Analysis Overview
SHA256
116a01b1614550427748d89463cb0ef02561a0ac9dec0d76f82d5f45514aa1f0
Threat Level: Likely malicious
The file dc864cd8c60ae62c9de8a7bb7f2ce1cb was found to be: Likely malicious.
Malicious Activity Summary
Checks for common network interception software
Modifies Windows Firewall
Drops file in Drivers directory
Blocklisted process makes network request
UPX packed file
Registers COM server for autorun
Reads user/profile data of web browsers
Checks computer location settings
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Executes dropped EXE
Checks BIOS information in registry
Adds Run key to start application
Maps connected drives based on registry
Installs/modifies Browser Helper Object
Checks installed software on the system
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
NSIS installer
Runs net.exe
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-21 20:18
Signatures
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-21 20:18
Reported
2024-03-21 20:21
Platform
win7-20240221-en
Max time kernel
147s
Max time network
165s
Command Line
Signatures
Checks for common network interception software
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cscript.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Registers COM server for autorun
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32\ = "C:\\Program Files (x86)\\SafetySearch\\FrameworkBHO64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\InprocServer32\ = "C:\\Program Files (x86)\\SafetySearch\\FrameworkBHO64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Settings Cleaner = "C:\\Program Files (x86)\\Bench\\Proxy\\cl.exe" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\SafetySearch | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\SafetySearch-repairJob = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\SafetySearch\\repair.js\" \"SafetySearch-repairJob\"" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BService = "C:\\Program Files (x86)\\Bench\\BService\\1.1\\bservice.exe" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BService64 = "C:\\Program Files (x86)\\Bench\\BService\\1.1\\bservice64.exe" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wd = "C:\\Program Files (x86)\\Bench\\Wd\\wd.exe" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Communicator Watcher = "C:\\Program Files (x86)\\Bench\\Proxy\\pwdg.exe" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\ = "SafetySearch BHO" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\ = "SafetySearch BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\SafetySearch\gpedit.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\SafetySearch\gpedit.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\SafetySearch\gpedit.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\SafetySearch\gpedit.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\SafetySearch\framework\browser.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\global.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\i18n.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\top-middle.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\icons\icon32.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\icons\icon48.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Bench\NmHost\manifest.json | C:\Windows\SysWOW64\cscript.exe | N/A |
| File created | C:\Program Files (x86)\Bench\Proxy\icon.ico | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\FrameworkBHO.dll | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\utils.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\browser_button.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\bottom-left.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\bottom-middle.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\ui_base.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\Proxy\proc.exe | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\CanvasFramework\canvasscript_engine.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\io.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\lang.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\legacy.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\notification.html | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\config.xml | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\context_menu_item_handler.html | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\Updater\updater.exe | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\storage.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\middle-right.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\tail-bottom.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\NmHost\data\installer\fjnoekdlmmjagmmlchagfonjgbioomoo | C:\Windows\SysWOW64\cscript.exe | N/A |
| File created | C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\FrameworkBHO64.dll | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\console.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\top-left.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\AppFramework\appAPI_content.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\options.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\BService\1.1\bhelper64.dll | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Bench\Updater\products.xml | C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe | N/A |
| File created | C:\Program Files (x86)\Bench\NmHost\nmhost.exe | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\backgroundscript_engine.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\xhr.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\tail-top.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\top-right.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\icons\button.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\AppFramework\appAPI_browseraction.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\invoke_async.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\message_target.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\timer.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\framework_api.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\background.html | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\CanvasFramework\canvas_bg.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\initialize.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\bottom-right.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\notifications.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\Updater\products.xml | C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\base.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\framework.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\json2.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\updater.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\userscript_engine.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\CanvasFramework\md5.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\CanvasFramework\registry.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\context_menu.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\tail-right.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SafetySearch\extension_info.json | C:\Windows\SysWOW64\cscript.exe | N/A |
| File created | C:\Program Files (x86)\Bench\Wd\wd.exe | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Tasks\bench-sys.job | C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe | N/A |
| File created | C:\Windows\Tasks\bench-S-1-5-21-406356229-2805545415-1236085040-1000.job | C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe | N/A |
| File opened for modification | C:\Windows\Tasks\bench-S-1-5-21-406356229-2805545415-1236085040-1000.job | C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\AppPath = "C:\\Program Files (x86)\\SafetySearch\\" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\AppName = "FrameworkEngine.exe" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A} | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\AppPath = "C:\\Program Files (x86)\\SafetySearch\\" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\AppName = "FrameworkEngine.exe" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A} | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\Policy = "3" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7782DBE4-75A1-453D-B9FD-643F752E4532} = "SafetySearch" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER\iexplore.exe = "1" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER\iexplore.exe = "1" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\Policy = "3" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{7782DBE4-75A1-453D-B9FD-643F752E4532} = "SafetySearch" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\InprocServer32\ = "C:\\Program Files (x86)\\SafetySearch\\FrameworkBHO64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\0\win32 | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SafetySearch" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\TypeLib\ = "{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\ = "EngineLib" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251} | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\ = "SafetySearch" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\ = "SafetySearch" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\0\win64 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\0\win32\ = "C:\\Program Files (x86)\\SafetySearch\\FrameworkEngine.exe" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32\ = "C:\\Program Files (x86)\\SafetySearch\\FrameworkBHO.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\ProxyStubClsid32 | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\0 | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\LocalServer32 | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\InprocServer32\ = "C:\\Program Files (x86)\\SafetySearch\\FrameworkBHO.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\ = "IKangoBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A} | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\TypeLib\ = "{B5D3A0F0-0BFE-429A-A322-95F076081845}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\ = "SafetySearch BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\Version | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SafetySearch" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7720DB57-7561-457F-B689-D03FB72E3932} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\LocalServer32\ = "\"C:\\Program Files (x86)\\SafetySearch\\FrameworkEngine.exe\"" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\TypeLib\Version = "1.0" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\TypeLib\ = "{B5D3A0F0-0BFE-429A-A322-95F076081845}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\TypeLib\ = "{B5D3A0F0-0BFE-429A-A322-95F076081845}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\Version\ = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\TypeLib | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251} | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\0\win64\ = "C:\\Program Files (x86)\\SafetySearch\\FrameworkBHO64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\ = "SafetySearch" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\FLAGS\ = "0" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\TypeLib | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Bench\Proxy\pwdg.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Bench\Proxy\pwdg.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Bench\Proxy\pwdg.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Bench\Proxy\pwdg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Bench\BService\1.1\bservice.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC} = "1" | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Windows\SysWOW64\cscript.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe
"C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe"
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "migrate.js" /iversion=20141023 /programfiles="C:\Program Files (x86)" /localapps="C:\Users\Admin\AppData\Local" /chrome-dir="" /firefox-dir="C:\Users\Admin\AppData\Local\SafetySearch\firefox" /ie-dir="C:\Program Files (x86)\SafetySearch" /product-name="SafetySearch" /installation-time="1711052311" /pid="2031" /zone="622410" /czoneid="" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38989" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /chrome-id="fjnoekdlmmjagmmlchagfonjgbioomoo" /chrome-update-url="http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4" /close-chrome /close-firefox /close-ie
C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe
SoftwareDetector.exe
C:\Users\Admin\AppData\Local\SafetySearch\sqlite3.exe
"C:\Users\Admin\AppData\Local\SafetySearch\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_fjnoekdlmmjagmmlchagfonjgbioomoo_0.localstorage" "SELECT value FROM ItemTable WHERE key='_GPL_zoneid';"
C:\Users\Admin\AppData\Local\SafetySearch\sqlite3.exe
"C:\Users\Admin\AppData\Local\SafetySearch\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.Admin\framework-59de4a3b-cc90-6ccb-2706-5ed9618eecee.sqlite" "SELECT value FROM user_storage WHERE key='_GPL_zoneid';"
C:\Users\Admin\AppData\Local\SafetySearch\storageedit.exe
storageedit.exe ie {1EDE0D83-B129-4ABC-923B-725D5B0C0DAC} get _GPL_zoneid
C:\Windows\SysWOW64\net.exe
net.exe start schedule
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule
C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe" -runmode=addsystask
C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addtask
C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addtask
C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Temp\nsjCF44.tmp"
C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Temp\nsjCF44.tmp"
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "main_installer.js" install /product-name="SafetySearch" /installation-time="1711052311" /pid="2031" /zone="622410" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38989" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /chrome-id="fjnoekdlmmjagmmlchagfonjgbioomoo" /chrome-update-url="http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4" /close-chrome /close-firefox /close-ie
C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe
SoftwareDetector.exe
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "installer.js" install chrome "" /product-name="SafetySearch" /installation-time="1711052311" /pid="2031" /zone="622410" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38989" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /chrome-id="fjnoekdlmmjagmmlchagfonjgbioomoo" /chrome-update-url="http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4" /close-chrome /close-firefox /close-ie
C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe
SoftwareDetector.exe
C:\Users\Admin\AppData\Local\SafetySearch\gpedit.exe
gpedit.exe chrome add-extension fjnoekdlmmjagmmlchagfonjgbioomoo http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "chrome_gp_update.js" /product-name="SafetySearch" /installation-time="1711052311" /pid="2031" /zone="622410" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38989" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /chrome-id="fjnoekdlmmjagmmlchagfonjgbioomoo" /chrome-update-url="http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4" /close-chrome /close-firefox /close-ie
C:\Program Files (x86)\Bench\BService\1.1\bservice.exe
"C:\Program Files (x86)\Bench\BService\1.1\bservice.exe"
C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe
"C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe"
C:\Program Files (x86)\Bench\Wd\wd.exe
"C:\Program Files (x86)\Bench\Wd\wd.exe"
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "installer.js" install firefox "C:\Users\Admin\AppData\Local\SafetySearch\firefox\" /product-name="SafetySearch" /installation-time="1711052311" /pid="2031" /zone="622410" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38989" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /chrome-id="fjnoekdlmmjagmmlchagfonjgbioomoo" /chrome-update-url="http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4" /close-chrome /close-firefox /close-ie
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "installer.js" install ie "C:\Program Files (x86)\SafetySearch\" /product-name="SafetySearch" /installation-time="1711052311" /pid="2031" /zone="622410" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38989" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /chrome-id="fjnoekdlmmjagmmlchagfonjgbioomoo" /chrome-update-url="http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4" /close-chrome /close-firefox /close-ie
C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe
SoftwareDetector.exe
C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe
"C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe" /RegServer
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SafetySearch\FrameworkBHO.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SafetySearch\FrameworkBHO64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\SafetySearch\FrameworkBHO64.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SafetySearch\RequestHelper.dll"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="proc.exe" protocol=TCP dir=in localip=127.0.0.1 remoteip=127.0.0.1 localport=3128 action=allow program="C:\Program Files (x86)\Bench\Proxy\proc.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="pwdg.exe" protocol=TCP dir=in localip=127.0.0.1 remoteip=127.0.0.1 localport=3128 action=allow program="C:\Program Files (x86)\Bench\Proxy\pwdg.exe"
C:\Program Files (x86)\Bench\Proxy\pwdg.exe
"C:\Program Files (x86)\Bench\Proxy\pwdg.exe"
C:\Program Files (x86)\Bench\Proxy\proc.exe
"C:\Program Files (x86)\Bench\Proxy\proc.exe"
C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addtask
C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addtask
C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\SafetySearch\info.xml"
C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\SafetySearch\info.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.installping5.info | udp |
| US | 54.225.95.126:80 | | tcp |
| US | 8.8.8.8:53 | www.installping5.info | udp |
| US | 8.8.8.8:53 | safetysearch-a.akamaihd.net | udp |
| GB | 104.91.71.137:80 | safetysearch-a.akamaihd.net | tcp |
| N/A | 127.0.0.1:3128 | | tcp |
| US | 8.8.8.8:53 | contentcache-a.akamaihd.net | udp |
| GB | 88.221.134.123:80 | contentcache-a.akamaihd.net | tcp |
| N/A | 127.0.0.1:3128 | | tcp |
| GB | 88.221.134.123:80 | contentcache-a.akamaihd.net | tcp |
| US | 8.8.8.8:53 | contentcache-a.akamaihd.net | udp |
| GB | 88.221.134.81:80 | contentcache-a.akamaihd.net | tcp |
| N/A | 127.0.0.1:3128 | | tcp |
| GB | 88.221.134.81:80 | contentcache-a.akamaihd.net | tcp |
| N/A | 127.0.0.1:3128 | | tcp |
| US | 8.8.8.8:53 | contentcache-a.akamaihd.net | udp |
| GB | 88.221.134.81:80 | contentcache-a.akamaihd.net | tcp |
| N/A | 127.0.0.1:3128 | | tcp |
| N/A | 127.0.0.1:3128 | | tcp |
| GB | 88.221.134.81:80 | contentcache-a.akamaihd.net | tcp |
| N/A | 127.0.0.1:3128 | | tcp |
| US | 8.8.8.8:53 | contentcache-a.akamaihd.net | udp |
| GB | 88.221.134.123:80 | contentcache-a.akamaihd.net | tcp |
| GB | 88.221.134.123:80 | contentcache-a.akamaihd.net | tcp |
| N/A | 127.0.0.1:3128 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsoC1F9.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
memory/2008-15-0x0000000001E50000-0x0000000001E59000-memory.dmp
memory/2008-14-0x0000000001E50000-0x0000000001E59000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsoC1F9.tmp\md5dll.dll
| MD5 | 0745ff646f5af1f1cdd784c06f40fce9 |
| SHA1 | bf7eba06020d7154ce4e35f696bec6e6c966287f |
| SHA256 | fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70 |
| SHA512 | 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da |
\Users\Admin\AppData\Local\Temp\nsoC1F9.tmp\nsDownloadCv.dll
| MD5 | f8015cfe53598e99ae8c45527b544a61 |
| SHA1 | 0b808cababb0fdb0ec4ebac25d433af82db9e9a4 |
| SHA256 | d5075a3547cc098065253dced11b018d732644e071eff174787ca27942b73139 |
| SHA512 | e1ba9a90896d00fd12ce9b76d36ecc2da5e14a0c81d58d9890ab777f0b3e90d355ac086052252876a92ac0df3a6ef9ab97fa9618ce63c4296daa7b8777be2cd4 |
\Users\Admin\AppData\Local\Temp\nsoC1F9.tmp\nsProcess.dll
| MD5 | 05450face243b3a7472407b999b03a72 |
| SHA1 | ffd88af2e338ae606c444390f7eaaf5f4aef2cd9 |
| SHA256 | 95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89 |
| SHA512 | f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b |
\Users\Admin\AppData\Local\Temp\nsoC1F9.tmp\nsProcess2.dll
| MD5 | 6e96ea8b0dfdb326c0852a5b64d920a6 |
| SHA1 | 5ea182cb6ae5c104ca064fa8464df8ed1904eaa7 |
| SHA256 | b8762c09c2b45fc836c65a9052951de05177651d278e4cf154c754d9f5573e7a |
| SHA512 | 02d0bd8f16ddad829b80764926f1e6dcfb35b60fbce02bec0a7fc2011164d86f633074af012de71fae33b90732ec4c7633f8a70ab24c19717926757f9c56fb4f |
\Users\Admin\AppData\Local\Temp\nsoC1F9.tmp\nsExec.dll
| MD5 | acc2b699edfea5bf5aae45aba3a41e96 |
| SHA1 | d2accf4d494e43ceb2cff69abe4dd17147d29cc2 |
| SHA256 | 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e |
| SHA512 | e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe |
C:\Users\Admin\AppData\Local\SafetySearch\migrate.js
| MD5 | 7c936cb5190fc3ad0b581a562875e9a4 |
| SHA1 | ec727ee61e1598bafaf0085817151cc3a9d741c4 |
| SHA256 | 9770fd38208bf2b6e1676f833a90f0f5129bae080fd890614d719b43c290c167 |
| SHA512 | 987e4093e606d2ada424c3681f21a23cd8d4135a995c1286407aef3c1dcdbecec42be30961c9bb2fe92ac5a9ee5eb2715fc9c12192e6a328295f7dad28cbc341 |
C:\Users\Admin\AppData\Local\SafetySearch\common.js
| MD5 | 811f747d02138864aaca1ebe3f35c64c |
| SHA1 | f1eb90f7f7420f644b1e8a3c14aeeca03c88052c |
| SHA256 | 9b1da8c2dd4dd1cc9b08d92f598e12cd5a1a62898908293840f6a48d03a8eadb |
| SHA512 | 75d5b2e9834dc5f32499fa63d50c16959462d4f992ed568617ead21d162d48f31efc7e023f12712b8ac24b6928d2b4088f5b6fb94949ce3d40b944c74c00244f |
C:\Users\Admin\AppData\Local\SafetySearch\projectInstaller.js
| MD5 | 2d4d6d3c8aea670a0742f1dbfb2928d2 |
| SHA1 | f6e3fa626bd3d65e439f534ea215e477ae33f66c |
| SHA256 | 02ca4af05e5620f2bc7bd253cf002259dbf3908a8dabb941496c35b790444967 |
| SHA512 | 130969c86ecdd1dd9fa7bf88c15a526262992d93c40207e334f4774163789e3605851477480f15012b04dc678b4daa299104d63a495017a947af709fd2cb34cc |
C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe
| MD5 | 791a36c814a825fdfe596e5e7eea27b7 |
| SHA1 | 10ac78b8899a727bb3bdf924312a940b8ba0bac1 |
| SHA256 | 0186d765b4dc4132c243b20214c6fb1de49e645fc1b5acddbe954d6e5682f84f |
| SHA512 | bd13f3c19905b5a6062614267f20d054141926c3c6837e1583de6b821f310de7d48da79164a8c3c9ccb8a3a46e76292554faca4a2384cfe0a045c597a9ea3a86 |
C:\Users\Admin\AppData\Local\SafetySearch\chrome_installer.js
| MD5 | 5a5a0f074bdb4ac593b34366b37a7816 |
| SHA1 | 2b2910dd535fc8f5614b452b3df8fbdce7c566a9 |
| SHA256 | 054cd068794483350e10415f243a1b218153800f0d5e0cfbd9c20ce648f4dbce |
| SHA512 | 266c2bbbaecbf76693eb4293cff9b72e4d4c1f98d479e2d5710336e4d564c6eea21bace495501ad1f3b95e54d692c967213d018a5107d1f6191754691fa1faf5 |
C:\Users\Admin\AppData\Local\SafetySearch\chrome_workaround.js
| MD5 | 41e6e83f66032080c8de92e1b3651404 |
| SHA1 | db00ebc2c78459f45ea96bddf69c1f4c82464b60 |
| SHA256 | 3cdf74f41636466913d9be7afbc81438546881b467a574e2c74a496d9251df11 |
| SHA512 | 6efec8ea9f0197c65c3aab6f66c8a054ca347e015e3ea16d34dc10b0bfa179f6684b8578f149885cbb898b1bbf24b45c70398db8eeba559b0153d8a39d7c4ff5 |
C:\Users\Admin\AppData\Local\SafetySearch\firefox_installer.js
| MD5 | 4d5042f6859b9dd8a1e7fdcd11fe0619 |
| SHA1 | 7b9bf80954693cb94c1b83f1bd593ae88b7a7a07 |
| SHA256 | b866ec4a886d8b8448cb648a397518a1b428119cd5ee4ad88ac6c3dc5f1e17f5 |
| SHA512 | 84936a3cec375ad2028a11301b17e860096d24d2e448d50810a945e18c4a12b685564aec57663c35e02b3f4b2e3b0a1e51fb69d048b71e1383b9e0eb0e36bd22 |
C:\Program Files (x86)\SafetySearch\extension_info.json
| MD5 | d4e62f741a7eb7b4da5c26bce0f059be |
| SHA1 | a52d524a94ef7c80fcf5fe70b04132941af6bc33 |
| SHA256 | 1770f34f4ddb91defe48a3045dbcf56d7c8fa98232ec84c4b0720988488a72c7 |
| SHA512 | 4d90fda67d37e62ec34f55af517edc6d7e0edcb676d583ca80010fc8593621022b340658752867895c0f4436ce8f8b8b685721a4171486997ed2ac9365953c18 |
C:\Users\Admin\AppData\Local\SafetySearch\firefox\extension_info.json
| MD5 | 3ac715c4a0727f2189599b591f1741b4 |
| SHA1 | b983a162bb87da53690df312d6070346b8f1d350 |
| SHA256 | e41010be81d5091a279ce6225a4d90e7ca53306e6b8b74dffcd9d4023bbd4290 |
| SHA512 | 202565255c0919d25990dee2f647726b39ffd5203fd4768943325dbe6b12cc27f38825a93f558c38144b30306b446ce4686273e2aca6559bf832b03fb23f4ebb |
\Users\Admin\AppData\Local\SafetySearch\sqlite3.exe
| MD5 | 82771129b12517cf5c6e2244d14e8360 |
| SHA1 | 4e2a55e517f0e1324d3e8840e7db41f3883e4a01 |
| SHA256 | 3441036aa8be132d8476bbee2648e966db130e3fdba1eb97c9972d55248bf9bc |
| SHA512 | 862028b3ae8bf3ae8e218326a5df634b19d816bcd86b830675214713e543d7672cead28e3178ef23081d508501630e4ef622066f123681c3c6d98d19e6e20c46 |
memory/2360-189-0x0000000000400000-0x000000000047D000-memory.dmp
\Users\Admin\AppData\Local\SafetySearch\sqlite3.exe
| MD5 | 6ccab7ba770c673173364cbbb83abd3c |
| SHA1 | 2c38f182e664132f54259e46d53a9cd6ddd6db9f |
| SHA256 | fc39a15b17b68e4313285129b60cf4cb321af8eda96b659dcc0026817dbac7fc |
| SHA512 | ffda491ab5bc593d6357d067a06056074e1e91e9e0b01eb8a6e9321d46e3170bf00b331397ae39d127b1823d984d62e41888ced88872b580068d2860aae4ded5 |
memory/1592-192-0x0000000000400000-0x000000000047D000-memory.dmp
C:\Users\Admin\AppData\Local\SafetySearch\ie_installer.js
| MD5 | da5749989706af1e79ab27166492c7e3 |
| SHA1 | d9589dd40c0aea68d3a6fb3767d3ff05ae0a925d |
| SHA256 | d987ed4d0b55903993a59165b96557e79ca27054e80b0160f21c4d714ebf11b8 |
| SHA512 | 1abc3331a9343b9507c6d5b5609cba063011ef3e5bca19003185c43cd3da592ba43a727a6c47c9aa5e1fc9e9f0c618b48cd7ba9e174381ef037e19faee8dad2e |
\Users\Admin\AppData\Local\SafetySearch\storageedit.exe
| MD5 | 161f9defe2b6718d7773d964f5c6dfd2 |
| SHA1 | 969dfcda9ec0c5c2b084f9900445836422cb36fd |
| SHA256 | 578de2953c01d158c93d02a8f59933af8678be0b727b8228566c4d494b00f7a2 |
| SHA512 | 98813302ac4e8c80a755f4702a8547f526ee29d6ca294d89fd248f83fa8efb134ed40b3099f0b092eac9cfb9f9d6cc3e83b4108bb7961526576520b5cf39a656 |
\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
| MD5 | 729975e07ead4a4b14d020c2bb446833 |
| SHA1 | a377d56bba939d9d59a51ebf2dbebe9a83ddf592 |
| SHA256 | df0722816ac196ca7b93bcfd66f2d6d1c42157735ca8c451cb09bebc27cf1c5e |
| SHA512 | a9aac9f9894afb0052466222913f1165090db85849f0d5830d43d264d3f3d6c5c5e2c4251c92ad0eb4b5e5deb75cab8c078b5eb26ed85a5be04113cbbf717d03 |
memory/2008-211-0x0000000001E50000-0x0000000001E59000-memory.dmp
\Program Files (x86)\Bench\Updater\updater.exe
| MD5 | 27862bc4eb31d1e68b866a9f32c87fd4 |
| SHA1 | 0e367886bb0a2964c9ad5990fdb598ab31d3239c |
| SHA256 | 8444ccf83e977eebb3a8372f5d4795a965feb5ff2b4b5dfc26f4c527539b139f |
| SHA512 | e17fd66383ede094bb437e119882bfb4906fcf3a49d9892366346d1c32f66bac5344985815a1c33f71aa8aecfbdd796cc68e2237ac2e1288139b03711b9c65ce |
C:\Users\Admin\AppData\Local\Temp\nsjCF44.tmp
| MD5 | 1cba3d2b2ba9f98df085d3990f07b5e6 |
| SHA1 | 8c697a51b469e81c13b47141892c737ee7bed449 |
| SHA256 | c9861cc55693ab957350696bb6293f5bfafe34f763911a50ceb1add410298485 |
| SHA512 | f303e1382388f1a4daad33363b7814d3b2c45fc38c7487e17d5be7e6b2520eff2ffb5b19fa933a89d8342ad38dbdfdbd8cac355ae78ae7af559f357e3a05bbad |
C:\Users\Admin\AppData\Local\SafetySearch\main_installer.js
| MD5 | 4ca1909eb243f179f48935c8106fdbc9 |
| SHA1 | cbc20846bb8b96fcf3b3bbb9d80709c8024a8366 |
| SHA256 | 7acaec9a466eb71fc663f6c6c3bc41ec080f544b4e864cd1e5d6d3cd06230232 |
| SHA512 | 66cc6deee36443539e6fa66ec7ef7ca0932b9b9a085296648a4448628ae21efd53a56cd592f242c5f17e88d7924b1510af1d49da220a6980aa1d004deae199a8 |
C:\Users\Admin\AppData\Local\SafetySearch\installer.js
| MD5 | 1d2e2b33ed23d2687ac7551613e3ce10 |
| SHA1 | 738fdf284c336d88f8fc178371aa073a75ac4f0f |
| SHA256 | e6bc0ed8424b80085a08df410ad0d43ba37b052ccadfb6450a2337f37ca1288f |
| SHA512 | af221b4bcb6e00015aced99bd47db97ad994441ee5f251106686a6da05d98289a6783a5c0ccd8e50b76216b53f1d4ab3cfda6c7fc8108b4e2f56f512cb4e7393 |
C:\Program Files (x86)\Bench\NmHost\manifest.json
| MD5 | e02322bc01a93b2a3f16f251cab04c7a |
| SHA1 | 7e5b3753e9250525d07dfdab47e4d018408f1af9 |
| SHA256 | 950cb2a9cff6d0227eb5533d0306eb30c7cae22b353291d3b014370308ba0864 |
| SHA512 | 2646ba80b2a592ce971deb98ce6fe9a28c96305497fb87526ba5e26a479cb55f3e8ed17dfb900a97f711ba433fd00012397a22ee51ac834a63672609f648aa5e |
\Users\Admin\AppData\Local\SafetySearch\gpedit.exe
| MD5 | 2796990b18b323edd2446efec850a354 |
| SHA1 | 3863923845554e44e7955c78053d2ba12bc2cad0 |
| SHA256 | 299df4b8e7a5957f165b706cee2741d934dfb53a8dac21761645b875b9dd45ef |
| SHA512 | e2931fcdf087f12e8aedeefa2cf529a75d91f02f6333ef7d04510e995b3e31b087c7a39312a524b2d5676aa2c3df417d9d43d1e112c82659aab61dd04fb2157d |
C:\Users\Admin\AppData\Local\SafetySearch\chrome_gp_update.js
| MD5 | c15a7afa4a3ed3464df40e6eb840cc73 |
| SHA1 | 51807d6d3f2567de9c4716b32f91ecc8839cc117 |
| SHA256 | 41fe7e7445819a935215fd0928f5bb1bb3a2e3df36f0c27111c99cb716064f18 |
| SHA512 | 90c7a06ceafc6cc7ab35254b3f394702d10881f363527b8fe2e2c6b3fec391141333fe7153a5cae83a6f8889fd55e7a478f1d979497d557fabcb4bcff9cc7ae7 |
\Program Files (x86)\Bench\BService\1.1\bservice.exe
| MD5 | e52deb34958a6b9c9defd04072ba320c |
| SHA1 | a00d6951bf22d88558fbc513bd1abb49f0cbaa3d |
| SHA256 | d617adf5f09e6797459d397209b29d5d266e7ef42c25f50e86fe23a086cd4059 |
| SHA512 | 7f383b37e12c4855972090d7d2bd245fe8a1a22e8f6204b370ab9280a297e02ecb385c2802e809af0b432faf31bd09fb25d29f86e04fc211577852b66ee87e79 |
C:\Program Files (x86)\Bench\BService\1.1\bhelper.dll
| MD5 | 8e4be86a6eb429ec81eda3e027d0d29d |
| SHA1 | bc382f609be77dc45b4e4396e6a11ebfda1f6af2 |
| SHA256 | bb6a9e41d54bb81219170d47c03f9b42667cb15ea7887d23bbd27ed0d78fb7dc |
| SHA512 | 7f9df41bc7454c072f4b463b27fff51eebf5867791f5d3a4e32b7db1aa43b3dd4388a05ea1efae2501bbd4bae72dc639cc07d086d7d799dee61e65550340e49c |
\Program Files (x86)\Bench\BService\1.1\bservice64.exe
| MD5 | ef28836ea2793d421c7801a2aaae7c9e |
| SHA1 | 0cd7f3d6001311d1221723d00af8e76716d8d1d8 |
| SHA256 | 4b71983d2b09ab00548982ac65f9d248a966da0d9433a73cab8802404a55fea5 |
| SHA512 | 1edb4bfa81cf353807aba82f6cdf7667f7e98945a64b651e087b5c93defcd730cf24f7897170b0e6e264f591c2430f70872bec7ff4e487447b16e424da0f990d |
C:\Program Files (x86)\Bench\BService\1.1\bhelper64.dll
| MD5 | 28b926636acb4a05fd76d1622afd8143 |
| SHA1 | 6fe047e26014ba50ff0fe36e62bad9adb840f357 |
| SHA256 | 2a22b9569c3c060dd6c0503d1d6874fcaafeea863247e1d9e9883ef83f13af71 |
| SHA512 | cde66fde17f9066fc4b725b659c6de82e861f18f51ff7fed99c17456509ec9cb239316988205d7c7ea87a36c747dfba5486c02d235895fe8a173e51084c6f005 |
\Program Files (x86)\Bench\Wd\wd.exe
| MD5 | 0d3f1ae3a351ae8340a03a45f6b93995 |
| SHA1 | 5058e8f74169eeecd99a49a86de683795c4899e6 |
| SHA256 | 4ef762eec1aed45d8d32aa7b156429075c593f26cafc2d8536a685ab61c7d82d |
| SHA512 | 5202df70b174f7d1ac7573fdc6d7b2e9029a1ca8c9bea8ce80d73444f104ccad9a3a7427bf871a4b07ab392e35db9f3fcb49eeefab65f509f91a9f8f48273006 |
memory/1020-317-0x00000000000F0000-0x00000000000F1000-memory.dmp
C:\Program Files (x86)\Bench\Proxy\pwdg.exe
| MD5 | 18792d4133445af44bd08f505f14efab |
| SHA1 | 60f3c4726f5ba1078c9800e588494f9e5519c45e |
| SHA256 | 91345675a1b433a065f798daa2cdf88e0a8eb57166e7a12ab295b98246f8dc63 |
| SHA512 | e5af45e2bb2039ec8813985b8e8eda138a7c546fda46054fb554b0d366eb52eb89180052d97f15956a88698d634c298b50a5442633375e668756f3a10912474c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-21 20:18
Reported
2024-03-21 20:21
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
156s
Command Line
Signatures
Checks for common network interception software
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cscript.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Bench\Proxy\pwdg.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\InprocServer32\ = "C:\\Program Files (x86)\\SafetySearch\\FrameworkBHO64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32\ = "C:\\Program Files (x86)\\SafetySearch\\FrameworkBHO64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Settings Cleaner = "C:\\Program Files (x86)\\Bench\\Proxy\\cl.exe" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\SafetySearch | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\SafetySearch-repairJob = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\SafetySearch\\repair.js\" \"SafetySearch-repairJob\"" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BService = "C:\\Program Files (x86)\\Bench\\BService\\1.1\\bservice.exe" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BService64 = "C:\\Program Files (x86)\\Bench\\BService\\1.1\\bservice64.exe" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Wd = "C:\\Program Files (x86)\\Bench\\Wd\\wd.exe" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Communicator Watcher = "C:\\Program Files (x86)\\Bench\\Proxy\\pwdg.exe" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\ = "SafetySearch BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\ = "SafetySearch BHO" | C:\Windows\system32\regsvr32.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\SafetySearch\gpedit.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\SafetySearch\gpedit.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\SafetySearch\gpedit.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\SafetySearch\gpedit.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\SafetySearch\CanvasFramework\webrequest.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\i18n.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\Wd\wd.exe | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\AppFramework\appAPI_common.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\userscript_client.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\notifications.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\io.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\CanvasFramework\md5.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\messaging.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\userscript_engine.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\notification.html | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\options.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\AppFramework\appAPI_webrequest.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\json2.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\tail-right.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\icons\icon128.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\Updater\products.xml | C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe | N/A |
| File created | C:\Program Files (x86)\Bench\NmHost\data\installer\fjnoekdlmmjagmmlchagfonjgbioomoo | C:\Windows\SysWOW64\cscript.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\FrameworkBHO64.dll | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\browser.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\console.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\legacy.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\middle-left.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\tail-bottom.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\NmHost\nmhost.exe | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\BService\1.1\bservice.exe | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\AppFramework\appAPI_content.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\Proxy\proc.exe | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\invoke_async.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\storage.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\ui_base.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\Proxy\pwdg.exe | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\background.html | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\lang.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\utils.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\framework_api.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\bottom-left.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\top-left.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\icons\icon48.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\Updater\updater.exe | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\AppFramework\jquery.min.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\NmHost\manifest.json | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\xhr.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\icons\icon100.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Bench\Updater\products.xml | C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe | N/A |
| File created | C:\Program Files (x86)\Bench\Proxy\cl.exe | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\message_target.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\BService\1.1\bhelper64.dll | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\icons\icon32.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\tail-left.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\Bench\Proxy\icon.ico | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\config.xml | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\middle-right.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Bench\NmHost\manifest.json | C:\Windows\SysWOW64\cscript.exe | N/A |
| File created | C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\CanvasFramework\canvasscript_engine.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\global.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\updater.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework-ui\theme\bubble\bottom-right.png | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SafetySearch\extension_info.json | C:\Windows\SysWOW64\cscript.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\framework\backgroundscript_engine.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\extension_info.json | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| File created | C:\Program Files (x86)\SafetySearch\AppFramework\appAPI_settings.js | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\bench-sys.job | C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe | N/A |
| File created | C:\Windows\Tasks\bench-S-1-5-21-609813121-2907144057-1731107329-1000.job | C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe | N/A |
| File opened for modification | C:\Windows\Tasks\bench-S-1-5-21-609813121-2907144057-1731107329-1000.job | C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A} | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A} | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\AppPath = "C:\\Program Files (x86)\\SafetySearch\\" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER\iexplore.exe = "1" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\Policy = "3" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\Policy = "3" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\AppName = "FrameworkEngine.exe" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{7782DBE4-75A1-453D-B9FD-643F752E4532} = "SafetySearch" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7782DBE4-75A1-453D-B9FD-643F752E4532} = "SafetySearch" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER\iexplore.exe = "1" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\AppPath = "C:\\Program Files (x86)\\SafetySearch\\" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\AppName = "FrameworkEngine.exe" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
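The signature tables above record the same persistence and browser-weakening writes several times, once per registry view (native and WOW6432Node) and once per registering process, which makes them tedious to read by hand. The following Python script is an added example, not part of the sandbox report or of the analysed sample: it parses table rows of this report's `| Description | Indicator | Process | Target |` shape, normalises the NT registry paths to HKLM/HKU and strips the WOW6432Node redirection so 32- and 64-bit writes compare equal, and then ties the findings together: Run/RunOnce entries to their command lines, the Browser Helper Object CLSID to the InprocServer32 DLL it resolves to, the `.job` files under `C:\Windows\Tasks`, the Protected Mode `ElevationPolicy` entry set to `3` (silent launch of the broker at medium integrity) and `FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER`, and the `SystemBiosVersion` query used to fingerprint the host. The sample rows are constructed from indicators shown in this report; the function names (`parse_rows`, `normalize_key`, `split_set_value`, `triage`) and the technique labels are this example's own.

```python
"""Tie together persistence and IE-hardening downgrades from sandbox signature rows.

Added example; the helper names and technique labels are ours, not the sandbox's API.
SAMPLE_ROWS is constructed from indicator rows shown in the report above.
"""
import re
from collections import defaultdict

SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Settings Cleaner = "C:\\Program Files (x86)\\Bench\\Proxy\\cl.exe" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\SafetySearch-repairJob = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\SafetySearch\\repair.js\" \"SafetySearch-repairJob\"" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32\ = "C:\\Program Files (x86)\\SafetySearch\\FrameworkBHO64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\ = "SafetySearch BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\Tasks\bench-sys.job | C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\Policy = "3" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER\iexplore.exe = "1" | C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe | N/A |
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"


def parse_rows(text):
    """Yield (description, indicator, process) from '| a | b | c | d |' table rows."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|") or line.startswith("| Description"):
            continue
        cells = [c.strip() for c in line[1:-1].split(" | ")]
        if len(cells) == 4:
            yield cells[0], cells[1], cells[2]


def normalize_key(path):
    """Map NT paths to HKLM/HKU and drop WOW6432Node so 32- and 64-bit writes compare equal."""
    for prefix, hive in ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU")):
        if path.upper().startswith(prefix.upper()):
            path = hive + path[len(prefix):]
            break
    return re.sub(r"\\WOW6432Node(?=\\)", "", path, flags=re.I)


def split_set_value(indicator):
    """Split 'key\\name = "value"' and undo the report's \\\\ and \\" escaping."""
    m = re.match(r'^(.*?) = "(.*)"$', indicator)
    if not m:
        return indicator, None
    return m.group(1), m.group(2).replace('\\"', '"').replace("\\\\", "\\")


def triage(text):
    """Group rows by technique; BHO CLSIDs are resolved to the DLL registered under InprocServer32."""
    findings = defaultdict(list)
    com_servers = {}  # CLSID -> DLL path from the InprocServer32 default value
    bhos = []         # (CLSID, display name, registering process)
    for desc, indicator, process in parse_rows(text):
        if desc.startswith("Set value"):
            key, value = split_set_value(indicator)
            key = normalize_key(key)
            if re.search(r"\\currentversion\\run(once)?\\[^\\]+$", key, re.I):
                findings["run_key"].append(
                    {"name": key.rsplit("\\", 1)[1], "command": value, "process": process})
            elif (m := re.search(rf"\\clsid\\({GUID})\\inprocserver32\\$", key, re.I)):
                com_servers[m.group(1).upper()] = value
            elif (m := re.search(rf"\\browser helper objects\\({GUID})\\$", key, re.I)):
                bhos.append((m.group(1).upper(), value, process))
            elif re.search(rf"\\elevationpolicy\\{GUID}\\policy$", key, re.I) and value == "3":
                # Policy 3: Protected Mode launches this broker silently at medium integrity.
                findings["ie_downgrade"].append(
                    {"what": "ElevationPolicy=3 (silent medium-integrity broker)", "key": key, "process": process})
            elif "feature_disable_internal_security_manager" in key.lower() and value == "1":
                findings["ie_downgrade"].append(
                    {"what": "FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER=1 for " + key.rsplit("\\", 1)[1],
                     "key": key, "process": process})
        elif desc == "File created" and re.search(r"\\windows\\tasks\\[^\\]+\.job$", indicator, re.I):
            findings["scheduled_task"].append({"path": indicator, "process": process})
        elif desc == "Key value queried" and indicator.lower().endswith("\\systembiosversion"):
            findings["recon"].append({"key": normalize_key(indicator), "process": process})
    for clsid, name, process in bhos:
        findings["bho"].append(
            {"clsid": clsid, "name": name, "dll": com_servers.get(clsid), "process": process})
    return dict(findings)


if __name__ == "__main__":
    for technique, items in triage(SAMPLE_ROWS).items():
        print(technique)
        for item in items:
            print("   ", item)
```

Feeding the script the full tables from this report, rather than the eight constructed rows, is a matter of pasting them into `SAMPLE_ROWS`: the header rows are skipped, and duplicate writes through the native and WOW6432Node views collapse onto one normalised key. The BHO join is the useful part for cleanup: the `Browser Helper Objects` key names the CLSID, but only the `InprocServer32` default value tells you which DLL (`FrameworkBHO64.dll` here) Internet Explorer will actually load, and both must go.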
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\0\win32\ = "C:\\Program Files (x86)\\SafetySearch\\FrameworkBHO.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32\ = "C:\\Program Files (x86)\\SafetySearch\\FrameworkBHO64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\TypeLib\ = "{B5D3A0F0-0BFE-429A-A322-95F076081845}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\TypeLib\ = "{B5D3A0F0-0BFE-429A-A322-95F076081845}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7720DB57-7561-457F-B689-D03FB72E3932} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\TypeLib\ = "{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\FLAGS\ = "0" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\0\win64\ = "C:\\Program Files (x86)\\SafetySearch\\FrameworkBHO64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A} | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\TypeLib\ = "{B5D3A0F0-0BFE-429A-A322-95F076081845}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\TypeLib | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\TypeLib\ = "{B5D3A0F0-0BFE-429A-A322-95F076081845}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\ = "IKangoBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\TypeLib\ = "{B5D3A0F0-0BFE-429A-A322-95F076081845}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\Version | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\TypeLib\Version = "1.0" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\Programmable | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7720DB57-7561-457F-B689-D03FB72E3932} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\ = "IKangoToolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\ = "SafetySearch" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32\ = "C:\\Program Files (x86)\\SafetySearch\\FrameworkBHO.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\ = "IKangoBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\ = "EngineLib" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\ = "IKangoEngine" | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\ = "SafetySearch" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351} | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\LocalServer32 | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\TypeLib | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\0\win32 | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\0\win64 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\ = "Framework 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\ProxyStubClsid32 | C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\TypeLib\ = "{B5D3A0F0-0BFE-429A-A322-95F076081845}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Bench\Proxy\pwdg.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Bench\Proxy\pwdg.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Bench\Proxy\pwdg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Bench\BService\1.1\bservice.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Windows\SysWOW64\cscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC} = "1" | C:\Windows\SysWOW64\cscript.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe
"C:\Users\Admin\AppData\Local\Temp\dc864cd8c60ae62c9de8a7bb7f2ce1cb.exe"
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "migrate.js" /iversion=20141023 /programfiles="C:\Program Files (x86)" /localapps="C:\Users\Admin\AppData\Local" /chrome-dir="" /firefox-dir="C:\Users\Admin\AppData\Local\SafetySearch\firefox" /ie-dir="C:\Program Files (x86)\SafetySearch" /product-name="SafetySearch" /installation-time="1711052315" /pid="2031" /zone="622410" /czoneid="" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38989" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /chrome-id="fjnoekdlmmjagmmlchagfonjgbioomoo" /chrome-update-url="http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4" /close-chrome /close-firefox /close-ie
C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe
SoftwareDetector.exe
C:\Users\Admin\AppData\Local\SafetySearch\sqlite3.exe
"C:\Users\Admin\AppData\Local\SafetySearch\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_fjnoekdlmmjagmmlchagfonjgbioomoo_0.localstorage" "SELECT value FROM ItemTable WHERE key='_GPL_zoneid';"
C:\Users\Admin\AppData\Local\SafetySearch\sqlite3.exe
"C:\Users\Admin\AppData\Local\SafetySearch\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33nn83gp.Admin\framework-59de4a3b-cc90-6ccb-2706-5ed9618eecee.sqlite" "SELECT value FROM user_storage WHERE key='_GPL_zoneid';"
C:\Users\Admin\AppData\Local\SafetySearch\storageedit.exe
storageedit.exe ie {1EDE0D83-B129-4ABC-923B-725D5B0C0DAC} get _GPL_zoneid
C:\Windows\SysWOW64\net.exe
net.exe start schedule
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule
C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe" -runmode=addsystask
C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addtask
C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addtask
C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Temp\nss8D8D.tmp"
C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Temp\nss8D8D.tmp"
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "main_installer.js" install /product-name="SafetySearch" /installation-time="1711052315" /pid="2031" /zone="622410" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38989" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /chrome-id="fjnoekdlmmjagmmlchagfonjgbioomoo" /chrome-update-url="http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4" /close-chrome /close-firefox /close-ie
C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe
SoftwareDetector.exe
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "installer.js" install chrome "" /product-name="SafetySearch" /installation-time="1711052315" /pid="2031" /zone="622410" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38989" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /chrome-id="fjnoekdlmmjagmmlchagfonjgbioomoo" /chrome-update-url="http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4" /close-chrome /close-firefox /close-ie
C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe
SoftwareDetector.exe
C:\Users\Admin\AppData\Local\SafetySearch\gpedit.exe
gpedit.exe chrome add-extension fjnoekdlmmjagmmlchagfonjgbioomoo http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "chrome_gp_update.js" /product-name="SafetySearch" /installation-time="1711052315" /pid="2031" /zone="622410" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38989" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /chrome-id="fjnoekdlmmjagmmlchagfonjgbioomoo" /chrome-update-url="http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4" /close-chrome /close-firefox /close-ie
C:\Program Files (x86)\Bench\BService\1.1\bservice.exe
"C:\Program Files (x86)\Bench\BService\1.1\bservice.exe"
C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe
"C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe"
C:\Program Files (x86)\Bench\Wd\wd.exe
"C:\Program Files (x86)\Bench\Wd\wd.exe"
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "installer.js" install firefox "C:\Users\Admin\AppData\Local\SafetySearch\firefox\" /product-name="SafetySearch" /installation-time="1711052315" /pid="2031" /zone="622410" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38989" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /chrome-id="fjnoekdlmmjagmmlchagfonjgbioomoo" /chrome-update-url="http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4" /close-chrome /close-firefox /close-ie
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "installer.js" install ie "C:\Program Files (x86)\SafetySearch\" /product-name="SafetySearch" /installation-time="1711052315" /pid="2031" /zone="622410" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38989" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /chrome-id="fjnoekdlmmjagmmlchagfonjgbioomoo" /chrome-update-url="http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4" /close-chrome /close-firefox /close-ie
C:\Users\Admin\AppData\Local\SafetySearch\SoftwareDetector.exe
SoftwareDetector.exe
C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe
"C:\Program Files (x86)\SafetySearch\FrameworkEngine.exe" /RegServer
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SafetySearch\FrameworkBHO.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SafetySearch\FrameworkBHO64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\SafetySearch\FrameworkBHO64.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SafetySearch\RequestHelper.dll"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="proc.exe" protocol=TCP dir=in localip=127.0.0.1 remoteip=127.0.0.1 localport=3128 action=allow program="C:\Program Files (x86)\Bench\Proxy\proc.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="pwdg.exe" protocol=TCP dir=in localip=127.0.0.1 remoteip=127.0.0.1 localport=3128 action=allow program="C:\Program Files (x86)\Bench\Proxy\pwdg.exe"
C:\Program Files (x86)\Bench\Proxy\pwdg.exe
"C:\Program Files (x86)\Bench\Proxy\pwdg.exe"
C:\Program Files (x86)\Bench\Proxy\proc.exe
"C:\Program Files (x86)\Bench\Proxy\proc.exe"
C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addtask
C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addtask
C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\SafetySearch\info.xml"
C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\SafetySearch\info.xml"
Network
Files