Analysis Overview
SHA256
03a97d391d604fd9f5f5dc01e7cb24bf065e72ca2d15d804af81d92c6919758c
Threat Level: Shows suspicious behavior
The file Rail.Route.v1.19.3.rar was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Adds Run key to start application
Checks installed software on the system
Drops file in Windows directory
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 17:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral31
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:56
Platform
win11-20240221-en
Max time kernel
126s
Max time network
164s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\UnityCrashHandler64.exe
"C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\UnityCrashHandler64.exe"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
80s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\UnityEngine.UnityWebRequestTextureModule.dll",#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
16s
Max time network
143s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\modio.UnityPlugin.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
120s
Max time network
155s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x644.exe | N/A |
Checks installed software on the system
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2524 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x644.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x644.exe |
| PID 2524 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x644.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x644.exe |
| PID 2524 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x644.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x644.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x644.exe
"C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x644.exe"
C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x644.exe
"C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x644.exe" -burn.unelevated BurnPipe.{95918676-04F9-4A65-BE28-FCE7B0BB8C64} {309D011E-CE18-4D1A-9C08-B24247C2D6E1} 2524
Network
Files
C:\Users\Admin\AppData\Local\Temp\{e46eca4f-393b-40df-9f49-076faf788d83}\.ba1\wixstdba.dll
| MD5 | 4d20a950a3571d11236482754b4a8e76 |
| SHA1 | e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c |
| SHA256 | a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b |
| SHA512 | 8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2 |
C:\Users\Admin\AppData\Local\Temp\{e46eca4f-393b-40df-9f49-076faf788d83}\.ba1\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
20s
Max time network
144s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\UnityEngine.UnityWebRequestWWWModule.dll",#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:57
Platform
win11-20240221-en
Max time kernel
68s
Max time network
284s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\UnityEngine.VRModule.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
124s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\UnityEngine.VehiclesModule.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:56
Platform
win11-20240221-en
Max time kernel
121s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\UnityEngine.VideoModule.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 205.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
140s
Max time network
158s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | \??\c:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF97C0CD08D8EA1C9F.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7B17.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFC06D1E029F964021.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFA1B992F0D6E8B442.TMP | C:\Windows\system32\msiexec.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\Patches | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\Patches\Patches = 3400440035003400300037003600430045004400340046003500420041003300320042004200440033004500350046004100440031004300440034004300390000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\SourceList\LastUsedSource = "n;2;c:\\5873e2c62050c7223d\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\SourceList\Net\2 = "c:\\5873e2c62050c7223d\\" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeTcbPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeSecurityPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeBackupPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeRestorePrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeShutdownPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeAuditPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeUndockPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | \??\c:\5873e2c62050c7223d\Setup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2720 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x64.exe | \??\c:\5873e2c62050c7223d\Setup.exe |
| PID 2720 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x64.exe | \??\c:\5873e2c62050c7223d\Setup.exe |
| PID 2720 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x64.exe | \??\c:\5873e2c62050c7223d\Setup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x64.exe"
\??\c:\5873e2c62050c7223d\Setup.exe
c:\5873e2c62050c7223d\Setup.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CompareConnect.asx"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sqm.microsoft.com | udp |
Files
C:\5873e2c62050c7223d\Setup.exe
| MD5 | 9a1141fbceeb2e196ae1ba115fd4bee6 |
| SHA1 | 922eacb654f091bc609f1b7f484292468d046bd1 |
| SHA256 | 28563d908450eb7b7e9ed07a934e0d68135b5bb48e866e0a1c913bd776a44fef |
| SHA512 | b044600acb16fc3be991d8a6dbc75c2ca45d392e66a4d19eacac4aee282d2ada0d411d832b76d25ef505cc542c7fa1fdb7098da01f84034f798b08baa4796168 |
\??\c:\5873e2c62050c7223d\SetupEngine.dll
| MD5 | a030c6b93740cbaa232ffaa08ccd3396 |
| SHA1 | 6f7236a30308fbf02d88e228f0b5b5ec7f61d3eb |
| SHA256 | 0507720d52ae856bbf5ff3f01172a390b6c19517cb95514cd53f4a59859e8d63 |
| SHA512 | 6787195b7e693744ce3b70c3b3ef04eaf81c39621e33d9f40b9c52f1a2c1d6094eceaebbc9b2906649351f5fc106eed085cef71bb606a9dc7890eafd200cfd42 |
C:\5873e2c62050c7223d\sqmapi.dll
| MD5 | 3f0363b40376047eff6a9b97d633b750 |
| SHA1 | 4eaf6650eca5ce931ee771181b04263c536a948b |
| SHA256 | bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c |
| SHA512 | 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8 |
\??\c:\5873e2c62050c7223d\DHTMLHeader.html
| MD5 | cd131d41791a543cc6f6ed1ea5bd257c |
| SHA1 | f42a2708a0b42a13530d26515274d1fcdbfe8490 |
| SHA256 | e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb |
| SHA512 | a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a |
C:\Users\Admin\AppData\Local\Temp\Setup_20240222_175308126.html
| MD5 | 93591e711bef8d978170968b82acef52 |
