829d5cc7e79d113f3a994f16d3ed |
| SHA512 | afc8ac85c8fa15fbb3e72b8192314b8ca7eaa0a686ef77747adadd0b902260f2cb0482f76012cfd5023a12a7c0d89b973af97bd4f208389d8ca26005fe4e16dd |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-console-l1-1-0.dll
| MD5 | 22df48515382f53b828728892c65e62d |
| SHA1 | f834220481f9acab2fce917bd6271705c3300872 |
| SHA256 | 97955d1f5134350fbe6c829061e01106304978651979f4ecd5ec146bfc70d36b |
| SHA512 | 97507029a6d0057812da1a917b14e021747a1e13e4a1406e73d4f330f0fd1b9822f6300a5030d2aca8063da6da2a5a1e6e9a5a2c8ca612401188713e779fa608 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\vcruntime140.dll
| MD5 | ba65db6bfef78a96aee7e29f1449bf8a |
| SHA1 | 06c7beb9fd1f33051b0e77087350903c652f4b77 |
| SHA256 | 141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493 |
| SHA512 | ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\ucrtbase.dll
| MD5 | 5dafe0bfb955e780b3d50da4524b752f |
| SHA1 | 91c0d9fabe748d373215ba21b90278671b5f8957 |
| SHA256 | 6255112c9978c07a05c6feaee01cf4be74b2920dc7017fbc1a42f8f5d23c20f9 |
| SHA512 | 37fd37f3ad87838f596d1e8e497fe66d1a1c4128625ab456ec850179dd1e1f33cf4945d0faaf6cdbd1ed586ecfb7ff3e7cf10a88a823cc5eb06c2fc4fa16bff3 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\msvcp140.dll
| MD5 | fdd04dbbcf321eee5f4dd67266f476b0 |
| SHA1 | 65ffdfe2664a29a41fcf5039229ccecad5b825b9 |
| SHA256 | 21570bcb7a77e856f3113235d2b05b2b328d4bb71b4fd9ca4d46d99adac80794 |
| SHA512 | 04cfc3097fbce6ee1b7bac7bd63c3cffe7dca16f0ec9cd8fe657d8b7ebd06dcba272ff472f98c6385c3cfb9b1ac3f47be8ca6d3ea80ab4aeed44a0e2ce3185dd |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\API-MS-Win-core-xstate-l2-1-0.dll
| MD5 | d911ac41d48ce1f57cf82d77476960f3 |
| SHA1 | b0437d8fcc3835f642280680677fe65af70cdb90 |
| SHA256 | e98e9ea1645b11f2fe6f21bddfd6dd5d58a3f158c7501f4534793da3eaccee3a |
| SHA512 | a5edf14e0c88ffee32455ba9508d07614bbdd9cb3916c89d88a1b8dc7d6c05e9894e2ba2dbba6ccc68fda30928a078f3b650ec563f633b9ff6e3b4cba5db1c91 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\api-ms-win-core-console-l1-2-0.dll
| MD5 | f7af7ee5d48b5540f0e67f12529def2e |
| SHA1 | 1d0a54735213f2002918784dc5fc75ee6e7c3578 |
| SHA256 | 78ff02af7995e0535ee34ddc0d28e8a2fe01404c186530cb3f2d57d683365a80 |
| SHA512 | 189d60feee6dded1d369585a4fd0305729dfc352697501e7355fba80d279d151cc0f3a3358928b05a91964d14e59eeccfbdda415cf289281c0cb2c246a7d09b2 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\msvcp140_codecvt_ids.dll
| MD5 | 2407353dfd054b3ad48cc4c3befdc361 |
| SHA1 | 45a96fe92ed3d1b55a96bc536067a0931e2f0aeb |
| SHA256 | e723a4a146e95fcaf68b8d0d425f5641e9ebeb70afa4cc8eb658d0f27ab97327 |
| SHA512 | 352301249309919a0edd7fddde5c663dd2893a92277dc26f71d344b33f217a4182d841179035345399dd1f1356a5bb5326092db6a91cd24cc5a4468cd97c1544 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\msvcp140_atomic_wait.dll
| MD5 | bfa69730b83fe5abc5c1a44ad71b2112 |
| SHA1 | 2917d847156758420c9782ab8e376ded3d6e9b09 |
| SHA256 | 05ec94cb5bc764418374882d1fff9050685fca86ec71101ff27f2422a2d39213 |
| SHA512 | c419255af407b4180d405823f3a3c2a5ac4cc4e8ab686ba83c0c1efad6eacb23024215918a686756a6cf96d1f170db54462cbe6a434d847204c665da8138aa9f |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\msvcp140_2.dll
| MD5 | 0e7bbf00d2659db77d82d04e64dd90fa |
| SHA1 | a121f7bfcac3e14e83eae2118a5ffe6eea439ccd |
| SHA256 | 6ff622279f62296d3aeca95c0daca7cee8fb50354f53740a1808cdc6efdcea80 |
| SHA512 | c150e80887e34b364b252ef9e4a6bd198a3586b2895bf6d5a7e872901a715db6d5f34ce6b7fdcef4b77d45380089db79543d309cf6b9ca2bd0f44bdafea12cc2 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\msvcp140_1.dll
| MD5 | 4d10412f92fa6962ea7ebfaaf17b29a4 |
| SHA1 | cef3d60b9f5f1ed81fd3fb3273f89814d9fba7bd |
| SHA256 | 72f358aa9cae44582b6207333b94655e0c41c00095b0a50879f4c2b1bdf7b5cd |
| SHA512 | a8b8508d1069f0e4171d532aba262c4fc9e45310501e6fec506b3b902945f21521b782da267ce3838beae134dbb6efc45d33bd8e672547b4b2ef6a7ae2bab14b |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\concrt140.dll
| MD5 | ccadf05c27e94a9e1a9ad9794aa05514 |
| SHA1 | 6d0dd40402d62dc4e78c56605c72f700ea12a8ce |
| SHA256 | 768646418668e5b4840610305790ad6f981e85ac65123ab7a952b198c24c28fd |
| SHA512 | e0205e2f694301e4603a633691fa551911b6d42f3559ea5d57065eb73e9ca2edeee76384122724b1c9cf0f5534835172cd201f2e8491a5ae84d104c9ef3138e1 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\libnmap.dll
| MD5 | 53634bc76f19ea065981ac1b02225df9 |
| SHA1 | 7d1cb4ae535c30d2443c4b8f14927300c8449839 |
| SHA256 | e9053b628bf89440e0ad4874a5c234fe058539f20f9bf02d36c7492fed70857a |
| SHA512 | 3b46f34b4d370f44f219f0a404ae1f9a53897ddaabfb7665197dc16b538a13d9ee89af7053fd74998dc38321af8f076759f535d5a855f6ff5212d88704c79d3a |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\bz2.dll
| MD5 | bb1ea7cade180a0c012c2289c7d820cc |
| SHA1 | 67a17ae0aed053d8fb071450dff8f843a1255112 |
| SHA256 | 30998439b2fbc620f3f87799f8a98e8519f26b227bf498877b11dfb52147b698 |
| SHA512 | 3b10462ae03ea57bfad298c4d59da247b8ad971aeec0c9ad439a72b1756ee627fba23fe9044df9a8301b0fe1099bbb9988869ccce1102314052a49bf0cbdf317 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\StormLib.dll
| MD5 | 09c4266b11233aedaff9bbb97ff7dc50 |
| SHA1 | 212f6f2df299f8f1c4c481bb92e9e958d48421e3 |
| SHA256 | f52d1ed4c1350bf7726ad3ef926329267e35bf67bd938e5e1aae324dcef31469 |
| SHA512 | b17e865ec5a8caf5bca88857ea3bad0dfc5d9fd0448ee52671876202b1870783a5de8f2d76b9d5363aeeb89b383314c8d65769674bd9b911551cdaa5c8654dcb |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\Helper.iDevice.dll
| MD5 | fda4d3690b31de70167be93e131a4e08 |
| SHA1 | 9d750e89ca1c71a26e4f4601d60ea60775ca03ae |
| SHA256 | ee9c815ee3716d012b5e2cdea113feb122f54ade4579593e0d7a2394e051f3fc |
| SHA512 | e27678e76ea5e047e500917d8c9d2fa5b48c7c555f1ea0648eef2146b180e2a76f55aa1d53f795c1f32077eeeac62991bab34bdca3e66c5f85f0e5dce8cd377a |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\libHelper.dll
| MD5 | 13d4dcedd7f292702b1624e85c3f72fd |
| SHA1 | 1d34715f161d0015bed44d969ab66660247e7e52 |
| SHA256 | 804ccc898ca13ab3d6732e2df99f3bde2e5d6746ae17e948925ea49c2913bfb0 |
| SHA512 | 944070c1481905006cd612fd385dc09bea83f9af2dfd284764601fa33cd7f6bcb600fb8d0b988d8860657a49872138d965012a282414650b44466366b42d2ec0 |
C:\Users\Admin\AppData\Roaming\KNIME AG\KNIME Analytics Platform 4.1.3.0\install\136E10A\libView.dll
| MD5 | f3a06e1c1406f349516ffa67620ae84a |
| SHA1 | 47c6f65d5acc1b8eaaa7e786bc5a7233461923f9 |
| SHA256 | e00fd00bdfe562d91788ec832eeacb598f55f431d33bc3fa68db69376fb6c4f9 |
| SHA512 | e4c32da45b9e4d047a2bbb8596cc1e715aed4e320247056dc93788ca1d0c5e572220a640581619e6370398c3cd90b92eb280ffad641615dc7ad980d69ad2fe00 |
C:\Config.Msi\e57950f.rbs
| MD5 | c5d0f6851d1cbe81b18be2d7ae0b7523 |
| SHA1 | 146c546156bab4cbfda55163e5aa5b57736546d2 |
| SHA256 | 5420bd258630b0ecc2e131ce63bd21cf322774d397cb8d807fed68f7ef443676 |
| SHA512 | 5be4e5c39a6c0a01b54c4fc81166bd69db58eafb5d9069c02993e0e2c2f137c859725770c01b4ea442ba1a9da783de77434fe7f888795a3d6c7c235ec5fc2fe3 |
memory/2232-279-0x0000000003A00000-0x0000000003A01000-memory.dmp
memory/2232-280-0x00000000066F0000-0x0000000006B9D000-memory.dmp
memory/2232-281-0x00000000066F0000-0x0000000006B9D000-memory.dmp
memory/2232-284-0x0000000006BA0000-0x0000000006C5B000-memory.dmp
memory/2232-285-0x00000000066F0000-0x0000000006B9D000-memory.dmp
memory/2232-291-0x0000000003A00000-0x0000000003A01000-memory.dmp
memory/2232-292-0x0000000070F40000-0x00000000712A4000-memory.dmp
memory/2232-293-0x0000000072560000-0x0000000072681000-memory.dmp
memory/2232-294-0x00000000724A0000-0x0000000072524000-memory.dmp
memory/2232-295-0x0000000072240000-0x0000000072498000-memory.dmp
memory/2232-296-0x0000000006BA0000-0x0000000006C5B000-memory.dmp
memory/2232-300-0x0000000006BA0000-0x0000000006C5B000-memory.dmp
memory/2232-297-0x0000000006BA0000-0x0000000006C5B000-memory.dmp
memory/2232-302-0x0000000006BA0000-0x0000000006C5B000-memory.dmp
memory/2232-334-0x00000000066F0000-0x0000000006B9D000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-10-30 07:14
Reported
2023-10-30 07:17
Platform
win7-20231023-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Processes
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Xaw-VPN\Xaw-VPN _ Secure, Fast, Free VPN service for online privacy.pdf"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 27701103a45f5c101713182cf9b9df19 |
| SHA1 | 2727ab410eb378ee63f480ef9fdf99600bef9f73 |
| SHA256 | 50b4d576e930451620a1123546b302319352a4a28fcb8311cb31a7d6bbe497f0 |
| SHA512 | 2fccd971affe71d8183a1bfe698453e9f2191daea2810b40fbf29f3e70d292a1cec9e689d1bf90c77b75adb5782b8f9dbad79987168c076dbedf821adb9aa599 |
Analysis: behavioral6
Detonation Overview
Submitted
2023-10-30 07:14
Reported
2023-10-30 07:17
Platform
win10v2004-20231025-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31066880" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3501509064" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3501509064" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c673c30fa5e1df4483894e0a711271f900000000020000000000106600000001000020000000d648c740b2cbf231a6ce7a1103df9bb9b671c3defa56bc42338fc67e9d511b5d000000000e800000000200002000000092d39fb2ad3d5809cf1f6977c2600331328ed634df851775e459cc65d96d129220000000c8e4d0f6e65c44ca656a5e5495959b4e06e7f51b43dfd40b2dc1821a5ad7ec3140000000426e975822024c7a64ee34fa1ecc62b7e4b6f8afbeebeb9770f0ddbf3509156226c1b670f5a70c2a435a70b65a7fd9f5dea62a4e34fa7e1b6e8b2d365b2328c9 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b02d7cd2000bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c673c30fa5e1df4483894e0a711271f900000000020000000000106600000001000020000000b9a181ef95f40bc1d3702a805c6df44ee412dd2d985901cb33d69dfe658136b3000000000e800000000200002000000047435da3ed1647eb04756a743ff801387b95d53244e0afa99d818421b4a2b7ee2000000051720ff970eac74bd50210c212a34f43f60131f24fcc9f7130618f2c12a7bb6040000000422fabae2f703b45a1b0735227bf79581368400f91c33059bd2f469a6013e760b83cfb745bb46bdcd0539b97f758d9989bc3d889f3174e7a679a29a904098a5e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31066880" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405415053" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FC59894A-76F3-11EE-8286-4E37FB7D97D4} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70fb93d2000bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3513540905" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31066880" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4256 wrote to memory of 1700 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4256 wrote to memory of 1700 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4256 wrote to memory of 1700 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Xaw-VPN\index.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4256 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.22.238.8.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRUT4RU0\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral7
Detonation Overview
Submitted
2023-10-30 07:14
Reported
2023-10-30 07:17
Platform
win7-20231023-en
Max time kernel
134s
Max time network
133s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FC571501-76F3-11EE-A59C-6AB3CEA7FED9} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099b8a3c6ff97044781f9dc0475faca410000000002000000000010660000000100002000000085e360ebb9bdbbc578dc566673fc13690b9a648823dfbe36e57f3523f438998b000000000e8000000002000020000000e1066c36ec879e6531be5c69c3114c35852e81da91d4b2688fde0f7cfedbdc2390000000c1e40754dda227bc5b3cfbe350dc2e617d4a0b9533ea259e41a2043562fe54b2780b308a6ca2c13c6fb6f09c005dd86ca82a319bc73541afa6ece13b1bf8d152ca8c81019635ede86288448f43781d142640082ee214525f2a8acb8329ffa958faceca788cd4ff43348fd5a77b1cb28044ef863e553edc05b8b1d9aaae64ed113937043a536e8ef6f578f178a4800a834000000036e7eb9372d6beba4230026caddb394bf6c5666c151f5132eff7db31483310fdf009f2d050a6fd061c4f855f427cfac06fd649541936d7ae931f03519b6280b5 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404811946" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099b8a3c6ff97044781f9dc0475faca4100000000020000000000106600000001000020000000dabab0fc7159375deed41c51c076bcb66e6450ea544b9fa8c7a50840130c9be7000000000e800000000200002000000077b42e2e3e6270b03595ba7be46a6cc68c2e78fcaf6fa58aaef318a7cc348b0020000000d4f57fc9b5a66dd9a30eb391e43ec0a1478c9deab3b4db4c92c8c6238e0a3ef0400000001be5d0ab77ee4e62869c26513dda720be25d8065d36746f7790e7f9c1e4ddc36ab3c2811ee2642e591ca227b700f339d51caad6681d90f79063273bb9c85105e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00f957d1000bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3012 wrote to memory of 480 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3012 wrote to memory of 480 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3012 wrote to memory of 480 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3012 wrote to memory of 480 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Xaw-VPN\index.html@n=best.free.xvpn.NetflixPage.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3012 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabDC6B.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar176E.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f5efdf3456236f0eaacc844d51e1bbac |
| SHA1 | 0debc800d4b8de432592ec393e658cd5e88c3525 |
| SHA256 | 69102a831d2eacbe27576ab41fa15076ff33718cf7bd1902b19382b44e9e80a8 |
| SHA512 | 89e28891bfd1412f5042c86ee7b750bdb4eee675ecf4eaf4fe7b2888315e3fe3da310f1211060ac1688850795dd3b832d3523980bf6fe3cc66eca408d592d999 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aaf0292af5f9bf8f27d0572df86d3a92 |
| SHA1 | c15dba36e8beb318ffb844f1b48f9192da3aa772 |
| SHA256 | 2773293a9b6e66de7a63df02c6f3be38380e60a6077357534ea0def6a6f7ada8 |
| SHA512 | 34c4a07a3d2bc016057d0757aad112ff6436ce73e9b0514abc46103beb0cf355e01b181cd177f13de272c31cededee81cdab3c1cf77f73b6834444352000bcc8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0feeeeecea07a896a6f3468743fb7ac0 |
| SHA1 | 1bca1348e70fefbd1f083116b43f79b9322dd3ee |
| SHA256 | 4be02486324e83ff21c65c7e70f303ada2c380c7f0a993e6b10a5ba3752049b6 |
| SHA512 | bdec32e8e71f966e8aa566b75a728fd0c2d141cde93aa826ec4baa40561f1e1df2868a8df80e4bad5ebcd78e0072ab85f5ac4205d02ee00271b13693cf37e3eb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a26b4d03a1006be405a9fe1431af1c40 |
| SHA1 | 6ad27fa7fc5de474afb8e8d01d29c21f7f477ac2 |
| SHA256 | 39d5885c72f24c92e60b0b740064b9b97aaa5f06da08d29ba22d2a94372827c8 |
| SHA512 | 82bfbe8656a048c5c469c35d7606936b35d7b1640c3d1d36398e93d7e4c9af5b779c377ccc10a12b7ab46a07db75a22ef2c132678019d1909a6fd5a624791b09 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eeba621d0694936e730e7dccb48ff80e |
| SHA1 | 86f882119018a4dd0e06acdf561ee6d31ea7ff0e |
| SHA256 | a1892e9322376455a6e9488a47afd5a05663f83bc86727398e47a9ab862ff047 |
| SHA512 | b566bc9d17737fb9e7aa30f93eeb0bddfdf13e3ac5fd0e247f5851356791333496b1fd862c6a270271379f4901e0159890eeb6c3e1b420f29795cb03840213e8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6c48ab33ee06aa3c8a81a7c0f3cea647 |
| SHA1 | 87200333425d4fdf1f24b10518987daa25138956 |
| SHA256 | a6c22c55320cd98a3ee7f0f1d03f29d4b537650a5ebfb816f3ef75290c1cccc0 |
| SHA512 | 8a23e2e1e784beb1659188a15821119450bdd83b71c7046898f06bdc64d3c036482405ca021bcf32bcc8572ce0cfadebe78a6a6daaaa150a4c44e20f00680e42 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9212e3f5bdf9610b1dd932f201a30eb3 |
| SHA1 | 15a5c763681c8963d0dc42c49ac0d45b5e5c58f1 |
| SHA256 | 059fe09cb14dc861c4bcff7ba18bc4b22f6f01a41cf0ea59b0a9a111c34b1389 |
| SHA512 | f92b06e3a1a499f0cd472d3e652afdf4a0047a419d40754094df1814455e7eba03b405ab28e5d6b94fc1ebb7c214ff7a4133856a7e9c2ddb1e2fa08431f31d3b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 22ee74f0c3a2c39652526b2b32aa0fdf |
| SHA1 | 29c362b404be9866160ddcef1d38dc3e490cdfc9 |
| SHA256 | 767aebae5b6367074c94c44e09f85ad5cbc87143f551dff77eb2a17816e9ea55 |
| SHA512 | e77f0c8dcedffb0e8bc36110c1b771da0a0de96028cab105016c64f6341f947b874fc88fc84df1055a7f4fb0f8b41da0f2477d3a768483e02b6a8e2cb656788d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2cd43839ae152f033d516341754fdf91 |
| SHA1 | 3f64450fcedecc399ebe881f5afbcb16b2c88773 |
| SHA256 | a094ac8d0fe17ed15803309fc3690f3bdcfaf9911c98bd27f56119b73c93a2f1 |
| SHA512 | faccaff8e8c78d1fc4ddd33e9a7687e97217781b5a80190c15144870eb8a16aab0dfada5f00ab0921cb8a7c5fe81329a77ac63f9d96ffa201b106f963b5cdb28 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ad43860328a3adb5dd86adbe39835d25 |
| SHA1 | 0b27177f803db53ba395e11c0d6eb6ff4fc7e1d6 |
| SHA256 | aa519f9f2322838d3adbcd91c914e5fa2897d90ee4135ea06cd6250103912e00 |
| SHA512 | 36d3e084ef07042d18fd40b99093848c9239a1471a8512de7fdc370684999f631a518fa6e866cea38407363ef0c1637d0222f974d73ea659c6fb2dfcde07272e |
Analysis: behavioral8
Detonation Overview
Submitted
2023-10-30 07:14
Reported
2023-10-30 07:17
Platform
win10v2004-20231023-en
Max time kernel
134s
Max time network
152s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3556821755" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31066880" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e9837fd1e4a67340aada542b866b214e000000000200000000001066000000010000200000006a274653cea94e3ff79fe537dcee3b8059c0d7387f4a3ee6193bc39a98318b89000000000e8000000002000020000000922b9348f8a6736613bbd877b24be1d5dc2295c923fd402737c01b4816b45d7c200000003a8fd7be291c48b76b16be86445c6ef1ac46ade99a19a985dec339edea8786c540000000b13865b3a322b63921ebcd5ec370ca6311258fe22a6725f5f541b95eda458269890d0249da31539d860b694ae86d3d6baa3e1075650a68c50ee89f5e696174f9 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31066880" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00d9ebd5000bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c01706d6000bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405415057" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e9837fd1e4a67340aada542b866b214e00000000020000000000106600000001000020000000527ca37b52032c98312182d458945e9ee50a30068f5c6f95813d50dfa55692a6000000000e8000000002000020000000ceaadd9d6cdf16068c7b02a0e714f5d6b16ef91b01d37db573fc28acbb62df06200000006f57986f04dac654e28938a090a69bb06f1a2dcdde37072fc8d18fd5d32eb9dd4000000031b5c08d671cb61845dd4261d5997b3d4119af8af3951e571881f6722eb3223fe584fb58315df9fe25f3cd6b1929fea0f0e6c9dbaf1a5c0b050bf2dd0c9664a8 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FC788E9E-76F3-11EE-92AA-5E82B88FB323} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3505727649" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3505571488" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31066880" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
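The LastProcessed, *HighDateTime/*LowDateTime and DecayDateQueue values in the table above are worth decoding: they timestamp the run from inside the guest and can be cross-checked against the sandbox's own submitted and reported times. The Python below is an added example, not part of the report or of the sandbox's tooling. It transcribes the behavioral8 rows into a list (the IE, X64 and X86 constants and all function names are this example's own), recombines the High/Low DWORD pairs, decodes the 8-byte little-endian FILETIME blobs, and recognises but does not decrypt the DPAPI-protected DecayDateQueue value.

```python
"""Decode the timestamp-bearing values in the "Modifies Internet Explorer settings"
table above. Added example; not part of the sandbox report.

A Windows FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC. The table
stores it two ways: as an 8-byte little-endian REG_BINARY that the sandbox prints
as 16 hex digits (TabbedBrowsing\\NewTabPage\\LastProcessed), and as a pair of
REG_DWORDs (VersionManager\\*HighDateTime and *LowDateTime). DecayDateQueue is a
DPAPI blob (version 1 followed by the DPAPI provider GUID) and needs the user's
master key, so it is only recognised here.
"""
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_TICKS = 116444736000000000  # FILETIME of 1970-01-01; smaller values are durations
DPAPI_PREFIX = "01000000d08c9ddf0115d1118c7a00c04fc297eb"  # version 1 + {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}

# Registry path and process images exactly as they appear in the behavioral8 table above.
IE = r"\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer"
X64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
X86 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
REPORT_ROWS = [  # transcribed from the table above, in report order
    f'| Set value (int) | {IE}\\VersionManager\\LastCheckForUpdateLowDateTime = "3556821755" | {X86} | N/A |',
    f'| Set value (int) | {IE}\\VersionManager\\LastUpdateHighDateTime = "31066880" | {X64} | N/A |',
    f'| Set value (data) | {IE}\\TabbedBrowsing\\NewTabPage\\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e9837fd1e4a67340aada542b866b214e000000000200000000001066000000010000200000006a274653cea94e3ff79fe537dcee3b8059c0d7387f4a3ee6193bc39a98318b89000000000e8000000002000020000000922b9348f8a6736613bbd877b24be1d5dc2295c923fd402737c01b4816b45d7c200000003a8fd7be291c48b76b16be86445c6ef1ac46ade99a19a985dec339edea8786c540000000b13865b3a322b63921ebcd5ec370ca6311258fe22a6725f5f541b95eda458269890d0249da31539d860b694ae86d3d6baa3e1075650a68c50ee89f5e696174f9 | {X64} | N/A |',
    f'| Set value (int) | {IE}\\VersionManager\\LastTTLLowDateTime = "1251635200" | {X64} | N/A |',
    f'| Set value (int) | {IE}\\VersionManager\\LastCheckForUpdateHighDateTime = "31066880" | {X64} | N/A |',
    f'| Set value (data) | {IE}\\TabbedBrowsing\\NewTabPage\\LastProcessed = 00d9ebd5000bda01 | {X64} | N/A |',
    f'| Set value (data) | {IE}\\TabbedBrowsing\\NewTabPage\\LastProcessed = c01706d6000bda01 | {X64} | N/A |',
    f'| Set value (int) | {IE}\\VersionManager\\LastTTLHighDateTime = "50" | {X64} | N/A |',
    f'| Set value (int) | {IE}\\VersionManager\\LastCheckForUpdateLowDateTime = "3505727649" | {X64} | N/A |',
    f'| Set value (int) | {IE}\\VersionManager\\LastUpdateLowDateTime = "3505571488" | {X64} | N/A |',
    f'| Set value (int) | {IE}\\VersionManager\\LastCheckForUpdateHighDateTime = "31066880" | {X86} | N/A |',
]


def filetime_to_value(ticks: int):
    """Aware UTC datetime, or a timedelta when the value is too small to be a date."""
    if not 0 <= ticks < 1 << 64:
        raise ValueError("not a 64-bit FILETIME")
    delta = timedelta(microseconds=ticks // 10)  # drops the sub-microsecond part
    return delta if ticks < UNIX_EPOCH_TICKS else FILETIME_EPOCH + delta


def decode_filetime_blob(hex_blob: str):
    """8-byte little-endian FILETIME, as the sandbox prints REG_BINARY data."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    return filetime_to_value(int.from_bytes(raw, "little"))


def decode_filetime_dwords(high: int, low: int):
    """Recombine the High/Low DWORD pair IE writes under VersionManager."""
    return filetime_to_value((high << 32) | (low & 0xFFFFFFFF))


def is_dpapi_blob(hex_value: str) -> bool:
    """True for CryptProtectData output (DPAPI version field + provider GUID)."""
    return hex_value.lower().startswith(DPAPI_PREFIX)


def extract_timestamps(rows):
    """Walk flattened '| kind | path = value | process | target |' rows.

    Returns (process, value name, decoded value) tuples; High/Low DWORD pairs are
    matched per process and emitted once both halves have been seen.
    """
    pending = {}  # (process, name prefix) -> {"High": int, "Low": int}
    out = []
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) < 3 or not cells[0].startswith("Set value"):
            continue
        kind, indicator, process = cells[0], cells[1], cells[2]
        key, _, value = indicator.partition(" = ")
        value = value.strip('"')
        name = key.rsplit("\\", 1)[-1]
        if kind == "Set value (data)":
            if len(value) == 16:
                out.append((process, name, decode_filetime_blob(value)))
            elif is_dpapi_blob(value):
                out.append((process, name, "DPAPI blob (needs the user's master key)"))
        elif kind == "Set value (int)":
            m = re.fullmatch(r"(.+?)(High|Low)DateTime", name)
            if not m:
                continue
            slot = pending.setdefault((process, m.group(1)), {})
            slot[m.group(2)] = int(value)
            if len(slot) == 2:
                out.append((process, m.group(1) + "DateTime", decode_filetime_dwords(slot["High"], slot["Low"])))
                del pending[(process, m.group(1))]
    return out


if __name__ == "__main__":
    for process, name, value in extract_timestamps(REPORT_ROWS):
        image = process.rsplit("\\", 1)[-1]
        print(f"{image:14} {name:28} {value}")
```

Run stand-alone, it prints one line per decoded value. The LastTTL pair comes out as six hours rather than a date, which is why values below the 1970 epoch are reported as durations; the two LastProcessed writes land at 07:15:17 UTC, between the report's submitted (07:14) and reported (07:17) times, so the guest clock and the sandbox clock agree for this run.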
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3448 wrote to memory of 3088 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3448 wrote to memory of 3088 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3448 wrote to memory of 3088 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Xaw-VPN\index.html@n=best.free.xvpn.NetflixPage.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3448 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
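The WriteProcessMemory rows above pair the 64-bit iexplore.exe (PID 3448) with the 32-bit IEXPLORE.EXE whose command line carries SCODEF:3448, which is how IE's frame process starts a tab process and sets it up; the network rows are dominated by PTR lookups sent to 8.8.8.8 and by ieonline.microsoft.com, the host IE fetches its compatibility list from. The Python below is an added example, not part of the report or of the sandbox's tooling. It encodes that pairing check (a write's source PID must be named by SCODEF: in an IE command line, and both images must be iexplore.exe) and buckets network rows, over rows transcribed from behavioral8 plus two constructed rows, a write into svchost.exe and a connection to updates.example.net, that are not in the report and exist only to exercise the review bucket. The X64, X86 and SVCHOST constants and all function names are this example's own.

```python
"""Triage the WriteProcessMemory, Processes and Network rows of the behavioral
reports above. Added example; not part of the sandbox report.

Internet Explorer's frame process starts each tab as a separate IEXPLORE.EXE whose
command line carries SCODEF:<frame pid>, and writes into that child while setting it
up. A write from PID N into an IE image, where some IE command line says SCODEF:N,
is therefore the expected IE pattern; any other WriteProcessMemory pairing is put
aside for review. Network rows are bucketed so that reverse lookups and IE's own
service host do not hide destinations that carry information.
"""
import re
from ipaddress import ip_address

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
SCODEF_RE = re.compile(r"\bSCODEF:(\d+)\b")
IE_IMAGE = "iexplore.exe"
IE_SERVICE_HOSTS = {"ieonline.microsoft.com"}  # seen in both detonations above

# Image paths as printed in the report; SVCHOST is constructed for the counter-example.
X64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
X86 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
SVCHOST = r"C:\Windows\System32\svchost.exe"

PROCESSES = [  # behavioral8 "Processes" section: (image, command line)
    (X64, r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Xaw-VPN\index.html@n=best.free.xvpn.NetflixPage.html'),
    (X86, r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3448 CREDAT:17410 /prefetch:2'),
]
WRITES = [  # (description, process, target); the report lists the first row three times
    ("PID 3448 wrote to memory of 3088", X64, X86),
    ("PID 3448 wrote to memory of 5120", X64, SVCHOST),  # constructed: not in the report
]
CONNECTIONS = [  # (destination, domain, proto)
    ("8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("204.79.197.200:443", "ieonline.microsoft.com", "tcp"),
    ("198.51.100.7:443", "updates.example.net", "tcp"),  # constructed: not in the report
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ie_frame_pids(processes):
    """PIDs named by SCODEF: in the command lines of IE content processes."""
    pids = set()
    for image, cmdline in processes:
        if basename(image) == IE_IMAGE:
            pids.update(int(m) for m in SCODEF_RE.findall(cmdline))
    return pids


def classify_write(description, source, target, frame_pids):
    """('expected' | 'review' | 'unparsed', note) for one WriteProcessMemory row."""
    m = WPM_RE.fullmatch(description.strip())
    if not m:
        return ("unparsed", description)
    src_pid, dst_pid = int(m.group(1)), int(m.group(2))
    if basename(source) == IE_IMAGE and basename(target) == IE_IMAGE and src_pid in frame_pids:
        return ("expected", f"IE frame {src_pid} initialising its content process {dst_pid}")
    return ("review", f"{basename(source)} ({src_pid}) wrote into {basename(target)} ({dst_pid})")


def ptr_to_ip(name: str) -> str:
    """'95.221.229.192.in-addr.arpa' -> '192.229.221.95' (validated as an address)."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        raise ValueError("not a reverse-lookup name")
    octets = name[: -len(suffix)].split(".")
    return str(ip_address(".".join(reversed(octets))))


def classify_connection(destination, domain, proto):
    """('ptr-lookup' | 'ie-service' | 'review', note) for one Network row."""
    host, _, port = destination.rpartition(":")
    if domain.lower().endswith(".in-addr.arpa") and port == "53":
        return ("ptr-lookup", ptr_to_ip(domain))  # the address that was looked up, not a new destination
    if domain.lower() in IE_SERVICE_HOSTS:
        return ("ie-service", f"{domain} {proto}/{port}")
    return ("review", f"{domain} -> {host}:{port}/{proto}")


def triage(processes, writes, connections):
    """Bucket every row; anything under 'review' is what a human should look at first."""
    frame_pids = ie_frame_pids(processes)
    buckets = {}
    for desc, src, dst in writes:
        kind, note = classify_write(desc, src, dst, frame_pids)
        buckets.setdefault(kind, []).append(note)
    for dest, domain, proto in connections:
        kind, note = classify_connection(dest, domain, proto)
        buckets.setdefault(kind, []).append(note)
    return buckets


if __name__ == "__main__":
    for kind, notes in triage(PROCESSES, WRITES, CONNECTIONS).items():
        print(kind)
        for note in notes:
            print("   ", note)
```

The SCODEF check only says that a write fits IE's own process model; it does not verify what was written. A write into any non-IE image, or from a PID that no IE command line names, stays in the review bucket, and the PTR bucket records the address that was looked up rather than treating 8.8.8.8 as a destination of interest.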
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FG4P7PGK\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |