Malware Analysis Report

2025-08-05 15:57

Sample ID 240612-fhvtva1eqd
Target PingPlotter Professional 5.24.3.8913 [Programs.TheMicroTech.Net].zip
SHA256 653d46b5d17c5fd51248e6dde5adc57a5d7621299b7561cecf2479464da44efd
Tags
score
6/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analyses: behavioral8, behavioral10, behavioral4, behavioral5, behavioral6, behavioral11, behavioral12, behavioral9, behavioral13, behavioral14, behavioral1, behavioral2, behavioral3, behavioral7 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
6/10

SHA256

653d46b5d17c5fd51248e6dde5adc57a5d7621299b7561cecf2479464da44efd

Threat Level: Shows suspicious behavior

The file PingPlotter Professional 5.24.3.8913 [Programs.TheMicroTech.Net].zip was classified as: shows suspicious behavior.

Malicious Activity Summary


Enumerates connected drives

Blocklisted process makes network request

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Program crash

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 04:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:56

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 4740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4076 wrote to memory of 4740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4076 wrote to memory of 4740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4740 -ip 4740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
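The three identical WriteProcessMemory rows above, together with the WerFault.exe command lines, describe one event chain: the 64-bit rundll32.exe in system32 was asked to load a 32-bit NSIS plugin (StdUtils.dll from $PLUGINSDIR, called by ordinal #1), re-launched its SysWOW64 counterpart as PID 4740, wrote into that child while setting it up, and the child then crashed (WerFault -p 4740). The Python below is an added triage example, not part of the sandbox report; it parses those rows and command lines, groups the writes by writer/target PID, checks whether the target is the PID handed to WerFault, and separates a parent re-executing its own 32-bit twin from a write into an unrelated process. The one row flagged as "cross_process_write" is a constructed input (PID 1234, explorer.exe) that does not appear on the page.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Rows copied from the behavioral8 "Suspicious use of WriteProcessMemory" table:
# (indicator, writing process, target process). The report lists the event three times.
WPM_ROWS = [
    ("PID 4076 wrote to memory of 4740",
     r"C:\Windows\system32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
] * 3

# Command lines copied from the behavioral8 Processes list.
PROCESS_CMDLINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4740 -ip 4740",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 616",
]

# Constructed row (NOT in the report): the same writer touching an unrelated process.
CONSTRUCTED_WPM_ROW = ("PID 4076 wrote to memory of 1234",
                       r"C:\Windows\system32\rundll32.exe", r"C:\Windows\explorer.exe")

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# WerFault.exe receives the faulting process id via -p <pid>.
WERFAULT_PID_RE = re.compile(r"\bWerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def crashed_pids(cmdlines):
    """PIDs passed to WerFault.exe with -p, i.e. the processes that crashed."""
    pids = set()
    for cmd in cmdlines:
        m = WERFAULT_PID_RE.search(cmd)
        if m:
            pids.add(int(m.group(1)))
    return pids


def classify(writer_image, target_image):
    """'wow64_relaunch' when a system32 binary writes into its own SysWOW64 twin
    (the 64-bit host re-executing itself as 32-bit and initialising the child);
    anything else is a cross-process write that deserves a look."""
    w, t = PureWindowsPath(writer_image), PureWindowsPath(target_image)
    same_binary = w.name.lower() == t.name.lower()
    if same_binary and w.parent.name.lower() == "system32" and t.parent.name.lower() == "syswow64":
        return "wow64_relaunch"
    return "cross_process_write"


def correlate(rows, cmdlines):
    """Group WriteProcessMemory rows by (writer_pid, target_pid) and annotate each group."""
    crashed = crashed_pids(cmdlines)
    groups = defaultdict(lambda: {"count": 0})
    for indicator, writer, target in rows:
        m = WPM_RE.search(indicator)
        if not m:
            raise ValueError(f"unrecognised indicator: {indicator!r}")
        key = (int(m.group(1)), int(m.group(2)))
        g = groups[key]
        g["count"] += 1
        g["writer_image"] = writer
        g["target_image"] = target
        g["verdict"] = classify(writer, target)
        g["target_crashed"] = key[1] in crashed
    return dict(groups)


if __name__ == "__main__":
    for (wpid, tpid), g in correlate(WPM_ROWS + [CONSTRUCTED_WPM_ROW], PROCESS_CMDLINES).items():
        print(f"{wpid} -> {tpid}: {g['count']} write(s), {g['verdict']}, "
              f"target crashed={g['target_crashed']}")
```

On the page's own rows the only group is 4076 -> 4740, classified as a WoW64 relaunch with a crashed target, which is consistent with a plugin DLL being run outside the NSIS installer that normally hosts it; a write into a process the writer did not just spawn would land in the review bucket instead.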

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.201.106:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
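Nothing in the network table above is obviously attributable to the rundll32 run: the in-addr.arpa rows are reverse (PTR) lookups of addresses the guest had already talked to, and chromewebstore.googleapis.com and pki.goog match the msedge.exe utility process in the Processes list. The Python below is an added example, not part of the sandbox report; it parses the rows as printed, turns each PTR name back into the address being resolved, sets aside the Edge background hosts, and leaves everything else in a review bucket. The allow-list of browser hosts is an assumption for this page, and the one row that lands in the review bucket (203.0.113.7, update.example.invalid) is constructed input that does not appear in the report.

```python
import re

# Rows copied verbatim from the behavioral8 Network table (country, destination, domain, proto).
BEHAVIORAL8_NETWORK = """\
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.201.106:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
"""

# Constructed row (NOT in the report) so that the review bucket is exercised.
CONSTRUCTED_ROW = "NL 203.0.113.7:443 update.example.invalid tcp\n"

# Assumed baseline: hosts the Edge utility process contacts on its own
# (extension store, Google PKI/OCSP). Anything else is not explained by the process list.
BROWSER_BACKGROUND = {"chromewebstore.googleapis.com", "pki.goog"}

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")


def parse_rows(text):
    """Parse the space-separated table into dicts; raise on a row that does not fit."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def ptr_target(domain):
    """'172.210.232.199.in-addr.arpa' -> '199.232.210.172'; None if not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    octets = domain[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def triage(text):
    """Split rows into PTR lookups (decoded to the queried IP), browser background, and review."""
    buckets = {"ptr_lookups": [], "browser_background": [], "review": []}
    for r in parse_rows(text):
        queried_ip = ptr_target(r["domain"])
        conn = (r["domain"], r["ip"], r["port"], r["proto"])
        if queried_ip is not None and r["port"] == 53:
            buckets["ptr_lookups"].append(queried_ip)
        elif r["domain"] in BROWSER_BACKGROUND:
            buckets["browser_background"].append(conn)
        else:
            buckets["review"].append(conn)
    return buckets


if __name__ == "__main__":
    result = triage(BEHAVIORAL8_NETWORK + CONSTRUCTED_ROW)
    print("PTR lookups for:", ", ".join(result["ptr_lookups"]))
    print("browser background:", len(result["browser_background"]), "rows")
    print("needs review:", result["review"])
```

The decoded PTR targets are worth keeping even when the bucket is discarded as noise: they list the addresses the guest had resolved, which is the only place this table records who the browser and OS services actually connected to.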

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:56

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1000 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1000 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1000 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2632 -ip 2632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:56

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\dll\msi.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\wkernel32.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\ResourceCleaner.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\tmp\ResourceCleaner.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\wntdll.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wntdll.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\msi.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\tmp\ResourceCleaner.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\wntdll.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\msi.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\DLL\wkernel32.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Http.Connections.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\PingPlotter ICMP Generator.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Physical.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.EntityFrameworkCore.Design.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Remotion.Linq.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\cloud_agent.bundle C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\NGraphics.WPF.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.ValueTuple.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Utils.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authentication.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Security.Permissions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Net.Sockets.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\PingPlotter ICMP Generator.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\LiteHtmlSharp.Wpf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\MsgPack.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Reflection.Metadata.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Collections.Specialized.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Net.WebSockets.Client.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Drawing.Primitives.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Options.ConfigurationExtensions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Text.Addons.JavaScript.Wpf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Text.Encodings.Web.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Localization.Abstractions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.DiagnosticSource.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Zeroconf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Namotion.Reflection.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Text.RegularExpressions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Threading.ThreadPool.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\MacAddressVendorLookup.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\trial_banner.bundle C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Jint.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.IO.FileSystem.Primitives.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\action_alert.bundle C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Formatters.Json.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.Annotations.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Xml.XPath.XDocument.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Security.Cryptography.Encoding.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Net.NameResolution.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Chronic.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\NGraphics.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Extensions\MOSColumn\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Data.Common.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.ApiExplorer.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Reflection.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\MagHubClient.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\new_version.bundle C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.Contracts.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.IO.Compression.ZipFile.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Wiry.Base32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Html.Abstractions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Data.Sqlite.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Collections.Immutable.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\WriteableBitmapEx.Wpf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Xml.XmlDocument.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Http.Extensions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Primitives.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Security.Cryptography.Cng.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\FluentCommandLineParser.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Localization.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\Installer\MSI125E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\Installer\MSI1C76.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI11DF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI157D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1200.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1388.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58dc53.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2541.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1027.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID73.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\Installer\e58dc51.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEFD.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{CBAA9826-6D34-44FF-AEBF-E880F91CADCE} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1A31.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI259F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE6F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1141.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI11BF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDE2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1C55.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58dc51.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
N/A N/A C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value elided] C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5 C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Pingman Tools C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5\License = 6763060ab6cb83846512a1baf3abfa025a81f1a62a8fd8950f00e52ee03301c22f2c677f069245ba086d7acdd4620b84 C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\PackageName = "{5716629D-5364-4C67-9992-4C03A559A38F}.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\DefaultIcon\ = "C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe,1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281\6289AABC43D6FF44EAFB8E089FC1DAEC C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\URL Protocol C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\FirewallICMPforUDP = "PingPlotter5Main" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WebInterface = "PingPlotter5Main" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws\ShellNew C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\Scripts = "PingPlotter5Main" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2\ShellNew C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\ = "URL:PingPlotter Protocol Handler" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\PingPlotter5Main C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\PackageCode = "D9266175463576C49929C4305A953AF8" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Version = "85458947" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\ = "&Open PingPlotter workspace" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\ = "&Open PingPlotter Sample Set" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\ = "PingPlotter Workspace" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\ = "open" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\pingplotter C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\ = "Pingman Tools.PingPlotter 5.ppws" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\ = "PingPlotter Sample Set" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WindowsService = "\x06" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\ = "open" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe\PingPlotter,Version="5.24.3.8913",Culture="neutral",ProcessorArchitecture="MSIL" = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductName = "PingPlotter 5" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductIcon = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\pingplotter\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\ = "Pingman Tools.PingPlotter 5.pp2" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4108 wrote to memory of 1948 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4108 wrote to memory of 1948 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4108 wrote to memory of 1948 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4108 wrote to memory of 3112 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4108 wrote to memory of 3112 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4108 wrote to memory of 2620 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4108 wrote to memory of 2620 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4108 wrote to memory of 2620 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4108 wrote to memory of 4968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4108 wrote to memory of 4968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4108 wrote to memory of 4968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4968 wrote to memory of 4912 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 4912 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 4912 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4912 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4912 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4968 wrote to memory of 1132 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 1132 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 1132 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 1712 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 4968 wrote to memory of 1712 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 4968 wrote to memory of 1712 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 4108 wrote to memory of 5044 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 4108 wrote to memory of 5044 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 4108 wrote to memory of 4904 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 4108 wrote to memory of 4904 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe

"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding CD4260307A46ACE0967FBF6020BC780E C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 9D1F35A8187679CFA452B8AC6F18A8F4

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DC1D9B417077D784F70220BE90416E41 E Global\MSI0000

C:\Windows\SysWOW64\cmd.exe

/C "C:\Users\Admin\AppData\Local\Temp\{FE7D9469-69FF-4AD0-A0FA-666CF8090897}.bat"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

/C "C:\Users\Admin\AppData\Local\Temp\{FE7D9469-69FF-4AD0-A0FA-666CF8090897}.bat"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" /queue:1

C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver initializeprofile quiet

C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver quiet

Network

Files

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:56

Platform

win7-20240508-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:56

Platform

win10v2004-20240508-en

Max time kernel

61s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3956 wrote to memory of 4688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3956 wrote to memory of 4688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3956 wrote to memory of 4688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4688 -ip 4688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 612

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:56

Platform

win7-20240221-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:56

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4768 wrote to memory of 4956 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4768 wrote to memory of 4956 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4768 wrote to memory of 4956 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4956 -ip 4956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:56

Platform

win7-20240611-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 224

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:56

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\$_4_.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PingPlotter 5\System.Globalization.Calendars.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Net.Security.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Collections.Specialized.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\SQLitePCLRaw.core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Buffers.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Extensions\RemoteAgentScript\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Caching.Memory.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.IO.Pipes.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\IpHlpApidotnet.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.TextWriterTraceListener.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.SignalR.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\LiteHtmlSharp.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Http.Features.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\x86\e_sqlite3.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.EntityFrameworkCore.Proxies.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authorization.Policy.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.ServiceModel.Primitives.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\qvsntoj3kv.dat C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Extensions\AlertAction_LaunchAnExecutable\launchanexecutable.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Resources\pngcrush.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.Tracing.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Https.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\PingPlotter ICMP Generator.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Persistence.Sqlite.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\GalaSoft.MvvmLight.Platform.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Http.Extensions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Xml.XmlDocument.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\MathNet.Numerics.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\ExposedObject.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Numerics.Vectors.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Windows.Interactivity.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.IO.Pipelines.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authentication.Cookies.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Linq.Expressions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Collections.NonGeneric.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Nito.AsyncEx.Tasks.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Extensions\AlertAction_LaunchAnExecutable\launchanexecutable.meta.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.DataAnnotations.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\MessagePack.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\protobuf-net.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\netstandard.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Threading.Overlapped.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Configuration.Binder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Resources.Reader.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Diagnostics.Runtime.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\ParallelExtensionsExtras.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.EntityFrameworkCore.Design.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Globalization.Extensions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.IO.Compression.ZipFile.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\PingPlotter ICMP Generator.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.DataGrid.Contrib.Wpf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Formatters.Json.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.TypeConverter.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Runtime.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Runtime.Serialization.Xml.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Alert Audio\buzzer.mp3 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Threading.ThreadPool.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.PropertyGrid.Wpf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Extensions\MOSColumn\default_settings.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Castle.Core.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI1864.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA6B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4DA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI34F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI46C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\Installer\MSI17E5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI3BE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76fd82.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI5B7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI39E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76fd84.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB28.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\Installer\f76fd81.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76fd82.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI529.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIED.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB08.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\Installer\MSI207.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6D1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76fd81.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3FE.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
N/A N/A C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools\PingPlotter 5\License = 411880bf66de892c79882f0f97e6657ac089c5e1a2397a1bb845404a4d3d5c5fe316ae9f04f117193f7ca22880d48a77 C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5 C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools\PingPlotter 5 C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\DefaultIcon\ = "C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe,1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\ = "URL:PingPlotter Protocol Handler" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WebInterface = "PingPlotter5Main" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\ = "open" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\PingPlotter5Main C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\PackageCode = "D9266175463576C49929C4305A953AF8" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductIcon = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\ = "&Open PingPlotter Sample Set" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\pingplotter C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Version = "85458947" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\PackageName = "$_4_.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\ = "Pingman Tools.PingPlotter 5.pp2" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\pingplotter\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2\ShellNew C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\pingplotter\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe\PingPlotter,Version="5.24.3.8913",Culture="neutral",ProcessorArchitecture="MSIL" = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\FirewallICMPforUDP = "PingPlotter5Main" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\URL Protocol C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281\6289AABC43D6FF44EAFB8E089FC1DAEC C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\ = "PingPlotter Workspace" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\Scripts = "PingPlotter5Main" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WindowsService = "\x06" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\ = "PingPlotter Sample Set" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductName = "PingPlotter 5" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\ = "&Open PingPlotter workspace" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\ = "Pingman Tools.PingPlotter 5.ppws" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" /url \"%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2620 wrote to memory of 2596 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2596 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2596 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2596 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2596 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2596 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2596 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 1804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 1804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 1804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 1804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 1804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 1804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 1804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1804 wrote to memory of 808 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1804 wrote to memory of 808 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1804 wrote to memory of 808 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1804 wrote to memory of 808 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 808 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 808 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 808 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 808 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1804 wrote to memory of 2200 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1804 wrote to memory of 2200 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1804 wrote to memory of 2200 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1804 wrote to memory of 2200 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1804 wrote to memory of 1716 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1804 wrote to memory of 1716 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1804 wrote to memory of 1716 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1804 wrote to memory of 1716 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1804 wrote to memory of 1284 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 1804 wrote to memory of 1284 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 1804 wrote to memory of 1284 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 1804 wrote to memory of 1284 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2620 wrote to memory of 1952 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 2620 wrote to memory of 1952 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 2620 wrote to memory of 1952 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 2620 wrote to memory of 1060 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 2620 wrote to memory of 1060 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 2620 wrote to memory of 1060 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\$_4_.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F352532781A0A424C94D2E81BBDCD986 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002C8" "00000000000005B0"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 96A76E5D8E7228058C24B7C0DC51A7BA

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F8B61BE9C04289D776C70F54A5158557 M Global\MSI0000

C:\Windows\SysWOW64\cmd.exe

/C "C:\Users\Admin\AppData\Local\Temp\{1DC67473-A1D4-41E5-A7F6-05AEF94AFCC5}.bat"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

/C "C:\Users\Admin\AppData\Local\Temp\{1DC67473-A1D4-41E5-A7F6-05AEF94AFCC5}.bat"

C:\Windows\SysWOW64\cmd.exe

/C "C:\Users\Admin\AppData\Local\Temp\{1DC67473-A1D4-41E5-A7F6-05AEF94AFCC5}.bat"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" /queue:1

C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver initializeprofile quiet

C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp

Files

C:\Users\Admin\AppData\Local\Temp\Cab1FF1.tmp

C:\Users\Admin\AppData\Local\Temp\Tar218A.tmp

C:\Users\Admin\AppData\Local\Temp\MSI2208.tmp

C:\Users\Admin\AppData\Local\Temp\MSI23A1.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_B5408224970389A1C2D228B1F06E63F2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_B5408224970389A1C2D228B1F06E63F2

C:\Windows\Installer\MSI39E.tmp

\Windows\Installer\MSI46C.tmp

\Windows\Installer\MSI4DA.tmp

C:\Windows\Installer\MSI5B7.tmp

C:\Users\Admin\AppData\Local\Temp\{1DC67473-A1D4-41E5-A7F6-05AEF94AFCC5}.bat

C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe.config

C:\Program Files (x86)\PingPlotter 5\CoreLib.dll

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Docking.Wpf.dll

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Editors.Wpf.dll

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.PropertyGrid.Wpf.dll

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.SyntaxEditor.Wpf.dll

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.DataGrid.Contrib.Wpf.dll

C:\Program Files (x86)\PingPlotter 5\NGraphics.Net.dll

C:\Program Files (x86)\PingPlotter 5\NGraphics.dll

C:\Program Files (x86)\PingPlotter 5\System.IO.dll

C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.dll

C:\Program Files (x86)\PingPlotter 5\System.Runtime.dll

C:\Program Files (x86)\PingPlotter 5\NGraphics.WPF.dll

C:\Users\Admin\AppData\Local\Temp\k6uw8zvfvb.tmp

C:\Users\Admin\AppData\Local\Temp\k6uw8zvfvb.tmp

C:\Config.Msi\f76fd83.rbs

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:56

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\$_4_.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\dll\wntdll.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wntdll.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\msi.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\msi.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\msi.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\ResourceCleaner.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\tmp\ResourceCleaner.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\wntdll.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\wkernel32.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\DLL\wkernel32.pdb C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\tmp\ResourceCleaner.pdb C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PingPlotter 5\websocket-sharp.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\load_file_block.bundle C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Alert Audio\tibetan-bell.mp3 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Xml.XDocument.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Runtime.Serialization.Formatters.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Collections.Specialized.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.IO.FileSystem.Watcher.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Http.Features.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\MailKit.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Configuration.FileExtensions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Buffers.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Threading.Channels.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Caching.Memory.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.EventBasedAsync.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.ViewFeatures.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\x64\e_sqlite3.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.DiaSymReader.Native.amd64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\netstandard.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Dynamic.Runtime.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Composite.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\BouncyCastle.Crypto.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Runtime.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Runtime.Serialization.Json.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Https.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\trial_banner.bundle C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.DataAnnotations.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\PingPlotter_v5_manual.pdf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.Contracts.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.FileVersionInfo.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\PingPlotter ICMP Generator.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\NLog.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Globalization.Calendars.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Collections.Concurrent.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.ResponseCaching.Abstractions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.IO.MemoryMappedFiles.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Logging.Debug.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Data.Common.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Net.Primitives.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.IO.FileSystem.DriveInfo.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Certes.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Logging.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\INIFileParser.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\ParallelExtensionsExtras.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Reactive.Interfaces.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authentication.Cookies.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\protobuf-net.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\CommonServiceLocator.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Abstractions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.Extensions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Security.AccessControl.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Logging.Console.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Cryptography.KeyDerivation.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Identity.EntityFrameworkCore.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\GalaSoft.MvvmLight.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Localization.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Text.Encoding.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.ServiceModel.Primitives.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Text.Encoding.CodePages.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Net.Ping.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Linq.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.Primitives.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e58397a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3D65.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3DF2.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{CBAA9826-6D34-44FF-AEBF-E880F91CADCE} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File created C:\Windows\Installer\e58397a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI427E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI479F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3F8D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3FCC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3B5E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3C0B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\Installer\MSI5416.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3D16.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3F6C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58397c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI49A5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4994.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5530.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3F0D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI40C7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3F4C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
N/A N/A C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5 C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5\License = 6dffa239e9c6194dc45f35ef2db066dceebcdced6a8686306863a0778a47583cf43897c50c7c7b3940ec0d0a81d3a4e4 C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Pingman Tools C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\ = "PingPlotter Workspace" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\URL Protocol C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\PingPlotter5Main C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\DefaultIcon\ = "C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe,1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2\ShellNew C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\ = "PingPlotter Sample Set" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\pingplotter C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\PackageCode = "D9266175463576C49929C4305A953AF8" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\pingplotter\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe\PingPlotter,Version="5.24.3.8913",Culture="neutral",ProcessorArchitecture="MSIL" = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\ = "open" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\pingplotter\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductIcon = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\FirewallICMPforUDP = "PingPlotter5Main" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\ = "&Open PingPlotter workspace" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Version = "85458947" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\ = "Pingman Tools.PingPlotter 5.ppws" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\ = "&Open PingPlotter Sample Set" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\ = "Pingman Tools.PingPlotter 5.pp2" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\Scripts = "PingPlotter5Main" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281\6289AABC43D6FF44EAFB8E089FC1DAEC C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\ = "open" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductName = "PingPlotter 5" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\PackageName = "$_4_.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open C:\Windows\system32\msiexec.exe N/A
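
The opaque values in this table (the hex blobs under shell\open\command\command and Installer\Assemblies, the 32-hex key names under Installer\Products and Installer\UpgradeCodes, and Version = "85458947") are the normal bookkeeping of Windows Installer advertising, and an analyst can confirm that instead of taking it on trust. The following is an added example, not code from the report, from Pingman Tools or from the sandbox vendor. It copies the .pp2 command blob, the Products key name and the Version DWORD from the table above; the function names are this example's own. The blob is UTF-16LE text holding a Darwin descriptor (20 characters of compressed ProductCode, the feature name, ">", 20 characters of compressed ComponentId, then the verb arguments); the compressed tokens use msi's own base-85 alphabet and are left undecoded here. The 32-hex key name is the ProductCode with its first three fields string-reversed and the last two byte-swapped, and Version packs major/minor/build as byte/byte/word. The unpacked ProductCode should equal the {CBAA9826-...} folder under C:\Windows\Installer seen in the "Drops file in Windows directory" table, the feature should be the PingPlotter5Main named in the Features key, and the version should be the 5.24.3 in the Assemblies key name; if any of those disagreed, the registration would not belong to this package.

```python
"""Decode the Windows Installer registry values recorded in the report.

Added example; not part of the sandbox report or of PingPlotter. The hex blob,
packed GUID and version DWORD below are copied from the "Modifies registry
class" table; the function names are this example's own.
"""

# REG_BINARY 'command' value written by msiexec.exe under
# HKLM\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command
# (copied from the report; the Installer\Assemblies value is the same text
# without the trailing "%1").
PP2_COMMAND_HEX = "5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000"


def decode_reg_utf16(hex_blob: str) -> str:
    """Registry binary dumped as hex -> text.

    Installer writes these values as UTF-16LE with NUL terminators."""
    return bytes.fromhex(hex_blob).decode("utf-16-le").rstrip("\x00")


def parse_darwin_descriptor(text: str) -> dict:
    """Split a Darwin descriptor (what advertised shortcuts and verbs point at).

    Layout: 20-char compressed ProductCode, feature name, '>', 20-char
    compressed ComponentId, then any verb arguments. The two 20-char tokens
    use msi's base-85 alphabet and are returned as-is."""
    product, rest = text[:20], text[20:]
    feature, sep, rest = rest.partition(">")
    if not sep or len(product) != 20 or len(rest) < 20:
        raise ValueError("not a Darwin descriptor")
    return {
        "product": product,
        "feature": feature,
        "component": rest[:20],
        "args": rest[20:].strip(),
    }


def unpack_msi_guid(packed: str) -> str:
    """Installer\\Products key name (32 hex, 'packed' GUID) -> {ProductCode}.

    The first three GUID fields are string-reversed; the last two are
    byte-swapped (each pair of hex digits exchanged)."""
    p = packed.strip().upper()
    if len(p) != 32 or any(c not in "0123456789ABCDEF" for c in p):
        raise ValueError("packed GUID must be 32 hex digits")
    tail = "".join(p[i + 1] + p[i] for i in range(16, 32, 2))
    return "{%s-%s-%s-%s-%s}" % (p[:8][::-1], p[8:12][::-1], p[12:16][::-1], tail[:4], tail[4:])


def pack_msi_guid(guid: str) -> str:
    """Inverse of unpack_msi_guid: {ProductCode} -> Installer\\Products key name."""
    g = guid.strip().strip("{}").replace("-", "").upper()
    if len(g) != 32:
        raise ValueError("GUID must have 32 hex digits")
    swapped = "".join(g[i + 1] + g[i] for i in range(16, 32, 2))
    return g[:8][::-1] + g[8:12][::-1] + g[12:16][::-1] + swapped


def decode_msi_version(dword: int) -> tuple:
    """Installer\\Products\\...\\Version DWORD -> (major, minor, build).

    Major sits in the top byte, minor in the next byte, build in the low word."""
    return ((dword >> 24) & 0xFF, (dword >> 16) & 0xFF, dword & 0xFFFF)


def summarize() -> dict:
    """Tie the report's values together the way an analyst would cross-check them."""
    descriptor = parse_darwin_descriptor(decode_reg_utf16(PP2_COMMAND_HEX))
    return {
        "open_verb": descriptor,
        "product_code": unpack_msi_guid("6289AABC43D6FF44EAFB8E089FC1DAEC"),
        "upgrade_code": unpack_msi_guid("BDE4C0E5F8F1D9E448B630CA83009281"),
        "version": "%d.%d.%d" % decode_msi_version(85458947),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, "->", value)
```

Running the script prints the feature name PingPlotter5Main, the verb argument "%1", the ProductCode {CBAA9826-6D34-44FF-AEBF-E880F91CADCE} and the version 5.24.3, all consistent with the other rows of this report. The same helpers apply to any Installer\Products, Installer\Features or Installer\UpgradeCodes key harvested from a host during triage.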

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 868 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2336 wrote to memory of 868 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2336 wrote to memory of 868 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2336 wrote to memory of 2552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2336 wrote to memory of 2552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2336 wrote to memory of 2552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2336 wrote to memory of 2548 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2336 wrote to memory of 2548 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2336 wrote to memory of 2548 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2548 wrote to memory of 916 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 916 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 916 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 916 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 916 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 916 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2548 wrote to memory of 3724 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 3724 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 3724 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 3164 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 3164 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 3164 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2740 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2548 wrote to memory of 2740 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2548 wrote to memory of 2740 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2336 wrote to memory of 3664 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 2336 wrote to memory of 3664 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 2336 wrote to memory of 4084 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 2336 wrote to memory of 4084 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\$_4_.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 962E2D363EE79B817075EE74AD4A1FEF C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 11241EF45D392B70EDED2E6B50318022

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D7646EF6D665F93158B33AEDB33A2436 E Global\MSI0000

C:\Windows\SysWOW64\cmd.exe

/C "C:\Users\Admin\AppData\Local\Temp\{8CFA690E-2EA4-40A2-B90A-43ED81AC7361}.bat"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

/C "C:\Users\Admin\AppData\Local\Temp\{8CFA690E-2EA4-40A2-B90A-43ED81AC7361}.bat"

C:\Windows\SysWOW64\cmd.exe

/C "C:\Users\Admin\AppData\Local\Temp\{8CFA690E-2EA4-40A2-B90A-43ED81AC7361}.bat"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" /queue:1

C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver initializeprofile quiet

C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI41BC.tmp

C:\Users\Admin\AppData\Local\Temp\MSI4367.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_B5408224970389A1C2D228B1F06E63F2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_B5408224970389A1C2D228B1F06E63F2

C:\Windows\Installer\MSI3DF2.tmp

C:\Windows\Installer\MSI3F6C.tmp

C:\Windows\Installer\MSI3F8D.tmp

C:\Windows\Installer\MSI40C7.tmp

C:\Users\Admin\AppData\Local\Temp\{8CFA690E-2EA4-40A2-B90A-43ED81AC7361}.bat

C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe.config

C:\Program Files (x86)\PingPlotter 5\CoreLib.dll

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Docking.Wpf.dll

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Editors.Wpf.dll

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.DataGrid.Contrib.Wpf.dll

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.SyntaxEditor.Wpf.dll

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.PropertyGrid.Wpf.dll

C:\Program Files (x86)\PingPlotter 5\NGraphics.Net.dll

C:\Program Files (x86)\PingPlotter 5\NGraphics.dll

C:\Program Files (x86)\PingPlotter 5\System.IO.dll

C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.dll

C:\Program Files (x86)\PingPlotter 5\System.Runtime.dll

C:\Program Files (x86)\PingPlotter 5\NGraphics.WPF.dll

C:\Program Files (x86)\PingPlotter 5\Newtonsoft.Json.dll

C:\Users\Admin\AppData\Local\Temp\o3ey8m5dzg.tmp

C:\Config.Msi\e58397b.rbs

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:56

Platform

win7-20240419-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\KEYGEN-FFF\PingPlotter.v3.30.4_KEYGEN-FFF.exe"

Signatures

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{202997B1-2878-11EF-B904-5A22F41CCA2C} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\KEYGEN-FFF\PingPlotter.v3.30.4_KEYGEN-FFF.exe

"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\KEYGEN-FFF\PingPlotter.v3.30.4_KEYGEN-FFF.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2512 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\MoveUndo.docm"

Network

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:56

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\KEYGEN-FFF\PingPlotter.v3.30.4_KEYGEN-FFF.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\KEYGEN-FFF\PingPlotter.v3.30.4_KEYGEN-FFF.exe

"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\KEYGEN-FFF\PingPlotter.v3.30.4_KEYGEN-FFF.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
BE 2.17.107.123:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 123.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:56

Platform

win7-20240508-en

Max time kernel

132s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PingPlotter 5\Topshelf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Alert Audio\buzzer.mp3 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Castle.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Cors.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.WebSockets.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Drawing.Primitives.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileSystemGlobbing.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Nito.Collections.Deque.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Extensions\RemoteAgentScript\remoteagent.meta.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Formatters.Json.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Net.WebSockets.Client.Managed.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.Debug.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\SsdpRadar.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Resources\Fonts\Roboto\Roboto-Medium.ttf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.TagHelpers.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authentication.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Dynamic.Runtime.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Xml.XDocument.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Security.Principal.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.DependencyModel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.HttpOverrides.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Threading.Timer.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Cryptography.Internal.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Routing.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\core.bundle C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.DependencyInjection.Abstractions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.Primitives.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.TypeConverter.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Threading.Channels.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Composite.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Physical.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.Annotations.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.StackTrace.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Security.SecureString.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Runtime.Extensions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\x64\LiteHtmlLib.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.DiaSymReader.Native.x86.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Remotion.Linq.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.AppContext.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Docking.Wpf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Newtonsoft.Json.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Reflection.Primitives.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.SyntaxEditor.Wpf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\x86\e_sqlite3.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\mustache-netstandard.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\NJsonSchema.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Newtonsoft.Json.Bson.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Net.Sockets.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.SignalR.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\MsgPack.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\MessagePack.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Hosting.Abstractions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Extensions\MOSColumn\moscolumn.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Net.WebSockets.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Cryptography.KeyDerivation.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Logging.Configuration.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Https.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.DataGrid.Contrib.Wpf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\action_alert.bundle C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PingPlotter 5\System.Linq.Parallel.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI1C1B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\Installer\f779c31.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI1EE1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI201B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f779c30.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1D57.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\Installer\MSI2F7B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1D07.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1DE6.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f779c30.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1B40.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2386.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1D28.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1D78.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI24A1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2F8C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f779c31.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1CA9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1E35.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2433.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f779c33.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
N/A N/A C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools\PingPlotter 5 C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5 C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools\PingPlotter 5\License = adf0308de21a01c33fa810922e71ab091d65b164aa199d1fe9130850099dd63ad175cb374c608d1f3a89c24c2b4ac93e C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\ = "open" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\ = "&Open PingPlotter Sample Set" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\ = "Pingman Tools.PingPlotter 5.pp2" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\ = "PingPlotter Sample Set" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\ = "URL:PingPlotter Protocol Handler" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductName = "PingPlotter 5" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\ = "&Open PingPlotter workspace" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\PackageName = "{5716629D-5364-4C67-9992-4C03A559A38F}.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281\6289AABC43D6FF44EAFB8E089FC1DAEC C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\ = "open" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\ = "PingPlotter Workspace" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\URL Protocol C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\FirewallICMPforUDP = "PingPlotter5Main" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WebInterface = "PingPlotter5Main" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WindowsService = "\x06" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2\ShellNew C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\pingplotter\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\DefaultIcon\ = "C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe,1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductIcon = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws\ShellNew C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\pingplotter\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe\PingPlotter,Version="5.24.3.8913",Culture="neutral",ProcessorArchitecture="MSIL" = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\PackageCode = "D9266175463576C49929C4305A953AF8" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\ = "Pingman Tools.PingPlotter 5.ppws" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" /url \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\PingPlotter5Main C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\Scripts = "PingPlotter5Main" C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 1944 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 1944 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 1944 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 1944 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 1944 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 1944 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 1944 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2288 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2288 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2288 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2288 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2288 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2288 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2288 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2288 wrote to memory of 1584 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 1584 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 1584 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 1584 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1584 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1584 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1584 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1584 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2288 wrote to memory of 2500 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 2500 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 2500 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 2500 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 2800 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2288 wrote to memory of 2800 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2288 wrote to memory of 2800 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2288 wrote to memory of 2800 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2964 wrote to memory of 1200 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 2964 wrote to memory of 1200 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 2964 wrote to memory of 1200 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 2964 wrote to memory of 2280 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 2964 wrote to memory of 2280 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 2964 wrote to memory of 2280 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

Uses Volume Shadow Copy service COM API

ransomware

Note: in this run the VSS activity is consistent with Windows Installer creating a system restore point (vssvc.exe and DrvInst.exe acting on STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19 appear inside the msiexec.exe session listed below), and no shadow-copy deletion command (vssadmin, wmic shadowcopy) appears in the process list. The ransomware tag is the generic category attached to this signature, not evidence of destructive behaviour by this sample.

Processes

C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe

"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A703E191B7F471631000DB965481D999 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000318"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A312B2E051A7AA8E51865620DBE9A529

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 33F085D003894205F3850E2674B43CFC M Global\MSI0000

C:\Windows\SysWOW64\cmd.exe

/C "C:\Users\Admin\AppData\Local\Temp\{7185CD67-9B19-48BA-8AC5-F197A1F6DA5B}.bat"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

/C "C:\Users\Admin\AppData\Local\Temp\{7185CD67-9B19-48BA-8AC5-F197A1F6DA5B}.bat"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" /queue:1

C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver initializeprofile quiet

C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver quiet
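The WriteProcessMemory table and the Processes list above describe the same install chain from two angles: each "PID X wrote to memory of Y" row is the parent writing the new child's startup parameters into its address space, which is what CreateProcess looks like to a sandbox hook. The script below is an added example, not part of this report or of the sandbox's own tooling. It rebuilds the process tree from the flat rows, reports which PIDs have more than one writer (the case that would indicate injection rather than a spawn), and flags children from an analyst-chosen watchlist of interpreters and LOLBins. The sample rows are the distinct rows of the table above with repeats collapsed; WATCHLIST is an assumption made for the example, not a list from the report.

```python
"""Rebuild a process tree from the flat 'PID X wrote to memory of Y' rows a
sandbox emits and pull out the edges worth a second look."""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict

# Constructed sample: the distinct rows of the WriteProcessMemory table above
# (each repeated row collapsed to one). Real reports repeat a row per write.
SAMPLE_ROWS = r"""
PID 2964 wrote to memory of 1944 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2288 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2288 wrote to memory of 1584 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1584 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2288 wrote to memory of 2500 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 2800 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2964 wrote to memory of 1200 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
PID 2964 wrote to memory of 2280 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
"""

# Non-greedy source path so a target path containing spaces
# ("Program Files (x86)\PingPlotter 5") is not swallowed by the source.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ "
    r"(?P<src_img>.+?\.(?:exe|com|dll)) (?P<dst_img>.+\.(?:exe|com|dll))$",
    re.IGNORECASE,
)

# Interpreters/LOLBins an installer custom action should rarely need.
# Analyst heuristic chosen for this example, not a list taken from the report.
WATCHLIST = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
             "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def parse_rows(text):
    """Return one (src_pid, dst_pid, src_image, dst_image) tuple per distinct row."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or malformed row: skip rather than guess
        edge = (int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map each pid to its image path and to the pids it wrote into (children)."""
    image, children = {}, defaultdict(list)
    for src, dst, src_img, dst_img in edges:
        image.setdefault(src, src_img)
        image[dst] = dst_img
        if dst not in children[src]:
            children[src].append(dst)
    return image, children


def roots(edges):
    """Pids that wrote into others but were never written into themselves."""
    _, children = build_tree(edges)
    written_into = {dst for _, dst, _, _ in edges}
    return sorted(p for p in children if p not in written_into)


def lineage(edges, pid):
    """Chain of pids from the root down to `pid`, following write edges."""
    parent = {dst: src for src, dst, _, _ in edges}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def multi_writer(edges):
    """Pids written into by more than one distinct source pid. A tree built purely
    from process creation gives every pid exactly one writer, so any hit here is a
    candidate for cross-process injection rather than a spawn."""
    writers = defaultdict(set)
    for src, dst, _, _ in edges:
        writers[dst].add(src)
    return sorted(p for p, w in writers.items() if len(w) > 1)


def flagged(edges):
    """Edges whose target image is on the watchlist, as (src, dst, src_name, dst_name)."""
    return [(src, dst, ntpath.basename(s), ntpath.basename(d))
            for src, dst, s, d in edges
            if ntpath.basename(d).lower() in WATCHLIST]


def render(edges):
    """Indented tree, one line per pid, children in the order they were written."""
    image, children = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {ntpath.basename(image[pid])}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    e = parse_rows(SAMPLE_ROWS)
    print(render(e))
    print("multiple writers:", multi_writer(e))
    for src, dst, s, d in flagged(e):
        print(f"review: {s} ({src}) -> {d} ({dst}); lineage {lineage(e, dst)}")
```

On this sample every PID has a single writer and every edge matches a parent/child pair in the Processes list, so the "Suspicious use of WriteProcessMemory" signature here records ordinary process creation. The two edges that survive the watchlist are MsiExec.exe launching cmd.exe for the {7185CD67-...}.bat custom action; the command lines in the Processes list (chcp 65001, ngen install, PingPlotter regserver) are what an analyst would read next to decide whether that custom action needs a closer look.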

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp

Files

\Users\Admin\AppData\Local\Temp\nsy2D3A.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

\Users\Admin\AppData\Local\Temp\nsy2D3A.tmp\DotNetChecker.dll

MD5 f18364fa5084add86c6e73e457404f18
SHA1 6d87c4b9dbf78af88fddf0d4d5febe845c8e4e6a
SHA256 39c43d67f546fc898f7406d213b73dcb1bc30fc811ddfa3a02b6b50c29d11f91
SHA512 716892492390fe4314f3289286f733d07b8b84de1f5af0676b26e68c0be01808682d35ad2bb9e9491247b7bb5a0ea297a6850e26de9baf88621c789206107db3

C:\Users\Admin\AppData\Local\Temp\Cab35B5.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar836B.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\MSI8436.tmp

MD5 ca95f207ec70ba34b46c785f7bcb5570
SHA1 25c0d45cb9f94892e2877033d06fe8909e5b9972
SHA256 8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb
SHA512 c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

C:\Users\Admin\AppData\Local\Temp\MSI85A1.tmp

MD5 5576bf4d22dc695564e49a68cbc98bc2
SHA1 80e0e045162a65d84939e22a821ecbbbde3f31d6
SHA256 20f76ffd846155a41633d75cb2e784e54f6ec77ca9ca9d52d9510c3e2e918801
SHA512 4b952ce6ef08c86d8594fadd1069c3af39c3465314716dc7e7d9937befab8f4db5e4920a901920af4f937e5bb80ca02c33406d54cc766920b8ebba3855500972

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c49d43fe9e08ae84631925d5e6c6fc5
SHA1 e37a209cc10ac87e91ca96182fd2bf3732170833
SHA256 6561f3c13db1fd0dcf73df343499c7e149eef06001d578647586054329c3b3e5
SHA512 575e5853bbf588baf8fd7e01e8c83f7c7abc3db31bcd41b56bc67d18e46bf2fa459c953d20d99c80435847feb8affd7e6b7d069a8b412f251caaaac5f58df8af

C:\Windows\Installer\MSI1D07.tmp

MD5 71c143221c4d2f06e495ee3f9e51a7f0
SHA1 44a3aa0ca190243d6f21becbd5b0c5e923426135
SHA256 8d245ef042215b0e9211692c7deaef442f4d46bd5323d74aa1bf25d676525bd9
SHA512 98a97a4f45cb70eb671ddc3c8d26a9a4c3d34745f0d1b6ee052a2080e1b4b3dac11303eb9a0c8d38e34df624edc28864e52f13e4d79bc16fe9223c5663372445

\Windows\Installer\MSI1D78.tmp

MD5 94fa9ff9c26724e0b8ac910c1e7c40aa
SHA1 0cf47957200dec349d6b6da432e24165afd590eb
SHA256 adae076f90908818d67777c050c5b1b6cc94be728017bab6c638dfc7763d4d09
SHA512 becb8229e8ef77a673829c547d2520d6fec94218abf2a21e2948ae5c156bf4a1eb64bfec38653b49902bb31708d9cf770c38f042c1f869d4d4695313b2acfefb

C:\Windows\Installer\MSI1DE6.tmp

MD5 99dc199a4a390a86f2728f5232a2f9a6
SHA1 21b03b2dacbc5e19f3334054703ce53c8ba4a15f
SHA256 12b9deeb6e80129593bae1439bcbc491c6f602bfff255f72eba627100a54e2f9
SHA512 8ba930b0fb37257bbb0d5ea97bbb581ec7d545b737bdce03a78e713b3ad95a2f4b2b6d101817102763100edfe8e46f4532946a7bd3ac24d2142358ac26ec45db

C:\Windows\Installer\MSI1EE1.tmp

MD5 e34827bf55cae867e83cc6122d25154a
SHA1 e513c23028532a6997692965765e235d42d96efa
SHA256 7f8ce80c53a7a4c3cecfbf497ee443538fd126a6e369b9930a3b021db548b55a
SHA512 506143a220f58c4236e4736f404c9421b9d5e0caaa21eff950953258ccf783de3534ea702e476acf565719964da6aeaeed787fca2d66c2b8ef5aa51c9b6e38d2

C:\Users\Admin\AppData\Local\Temp\{7185CD67-9B19-48BA-8AC5-F197A1F6DA5B}.bat

MD5 f6818e7ca5e3b67451c9e672aab6f176
SHA1 816b7e4c7d0e7f5a200c008f4b2fbab16401ad43
SHA256 748e284ad9f27b7067978564a0989f1dbe23fb0ac1750778e08267373f9601c2
SHA512 bfea7b7800b33f8431d4807954315a13f4e8f67cb8d72a0c3e23f15875688a0a96e872d5feb5a5ac4e4b0f30479b74b61cff026d8cde3ef3e417eee23830df96

C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

MD5 aea6964efb6bfc8723f85e191c6db9b0
SHA1 f213e8ae0088838ae76d9d5841f9e9a2376c78a9
SHA256 89a3e51a67ef4684952ab912be4e9fd379b4cf46991d6c17c6e59d34f6ec5eac
SHA512 84a8587ccc35cdb2392f2de20a7323bf626bfdef0cc1ba6957273921aa8336086edd58689fac446e342d3ecb9f0a00e7dd2dbb2e5de223a5b6a42e75d845ab8a

C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe.config

MD5 928b8e104bc50973bad9150c577aaa64
SHA1 33eb7ed6547d26bbb8dbb087a45baf41292d01d2
SHA256 b42eb2bb81f89946449c5b27315afec9c87070ac01a6d0d1df91bd9d46702629
SHA512 3b8ac3ce5365b27c8156dfb1ccfeff4f8a0e3b10360c2e5639d3516f2b5aa3c2dc524ddbbd6e3d1941ae0d15f8867eb2e19a0df1c31d1872d25f7758c481cff2

memory/1200-539-0x0000000001200000-0x00000000014F0000-memory.dmp

C:\Program Files (x86)\PingPlotter 5\CoreLib.dll

MD5 4f79b56c4bebf4683f731c2fa68126ce
SHA1 be502d11260c83f3bdb67279f796b137094248b6
SHA256 28130a2c33fd8ac4a915bd2a695b1160e61ad179136860675b42bbebc878bb63
SHA512 3384c07d2378e87d9e7e85f5db6af6bbfe804b559057339b04fda64e744344255da4d309a75efed9ec3246afbb852d4b4dde9baa7d2a783230f25a56d5f6294f

memory/1200-541-0x000000001B190000-0x000000001B3D2000-memory.dmp

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Docking.Wpf.dll

MD5 b9d27fbdd161b1879aa1b5bf390b8114
SHA1 1e9ffc3fcefc25581fd726087c74d257c713ffe4
SHA256 3866414e85e128dd761a894b63befed29fded32788ab79087d0abc79335f17a4
SHA512 4af0057663f74f65af501ec45bed8cc75e225395b1acbd318220cd97eb28123b3b7290c34b865129edc20255c6876c58c25308ae1a458a97f5df285f5a2444c6

memory/1200-543-0x0000000000DF0000-0x0000000000E9E000-memory.dmp

memory/1200-547-0x000000001BC70000-0x000000001BE4E000-memory.dmp

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll

MD5 674447f18caace5e1163fb227e4cf08d
SHA1 62082108201e8be712cd52806a66503cf51fe714
SHA256 56dfde9007145d5f6ed21730ecbb5ac04e7c6bc1370fb317acb0e29bffaf5c84
SHA512 89fcdc36bd040a554a3bf8be205541914a00e0eed741eed066831d7564fa0f2ede717fb21d1e85e9503d9d262145d2fef837e37ed40087bb7386159fa5411bb8

memory/1200-545-0x000000001B4E0000-0x000000001B5CC000-memory.dmp

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.SyntaxEditor.Wpf.dll

MD5 855914201fde2285b71d87c05c4bbcc2
SHA1 8bc1bdbb97c2775c0399e9d0e90a036f41357a4c
SHA256 580a06e4ff57218280a92877d2b5def390b563c86a16366882cfee5d30951bd6
SHA512 7040fcb1fa29171f10e9a6400deae3283a078899eb21c969d9fde51136ab5002d2cc95ef9b37ea1647fd28c18df1f1776bd80d12b16703a9b15f2776d97b7fbb

memory/1200-549-0x0000000000450000-0x00000000004A2000-memory.dmp

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.PropertyGrid.Wpf.dll

MD5 3e50933e28b0ac08f7158e3a783f6bf4
SHA1 2178728de734670785b749499e4cfda7e1e30f60
SHA256 7d0ee0f0aad53788758a43ccf295cad4b8e6afae6815f2a2800033b29b81c14a
SHA512 3324d40fdc9a82915b8323f5386d00361bea8ae42aa79fc85b4d9d95a087fbadfc557d9f77e34938ef4fdc8b04d0e6a9f24bbfca6569d981cf404626fb2eb7f6

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Editors.Wpf.dll

MD5 6f0e2870c72222d5989e9842d7d9e275
SHA1 9a847f1d5efe181c945c60bcfeeb43132db3f599
SHA256 b637f6e4c87ac32276f92c609ee71bb3d482b36d5516e383e5c52d8f615359e8
SHA512 ff99918d8a8510d70d250695a583deb91953f6db2abf2a71069a2d67932532977529d3a50ec012cd4547a03601cf8f5367592187768fe4d8aa5a80d8dacfda0d

memory/1200-551-0x000000001C0D0000-0x000000001C1E6000-memory.dmp

C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.DataGrid.Contrib.Wpf.dll

MD5 9c43eb18df357b00aaf31b6684e57a53
SHA1 6de6fc5c23b5ef38eb2faab1eb643c3161c2e9f6
SHA256 abf2ec51aff791bee7580e77502a90b28aa034d2e729580e0d2b10d7ee296fd6
SHA512 fea50d9884aef63e24546d0947608fee8fb3aad6b0f8b5a02fdf5fead5564c2d8f16828fae1c182f1350b209a8a9b2e99201822957c36787b6ff36d266412309

memory/1200-553-0x00000000004B0000-0x00000000004CA000-memory.dmp

memory/1200-555-0x0000000000650000-0x000000000065A000-memory.dmp

memory/1200-560-0x0000000000690000-0x00000000006AA000-memory.dmp

memory/1200-559-0x0000000000680000-0x0000000000688000-memory.dmp

C:\Program Files (x86)\PingPlotter 5\Newtonsoft.Json.dll

MD5 9ef8fb5c101ca8cdcb20af7e2188496f
SHA1 a4f3566d20fe9003a092ab1bced77f12016b9022
SHA256 ae8b84a5e656c0df5a58e365cf91c6eedcd85ff31f93bd5f21db6f1fe025ccd0
SHA512 271198207f107f29b374e188efa318c052827d696e2296dfb58120608edfd7110272338f3effbcb7d3db6e45e72dbb168e5ca90b59836436d9e50276756ae72e

C:\Program Files (x86)\PingPlotter 5\NLog.dll

MD5 a55e8da594924aff7aac9494c91a63d7
SHA1 d92135f1aab51978f26d8f879dbd4e5ffc71146c
SHA256 95d5e5a3d6b1a0175bfeef2c10106ad2bee646bc9063d8c3bfdb70f284060b34
SHA512 ce0fd4ca5a5ef5e6d6413d7f526110ea2b2473e2218915b65935441ffa51982e62512b8e658d39a2705aaa90a5171bd73fb73d410deda0b11c5c11c61a9f1be0

memory/1200-570-0x000000001B070000-0x000000001B10C000-memory.dmp

memory/1200-568-0x000000001B780000-0x000000001B832000-memory.dmp

memory/1200-566-0x0000000000B00000-0x0000000000B0A000-memory.dmp

memory/1200-572-0x0000000000CE0000-0x0000000000D0C000-memory.dmp

C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.Dataflow.dll

MD5 18dcf426a4822b80a52832439138e7f0
SHA1 270924f3bd1b1f7ac5efdd26e7a8eb922b584129
SHA256 be2c678b7e39d7af3e631a4b882302a38959b8736a114d9223720ab7d4077f5a
SHA512 5b7b6c327a8ff25703c8acbcbd9aa3398398fb51d68893ef938f64a7abeeb50cc9751f525f967b1346bb979a3122bf09ebaa444ad5b41f5deef824bf5c342870

memory/1200-573-0x0000000000D40000-0x0000000000D64000-memory.dmp

C:\Program Files (x86)\PingPlotter 5\NGraphics.WPF.dll

MD5 c15a90b02588f3c2e92086d729268d9a
SHA1 f3917545b0d2f1784d6c677940e184a8bdf199d7
SHA256 64c10c0c8c7e80b8697d395f4c89622f5323d89a1b5ae5bb5c2436d2b614667e
SHA512 821986403f4c2d96413f3b2f81ff570198d4445f6cbb5fca38dc43ce4f2f6d7fd571cec70ef047e93e24f32b2069695435344523ff3390d40a6a400e71144407

memory/1200-564-0x00000000006C0000-0x00000000006CA000-memory.dmp

C:\Program Files (x86)\PingPlotter 5\System.Runtime.dll

MD5 351865b759999ab60da018c38878662d
SHA1 2c6d09dfe7a95f78af5b27d0ffab491ca47dc2e5
SHA256 cfc8576cd3f50e93ead20e4a08cb1623e95cd928e5afcbaab9ad8ec1eba2528d
SHA512 7e329b5072fe7eb47871368a357643a4ec59576c0c7dfd2a48b671a33c9fb2fdf24198540ca283797ec2b274946c33f99d10d6b5aa5174872369aa5b58677f3b

memory/1200-562-0x00000000006B0000-0x00000000006B8000-memory.dmp

memory/1200-574-0x00000000011A0000-0x00000000011D2000-memory.dmp

C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.dll

MD5 e7120b5779730efb615235cf0107e386
SHA1 455ea9f216bbfcd1876f142d7a1b634fd85ef819
SHA256 ace34e85a2e954ed07ec11390cbdea7097ae4e56efd8b1bcef35788ce08c6777
SHA512 91f893b93d771eb1ac9b9f666561375da5c9a282bf778bca76489306f8aa398fd31bfa59eaeca2f1b1b16a598dc0f5cfa9d3f3d98b0a4cd2ec9fd5539bc3efb3

C:\Program Files (x86)\PingPlotter 5\System.IO.dll

MD5 ba3845f4986d242d62641e1f6e14caba
SHA1 9278fe4d60ed3462835a90c56bf187cadc35ddda
SHA256 ab5d0fa375fd11f411293552ffa7b127a62ecc7bef74c5c3a49cad629413e38b
SHA512 4ccc206b30208cf1ceef1e7341cf7f28e36f3ba90daff5051ee706841a1f30d49d654399c33b2d336d330789b76e5d3fac39d22d6d45d6d76a3ef643750a70cf

memory/1200-557-0x0000000000660000-0x000000000067C000-memory.dmp

C:\Program Files (x86)\PingPlotter 5\NGraphics.dll

MD5 36896e5b8ff559857c870c8d60470d79
SHA1 8abe9941ec44d19b2f079fa66c118d60ecd75141
SHA256 57f963ae4825b02214ccae01276708613cdda30d74c50289972f4a16bea3d823
SHA512 ddbd19c34fe0b38958778cb8e01ec0daf22882a5db774f24d5fbaf3f18938f71f48b55d6b8ed1d31ac31086d416c65f3e410168c891295412a3d67cbbf781793

C:\Program Files (x86)\PingPlotter 5\NGraphics.Net.dll

MD5 50f77484e5ebbab4178d226457277f61
SHA1 f9ce26a5dac69bc620481e76ff4bcaa44610b4f1
SHA256 76a4ee07ad63c27d6d95b9e0cc9a903563514e9b8fb51744646a19e00c3175a5
SHA512 f094291b6097608443d168d7cc5cd6a288f98f6bdb418e22d6f606ea2f54a6c6c166f13fedd827a79e8812d598e4fca1d59f50af17264f80e8dd3621856c77da

memory/1200-575-0x000000001C800000-0x000000001CE06000-memory.dmp

memory/1200-576-0x0000000001080000-0x0000000001092000-memory.dmp

memory/1200-578-0x000000001AC70000-0x000000001AC88000-memory.dmp

memory/1200-579-0x000000001B5D0000-0x000000001B61C000-memory.dmp

memory/1200-577-0x00000000011E0000-0x00000000011F6000-memory.dmp

memory/1200-582-0x000000001CED0000-0x000000001CEE2000-memory.dmp

memory/1200-581-0x000000001B840000-0x000000001B864000-memory.dmp

memory/1200-580-0x000000001CE10000-0x000000001CECA000-memory.dmp

memory/1200-585-0x000000001D360000-0x000000001D68E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yxj4htisnt.tmp

MD5 b16a5fba3793c99536148b33a7304ab1
SHA1 e353837d75409bf40a3933a4a33cc4241c1989f4
SHA256 172a427175692aa038ff7c36ed654549aec085ad7931cde5452b7814f6cc1832
SHA512 6bdf135a6aaceeb9013c71369a648ee1f9a2f48c5308706c9cb7c331b58fb48f7648e6d2d68ad7fa31439599a66b371a1b81146637f87b9164052c4c055dfab8

memory/2280-603-0x000000001B040000-0x000000001B282000-memory.dmp

memory/2280-604-0x000000001AF00000-0x000000001AFAE000-memory.dmp

memory/2280-605-0x000000001B530000-0x000000001B61C000-memory.dmp

memory/2280-602-0x0000000001330000-0x0000000001620000-memory.dmp

memory/2280-609-0x0000000000460000-0x000000000047A000-memory.dmp

memory/2280-608-0x000000001BE10000-0x000000001BF26000-memory.dmp

memory/2280-610-0x00000000003D0000-0x00000000003DA000-memory.dmp

memory/2280-619-0x0000000000D70000-0x0000000000D9C000-memory.dmp

memory/2280-620-0x000000001AB00000-0x000000001AB24000-memory.dmp

memory/2280-618-0x000000001BFF0000-0x000000001C08C000-memory.dmp

memory/2280-617-0x000000001BF30000-0x000000001BFE2000-memory.dmp

memory/2280-616-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

memory/2280-615-0x0000000000A90000-0x0000000000A9A000-memory.dmp

memory/2280-614-0x0000000000A80000-0x0000000000A88000-memory.dmp

memory/2280-613-0x0000000000630000-0x000000000064A000-memory.dmp

memory/2280-612-0x00000000004A0000-0x00000000004A8000-memory.dmp

memory/2280-611-0x0000000000480000-0x000000000049C000-memory.dmp

memory/2280-607-0x000000001B290000-0x000000001B2E2000-memory.dmp

memory/2280-606-0x000000001BC30000-0x000000001BE0E000-memory.dmp

memory/2280-621-0x000000001C460000-0x000000001C492000-memory.dmp

memory/2280-622-0x000000001C800000-0x000000001CE06000-memory.dmp

memory/2280-623-0x000000001B410000-0x000000001B422000-memory.dmp

memory/2280-627-0x000000001CE10000-0x000000001CECA000-memory.dmp

memory/2280-626-0x000000001C600000-0x000000001C64C000-memory.dmp

memory/2280-625-0x000000001C4A0000-0x000000001C4B8000-memory.dmp

memory/2280-629-0x000000001CED0000-0x000000001CEE2000-memory.dmp

memory/2280-628-0x000000001C650000-0x000000001C674000-memory.dmp

memory/2280-624-0x000000001B620000-0x000000001B636000-memory.dmp

memory/2280-632-0x000000001D190000-0x000000001D4BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yxj4htisnt.tmp

MD5 9e3a645eefcedc75fd12957ecee400a6
SHA1 3336d6e406ed53b4403557953b431517cfa871eb
SHA256 3c4499fadbddfa0adc98cd8a422018cf9ec5daec6ce23c64ea6c1eb0a1806c93
SHA512 507c9a7c2fec9eb57bcb8d60f03439440f52091dec99076ec7d92ef88e0edbd45c74f42fb8c425fd964ae0b2b41dc3a56bab60b0e8bf97edfdb317260ac48b01

C:\Config.Msi\f779c32.rbs

MD5 3c637802dcf530951126ee8b36d3e1e8
SHA1 1085952fd71150bab00cc8bd8d6bc5e0bcb8d994
SHA256 665d0915b162e95f286f55addfcff7cab9a69dac69db096b249fa3c4ca29a15a
SHA512 71a3ef668fa4706662ba338a467459859171abd4b3c7b6f1688f2540d3e3f484f05113158c5cc470f3790f40729d7aa8270563cd016ed4307d466f9b3bd931a6

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:56

Platform

win7-20240611-en

Max time kernel

117s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 224

Note: WerFault.exe -p 1732 is Windows Error Reporting handling a crash of PID 1732, the rundll32.exe host. StdUtils.dll is an NSIS plugin that expects to be called through the installer's plugin interface, so invoking its first export directly via rundll32 faults; this detonation shows no network or file activity of its own.

Network

N/A

Files

N/A