| SHA1 | 109efab7c0519ea4bc2b0c41b449ba5ef6acf7af |
| SHA256 | 395bea5371e12396ffd85db449a5dc9e80428a4af3e8646177b36dee1c7d79d9 |
| SHA512 | b84d82ec5d179efc17658ef19914a93595f2683990576d6d1adf58686fd082c61ffe875b43c3dcf164a3a87a025b8728c2b174b9430c76610c0b9b935dcccdbe |
\??\c:\5873e2c62050c7223d\UiInfo.xml
| MD5 | 4f90fcef3836f5fc49426ad9938a1c60 |
| SHA1 | 89eba3b81982d5d5c457ffa7a7096284a10de64a |
| SHA256 | 66a0299ce7ee12dd9fc2cfead3c3211e59bfb54d6c0627d044d44cef6e70367b |
| SHA512 | 4ce2731c1d32d7ca3a4f644f4b3111f06223de96c1e241fcc86f5fe665f4db18c8a241dae4e8a7e278d6afbf91b235a2c3517a40d4d22d9866880e19a7221160 |
\??\c:\5873e2c62050c7223d\ParameterInfo.xml
| MD5 | 322bedac27ce788189a7f346971656f8 |
| SHA1 | 4a5cf6ddb0bd8cb840bd4fa2bc6803d372b76f9b |
| SHA256 | e315eb9940e066be5fcbb6e7b78fb1ea37784a41e9ff4547ef7b50ad61848e54 |
| SHA512 | 0f2e657b43b0b873c62fbb369d8ae4fed94239b05067ebb0acd19c3a8f9b90ceb4b42d6091980202ff51c781f6bc518b079828049f17c8b9e6fa329a09394c11 |
\??\c:\5873e2c62050c7223d\1033\LocalizedData.xml
| MD5 | 5486ff60b072102ee3231fd743b290a1 |
| SHA1 | d8d8a1d6bf6adf1095158b3c9b0a296a037632d0 |
| SHA256 | 5ca3ecaa12ca56f955d403ca93c4cb36a7d3dcdea779fc9bdaa0cdd429dab706 |
| SHA512 | ae240eaac32edb18fd76982fc01e03bd9c8e40a9ec1b9c42d7ebd225570b7517949e045942dbb9e40e620aa9dcc9fbe0182c6cf207ac0a44d7358ad33ba81472 |
\??\c:\5873e2c62050c7223d\1028\LocalizedData.xml
| MD5 | 12df3535e4c4ef95a8cb03fd509b5874 |
| SHA1 | 90b1f87ba02c1c89c159ebf0e1e700892b85dc39 |
| SHA256 | 1c8132747dc33ccdb02345cbe706e65089a88fe32cf040684ca0d72bb9105119 |
| SHA512 | c6c8887e7023c4c1cbf849eebd17b6ad68fc14607d1c32c0d384f951e07bfaf6b61e0639f4e5978c9e3e1d52ef8a383b62622018a26fa4066eb620f584030808 |
\??\c:\5873e2c62050c7223d\1031\LocalizedData.xml
| MD5 | b13ff959adc5c3e9c4ba4c4a76244464 |
| SHA1 | 4df793626f41b92a5bc7c54757658ce30fdaeeb1 |
| SHA256 | 44945bc0ba4be653d07f53e736557c51164224c8ec4e4672dfae1280260ba73b |
| SHA512 | de78542d3bbc4c46871a8afb50fb408a59a76f6ed67e8be3cba8ba41724ea08df36400e233551b329277a7a0fe6168c5556abe9d9a735f41b29a941250bfc4d6 |
\??\c:\5873e2c62050c7223d\1036\LocalizedData.xml
| MD5 | 30dd04ce53b3f5d9363ade0359e3e0b2 |
| SHA1 | 56bc3301013a2d0b08ecd38ff0a22b1040ef558e |
| SHA256 | bf03073e0e939f3598aeb9aa19b655a24c4ad31f96065d6dc60f7c4df78653ba |
| SHA512 | 9cb1ff9ba0dc018f9e1bd301fbcb9e5c561f6a14c65290ebc0fe67cbdf59d1a09898a2f802c52339c10942c819ebb4bdd8b4c7f5f4f78af95f7c893641e41a34 |
\??\c:\5873e2c62050c7223d\1041\LocalizedData.xml
| MD5 | 6f86b79dbf15e810331df2ca77f1043a |
| SHA1 | 875ed8498c21f396cc96b638911c23858ece5b88 |
| SHA256 | f0f9dd1a9f164f4d2e73b4d23cc5742da2c39549b9c4db692283839c5313e04f |
| SHA512 | ca233a6bf55e253ebf1e8180a326667438e1124f6559054b87021095ef16ffc6b0c87361e0922087be4ca9cabd10828be3b6cc12c4032cb7f2a317fdbd76f818 |
\??\c:\5873e2c62050c7223d\1040\LocalizedData.xml
| MD5 | fe6b23186c2d77f7612bf7b1018a9b2a |
| SHA1 | 1528ec7633e998f040d2d4c37ac8a7dc87f99817 |
| SHA256 | 03bbe1a39c6716f07703d20ed7539d8bf13b87870c2c83ddda5445c82953a80a |
| SHA512 | 40c9c9f3607cab24655593fc4766829516de33f13060be09f5ee65578824ac600cc1c07fe71cdd48bff7f52b447ff37c0d161d755a69ac7db7df118da6db7649 |
\??\c:\5873e2c62050c7223d\1042\LocalizedData.xml
| MD5 | e87ad0b3bf73f3e76500f28e195f7dc0 |
| SHA1 | 716b842f6fbf6c68dc9c4e599c8182bfbb1354dc |
| SHA256 | 43b351419b73ac266c4b056a9c3a92f6dfa654328163814d17833a837577c070 |
| SHA512 | d3ea8655d42a2b0938c2189ceeab25c29939c302c2e2205e05d6059afc2a9b2039b21c083a7c17da1ce5eebdc934ff327a452034e2e715e497bcd6239395774c |
\??\c:\5873e2c62050c7223d\1049\LocalizedData.xml
| MD5 | 1290be72ed991a3a800a6b2a124073b2 |
| SHA1 | dac09f9f2ccb3b273893b653f822e3dfc556d498 |
| SHA256 | 6ba9a2e4a6a58f5bb792947990e51babd9d5151a7057e1a051cb007fea2eb41c |
| SHA512 | c0b8b4421fcb2aabe2c8c8773fd03842e3523bf2b75d6262fd8bd952adc12c06541bdae0219e89f9f9f8d79567a4fe4dff99529366c4a7c5bf66c218431f3217 |
\??\c:\5873e2c62050c7223d\2052\LocalizedData.xml
| MD5 | 150b5c3d1b452dccbe8f1313fda1b18c |
| SHA1 | 7128b6b9e84d69c415808f1d325dd969b17914cc |
| SHA256 | 6d4eb9dca1cbcd3c2b39a993133731750b9fdf5988411f4a6da143b9204c01f2 |
| SHA512 | a45a1f4f19a27558e08939c7f63894ff5754e6840db86b8c8c68d400a36fb23179caff164d8b839898321030469b56446b5a8efc5765096dee5e8a746351e949 |
\??\c:\5873e2c62050c7223d\3082\LocalizedData.xml
| MD5 | 05a95593c61c744759e52caf5e13502e |
| SHA1 | 0054833d8a7a395a832e4c188c4d012301dd4090 |
| SHA256 | 1a3e5e49da88393a71ea00d73fee7570e40edb816b72622e39c7fcd09c95ead1 |
| SHA512 | 00aee4c02f9d6374560f7d2b826503aab332e1c4bc3203f88fe82e905471ec43f92f4af4fc52e46f377e4d297c2be99daf94980df2ce7664c169552800264fd3 |
C:\5873e2c62050c7223d\SetupUi.dll
| MD5 | c744ec120e54027c57318c4720b4d6be |
| SHA1 | ab65fc4e68ad553520af049129fae4f88c7eff74 |
| SHA256 | d1610b0a94a4dadc85ee32a7e5ffd6533ea42347d6f2d6871beb03157b89a857 |
| SHA512 | 6dcd0ab7b8671e17d1c15db030ee5349ab3a123595c546019cf9391ce05f9f63806149c3ec2f2c71635cb811ab65ad47bcd7031e2eff7a59059577e47dd600a7 |
\??\c:\5873e2c62050c7223d\SetupUi.xsd
| MD5 | 2fadd9e618eff8175f2a6e8b95c0cacc |
| SHA1 | 9ab1710a217d15b192188b19467932d947b0a4f8 |
| SHA256 | 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093 |
| SHA512 | a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca |
\??\c:\5873e2c62050c7223d\1033\SetupResources.dll
| MD5 | 718ab3eb3f43c9bcf16276c1eb17f2c1 |
| SHA1 | a3091fd7784a9469309b3edb370e24a0323e30ac |
| SHA256 | e1a13f5b763d73271a1a205a88e64c6611c25d5f434cfa5da14feb8e4272ffaa |
| SHA512 | 9fa8a8d9645a9b490257c2dce3d31f1585f6d6069f9471f9e00dfaa9e457ff1db4c9176a91e02d7f0b61bae0c1fc76b56061eff04888a58aeb5ad2e8692fcf8a |
\??\c:\5873e2c62050c7223d\Strings.xml
| MD5 | 332adf643747297b9bfa9527eaefe084 |
| SHA1 | 670f933d778eca39938a515a39106551185205e9 |
| SHA256 | e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca |
| SHA512 | bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0 |
\??\c:\5873e2c62050c7223d\graphics\print.ico
| MD5 | 7e55ddc6d611176e697d01c90a1212cf |
| SHA1 | e2620da05b8e4e2360da579a7be32c1b225deb1b |
| SHA256 | ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed |
| SHA512 | 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e |
\??\c:\5873e2c62050c7223d\watermark.bmp
| MD5 | 1a5caafacfc8c7766e404d019249cf67 |
| SHA1 | 35d4878db63059a0f25899f4be00b41f430389bf |
| SHA256 | 2e87d5742413254db10f7bd0762b6cdb98ff9c46ca9acddfd9b1c2e5418638f2 |
| SHA512 | 202c13ded002d234117f08b18ca80d603246e6a166e18ba422e30d394ada7e47153dd3cce9728affe97128fdd797fe6302c74dc6882317e2ba254c8a6db80f46 |
\??\c:\5873e2c62050c7223d\header.bmp
| MD5 | 3ad1a8c3b96993bcdf45244be2c00eef |
| SHA1 | 308f98e199f74a43d325115a8e7072d5f2c6202d |
