Analysis Overview
SHA256
049fd29e28518c49846313741fce7875e5c2dc80e4bf9e6f51ca427f8a027ecf
Threat Level: Known bad
The file 751aed4594b234563c560cc8a308739d was found to be: Known bad.
Malicious Activity Summary
Kinsing
Enumerates physical storage devices
Modifies registry class
NTFS ADS
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 17:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 17:33
Reported
2024-01-25 17:36
Platform
win7-20231215-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Version | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\ = "{D99171C3-089D-4F04-8B43-6BC26B08AE1E}" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Programmable | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\ = "Inst Class" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Programmable | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ = "IBoot" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2} | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\ = "{D99171C3-089D-4F04-8B43-6BC26B08AE1E}" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\ = "Inst Class" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\CurVer\ = "bouncily.lowbrows.1" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe:typelib" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\CLSID | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\VersionIndependentProgID\ = "bouncily.lowbrows" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ProgID | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ProgID\ = "bouncily.lowbrows.1" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\ = "InstallerLib" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\CLSID | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\CurVer | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\CLSID\ = "{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ = "IBoot" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\CurVer | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2} | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Version | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ = "Inst Class" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe\"" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\TypeLib\ = "{d99171c3-089d-4f04-8b43-6bc26b08ae1e}" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E} | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe:typelib | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe
"C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.idyllicdownload.com | udp |
Files
memory/1708-0-0x0000000000300000-0x00000000004E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe:typelib
| MD5 | f7c6ba6b4ce77d3ed810c7fb1b470e51 |
| SHA1 | 1d3b0471b77204b5c0ca17ada602bed8f45a3562 |
| SHA256 | 851e5f7092e0a5c5652cd48d370b13d1c2799b90d405b1dd1e5aa52b46c399a0 |
| SHA512 | da61398fc36fade218c240314a38e8b76ff815dcf9c4e0e942a485c42d849fcea7cf7f63bc82da42de8c6684589fe0f42881dc3b60ec668c368b4c785e8d4b2e |
memory/1708-10-0x0000000000700000-0x0000000000701000-memory.dmp
memory/1708-13-0x0000000000300000-0x00000000004E3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 17:33
Reported
2024-01-25 17:36
Platform
win10v2004-20231215-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Kinsing
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2} | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Version | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\ = "Inst Class" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ = "IBoot" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\ = "{D99171C3-089D-4F04-8B43-6BC26B08AE1E}" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E} | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ProgID | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ProgID\ = "bouncily.lowbrows.1" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Programmable | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\ = "{D99171C3-089D-4F04-8B43-6BC26B08AE1E}" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\CLSID | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe\"" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Programmable | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\VersionIndependentProgID\ = "bouncily.lowbrows" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\CurVer\ = "bouncily.lowbrows.1" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E} | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\CLSID | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\ = "Inst Class" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\TypeLib\ = "{d99171c3-089d-4f04-8b43-6bc26b08ae1e}" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ = "IBoot" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2} | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\CurVer | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe:typelib" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\CurVer | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ProgID | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\CLSID\ = "{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}" | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe:typelib | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
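Added example, not part of the sandbox report: a Python triage script over rows copied from the "Modifies registry class" tables of both runs. It reconstructs what the sample registered (a COM LocalServer32 whose server executable is the sample itself in the user's Temp directory, a ProgID, and a TypeLib win32 path that points into the `:typelib` NTFS alternate data stream listed under NTFS ADS) and intersects created with deleted keys, since the tables show the same CLSID, ProgID and TypeLib keys being both created and deleted, i.e. the self-registration is undone within the run. The embedded row subset is copied from the tables above; the rule names, regexes and function names are the example's own.

```python
import re

# Constructed sample: a subset of the "Modifies registry class" rows above,
# as (description, indicator) pairs exactly as the report prints them.
SAMPLE_ROWS = [
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe\""'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ProgID\ = "bouncily.lowbrows.1"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe:typelib"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"'),
    ("Key deleted", r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32"),
    ("Key deleted", r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}"),
]

# A Win32 path whose last component carries an NTFS alternate data stream (file.exe:stream).
ADS_PATH_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")
# Per-user temp directory: writable without elevation, so a COM server registered
# there can be swapped out by any process running as that user.
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_row(description, indicator):
    """Return (key, value_name, data); value_name and data are None for key events.

    The report prints 'Set value' rows as  <key>\\<name> = "<escaped data>",
    where a trailing '\\' before ' = ' means the key's default value.
    """
    if not description.startswith("Set value"):
        return indicator, None, None
    path, _, raw = indicator.partition(" = ")
    key, _, name = path.rpartition("\\")
    data = re.sub(r"\\(.)", r"\1", raw[1:-1])  # drop outer quotes, undo \" and \\ escapes
    return key, name, data


def analyze(rows):
    """Walk the registry rows; return (findings, registration, transient_keys)."""
    created, deleted, findings, registration = set(), set(), [], {}
    for description, indicator in rows:
        key, name, data = parse_row(description, indicator)
        if description == "Key created":
            created.add(key)
        elif description == "Key deleted":
            deleted.add(key)
        if data is None:
            continue
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf == "localserver32" and name == "":
            registration["server"] = data.strip('"')
            if USER_TEMP_RE.search(data):
                findings.append(("com_localserver_in_user_temp", data.strip('"')))
        elif leaf == "progid":
            registration["progid"] = data
        elif leaf == "win32" and "\\TypeLib\\" in key and ADS_PATH_RE.match(data):
            findings.append(("typelib_registered_in_ads", data))
    # Keys both created and deleted in the same run: the registration was undone
    # before the run ended, so a live host may show no trace of it in the registry.
    transient = created & deleted
    return findings, registration, transient


if __name__ == "__main__":
    found, reg, gone = analyze(SAMPLE_ROWS)
    for tag, detail in found:
        print(f"[!] {tag}: {detail}")
    print("registration:", reg)
    print("transient keys:", len(gone))
```

The ProxyStubClsid32 value {00020424-0000-0000-C000-000000000046} is the standard oleaut32 type-library marshaler, so the rules do not treat it as a finding. Because the CLSID and LocalServer32 keys are in the transient set, a host check should look for the `:typelib` stream on disk and for the ProgID `bouncily.lowbrows` rather than relying on the registry keys still being present.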
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe
"C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe"
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.soledownload.com | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
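Added example, not part of the report: a Python helper that turns the Network rows of both runs into a de-duplicated indicator set. It decodes the `in-addr.arpa` PTR names back into the IPs they ask about, separates forward lookups (www.idyllicdownload.com in behavioral1, www.soledownload.com in behavioral2) from direct connections (138.91.171.81:80), and intersects across runs, since an indicator seen in only one run is weaker than one seen in both. The embedded rows are copied from the tables above; the function names are the example's own. The PTR lookups may be Windows background traffic rather than the sample's own activity, so compare them against a clean run of the same image before treating them as indicators.

```python
import ipaddress

# Constructed sample: the Network rows of both behavioral runs above, as
# (destination, domain, proto). An empty domain is a direct connection.
RUNS = {
    "behavioral1": [
        ("8.8.8.8:53", "www.idyllicdownload.com", "udp"),
    ],
    "behavioral2": [
        ("138.91.171.81:80", "", "tcp"),
        ("8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "0.205.248.87.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "www.soledownload.com", "udp"),
        ("8.8.8.8:53", "138.32.126.40.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "252.15.104.51.in-addr.arpa", "udp"),
    ],
}


def ptr_to_ip(name):
    """Turn '81.171.91.138.in-addr.arpa' into '138.91.171.81'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def extract_iocs(rows):
    """Split one run's rows into forward names, PTR-derived IPs and direct connections."""
    iocs = {"domains": set(), "ptr_ips": set(), "connections": set()}
    for dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if not domain:
            # No name attached: the sample spoke to this endpoint directly.
            iocs["connections"].add((host, int(port), proto))
            continue
        ip = ptr_to_ip(domain)
        if ip:
            iocs["ptr_ips"].add(ip)
        else:
            iocs["domains"].add(domain.lower())
    return iocs


def compare_runs(runs):
    """Per-run indicators plus, per kind, those seen in every run and in any run."""
    per_run = {name: extract_iocs(rows) for name, rows in runs.items()}
    merged = {}
    for kind in ("domains", "ptr_ips", "connections"):
        sets = [r[kind] for r in per_run.values()]
        merged[kind] = {"all_runs": set.intersection(*sets), "any_run": set.union(*sets)}
    return per_run, merged


if __name__ == "__main__":
    per_run, merged = compare_runs(RUNS)
    for kind, buckets in merged.items():
        print(f"{kind}: in all runs={sorted(buckets['all_runs'])} in any run={sorted(buckets['any_run'])}")
```

Here the two runs share no forward domain, which is itself worth noting: the sample asked for a different `www.*download.com` name in each detonation, so a block on either single name is unlikely to hold.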
Files
memory/2004-0-0x0000000000300000-0x00000000004E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe:typelib
| MD5 | f7c6ba6b4ce77d3ed810c7fb1b470e51 |
| SHA1 | 1d3b0471b77204b5c0ca17ada602bed8f45a3562 |
| SHA256 | 851e5f7092e0a5c5652cd48d370b13d1c2799b90d405b1dd1e5aa52b46c399a0 |
| SHA512 | da61398fc36fade218c240314a38e8b76ff815dcf9c4e0e942a485c42d849fcea7cf7f63bc82da42de8c6684589fe0f42881dc3b60ec668c368b4c785e8d4b2e |
memory/2004-7-0x0000000002E10000-0x0000000002E11000-memory.dmp
memory/2004-14-0x0000000000300000-0x00000000004E3000-memory.dmp