Analysis Overview
SHA256
21162829c287f0ffacaa0f31372995b2b78c873cea38785b1eaa89c93b33d26a
Threat Level: Shows suspicious behavior
The file 4a5783b883b52012f1b0c2852f4f71c3 was classified as: shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Unsigned PE
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-08 03:40
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-08 03:40
Reported
2024-01-08 03:43
Platform
win7-20231215-en
Max time kernel
94s
Max time network
125s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\4a5783b883b52012f1b0c2852f4f71c3.exe = "11001" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application\CLSID | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4a5783b883b52012f1b0c2852f4f71c3.exe\"" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\ = "Setup" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4a5783b883b52012f1b0c2852f4f71c3.exe" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967} | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\ProgID | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\ProgID\ = "Setup.Application" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\HELPDIR\ | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\ = "{F126C9FC-9299-40F2-BD42-C59023AD1E7F}" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90} | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application\CLSID\ = "{017E057B-DACF-4A07-B878-E294565E3F90}" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967} | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\ = "{F126C9FC-9299-40F2-BD42-C59023AD1E7F}" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application\ = "Setup.Application" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F} | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0 | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\ = "Setup.Application" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ = "ISetup" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ = "ISetup" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe
"C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe"
C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe
"C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe" /adm /recovermode
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | s.appfuss.com | udp |
Files
memory/2600-0-0x0000000001090000-0x0000000001250000-memory.dmp
memory/2600-3-0x0000000001090000-0x0000000001250000-memory.dmp
memory/2600-4-0x0000000001090000-0x0000000001250000-memory.dmp
memory/2600-5-0x0000000001090000-0x0000000001250000-memory.dmp
memory/2600-8-0x0000000001090000-0x0000000001250000-memory.dmp
memory/2600-9-0x0000000001090000-0x0000000001250000-memory.dmp
memory/2600-10-0x0000000001090000-0x0000000001250000-memory.dmp
memory/2600-11-0x0000000001090000-0x0000000001250000-memory.dmp
memory/2600-12-0x0000000001090000-0x0000000001250000-memory.dmp
memory/2600-13-0x0000000001090000-0x0000000001250000-memory.dmp
memory/1456-14-0x0000000001090000-0x0000000001250000-memory.dmp
memory/1456-18-0x0000000001090000-0x0000000001250000-memory.dmp
memory/1456-19-0x0000000001090000-0x0000000001250000-memory.dmp
memory/1456-25-0x0000000001090000-0x0000000001250000-memory.dmp
memory/1456-26-0x0000000001090000-0x0000000001250000-memory.dmp
memory/1456-27-0x0000000001090000-0x0000000001250000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-08 03:40
Reported
2024-01-08 03:43
Platform
win10v2004-20231222-en
Max time kernel
1s
Max time network
128s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\4a5783b883b52012f1b0c2852f4f71c3.exe = "11001" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\ = "{F126C9FC-9299-40F2-BD42-C59023AD1E7F}" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application\ = "Setup.Application" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F} | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application\CLSID\ = "{017E057B-DACF-4A07-B878-E294565E3F90}" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967} | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\ = "{F126C9FC-9299-40F2-BD42-C59023AD1E7F}" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967} | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\ProgID | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\ProgID\ = "Setup.Application" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\ = "Setup" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4a5783b883b52012f1b0c2852f4f71c3.exe" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application\CLSID | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ = "ISetup" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\ = "Setup.Application" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0 | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4a5783b883b52012f1b0c2852f4f71c3.exe\"" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\HELPDIR\ | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ = "ISetup" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90} | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe
"C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3364 -ip 3364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 2364
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | s.appfuss.com | udp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| GB | 87.248.204.0:80 | | tcp |
| IE | 20.223.35.26:443 | | tcp |
| GB | 104.91.71.134:80 | | tcp |
| GB | 96.17.178.178:80 | | tcp |
Files
memory/3364-0-0x00000000008A0000-0x0000000000A60000-memory.dmp
memory/3364-3-0x00000000008A0000-0x0000000000A60000-memory.dmp