| SHA256 | 133b86a4f1c67a159167489fdaeab765bfa1050c23a7ae6d5c517188fb45f94a |
| SHA512 | 133442c4a65269f817675adf01adcf622e509aa7ec7583bca8cd9a7eb6018d2aab56066054f75657038efb947cd3b3e5dc4fe7f0863c8b3b1770a8fa4fe2e658 |
\??\c:\5873e2c62050c7223d\graphics\setup.ico
| MD5 | 3d25d679e0ff0b8c94273dcd8b07049d |
| SHA1 | a517fc5e96bc68a02a44093673ee7e076ad57308 |
| SHA256 | 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f |
| SHA512 | 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255 |
\??\c:\5873e2c62050c7223d\graphics\save.ico
| MD5 | 7d62e82d960a938c98da02b1d5201bd5 |
| SHA1 | 194e96b0440bf8631887e5e9d3cc485f8e90fbf5 |
| SHA256 | ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5 |
| SHA512 | ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67 |
memory/1240-106-0x00000000017F0000-0x00000000017F1000-memory.dmp
memory/1240-107-0x00000000017F0000-0x00000000017F1000-memory.dmp
\??\c:\5873e2c62050c7223d\graphics\SysReqMet.ico
| MD5 | 661cbd315e9b23ba1ca19edab978f478 |
| SHA1 | 605685c25d486c89f872296583e1dc2f20465a2b |
| SHA256 | 8bfc77c6d0f27f3d0625a884e0714698acc0094a92adcb6de46990735ae8f14d |
| SHA512 | 802cc019f07fd3b78fcefdc8404b3beb5d17bfc31bded90d42325a138762cc9f9ebfd1b170ec4bbcccf9b99773bd6c8916f2c799c54b22ff6d5edd9f388a67c6 |
\??\c:\5873e2c62050c7223d\graphics\SysReqNotMet.ico
| MD5 | ee2c05cc9d14c29f586d40eb90c610a9 |
| SHA1 | e571d82e81bd61b8fe4c9ecd08869a07918ac00b |
| SHA256 | 3c9c71950857ddb82baab83ed70c496dee8f20f3bc3216583dc1ddda68aefc73 |
| SHA512 | 0f38fe9c97f2518186d5147d2c4a786b352fceca234410a94cc9d120974fc4be873e39956e10374da6e8e546aea5689e7fa0beed025687547c430e6ceffabffb |
\??\c:\5873e2c62050c7223d\graphics\Rotate1.ico
| MD5 | 26a00597735c5f504cf8b3e7e9a7a4c1 |
| SHA1 | d913cb26128d5ca1e1ac3dab782de363c9b89934 |
| SHA256 | 37026c4ea2182d7908b3cf0cef8a6f72bddca5f1cfbc702f35b569ad689cf0af |
| SHA512 | 08cefc5a2b625f261668f70cc9e1536dc4878d332792c751884526e49e7fee1ecfa6fccfddf7be80910393421cc088c0fd0b0c27c7a7eff2ae03719e06022fdf |
\??\c:\5873e2c62050c7223d\graphics\Rotate2.ico
| MD5 | 8419caa81f2377e09b7f2f6218e505ae |
| SHA1 | 2cf5ad8c8da4f1a38aab433673f4dddc7ae380e9 |
| SHA256 | db89d8a45c369303c04988322b2774d2c7888da5250b4dab2846deef58a7de22 |
| SHA512 | 74e504d2c3a8e82925110b7cfb45fde8a4e6df53a188e47cf22d664cbb805eba749d2db23456fc43a86e57c810bc3d9166e7c72468fbd736da6a776f8ca015d1 |
\??\c:\5873e2c62050c7223d\graphics\Rotate5.ico
| MD5 | 3b4861f93b465d724c60670b64fccfcf |
| SHA1 | c672d63c62e00e24fbb40da96a0cc45b7c5ef7f0 |
| SHA256 | 7237051d9af5db972a1fecf0b35cd8e9021471740782b0dbf60d3801dc9f5f75 |
| SHA512 | 2e798b0c9e80f639571525f39c2f50838d5244eeda29b18a1fae6c15d939d5c8cd29f6785d234b54bda843a645d1a95c7339707991a81946b51f7e8d5ed40d2c |
\??\c:\5873e2c62050c7223d\graphics\Rotate4.ico
| MD5 | bb55b5086a9da3097fb216c065d15709 |
| SHA1 | 1206c708bd08231961f17da3d604a8956addccfe |
| SHA256 | 8d82ff7970c9a67da8134686560fe3a6c986a160ced9d1cc1392f2ba75c698ab |
| SHA512 | de9226064680da6696976a4a320e08c41f73d127fbb81bf142048996df6206ddb1c2fe347c483cc8e0e50a00dab33db9261d03f1cd7ca757f5ca7bb84865fca9 |
\??\c:\5873e2c62050c7223d\graphics\Rotate3.ico
| MD5 | 924fd539523541d42dad43290e6c0db5 |
| SHA1 | 19a161531a2c9dbc443b0f41b97cbde7375b8983 |
| SHA256 | 02a7fe932029c6fa24d1c7cc06d08a27e84f43a0cbc47b7c43cac59424b3d1f6 |
| SHA512 | 86a4c5d981370efa20183cc4a52c221467692e91539ac38c8def1cc200140f6f3d9412b6e62faf08ca6668df401d8b842c61b1f3c2a4c4570f3b2cec79c9ee8b |
\??\c:\5873e2c62050c7223d\graphics\Rotate8.ico
| MD5 | d1c53003264dce4effaf462c807e2d96 |
| SHA1 | 92562ad5876a5d0cb35e2d6736b635cb5f5a91d9 |
| SHA256 | 5fb03593071a99c7b3803fe8424520b8b548b031d02f2a86e8f5412ac519723c |
| SHA512 | c34f8c05a50dc0de644d1f9d97696cdb0a1961c7c7e412eb3df2fd57bbd34199cf802962ca6a4b5445a317d9c7875e86e8e62f6c1df8cc3415afc0bd26e285bd |
\??\c:\5873e2c62050c7223d\graphics\Rotate7.ico
| MD5 | fb4dfebe83f554faf1a5cec033a804d9 |
| SHA1 | 6c9e509a5d1d1b8d495bbc8f57387e1e7e193333 |
| SHA256 | 4f46a9896de23a92d2b5f963bcfb3237c3e85da05b8f7660641b3d1d5afaae6f |
| SHA512 | 3caeb21177685b9054b64dec997371c4193458ff8607bce67e4fbe72c4af0e6808d344dd0d59d3d0f5ce00e4c2b8a4ffca0f7d9352b0014b9259d76d7f03d404 |
\??\c:\5873e2c62050c7223d\graphics\Rotate6.ico
| MD5 | 70006bf18a39d258012875aefb92a3d1 |
| SHA1 | b47788f3f8c5c305982eb1d0e91c675ee02c7beb |
| SHA256 | 19abcedf93d790e19fb3379cb3b46371d3cbff48fe7e63f4fdcc2ac23a9943e4 |
| SHA512 | 97fdbdd6efadbfb08161d8546299952470228a042bd2090cd49896bc31ccb7c73dab8f9de50cdaf6459f7f5c14206af7b90016deeb1220943d61c7324541fe2c |
\??\c:\5873e2c62050c7223d\vc_red.cab
| MD5 | c2b6838431748d42e247c574a191b2c2 |
| SHA1 | f01c1a083c158d9470da3919b461938560e90874 |
| SHA256 | 387e94a26165e4e5f035d89f9c6589a8a9d223978abbcc728b4c45c0115267a6 |
| SHA512 | 5cf95c3cbe10a75360bc4d02840e196c919bcd2fd42ba86192d25d781d00e8019217a9c8829f51a2924d8c95bd48e06728a3530e3344000cac79c4b0e7faff91 |
\??\c:\5873e2c62050c7223d\vc_red.msi
| MD5 | 8f21bc0dc9e66f8e9d94197ae76698b3 |
| SHA1 | b48a08fde80f739657b819b94602f861f3ff57a4 |
| SHA256 | 5763364634bdb2097b6df6cde79ac5cce6069acecf27254c589e3cabffe53c2b |
| SHA512 | 88fd8870bc0f5dbdd2cb4a6a97cf4b1ab81d7ff77c2b2a4d1f6b34a730d0347a5022ecc8ca5b2e7c5f7c2cbe0486d5046cfafcb8167e001e1ac5e1797d03278a |
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_20240222_175308360-MSI_vc_red.msi.txt
| MD5 | 1d75ba3dcd5244e62074093f07b9912d |
| SHA1 | bcdf7ba03c5f9ffed2ea464272c73f29b9a78f79 |
| SHA256 | 556bca2180c34b787518e8e4667e561bfdede32b42b0e35fdbd0cf1ac5c20aa8 |
| SHA512 | b1ef55eff71c90b8ca54d36a50f74a602be3cce3b74b4dc95770c6794306e5877e4b0a1165122416a6aeef03e562bf6e982d19944bfc1e31c37f59e5d51b3d25 |
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Config.Msi\e587a3e.rbs
| MD5 | 69d768544bb19703ac013a3b9f9a8bb2 |
| SHA1 | 2817dbe86074712a966a3de69d521c2beb6d0559 |
| SHA256 | 8a79f5eb34ff64af6dfe6de0f11da91184505a47c01b21386861b3edfa17f7ae |
| SHA512 | 463f4ba6ff3dd852c8e458062ca52c437f0ac033c97565bb3c159b98ee283c3cacef4707bb5681e56e4e5773f1b43c966060305d15618923036ac4d9ecd75d7f |
memory/876-176-0x00007FF74BF50000-0x00007FF74C048000-memory.dmp
memory/876-177-0x00007FF9888B0000-0x00007FF9888E4000-memory.dmp
memory/876-178-0x00007FF976B50000-0x00007FF976E04000-memory.dmp
memory/876-179-0x00007FF9750E0000-0x00007FF97618B000-memory.dmp
memory/876-180-0x00007FF974310000-0x00007FF974422000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
128s
Max time network
135s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{a2199617-3609-410f-a8e8-e8806c73545b} = "\"C:\\ProgramData\\Package Cache\\{a2199617-3609-410f-a8e8-e8806c73545b}\\vcredist_x64.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_amd64_20240222175308.log\" ignored /burn.runonce" | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | N/A |
