Malware Analysis Report

2024-10-19 08:27

Sample ID 240125-v46ksscfer
Target 751aed4594b234563c560cc8a308739d
SHA256 049fd29e28518c49846313741fce7875e5c2dc80e4bf9e6f51ca427f8a027ecf
Tags
kinsing loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

049fd29e28518c49846313741fce7875e5c2dc80e4bf9e6f51ca427f8a027ecf

Threat Level: Known bad

The file 751aed4594b234563c560cc8a308739d was found to be: Known bad.

Malicious Activity Summary

kinsing loader

Kinsing

Enumerates physical storage devices

Modifies registry class

NTFS ADS

Suspicious use of SetWindowsHookEx

Two points to weigh before reusing the family label. First, the Kinsing signature fired only in the behavioral2 (Windows 10) run; the Windows 7 run shows only the COM self-registration, the NTFS alternate data stream and a single DNS query. Second, Kinsing is primarily documented as Linux/container cryptomining malware, so a Windows PE tagged as a Kinsing loader should be confirmed by static analysis of the sample rather than taken from the signature hit alone. The SetWindowsHookEx item listed here does not appear in either run's signature list below. The two runs also queried different domains (www.idyllicdownload.com on Windows 7, www.soledownload.com on Windows 10).

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:33

Reported

2024-01-25 17:36

Platform

win7-20231215-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe"

Signatures

Enumerates physical storage devices

Modifies registry class

The keys below are an out-of-process COM server registration performed by the sample itself: CLSID {f4668d3f-904f-4959-bdf0-9e4fa328c2d2} with LocalServer32 pointing back at the sample, ProgID bouncily.lowbrows / bouncily.lowbrows.1 ("Inst Class"), interface {FDB480A6-79EC-483D-8934-05039A1D812D} named IBoot, and type library {D99171C3-089D-4F04-8B43-6BC26B08AE1E} 1.0 ("InstallerLib") whose win32 path is the alternate data stream 751aed4594b234563c560cc8a308739d.exe:typelib (see NTFS ADS below). The listing records both creation and deletion of the same keys, so it does not show whether the registration persists after the run. Columns: Description, Indicator (key, or key\name = "value"), Process, Target.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Version C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\ = "{D99171C3-089D-4F04-8B43-6BC26B08AE1E}" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Programmable C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\ = "Inst Class" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Programmable C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ = "IBoot" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2} C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\ = "{D99171C3-089D-4F04-8B43-6BC26B08AE1E}" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\ = "Inst Class" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\CurVer\ = "bouncily.lowbrows.1" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe:typelib" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\CLSID C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\VersionIndependentProgID\ = "bouncily.lowbrows" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\TypeLib C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ProgID C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ProgID\ = "bouncily.lowbrows.1" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\ = "InstallerLib" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\CLSID C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\CurVer C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\CLSID\ = "{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ = "IBoot" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\CurVer C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\TypeLib C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2} C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Version C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ = "Inst Class" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe\"" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\TypeLib\ = "{d99171c3-089d-4f04-8b43-6bc26b08ae1e}" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E} C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A

NTFS ADS

The sample writes its COM type library into an alternate data stream of its own executable, and the TypeLib registry entry above points at that stream. The stream's hashes are listed under Files. Columns: Description, Indicator, Process, Target.

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe:typelib C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
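To make the registry and ADS rows above easier to triage, here is an added Python example (not part of the sandbox report and not code from the sample) that parses rows in this report's row layout, collapses them into the COM registration they describe, flags values that point at an NTFS alternate data stream, and lists keys that are both created and deleted in the same run. The embedded rows are a constructed subset copied from the behavioral1 tables; the row format (action, indicator, process, target, with a value quoted after " = ") is assumed from the listing itself, not from any published sandbox schema.

```python
import re

# Constructed input: nine rows copied from the behavioral1 tables above
# (a subset of "Modifies registry class" plus the "NTFS ADS" row).
# Row layout in the report: <action> <indicator> <process> <target>.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe\"" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ProgID\ = "bouncily.lowbrows.1" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ = "IBoot" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\ = "InstallerLib" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe:typelib" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe:typelib C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
"""

ROW_RE = re.compile(
    r"^(Key created|Key deleted|File created|Set value \([a-z]+\))\s+"  # action
    r"(\S+)"                                                            # key, key\name or file path
    r'(?:\s+=\s+"(.*)")?'                                               # quoted value (Set value only)
    r"\s+(\S+)\s+(\S+)$"                                                # process, target
)
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def is_ads_path(path):
    """True when a Win32 path names an NTFS alternate data stream (C:\\dir\\file.exe:stream)."""
    return re.match(r"^[A-Za-z]:\\[^:]*:[^\\:]+$", path) is not None


def parse_row(line):
    """Split one sandbox row into action / key / value name / value / process."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    action, indicator, raw_value, process, _target = m.groups()
    if raw_value is None:  # Key created / Key deleted / File created
        return {"action": action, "key": indicator, "name": None, "value": None, "process": process}
    key, _, name = indicator.rpartition("\\")
    # The report escapes backslashes and quotes inside the value; undo that and
    # drop the outer quotes a LocalServer32 default value carries.
    value = raw_value.replace('\\"', '"').replace("\\\\", "\\").strip('"')
    return {"action": action, "key": key, "name": name or "(Default)", "value": value, "process": process}


def summarize(text):
    """Collapse the row list into the COM objects it registers and the ADS it touches."""
    summary = {"clsids": {}, "interfaces": {}, "typelibs": {},
               "ads_created": [], "ads_referenced": [], "transient_keys": []}
    created, deleted = set(), set()
    for row in filter(None, map(parse_row, text.splitlines())):
        key, action = row["key"], row["action"]
        if action == "Key created":
            created.add(key.lower())
        elif action == "Key deleted":
            deleted.add(key.lower())
        elif action == "File created":
            if is_ads_path(key):
                summary["ads_created"].append(key)
        else:  # Set value: attribute it to the CLSID / Interface / TypeLib GUID in the key
            m = GUID_RE.search(key)
            if not m:
                continue
            guid = m.group(0)
            rel = key[m.end():].lstrip("\\")
            label = rel if row["name"] == "(Default)" else "\\".join(filter(None, [rel, row["name"]]))
            branch = key.lower()
            if "\\clsid\\" in branch:
                summary["clsids"].setdefault(guid, {})[label] = row["value"]
            elif "\\interface\\" in branch and label == "":
                summary["interfaces"][guid] = row["value"]
            elif "\\typelib\\" in branch:
                summary["typelibs"].setdefault(guid, {})[label] = row["value"]
            if is_ads_path(row["value"]):
                where = key if row["name"] == "(Default)" else key + "\\" + row["name"]
                summary["ads_referenced"].append((where, row["value"]))
    # A key that is both created and deleted in the listing may not survive the run.
    summary["transient_keys"] = sorted(created & deleted)
    return summary


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_ROWS), indent=2))
```

Running it on the full behavioral1 and behavioral2 tables gives the same CLSID, ProgID, interface and type library for both runs; the only difference a diff of the two summaries shows is the WOW6432Node spelling and the extra win32 value in the Windows 10 run.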

Processes

C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe

"C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe"

Network

Only a single DNS query is recorded in this run; no connection to a resolved address follows it. Columns: Country, Destination, Domain, Proto.

Country Destination Domain Proto
US 8.8.8.8:53 www.idyllicdownload.com udp

Files

memory/1708-0-0x0000000000300000-0x00000000004E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe:typelib

MD5 f7c6ba6b4ce77d3ed810c7fb1b470e51
SHA1 1d3b0471b77204b5c0ca17ada602bed8f45a3562
SHA256 851e5f7092e0a5c5652cd48d370b13d1c2799b90d405b1dd1e5aa52b46c399a0
SHA512 da61398fc36fade218c240314a38e8b76ff815dcf9c4e0e942a485c42d849fcea7cf7f63bc82da42de8c6684589fe0f42881dc3b60ec668c368b4c785e8d4b2e

memory/1708-10-0x0000000000700000-0x0000000000701000-memory.dmp

memory/1708-13-0x0000000000300000-0x00000000004E3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:33

Reported

2024-01-25 17:36

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe"

Signatures

Kinsing

loader kinsing

Enumerates physical storage devices

Modifies registry class

Same COM self-registration as in behavioral1 (CLSID {f4668d3f-904f-4959-bdf0-9e4fa328c2d2}, ProgID bouncily.lowbrows.1, interface IBoot, type library InstallerLib), with the hive path spelled WOW6432Node rather than Wow6432Node on this Windows 10 image. The type library's win32 path is written twice here: once as the sample's own path and once as the 751aed4594b234563c560cc8a308739d.exe:typelib stream. As in behavioral1, creation and deletion of the same keys are both recorded, so persistence of the registration cannot be read off this listing. Columns: Description, Indicator (key, or key\name = "value"), Process, Target.

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2} C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Version C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\ = "Inst Class" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ = "IBoot" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\ = "{D99171C3-089D-4F04-8B43-6BC26B08AE1E}" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E} C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ProgID C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ProgID\ = "bouncily.lowbrows.1" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Programmable C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\TypeLib C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\ = "{D99171C3-089D-4F04-8B43-6BC26B08AE1E}" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\CLSID C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe\"" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Programmable C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\VersionIndependentProgID\ = "bouncily.lowbrows" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\CurVer\ = "bouncily.lowbrows.1" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E} C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\CLSID C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\ = "Inst Class" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\TypeLib\ = "{d99171c3-089d-4f04-8b43-6bc26b08ae1e}" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ = "IBoot" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2} C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D} C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\CurVer C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe:typelib" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\CurVer C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ProgID C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\CLSID\ = "{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}" C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A

NTFS ADS

As in behavioral1, the type library is written to an alternate data stream of the sample's own executable; the stream's hashes under Files are identical in both runs. Columns: Description, Indicator, Process, Target.

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe:typelib C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe

"C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe"

Network

The row for 138.91.171.81:80 has an empty Domain column: the sandbox did not attribute that TCP connection to any query, so whether it is the answer to www.soledownload.com or a hard-coded address is not shown here. The *.in-addr.arpa rows are reverse (PTR) lookups, written with the octets reversed (the first row asks about 20.72.205.209); none of the addresses they decode to appears as a connection destination, which is usual for background activity on the analysis image rather than for the sample, so they should not be treated as indicators without further evidence. Columns: Country, Destination, Domain, Proto.

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 www.soledownload.com udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
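The network table above mixes one unattributed TCP connection, one forward DNS query and eleven reverse lookups. Here is an added Python example (not part of the sandbox report and not code from the sample) that separates those three kinds of row, decodes the in-addr.arpa names back to addresses, and keeps as indicators only the forward-queried domains and the public addresses actually connected to. The rows are copied verbatim from the behavioral2 table; the column layout (country, destination ip:port, optional domain, proto) is assumed from this listing, not from any published schema.

```python
import re
from ipaddress import ip_address

# Constructed input: the behavioral2 "Network" rows above, copied verbatim.
# Row layout: <country> <destination ip:port> [<domain>] <proto>; the Domain
# column is empty when the sandbox did not attribute a connection to a query.
NETWORK_ROWS = """
US 138.91.171.81:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 www.soledownload.com udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
"""

NET_RE = re.compile(r"^([A-Z]{2})\s+([\d.]+):(\d+)(?:\s+(\S+))?\s+(tcp|udp)$")
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.IGNORECASE)


def ptr_target(name):
    """Decode a.b.c.d.in-addr.arpa back to the IPv4 address d.c.b.a, or None."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def triage(text):
    """Split the rows into forward DNS queries, reverse (PTR) lookups and
    connections, then derive the indicators worth keeping."""
    dns_queries, ptr_lookups, connections, resolvers = [], [], [], set()
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        if proto == "udp" and port == "53" and domain:
            resolvers.add(ip)
            target = ptr_target(domain)
            if target:
                ptr_lookups.append(target)
            else:
                dns_queries.append(domain.lower())
        else:
            connections.append({"ip": ip, "port": int(port), "proto": proto, "domain": domain})
    conn_ips = {c["ip"] for c in connections}
    return {
        "dns_queries": dns_queries,
        "ptr_lookups": ptr_lookups,
        # PTR lookups for addresses the sample never connected to are usually
        # background activity on the analysis image, not sample behaviour.
        "ptr_without_connection": [ip for ip in ptr_lookups if ip not in conn_ips],
        "connections": connections,
        # No Domain column: the sandbox did not tie this connection to a query,
        # so it is either hard-coded or the answer to an unattributed lookup.
        "unattributed_connections": [c for c in connections if c["domain"] is None],
        "resolvers": sorted(resolvers),
        "iocs": {
            "domains": sorted(set(dns_queries)),
            "ips": sorted({c["ip"] for c in connections if ip_address(c["ip"]).is_global}),
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(NETWORK_ROWS), indent=2))
```

The same function applied to the behavioral1 table yields one domain (www.idyllicdownload.com) and no connections at all, which is the quickest way to see that the two runs differ only in the download domain and in whether a connection followed.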

Files

memory/2004-0-0x0000000000300000-0x00000000004E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe:typelib

MD5 f7c6ba6b4ce77d3ed810c7fb1b470e51
SHA1 1d3b0471b77204b5c0ca17ada602bed8f45a3562
SHA256 851e5f7092e0a5c5652cd48d370b13d1c2799b90d405b1dd1e5aa52b46c399a0
SHA512 da61398fc36fade218c240314a38e8b76ff815dcf9c4e0e942a485c42d849fcea7cf7f63bc82da42de8c6684589fe0f42881dc3b60ec668c368b4c785e8d4b2e

memory/2004-7-0x0000000002E10000-0x0000000002E11000-memory.dmp

memory/2004-14-0x0000000000300000-0x00000000004E3000-memory.dmp