Checks installed software on the system
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000fb1a9eb37f5a4fba0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000fb1a9eb30000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900fb1a9eb3000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dfb1a9eb3000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000fb1a9eb300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v11\Dependents\{a2199617-3609-410f-a8e8-e8806c73545b} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditional_amd64,v11\Dependents\{a2199617-3609-410f-a8e8-e8806c73545b} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{a2199617-3609-410f-a8e8-e8806c73545b} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{a2199617-3609-410f-a8e8-e8806c73545b}\Version = "11.0.61030.0" | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{a2199617-3609-410f-a8e8-e8806c73545b}\DisplayName = "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030" | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimum_amd64,v11 | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimum_amd64,v11\Dependents\{a2199617-3609-410f-a8e8-e8806c73545b} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v11 | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v11 | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditional_amd64,v11 | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v11\Dependents\{a2199617-3609-410f-a8e8-e8806c73545b} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5056 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe |
| PID 5056 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe |
| PID 5056 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe
"C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe"
C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe
"C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x643.exe" -burn.unelevated BurnPipe.{FF7208D9-0363-4090-8455-7AFDFD2ADEB6} {F210A40B-0DB8-44BF-9C4F-48527F1AE71A} 5056
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\{a2199617-3609-410f-a8e8-e8806c73545b}\.ba1\wixstdba.dll
| MD5 | d7bf29763354eda154aad637017b5483 |
| SHA1 | dfa7d296bfeecde738ef4708aaabfebec6bc1e48 |
| SHA256 | 7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93 |
| SHA512 | 1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c |
C:\Users\Admin\AppData\Local\Temp\{a2199617-3609-410f-a8e8-e8806c73545b}\.ba1\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
C:\Users\Admin\AppData\Local\Temp\{a2199617-3609-410f-a8e8-e8806c73545b}\.be\vcredist_x64.exe
| MD5 | dfe2eba61b580da064de8e8b7d22ba34 |
| SHA1 | 7db24c2dab99822721cc351eee3c637e01c8afd6 |
| SHA256 | 6e306e8e373529a48dfb41cb5bf797450ec336148d385db37d8e0dd0ad0f80a5 |
| SHA512 | 1b3d47b0c8ab234d4d51136a3fdef005b901598b7fbee5dbbf79dc6828084c2af53764b42550454eaf935cdd440c103e9af72851c9d31156a5bba23a839d6459 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:56
Platform
win11-20240221-en
Max time kernel
128s
Max time network
154s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{f0080ca2-80ae-4958-b6eb-e8fa916d744a} = "\"C:\\ProgramData\\Package Cache\\{f0080ca2-80ae-4958-b6eb-e8fa916d744a}\\vcredist_x86.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_x86_20240222175322.log\" ignored /burn.runonce" | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | N/A |
Checks installed software on the system
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a0b33ab3dac1b2ba0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a0b33ab30000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a0b33ab3000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da0b33ab3000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a0b33ab300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{f0080ca2-80ae-4958-b6eb-e8fa916d744a} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0080ca2-80ae-4958-b6eb-e8fa916d744a}\Version = "11.0.61030.0" | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f0080ca2-80ae-4958-b6eb-e8fa916d744a}\DisplayName = "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030" | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimum_x86,v11 | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditional_x86,v11\Dependents\{f0080ca2-80ae-4958-b6eb-e8fa916d744a} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v11\Dependents\{f0080ca2-80ae-4958-b6eb-e8fa916d744a} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimum_x86,v11\Dependents\{f0080ca2-80ae-4958-b6eb-e8fa916d744a} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v11 | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v11\Dependents\{f0080ca2-80ae-4958-b6eb-e8fa916d744a} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditional_x86,v11 | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v11 | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4860 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe |
| PID 4860 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe |
| PID 4860 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe
"C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe"
C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe
"C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x863.exe" -burn.unelevated BurnPipe.{0F94A828-BB17-45DF-B61E-3849811214BB} {84CB7078-A420-41F0-BC55-8F105E0CF7EB} 4860
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\{f0080ca2-80ae-4958-b6eb-e8fa916d744a}\.ba1\wixstdba.dll
| MD5 | d7bf29763354eda154aad637017b5483 |
| SHA1 | dfa7d296bfeecde738ef4708aaabfebec6bc1e48 |
| SHA256 | 7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93 |
| SHA512 | 1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c |
C:\Users\Admin\AppData\Local\Temp\{f0080ca2-80ae-4958-b6eb-e8fa916d744a}\.ba1\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
C:\Users\Admin\AppData\Local\Temp\{f0080ca2-80ae-4958-b6eb-e8fa916d744a}\.be\vcredist_x86.exe
| MD5 | 365aa5472c3470a4d4ab6b27de058ab4 |
| SHA1 | e3df8255bdd934f797a947e231a804671270619d |
| SHA256 | a246bf7ff8f4fcae4131415df2e35ae960cb6bfd7ff047c07dabcd3811974c88 |
| SHA512 | c42e763982bc5dbdd5f8813e1c24d2f97d067978a22341f7c4c9cbf36e09432c9905e2bc74e8829f838340cca5a7ee5b36a9729b85f222b63b2f57389a785cc4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
127s
Max time network
159s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\UnityEngine.UnityWebRequestAssetBundleModule.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 13.107.21.200:443 | tcp | |
| US | 20.42.65.89:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 92.123.128.187:443 | r.bing.com | tcp |
| GB | 92.123.128.187:443 | r.bing.com | tcp |
| GB | 92.123.128.187:443 | r.bing.com | tcp |
| GB | 92.123.128.187:443 | r.bing.com | tcp |
| GB | 92.123.128.187:443 | r.bing.com | tcp |
| GB | 92.123.128.187:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
132s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\mscorlib.dll",#1
Network
| Country | Destination | Domain | Proto |
| IE | 52.111.236.23:443 | tcp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:57
Platform
win11-20240221-en
Max time kernel
169s
Max time network
280s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x864.exe | N/A |
Checks installed software on the system
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3320 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x864.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x864.exe |
| PID 3320 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x864.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x864.exe |
| PID 3320 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x864.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x864.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x864.exe
"C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x864.exe"
C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x864.exe
"C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vc_redist.x864.exe" -burn.unelevated BurnPipe.{D7347899-96D1-4A90-8940-C510E60F9409} {57A19EE0-6F57-4110-B596-906099A49F0F} 3320
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll
| MD5 | 4d20a950a3571d11236482754b4a8e76 |
| SHA1 | e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c |
| SHA256 | a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b |
| SHA512 | 8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2 |
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
Analysis: behavioral26
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
133s
Max time network
158s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{1a63c099-febd-4eaf-83ad-a82ea4fdac49} = "\"C:\\ProgramData\\Package Cache\\{1a63c099-febd-4eaf-83ad-a82ea4fdac49}\\vcredist_x64.exe\" /burn.runonce" | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | N/A |
Checks installed software on the system
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a0a26a5bdad282120000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a0a26a5b0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a0a26a5b000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da0a26a5b000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a0a26a5b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{1a63c099-febd-4eaf-83ad-a82ea4fdac49}\Version = "12.0.30501.0" | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{1a63c099-febd-4eaf-83ad-a82ea4fdac49}\Dependents\{1a63c099-febd-4eaf-83ad-a82ea4fdac49} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{1a63c099-febd-4eaf-83ad-a82ea4fdac49} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{1a63c099-febd-4eaf-83ad-a82ea4fdac49}\ = "{1a63c099-febd-4eaf-83ad-a82ea4fdac49}" | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{1a63c099-febd-4eaf-83ad-a82ea4fdac49}\DisplayName = "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501" | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{1a63c099-febd-4eaf-83ad-a82ea4fdac49}\Dependents | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v12 | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v12\Dependents\{1a63c099-febd-4eaf-83ad-a82ea4fdac49} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v12 | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v12\Dependents\{1a63c099-febd-4eaf-83ad-a82ea4fdac49} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4248 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe |
| PID 4248 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe |
| PID 4248 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe
"C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe"
C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe
"C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x642.exe" -burn.unelevated BurnPipe.{E3D12D67-373E-488C-A8B6-18791F2C915D} {3A7A27AB-9B76-4255-8C7F-10EE225ADDBC} 4248
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
Network
Files
C:\Users\Admin\AppData\Local\Temp\{1a63c099-febd-4eaf-83ad-a82ea4fdac49}\.ba1\wixstdba.dll
| MD5 | a52e5220efb60813b31a82d101a97dcb |
| SHA1 | 56e16e4df0944cb07e73a01301886644f062d79b |
| SHA256 | e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf |
| SHA512 | d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e |
C:\Users\Admin\AppData\Local\Temp\{1a63c099-febd-4eaf-83ad-a82ea4fdac49}\.ba1\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
C:\Users\Admin\AppData\Local\Temp\{1a63c099-febd-4eaf-83ad-a82ea4fdac49}\.be\vcredist_x64.exe
| MD5 | b2e7e429bc02bf09eda25f8e159189d3 |
| SHA1 | 38eaa08098ba11076349f91bb74ff99d09c9cebd |
| SHA256 | c7be60dfc46d3ebfccae152141fdacf20ecc6d1754c5f8bc83abd4a13761f3d5 |
| SHA512 | 517878967663eb5442158903cd3255516a702b1ab662b99769170e8d3d5e3e0d2f106f734fec72ede05f5251f4e3ea4da5a46a34a240a9f15e12fafbe39f0057 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
126s
Max time network
161s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\UnityEngine.XRModule.dll",#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
16s
Max time network
143s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\UnityEngine.UnityTestProtocolModule.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:56
Platform
win11-20240221-en
Max time kernel
129s
Max time network
161s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Plugins\x86_64\lib_burst_generated.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:56
Platform
win11-20240221-en
Max time kernel
127s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Plugins\x86_64\steam_api64.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
133s
Max time network
95s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SystemTemp\~DFF30670120B69C52F.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | \??\c:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFD1766190BD0DEFD0.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA6D5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF339FAEBEA359524C.TMP | C:\Windows\system32\msiexec.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\Patches | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\Patches\Patches = 3200440030003000350038004600360046003000380041003700340033003300300039003100380034004200450031003100370038004300390035004200320000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\SourceList\LastUsedSource = "n;2;c:\\a4ae6520f98200335daf9fa1bf\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\SourceList\Net\2 = "c:\\a4ae6520f98200335daf9fa1bf\\" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeTcbPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeSecurityPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeBackupPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeRestorePrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeShutdownPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeAuditPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeUndockPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2280 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x86.exe | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe |
| PID 2280 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x86.exe | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe |
| PID 2280 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x86.exe | \??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x86.exe"
\??\c:\a4ae6520f98200335daf9fa1bf\Setup.exe
c:\a4ae6520f98200335daf9fa1bf\Setup.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\a4ae6520f98200335daf9fa1bf\Setup.exe
| MD5 | 9a1141fbceeb2e196ae1ba115fd4bee6 |
| SHA1 | 922eacb654f091bc609f1b7f484292468d046bd1 |
| SHA256 | 28563d908450eb7b7e9ed07a934e0d68135b5bb48e866e0a1c913bd776a44fef |
| SHA512 | b044600acb16fc3be991d8a6dbc75c2ca45d392e66a4d19eacac4aee282d2ada0d411d832b76d25ef505cc542c7fa1fdb7098da01f84034f798b08baa4796168 |
\??\c:\a4ae6520f98200335daf9fa1bf\SetupEngine.dll
| MD5 | a030c6b93740cbaa232ffaa08ccd3396 |
| SHA1 | 6f7236a30308fbf02d88e228f0b5b5ec7f61d3eb |
| SHA256 | 0507720d52ae856bbf5ff3f01172a390b6c19517cb95514cd53f4a59859e8d63 |
| SHA512 | 6787195b7e693744ce3b70c3b3ef04eaf81c39621e33d9f40b9c52f1a2c1d6094eceaebbc9b2906649351f5fc106eed085cef71bb606a9dc7890eafd200cfd42 |
C:\a4ae6520f98200335daf9fa1bf\sqmapi.dll
| MD5 | 3f0363b40376047eff6a9b97d633b750 |
| SHA1 | 4eaf6650eca5ce931ee771181b04263c536a948b |
| SHA256 | bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c |
| SHA512 | 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8 |
\??\c:\a4ae6520f98200335daf9fa1bf\DHTMLHeader.html
| MD5 | cd131d41791a543cc6f6ed1ea5bd257c |
| SHA1 | f42a2708a0b42a13530d26515274d1fcdbfe8490 |
| SHA256 | e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb |
| SHA512 | a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a |
C:\Users\Admin\AppData\Local\Temp\Setup_20240222_175237781.html
| MD5 | e39ba1f81c7b0bf2ba1347a6b0446d98 |
| SHA1 | b78b0e9ad039c9b11ef8fe3ca7fadfc76bfd7204 |
| SHA256 | 55472110a403359460c42d69a35d677c3067cc143832afa8487a7831f2726ee6 |
| SHA512 | 52a00c7558f3e1c1a2d24e059b835485ef7927caaebe50e09b4f7eb8207339a9f831b10900dcf88657f828b9900be7a1cbcfad884299e0bcfa2277fb180ce5c1 |
\??\c:\a4ae6520f98200335daf9fa1bf\UiInfo.xml
| MD5 | 4f90fcef3836f5fc49426ad9938a1c60 |
| SHA1 | 89eba3b81982d5d5c457ffa7a7096284a10de64a |
| SHA256 | 66a0299ce7ee12dd9fc2cfead3c3211e59bfb54d6c0627d044d44cef6e70367b |
| SHA512 | 4ce2731c1d32d7ca3a4f644f4b3111f06223de96c1e241fcc86f5fe665f4db18c8a241dae4e8a7e278d6afbf91b235a2c3517a40d4d22d9866880e19a7221160 |
\??\c:\a4ae6520f98200335daf9fa1bf\ParameterInfo.xml
| MD5 | 46db5d342d306778cab61e413a84fece |
| SHA1 | d0885ae1f706e014015cacb0cd67ca786d0962c2 |
| SHA256 | 227bd903261486663665ba232b753781bafd7afba68b5614ad93d6d1f5a1e16b |
| SHA512 | 5de734ce86888ae41db113be13b8b6652f67de8e7ff0dc062a3e217e078ccafacf44117bbfff6e26d6c7e4fa369855e87b4926e9bdfa96f466a89a9d9c67a5bc |
\??\c:\a4ae6520f98200335daf9fa1bf\1033\LocalizedData.xml
| MD5 | d642e322d1e8b739510ca540f8e779f9 |
| SHA1 | 36279c76d9f34c09ebddc84fd33fcc7d4b9a896c |
| SHA256 | 5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9 |
| SHA512 | e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d |
\??\c:\a4ae6520f98200335daf9fa1bf\1028\LocalizedData.xml
| MD5 | 7fc06a77d9aafca9fb19fafa0f919100 |
| SHA1 | e565740e7d582cd73f8d3b12de2f4579ff18bb41 |
| SHA256 | a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a |
| SHA512 | 466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf |
\??\c:\a4ae6520f98200335daf9fa1bf\1031\LocalizedData.xml
| MD5 | b83c3803712e61811c438f6e98790369 |
| SHA1 | 61a0bc59388786ced045acd82621bee8578cae5a |
| SHA256 | 2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6 |
| SHA512 | e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38 |
\??\c:\a4ae6520f98200335daf9fa1bf\1036\LocalizedData.xml
| MD5 | e382abc19294f779d2833287242e7bc6 |
| SHA1 | 1ceae32d6b24a3832f9244f5791382865b668a72 |
| SHA256 | 43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf |
| SHA512 | 06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e |
\??\c:\a4ae6520f98200335daf9fa1bf\1040\LocalizedData.xml
| MD5 | 0af948fe4142e34092f9dd47a4b8c275 |
| SHA1 | b3d6dd5c126280398d9055f90e2c2c26dbae4eaa |
| SHA256 | c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248 |
| SHA512 | d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9 |
\??\c:\a4ae6520f98200335daf9fa1bf\1041\LocalizedData.xml
| MD5 | 7fcfbc308b0c42dcbd8365ba62bada05 |
| SHA1 | 18a0f0e89b36818c94de0ad795cc593d0e3e29a9 |
| SHA256 | 01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2 |
| SHA512 | cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649 |
\??\c:\a4ae6520f98200335daf9fa1bf\1049\LocalizedData.xml
| MD5 | 0eeb554d0b9f9fcdb22401e2532e9cd0 |
| SHA1 | 08799520b72a1ef92ac5b94a33509d1eddf6caf8 |
| SHA256 | beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c |
| SHA512 | 2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d |
\??\c:\a4ae6520f98200335daf9fa1bf\1042\LocalizedData.xml
| MD5 | 71dfd70ae141f1d5c1366cb661b354b2 |
| SHA1 | c4b22590e6f6dd5d39e5158b831ae217ce17a776 |
| SHA256 | cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331 |
| SHA512 | 5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a |
\??\c:\a4ae6520f98200335daf9fa1bf\2052\LocalizedData.xml
| MD5 | 52b1dc12ce4153aa759fb3bbe04d01fc |
| SHA1 | bf21f8591c473d1fce68a9faf1e5942f486f6eba |
| SHA256 | d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3 |
| SHA512 | 418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623 |
\??\c:\a4ae6520f98200335daf9fa1bf\3082\LocalizedData.xml
| MD5 | 5397a12d466d55d566b4209e0e4f92d3 |
| SHA1 | fcffd8961fb487995543fc173521fdf5df6e243b |
| SHA256 | f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89 |
| SHA512 | 7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b |
\??\c:\a4ae6520f98200335daf9fa1bf\SetupUi.dll
| MD5 | c744ec120e54027c57318c4720b4d6be |
| SHA1 | ab65fc4e68ad553520af049129fae4f88c7eff74 |
| SHA256 | d1610b0a94a4dadc85ee32a7e5ffd6533ea42347d6f2d6871beb03157b89a857 |
| SHA512 | 6dcd0ab7b8671e17d1c15db030ee5349ab3a123595c546019cf9391ce05f9f63806149c3ec2f2c71635cb811ab65ad47bcd7031e2eff7a59059577e47dd600a7 |
\??\c:\a4ae6520f98200335daf9fa1bf\SetupUi.xsd
| MD5 | 2fadd9e618eff8175f2a6e8b95c0cacc |
| SHA1 | 9ab1710a217d15b192188b19467932d947b0a4f8 |
| SHA256 | 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093 |
| SHA512 | a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca |
\??\c:\a4ae6520f98200335daf9fa1bf\1033\SetupResources.dll
| MD5 | 718ab3eb3f43c9bcf16276c1eb17f2c1 |
| SHA1 | a3091fd7784a9469309b3edb370e24a0323e30ac |
| SHA256 | e1a13f5b763d73271a1a205a88e64c6611c25d5f434cfa5da14feb8e4272ffaa |
| SHA512 | 9fa8a8d9645a9b490257c2dce3d31f1585f6d6069f9471f9e00dfaa9e457ff1db4c9176a91e02d7f0b61bae0c1fc76b56061eff04888a58aeb5ad2e8692fcf8a |
\??\c:\a4ae6520f98200335daf9fa1bf\Strings.xml
| MD5 | 332adf643747297b9bfa9527eaefe084 |
| SHA1 | 670f933d778eca39938a515a39106551185205e9 |
| SHA256 | e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca |
| SHA512 | bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0 |
\??\c:\a4ae6520f98200335daf9fa1bf\graphics\print.ico
| MD5 | 7e55ddc6d611176e697d01c90a1212cf |
| SHA1 | e2620da05b8e4e2360da579a7be32c1b225deb1b |
| SHA256 | ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed |
| SHA512 | 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e |
\??\c:\a4ae6520f98200335daf9fa1bf\header.bmp
| MD5 | 3ad1a8c3b96993bcdf45244be2c00eef |
| SHA1 | 308f98e199f74a43d325115a8e7072d5f2c6202d |
| SHA256 | 133b86a4f1c67a159167489fdaeab765bfa1050c23a7ae6d5c517188fb45f94a |
| SHA512 | 133442c4a65269f817675adf01adcf622e509aa7ec7583bca8cd9a7eb6018d2aab56066054f75657038efb947cd3b3e5dc4fe7f0863c8b3b1770a8fa4fe2e658 |
\??\c:\a4ae6520f98200335daf9fa1bf\watermark.bmp
| MD5 | 1a5caafacfc8c7766e404d019249cf67 |
| SHA1 | 35d4878db63059a0f25899f4be00b41f430389bf |
| SHA256 | 2e87d5742413254db10f7bd0762b6cdb98ff9c46ca9acddfd9b1c2e5418638f2 |
| SHA512 | 202c13ded002d234117f08b18ca80d603246e6a166e18ba422e30d394ada7e47153dd3cce9728affe97128fdd797fe6302c74dc6882317e2ba254c8a6db80f46 |
\??\c:\a4ae6520f98200335daf9fa1bf\graphics\setup.ico
| MD5 | 3d25d679e0ff0b8c94273dcd8b07049d |
| SHA1 | a517fc5e96bc68a02a44093673ee7e076ad57308 |
| SHA256 | 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f |
| SHA512 | 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255 |
\??\c:\a4ae6520f98200335daf9fa1bf\graphics\save.ico
| MD5 | 7d62e82d960a938c98da02b1d5201bd5 |
| SHA1 | 194e96b0440bf8631887e5e9d3cc485f8e90fbf5 |
| SHA256 | ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5 |
| SHA512 | ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67 |
memory/2756-106-0x00000000019F0000-0x00000000019F1000-memory.dmp
memory/2756-107-0x00000000019F0000-0x00000000019F1000-memory.dmp
\??\c:\a4ae6520f98200335daf9fa1bf\graphics\SysReqMet.ico
| MD5 | 661cbd315e9b23ba1ca19edab978f478 |
| SHA1 | 605685c25d486c89f872296583e1dc2f20465a2b |
| SHA256 | 8bfc77c6d0f27f3d0625a884e0714698acc0094a92adcb6de46990735ae8f14d |
| SHA512 | 802cc019f07fd3b78fcefdc8404b3beb5d17bfc31bded90d42325a138762cc9f9ebfd1b170ec4bbcccf9b99773bd6c8916f2c799c54b22ff6d5edd9f388a67c6 |
\??\c:\a4ae6520f98200335daf9fa1bf\graphics\SysReqNotMet.ico
| MD5 | ee2c05cc9d14c29f586d40eb90c610a9 |
| SHA1 | e571d82e81bd61b8fe4c9ecd08869a07918ac00b |
| SHA256 | 3c9c71950857ddb82baab83ed70c496dee8f20f3bc3216583dc1ddda68aefc73 |
| SHA512 | 0f38fe9c97f2518186d5147d2c4a786b352fceca234410a94cc9d120974fc4be873e39956e10374da6e8e546aea5689e7fa0beed025687547c430e6ceffabffb |
\??\c:\a4ae6520f98200335daf9fa1bf\graphics\Rotate2.ico
| MD5 | 8419caa81f2377e09b7f2f6218e505ae |
| SHA1 | 2cf5ad8c8da4f1a38aab433673f4dddc7ae380e9 |
| SHA256 | db89d8a45c369303c04988322b2774d2c7888da5250b4dab2846deef58a7de22 |
| SHA512 | 74e504d2c3a8e82925110b7cfb45fde8a4e6df53a188e47cf22d664cbb805eba749d2db23456fc43a86e57c810bc3d9166e7c72468fbd736da6a776f8ca015d1 |
\??\c:\a4ae6520f98200335daf9fa1bf\graphics\Rotate1.ico
| MD5 | 26a00597735c5f504cf8b3e7e9a7a4c1 |
| SHA1 | d913cb26128d5ca1e1ac3dab782de363c9b89934 |
| SHA256 | 37026c4ea2182d7908b3cf0cef8a6f72bddca5f1cfbc702f35b569ad689cf0af |
| SHA512 | 08cefc5a2b625f261668f70cc9e1536dc4878d332792c751884526e49e7fee1ecfa6fccfddf7be80910393421cc088c0fd0b0c27c7a7eff2ae03719e06022fdf |
\??\c:\a4ae6520f98200335daf9fa1bf\graphics\Rotate4.ico
| MD5 | bb55b5086a9da3097fb216c065d15709 |
| SHA1 | 1206c708bd08231961f17da3d604a8956addccfe |
| SHA256 | 8d82ff7970c9a67da8134686560fe3a6c986a160ced9d1cc1392f2ba75c698ab |
| SHA512 | de9226064680da6696976a4a320e08c41f73d127fbb81bf142048996df6206ddb1c2fe347c483cc8e0e50a00dab33db9261d03f1cd7ca757f5ca7bb84865fca9 |
\??\c:\a4ae6520f98200335daf9fa1bf\graphics\Rotate3.ico
| MD5 | 924fd539523541d42dad43290e6c0db5 |
| SHA1 | 19a161531a2c9dbc443b0f41b97cbde7375b8983 |
| SHA256 | 02a7fe932029c6fa24d1c7cc06d08a27e84f43a0cbc47b7c43cac59424b3d1f6 |
| SHA512 | 86a4c5d981370efa20183cc4a52c221467692e91539ac38c8def1cc200140f6f3d9412b6e62faf08ca6668df401d8b842c61b1f3c2a4c4570f3b2cec79c9ee8b |
\??\c:\a4ae6520f98200335daf9fa1bf\graphics\Rotate5.ico
| MD5 | 3b4861f93b465d724c60670b64fccfcf |
| SHA1 | c672d63c62e00e24fbb40da96a0cc45b7c5ef7f0 |
| SHA256 | 7237051d9af5db972a1fecf0b35cd8e9021471740782b0dbf60d3801dc9f5f75 |
| SHA512 | 2e798b0c9e80f639571525f39c2f50838d5244eeda29b18a1fae6c15d939d5c8cd29f6785d234b54bda843a645d1a95c7339707991a81946b51f7e8d5ed40d2c |
\??\c:\a4ae6520f98200335daf9fa1bf\graphics\Rotate6.ico
| MD5 | 70006bf18a39d258012875aefb92a3d1 |
| SHA1 | b47788f3f8c5c305982eb1d0e91c675ee02c7beb |
| SHA256 | 19abcedf93d790e19fb3379cb3b46371d3cbff48fe7e63f4fdcc2ac23a9943e4 |
| SHA512 | 97fdbdd6efadbfb08161d8546299952470228a042bd2090cd49896bc31ccb7c73dab8f9de50cdaf6459f7f5c14206af7b90016deeb1220943d61c7324541fe2c |
\??\c:\a4ae6520f98200335daf9fa1bf\graphics\Rotate7.ico
| MD5 | fb4dfebe83f554faf1a5cec033a804d9 |
| SHA1 | 6c9e509a5d1d1b8d495bbc8f57387e1e7e193333 |
| SHA256 | 4f46a9896de23a92d2b5f963bcfb3237c3e85da05b8f7660641b3d1d5afaae6f |
| SHA512 | 3caeb21177685b9054b64dec997371c4193458ff8607bce67e4fbe72c4af0e6808d344dd0d59d3d0f5ce00e4c2b8a4ffca0f7d9352b0014b9259d76d7f03d404 |
\??\c:\a4ae6520f98200335daf9fa1bf\graphics\Rotate8.ico
| MD5 | d1c53003264dce4effaf462c807e2d96 |
| SHA1 | 92562ad5876a5d0cb35e2d6736b635cb5f5a91d9 |
| SHA256 | 5fb03593071a99c7b3803fe8424520b8b548b031d02f2a86e8f5412ac519723c |
| SHA512 | c34f8c05a50dc0de644d1f9d97696cdb0a1961c7c7e412eb3df2fd57bbd34199cf802962ca6a4b5445a317d9c7875e86e8e62f6c1df8cc3415afc0bd26e285bd |
\??\c:\a4ae6520f98200335daf9fa1bf\vc_red.cab
| MD5 | c580a38f1a1a7d838076a1b897c37011 |
| SHA1 | c689488077d1c21820797707078af826ea676b70 |
| SHA256 | 71c0acc75eecdf39051819dc7c26503583f6be6c43ab2c320853de15bece9978 |
| SHA512 | ea3a62bd312f1ddeebe5e3c7911eb3a73bc3ee184abb7e9b55bc962214f50bbf05d2499caf151d0bd00735e2021fbea9584bf3e868a1d4502b75ec3b62c7ff56 |
\??\c:\a4ae6520f98200335daf9fa1bf\vc_red.msi
| MD5 | 3ff9acea77afc124be8454269bb7143f |
| SHA1 | 8dd6ecab8576245cd6c8617c24e019325a3b2bdc |
| SHA256 | 9ecf3980b29c6aa20067f9f45c64b45ad310a3d83606cd9667895ad35f106e66 |
| SHA512 | 8d51f692747cfdd59fc839918a34d2b6cbbb510c90dea83ba936b3f5f39ee4cbd48f6bb7e35ed9e0945bf724d682812532191d91c8f3c2adb6ff80a8df89ff7a |
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20240222_175237937-MSI_vc_red.msi.txt
| MD5 | 45801c5f2b813825131c55590fabf8b9 |
| SHA1 | 9940a29148c754bbb500534347cc8ffdc63b9da6 |
| SHA256 | 36be52a121803ad2126e241f7f746add34dd7e5ee1b1e70e2d7b9cc27d82bd56 |
| SHA512 | 5347f4844f81f54d139e74ebea5da1abfd102b08e79e3199eed961ea661122a2acf8dd22e2e5bd22cdc7cd594e116b679d548cf44a7644c6a76b3246d55411b3 |
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Config.Msi\e59a5be.rbs
| MD5 | 4fbd2cb03ae3f9fdfbf7801829e25ac3 |
| SHA1 | 89c210231b6b8675c9bd741d37a992716b976166 |
| SHA256 | c37c2fe1cb356d38da079a9c98a119df70502dc2ff68846a7225d2f437687ac1 |
| SHA512 | 656d240ab09a3ce0f6bd3edc2d5e3f046af27ed886d2885d486e42b41ae0a971030e66140b70221ddea286f56791cb22c635b7841ab7a729ae37f204133b1453 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
16s
Max time network
142s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\UnityEngine.UnityWebRequestAudioModule.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
141s
Max time network
159s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\netstandard.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
70s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Plugins\x86_64\fmodstudio.dll",#1
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:56
Platform
win11-20240221-en
Max time kernel
128s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Plugins\x86_64\resonanceaudio.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
136s
Max time network
162s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{b55f7208-e02b-4828-ac78-59c73ddf5bc7} = "\"C:\\ProgramData\\Package Cache\\{b55f7208-e02b-4828-ac78-59c73ddf5bc7}\\vcredist_x86.exe\" /burn.runonce" | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | N/A |
Checks installed software on the system
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000004b52018b2f23ece20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800004b52018b0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809004b52018b000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d4b52018b000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004b52018b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{b55f7208-e02b-4828-ac78-59c73ddf5bc7} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b55f7208-e02b-4828-ac78-59c73ddf5bc7}\Version = "12.0.30501.0" | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b55f7208-e02b-4828-ac78-59c73ddf5bc7}\DisplayName = "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501" | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v12 | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v12\Dependents\{b55f7208-e02b-4828-ac78-59c73ddf5bc7} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b55f7208-e02b-4828-ac78-59c73ddf5bc7}\ = "{b55f7208-e02b-4828-ac78-59c73ddf5bc7}" | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b55f7208-e02b-4828-ac78-59c73ddf5bc7}\Dependents\{b55f7208-e02b-4828-ac78-59c73ddf5bc7} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b55f7208-e02b-4828-ac78-59c73ddf5bc7}\Dependents | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v12\Dependents\{b55f7208-e02b-4828-ac78-59c73ddf5bc7} | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v12 | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1576 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe |
| PID 1576 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe |
| PID 1576 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe | C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe
"C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe"
C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe
"C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Redist\vcredist_x862.exe" -burn.unelevated BurnPipe.{36FD2812-89C9-4239-AB00-DE97687F4A0C} {B72D502B-5E54-46AF-8E58-22AA84F9B9A6} 1576
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\{b55f7208-e02b-4828-ac78-59c73ddf5bc7}\.ba1\wixstdba.dll
| MD5 | a52e5220efb60813b31a82d101a97dcb |
| SHA1 | 56e16e4df0944cb07e73a01301886644f062d79b |
| SHA256 | e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf |
| SHA512 | d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e |
C:\Users\Admin\AppData\Local\Temp\{b55f7208-e02b-4828-ac78-59c73ddf5bc7}\.ba1\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
C:\Users\Admin\AppData\Local\Temp\{b55f7208-e02b-4828-ac78-59c73ddf5bc7}\.be\vcredist_x86.exe
| MD5 | 4cefc907ade923da72c3572b581a6ff1 |
| SHA1 | c6be867bcb0796270d8e90699c79810745a292ce |
| SHA256 | e89691c5e5fb5c6501945136d91fd756a903754ab3d90935afab76e37c620817 |
| SHA512 | 6e8e979ae8d0abf76a3e6c642490d032c6553e73466f34e71c6c21c579609ac355e54fc0c5ad548346c78f2a809f5dd0854c0a342c88c602334109af6e2409a8 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:56
Platform
win11-20240221-en
Max time kernel
123s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\UnityEngine.VirtualTexturingModule.dll",#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
75s
Max time network
93s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\UnityEngine.dll",#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
82s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\UnityEngine.VFXModule.dll",#1
Network
| Country | Destination | Domain | Proto |
| IE | 52.111.236.23:443 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
141s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\UnityPlayer.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:56
Platform
win11-20240221-en
Max time kernel
124s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\UnityEngine.WindModule.dll",#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
140s
Max time network
159s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Managed\UnityEngine.UnityWebRequestModule.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-02-22 17:46
Reported
2024-02-22 17:55
Platform
win11-20240221-en
Max time kernel
124s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Rail.Route.v1.19.3\Rail.Route.v1.19.3\Rail Route_Data\Plugins\x86_64\steam_api64.dll",#1