Analysis Overview
SHA256
653d46b5d17c5fd51248e6dde5adc57a5d7621299b7561cecf2479464da44efd
Threat Level: Shows suspicious behavior
The file PingPlotter Professional 5.24.3.8913 [Programs.TheMicroTech.Net].zip was classified as: Shows suspicious behavior.
Malicious Activity Summary
Enumerates connected drives
Blocklisted process makes network request
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Uses Volume Shadow Copy service COM API
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 04:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:56
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4076 wrote to memory of 4740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4076 wrote to memory of 4740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4076 wrote to memory of 4740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4740 -ip 4740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 616
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.201.106:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:56
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
52s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1000 wrote to memory of 2632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1000 wrote to memory of 2632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1000 wrote to memory of 2632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2632 -ip 2632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
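Triage notes for the two runs above (behavioral8 and behavioral10), as an added example that is not part of the sandbox report or of the PingPlotter installer. Both runs show the same shape: a 64-bit `C:\Windows\system32\rundll32.exe` is asked to load a DLL from `%TEMP%\$PLUGINSDIR` (the directory an NSIS installer extracts its plugins into; `System.dll` is the NSIS System plugin), so it re-launches the 32-bit `SysWOW64\rundll32.exe` with the identical command line, and the "wrote to memory" rows are the writes a parent makes into a child it has just created, not injection into a foreign process. The 32-bit child then crashes and WerFault reports on it (`-p 4740`, `-p 2632`). The script below encodes that reasoning as rules over constructed records built from the rows above; the parent link, the WerFault PIDs (not given, left as `None`), the rule names and the counter-example are the author's own assumptions.

```python
"""Triage of the rundll32 / WerFault activity in behavioral8 and behavioral10.

Added example; not sandbox code.  Records are constructed from the
"Processes" and "Suspicious use of WriteProcessMemory" rows of the report.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: Optional[int]          # None where the report gives no PID (WerFault)
    image: str
    cmdline: str
    parent: Optional[int] = None  # assumed from the WriteProcessMemory source


NSIS_PLUGIN_DIR = re.compile(r"\\\$PLUGINSDIR\\", re.I)   # NSIS plugin extraction dir
RUNDLL_CMD = re.compile(r'^"?(?:[^"]*\\)?rundll32\.exe"?\s+(.+)$', re.I)
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def arch_of(image: str) -> str:
    """On 64-bit Windows the 32-bit system binaries live under SysWOW64."""
    return "x86" if "\\syswow64\\" in image.lower() else "x64"


def parse_rundll32(cmdline: str):
    """Split 'rundll32.exe <dll>,<entry>' into (dll, entry); None if not rundll32."""
    m = RUNDLL_CMD.match(cmdline)
    if not m:
        return None
    dll, sep, entry = m.group(1).rpartition(",")
    if not sep:
        return m.group(1).strip().strip('"'), ""
    return dll.strip().strip('"'), entry.strip()


def triage(procs, wpm_events):
    """Classify each WriteProcessMemory (src_pid, dst_pid) pair and collect
    the loaded DLLs and crash victims."""
    by_pid = {p.pid: p for p in procs if p.pid is not None}
    out = {"wow64_forward": [], "injection_candidates": [],
           "rundll32_dlls": [], "crashes": []}
    for src_pid, dst_pid in wpm_events:
        src, dst = by_pid.get(src_pid), by_pid.get(dst_pid)
        # A 64-bit rundll32 given a 32-bit DLL re-launches the SysWOW64 copy
        # with the same command line; writes into that child are start-up.
        if (src and dst and is_rundll32(src.image) and is_rundll32(dst.image)
                and arch_of(src.image) == "x64" and arch_of(dst.image) == "x86"
                and src.cmdline == dst.cmdline and dst.parent == src.pid):
            out["wow64_forward"].append((src_pid, dst_pid))
        else:
            out["injection_candidates"].append(
                (src_pid, dst_pid, getattr(src, "image", "?"), getattr(dst, "image", "?")))
    for p in procs:
        if is_rundll32(p.image) and (parsed := parse_rundll32(p.cmdline)):
            dll, entry = parsed
            out["rundll32_dlls"].append({
                "pid": p.pid, "arch": arch_of(p.image), "dll": dll, "entry": entry,
                "nsis_plugin": bool(NSIS_PLUGIN_DIR.search(dll))})
        elif p.image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID.search(p.cmdline)
            if m:
                victim = by_pid.get(int(m.group(1)))
                out["crashes"].append({
                    "pid": int(m.group(1)),
                    "image": victim.image if victim else None,
                    "switches": re.findall(r"(?:^|\s)(-[a-z]+)", p.cmdline)})
    return out


def verdict(findings) -> str:
    """'review' on any cross-image write; 'installer-pattern' when every
    rundll32 is a WOW64 forward of an NSIS plugin."""
    if findings["injection_candidates"]:
        return "review"
    if findings["wow64_forward"] and all(d["nsis_plugin"] for d in findings["rundll32_dlls"]):
        return "installer-pattern"
    return "unclassified"


def forward_pair(parent_pid, child_pid, dll):
    """Constructed x64 -> x86 rundll32 pair as seen in the report."""
    cmd = rf"rundll32.exe {dll},#1"
    return [Proc(parent_pid, r"C:\Windows\system32\rundll32.exe", cmd),
            Proc(child_pid, r"C:\Windows\SysWOW64\rundll32.exe", cmd, parent=parent_pid)]


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
B8_PROCS = forward_pair(4076, 4740, rf"{TEMP}\$PLUGINSDIR\StdUtils.dll") + [
    Proc(None, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4740 -ip 4740"),
    Proc(None, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 616")]
B8_WPM = [(4076, 4740)] * 3          # three identical rows in behavioral8
B10_PROCS = forward_pair(1000, 2632, rf"{TEMP}\$PLUGINSDIR\System.dll") + [
    Proc(None, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2632 -ip 2632"),
    Proc(None, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 612")]
B10_WPM = [(1000, 2632)] * 3

# Constructed counter-example (not from the report): the same 64-bit
# rundll32 writing into explorer.exe is what real injection would look like.
INJECT_PROCS = [B8_PROCS[0], Proc(5555, r"C:\Windows\explorer.exe", "explorer.exe")]
INJECT_WPM = [(4076, 5555)]

if __name__ == "__main__":
    for name, procs, wpm in (("behavioral8", B8_PROCS, B8_WPM),
                             ("behavioral10", B10_PROCS, B10_WPM),
                             ("constructed", INJECT_PROCS, INJECT_WPM)):
        f = triage(procs, wpm)
        print(name, verdict(f), f["crashes"], f["injection_candidates"])
```

The distinguishing checks are the image pair (x64 rundll32 writing into x86 rundll32 it just spawned), the identical command line, and the `$PLUGINSDIR` path; any WriteProcessMemory whose target is a different image, or whose command line differs from the parent's, falls through to `review`.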
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:56
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\dll\msi.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wkernel32.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ResourceCleaner.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\tmp\ResourceCleaner.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wntdll.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\wntdll.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msi.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmp\ResourceCleaner.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\wntdll.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\msi.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\DLL\wkernel32.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Http.Connections.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\PingPlotter ICMP Generator.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Physical.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.EntityFrameworkCore.Design.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Remotion.Linq.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\cloud_agent.bundle | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\NGraphics.WPF.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.ValueTuple.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Utils.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authentication.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Security.Permissions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Net.Sockets.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\PingPlotter ICMP Generator.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\LiteHtmlSharp.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\MsgPack.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Reflection.Metadata.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Collections.Specialized.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Net.WebSockets.Client.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Drawing.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Options.ConfigurationExtensions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Text.Addons.JavaScript.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Text.Encodings.Web.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Localization.Abstractions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.DiagnosticSource.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Zeroconf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Namotion.Reflection.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Text.RegularExpressions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Threading.ThreadPool.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\MacAddressVendorLookup.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\trial_banner.bundle | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Jint.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.IO.FileSystem.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\action_alert.bundle | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Formatters.Json.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.Annotations.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Xml.XPath.XDocument.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Security.Cryptography.Encoding.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Net.NameResolution.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Chronic.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\NGraphics.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Extensions\MOSColumn\package.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Data.Common.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.ApiExplorer.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Reflection.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\MagHubClient.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\new_version.bundle | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.Contracts.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.IO.Compression.ZipFile.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Wiry.Base32.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Html.Abstractions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Data.Sqlite.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Collections.Immutable.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\WriteableBitmapEx.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Xml.XmlDocument.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Http.Extensions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Security.Cryptography.Cng.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Core.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\FluentCommandLineParser.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Localization.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Microsoft.NET\ngenserviceclientlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI125E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1C76.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI11DF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI157D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1200.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1388.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58dc53.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2541.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1027.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID73.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File opened for modification | C:\Windows\Installer\e58dc51.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEFD.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{CBAA9826-6D34-44FF-AEBF-E880F91CADCE} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1A31.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI259F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE6F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1141.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI11BF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDE2.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1C55.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58dc51.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value elided] | C:\Windows\system32\vssvc.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5 | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Pingman Tools | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5\License = 6763060ab6cb83846512a1baf3abfa025a81f1a62a8fd8950f00e52ee03301c22f2c677f069245ba086d7acdd4620b84 | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\PackageName = "{5716629D-5364-4C67-9992-4C03A559A38F}.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\DefaultIcon\ = "C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe,1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281\6289AABC43D6FF44EAFB8E089FC1DAEC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\URL Protocol | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\FirewallICMPforUDP = "PingPlotter5Main" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WebInterface = "PingPlotter5Main" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws\ShellNew | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\Scripts = "PingPlotter5Main" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2\ShellNew | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\ = "URL:PingPlotter Protocol Handler" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\PingPlotter5Main | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\PackageCode = "D9266175463576C49929C4305A953AF8" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Version = "85458947" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\ = "&Open PingPlotter workspace" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\ = "&Open PingPlotter Sample Set" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\ = "PingPlotter Workspace" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\ = "open" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\pingplotter | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\ = "Pingman Tools.PingPlotter 5.ppws" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\ = "PingPlotter Sample Set" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WindowsService = "\x06" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\ = "open" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe\PingPlotter,Version="5.24.3.8913",Culture="neutral",ProcessorArchitecture="MSIL" = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductName = "PingPlotter 5" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductIcon = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\pingplotter\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\ = "Pingman Tools.PingPlotter 5.pp2" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe
"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CD4260307A46ACE0967FBF6020BC780E C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9D1F35A8187679CFA452B8AC6F18A8F4
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DC1D9B417077D784F70220BE90416E41 E Global\MSI0000
C:\Windows\SysWOW64\cmd.exe
/C "C:\Users\Admin\AppData\Local\Temp\{FE7D9469-69FF-4AD0-A0FA-666CF8090897}.bat"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\cmd.exe
/C "C:\Users\Admin\AppData\Local\Temp\{FE7D9469-69FF-4AD0-A0FA-666CF8090897}.bat"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" /queue:1
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver initializeprofile quiet
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver quiet
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:56
Platform
win7-20240508-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 220
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:56
Platform
win10v2004-20240508-en
Max time kernel
61s
Max time network
52s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3956 wrote to memory of 4688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3956 wrote to memory of 4688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3956 wrote to memory of 4688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4688 -ip 4688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 612
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:56
Platform
win7-20240221-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 224
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:56
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4768 wrote to memory of 4956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4768 wrote to memory of 4956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4768 wrote to memory of 4956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4956 -ip 4956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 628
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:56
Platform
win7-20240611-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 224
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:56
Platform
win7-20240221-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Globalization.Calendars.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Net.Security.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Collections.Specialized.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\SQLitePCLRaw.core.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Buffers.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Extensions\RemoteAgentScript\package.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Caching.Memory.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.IO.Pipes.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\IpHlpApidotnet.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.TextWriterTraceListener.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.SignalR.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\LiteHtmlSharp.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Http.Features.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\x86\e_sqlite3.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.EntityFrameworkCore.Proxies.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authorization.Policy.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.ServiceModel.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\qvsntoj3kv.dat | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Extensions\AlertAction_LaunchAnExecutable\launchanexecutable.js | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Resources\pngcrush.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.Tracing.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Https.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\PingPlotter ICMP Generator.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Persistence.Sqlite.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\GalaSoft.MvvmLight.Platform.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Http.Extensions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Xml.XmlDocument.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\MathNet.Numerics.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\ExposedObject.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Numerics.Vectors.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Windows.Interactivity.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.IO.Pipelines.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authentication.Cookies.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Linq.Expressions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Collections.NonGeneric.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Nito.AsyncEx.Tasks.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Extensions\AlertAction_LaunchAnExecutable\launchanexecutable.meta.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.DataAnnotations.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\MessagePack.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\protobuf-net.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\netstandard.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Threading.Overlapped.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Configuration.Binder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Resources.Reader.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Diagnostics.Runtime.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\ParallelExtensionsExtras.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.EntityFrameworkCore.Design.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Globalization.Extensions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.IO.Compression.ZipFile.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\PingPlotter ICMP Generator.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.DataGrid.Contrib.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Formatters.Json.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.TypeConverter.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Runtime.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Runtime.Serialization.Xml.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Alert Audio\buzzer.mp3 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Threading.ThreadPool.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.PropertyGrid.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Extensions\MOSColumn\default_settings.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Castle.Core.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI1864.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA6B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4DA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI34F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI46C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI17E5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3BE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76fd82.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5B7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI39E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76fd84.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB28.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76fd81.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76fd82.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI529.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIED.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB08.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenserviceclientlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI207.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6D1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76fd81.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3FE.tmp | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
Loads dropped DLL
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools\PingPlotter 5\License = 411880bf66de892c79882f0f97e6657ac089c5e1a2397a1bb845404a4d3d5c5fe316ae9f04f117193f7ca22880d48a77 | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5 | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools\PingPlotter 5 | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\DefaultIcon\ = "C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe,1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\ = "URL:PingPlotter Protocol Handler" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WebInterface = "PingPlotter5Main" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\ = "open" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\PingPlotter5Main | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\PackageCode = "D9266175463576C49929C4305A953AF8" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductIcon = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\ = "&Open PingPlotter Sample Set" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\pingplotter | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Version = "85458947" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\PackageName = "$_4_.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\ = "Pingman Tools.PingPlotter 5.pp2" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\pingplotter\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2\ShellNew | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\pingplotter\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe\PingPlotter,Version="5.24.3.8913",Culture="neutral",ProcessorArchitecture="MSIL" = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\FirewallICMPforUDP = "PingPlotter5Main" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\URL Protocol | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281\6289AABC43D6FF44EAFB8E089FC1DAEC | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\ = "PingPlotter Workspace" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\Scripts = "PingPlotter5Main" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WindowsService = "\x06" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\ = "PingPlotter Sample Set" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductName = "PingPlotter 5" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\ = "&Open PingPlotter workspace" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\ = "Pingman Tools.PingPlotter 5.ppws" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" /url \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
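Two kinds of registry artefact in the "Modifies data under HKEY_USERS" and "Modifies registry class" tables above are printed raw: the 32-hex-character key names under `Installer\Products` and `Installer\UpgradeCodes` (Windows Installer's "packed" GUID form), and the `Set value (data)` hex dumps, which are UTF-16LE strings for REG_SZ/REG_MULTI_SZ values and opaque bytes otherwise. The Python below is an added example written for this page, not code from the sandbox vendor, from Pingman Tools or from the PingPlotter package. It unpacks the product key name back to a GUID, decodes the hex dumps, refuses values that are not text, and splits the advertised `shell\open\command\command` value into its Darwin descriptor parts. The sample values are copied from the tables above; the Darwin descriptor layout (20-character base-85 packed product code, feature name, `>`, 20-character packed component code, then literal arguments) is assumed from the Windows Installer documentation, and the base-85 product code itself is not decoded here.

```python
# Added example for this report page (not the sandbox vendor's or PingPlotter's code).
import re
from typing import Dict, List, Optional

# Constructed test inputs, copied from the registry tables on this page.
PRODUCTS_KEY_NAME = "6289AABC43D6FF44EAFB8E089FC1DAEC"          # Installer\Products\<packed GUID>
LANGUAGE_LIST_HEX = "65006e002d0055005300000065006e0000000000"  # MuiCache\...\LanguageList
CLIENTS_HEX = "3a0000000000"                                      # Installer\Products\...\Clients
LICENSE_HEX = ("411880bf66de892c79882f0f97e6657ac089c5e1a2397a1bb845404a4d3d5c5f"
               "e316ae9f04f117193f7ca22880d48a77")               # Pingman Tools\PingPlotter 5\License
PPWS_COMMAND_HEX = (                                              # ...ppws\shell\open\command\command
    "5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00"
    "500069006e00670050006c006f00740074006500720035004d00610069006e003e00"
    "3700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d00"
    "2000220025003100220000000000")


def _swap_pairs(s: str) -> str:
    """Swap the two hex digits of every byte: 'AEBF' -> 'EAFB'. Its own inverse."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def unpack_msi_guid(packed: str) -> str:
    """Installer key name (32 hex chars) -> {GUID}. The first three GUID groups are
    stored string-reversed, the last two with each byte's hex digits swapped."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", packed):
        raise ValueError("packed GUID must be 32 hex characters")
    p = packed.upper()
    return "{%s-%s-%s-%s-%s}" % (p[0:8][::-1], p[8:12][::-1], p[12:16][::-1],
                                 _swap_pairs(p[16:20]), _swap_pairs(p[20:32]))


def pack_msi_guid(guid: str) -> str:
    """{GUID} -> Installer key name; exact inverse of unpack_msi_guid."""
    m = re.fullmatch(r"\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
                     r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?", guid)
    if not m:
        raise ValueError("not a GUID: %r" % guid)
    g1, g2, g3, g4, g5 = (g.upper() for g in m.groups())
    return g1[::-1] + g2[::-1] + g3[::-1] + _swap_pairs(g4) + _swap_pairs(g5)


def decode_reg_hex(hexdata: str) -> Optional[List[str]]:
    """Decode a 'Set value (data)' hex dump as UTF-16LE REG_SZ / REG_MULTI_SZ.
    Returns the NUL-separated strings, or None when the bytes are not printable
    text (bad hex, odd length, unpaired surrogates, private-use or unassigned
    code points), which is what an opaque blob such as the License value yields."""
    try:
        text = bytes.fromhex(hexdata).decode("utf-16-le")   # strict decoding
    except ValueError:                                      # includes UnicodeDecodeError
        return None
    parts = text.split("\x00")
    while parts and parts[-1] == "":                        # drop terminating NULs
        parts.pop()
    if not parts or not all(s.isprintable() for s in parts):
        return None
    return parts


# Assumed layout of an advertised-shortcut / advertised-verb Darwin descriptor.
DARWIN_RE = re.compile(r"^(?P<product>.{20})(?P<feature>[^>]+)>(?P<component>.{20})(?P<args>.*)$",
                       re.S)


def parse_darwin_descriptor(value: str) -> Optional[Dict[str, str]]:
    """Split a decoded 'command' value into product / feature / component / args.
    Returns None when the string does not follow the assumed layout."""
    m = DARWIN_RE.match(value)
    return m.groupdict() if m else None


def describe_report_values() -> Dict[str, object]:
    """Apply the helpers to the sample values; returns a dict so callers can check it."""
    cmd = decode_reg_hex(PPWS_COMMAND_HEX)
    return {
        "product_code": unpack_msi_guid(PRODUCTS_KEY_NAME),
        "language_list": decode_reg_hex(LANGUAGE_LIST_HEX),
        "clients": decode_reg_hex(CLIENTS_HEX),
        "license_is_text": decode_reg_hex(LICENSE_HEX) is not None,
        "ppws_command": parse_darwin_descriptor(cmd[0]) if cmd else None,
    }


if __name__ == "__main__":
    for key, val in describe_report_values().items():
        print("%s: %r" % (key, val))
```

The unpacked `product_code` is `{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}`, the same GUID that names the `C:\Windows\Installer\{...}\ext.exe` cache directory in the "Drops file in Windows directory" table, which is how a product key under `Installer\Products` is tied back to its cached package during an investigation. The decoded `command` value carries the feature name `PingPlotter5Main` (matching the `Installer\Features` entries) followed by the literal ` "%1"`, while the `License` value does not decode as text and is left as a blob.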
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Windows\system32\msiexec.exe | msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\$_4_.msi |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding F352532781A0A424C94D2E81BBDCD986 C |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\DrvInst.exe | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002C8" "00000000000005B0" |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 96A76E5D8E7228058C24B7C0DC51A7BA |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding F8B61BE9C04289D776C70F54A5158557 M Global\MSI0000 |
| C:\Windows\SysWOW64\cmd.exe | /C "C:\Users\Admin\AppData\Local\Temp\{1DC67473-A1D4-41E5-A7F6-05AEF94AFCC5}.bat" |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\cmd.exe | /C "C:\Users\Admin\AppData\Local\Temp\{1DC67473-A1D4-41E5-A7F6-05AEF94AFCC5}.bat" |
| C:\Windows\SysWOW64\cmd.exe | /C "C:\Users\Admin\AppData\Local\Temp\{1DC67473-A1D4-41E5-A7F6-05AEF94AFCC5}.bat" |
| C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD} |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" /queue:1 |
| C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver initializeprofile quiet |
| C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver quiet |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:56
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\dll\wntdll.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\wntdll.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msi.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\msi.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\msi.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ResourceCleaner.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\tmp\ResourceCleaner.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wntdll.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wkernel32.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\DLL\wkernel32.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmp\ResourceCleaner.pdb | C:\Windows\syswow64\MsiExec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\PingPlotter 5\websocket-sharp.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\load_file_block.bundle | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Alert Audio\tibetan-bell.mp3 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Xml.XDocument.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Runtime.Serialization.Formatters.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Collections.Specialized.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.IO.FileSystem.Watcher.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Http.Features.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\MailKit.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Configuration.FileExtensions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Buffers.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Threading.Channels.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Caching.Memory.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.EventBasedAsync.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.ViewFeatures.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\x64\e_sqlite3.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.DiaSymReader.Native.amd64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\netstandard.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Dynamic.Runtime.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Composite.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\BouncyCastle.Crypto.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Runtime.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Runtime.Serialization.Json.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Https.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\trial_banner.bundle | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.DataAnnotations.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\PingPlotter_v5_manual.pdf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.Contracts.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.FileVersionInfo.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\PingPlotter ICMP Generator.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\NLog.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Globalization.Calendars.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Collections.Concurrent.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.ResponseCaching.Abstractions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.IO.MemoryMappedFiles.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Logging.Debug.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Data.Common.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Net.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.IO.FileSystem.DriveInfo.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Certes.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Logging.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\INIFileParser.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\ParallelExtensionsExtras.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Reactive.Interfaces.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authentication.Cookies.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\protobuf-net.Core.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\CommonServiceLocator.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Abstractions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.Extensions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Security.AccessControl.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Logging.Console.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Cryptography.KeyDerivation.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Identity.EntityFrameworkCore.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\GalaSoft.MvvmLight.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Localization.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Text.Encoding.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.ServiceModel.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Text.Encoding.CodePages.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Net.Ping.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Linq.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\e58397a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3D65.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3DF2.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{CBAA9826-6D34-44FF-AEBF-E880F91CADCE} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File created | C:\Windows\Installer\e58397a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI427E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI479F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3F8D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3FCC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3B5E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3C0B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenserviceclientlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5416.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3D16.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3F6C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58397c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI49A5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4994.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5530.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3F0D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI40C7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3F4C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
Loads dropped DLL
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5 | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5\License = 6dffa239e9c6194dc45f35ef2db066dceebcdced6a8686306863a0778a47583cf43897c50c7c7b3940ec0d0a81d3a4e4 | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Pingman Tools | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\ = "PingPlotter Workspace" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\URL Protocol | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|PingPlotter 5\|PingPlotter.exe | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\PingPlotter5Main | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\DefaultIcon\ = "C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe,1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2\ShellNew | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\ = "PingPlotter Sample Set" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\pingplotter | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\PackageCode = "D9266175463576C49929C4305A953AF8" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\pingplotter\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|PingPlotter 5\|PingPlotter.exe\PingPlotter,Version="5.24.3.8913",Culture="neutral",ProcessorArchitecture="MSIL" = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\ = "open" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\pingplotter\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductIcon = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\FirewallICMPforUDP = "PingPlotter5Main" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\ = "&Open PingPlotter workspace" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Version = "85458947" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\ = "Pingman Tools.PingPlotter 5.ppws" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\ = "&Open PingPlotter Sample Set" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\ = "Pingman Tools.PingPlotter 5.pp2" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\Scripts = "PingPlotter5Main" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281\6289AABC43D6FF44EAFB8E089FC1DAEC | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\ = "open" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductName = "PingPlotter 5" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\PackageName = "$_4_.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Windows\system32\msiexec.exe | msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\$_4_.msi |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 962E2D363EE79B817075EE74AD4A1FEF C |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 11241EF45D392B70EDED2E6B50318022 |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding D7646EF6D665F93158B33AEDB33A2436 E Global\MSI0000 |
| C:\Windows\SysWOW64\cmd.exe | /C "C:\Users\Admin\AppData\Local\Temp\{8CFA690E-2EA4-40A2-B90A-43ED81AC7361}.bat" |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\cmd.exe | /C "C:\Users\Admin\AppData\Local\Temp\{8CFA690E-2EA4-40A2-B90A-43ED81AC7361}.bat" |
| C:\Windows\SysWOW64\cmd.exe | /C "C:\Users\Admin\AppData\Local\Temp\{8CFA690E-2EA4-40A2-B90A-43ED81AC7361}.bat" |
| C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD} |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" /queue:1 |
| C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver initializeprofile quiet |
| C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver quiet |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\MSI41BC.tmp
C:\Users\Admin\AppData\Local\Temp\MSI4367.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_B5408224970389A1C2D228B1F06E63F2
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_B5408224970389A1C2D228B1F06E63F2
C:\Windows\Installer\MSI3DF2.tmp
C:\Windows\Installer\MSI3F6C.tmp
C:\Windows\Installer\MSI3F8D.tmp
C:\Windows\Installer\MSI40C7.tmp
C:\Users\Admin\AppData\Local\Temp\{8CFA690E-2EA4-40A2-B90A-43ED81AC7361}.bat
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe.config
C:\Program Files (x86)\PingPlotter 5\CoreLib.dll
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Docking.Wpf.dll
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Editors.Wpf.dll
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.DataGrid.Contrib.Wpf.dll
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.SyntaxEditor.Wpf.dll
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.PropertyGrid.Wpf.dll
C:\Program Files (x86)\PingPlotter 5\NGraphics.Net.dll
C:\Program Files (x86)\PingPlotter 5\NGraphics.dll
C:\Program Files (x86)\PingPlotter 5\System.IO.dll
C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.dll
C:\Program Files (x86)\PingPlotter 5\System.Runtime.dll
C:\Program Files (x86)\PingPlotter 5\NGraphics.WPF.dll
C:\Program Files (x86)\PingPlotter 5\Newtonsoft.Json.dll
C:\Users\Admin\AppData\Local\Temp\o3ey8m5dzg.tmp
| MD5 | 68a315c999de93329126f6cf253abb38 |
| SHA1 | 39c2450055b71297194b2e879e8629b63c1e246c |
| SHA256 | de3ae99fbd0874fc135347f28a7789ed074b8fabd4fcfbf90a108e2d9ba6d950 |
| SHA512 | d861413606dd80d784071c3cf5517d0393c2dc7c64dc0fe9b47566f3cd0ccac0e174ed649e210e0f6c4fbac1cb68baa007e934df4dc1b97b54b57af6253b9f61 |
C:\Users\Admin\AppData\Local\Temp\o3ey8m5dzg.tmp
C:\Config.Msi\e58397b.rbs
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:56
Platform
win7-20240419-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{202997B1-2878-11EF-B904-5A22F41CCA2C} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\KEYGEN-FFF\PingPlotter.v3.30.4_KEYGEN-FFF.exe
"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\KEYGEN-FFF\PingPlotter.v3.30.4_KEYGEN-FFF.exe"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2512 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\MoveUndo.docm"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:56
Platform
win10v2004-20240611-en
Max time kernel
141s
Max time network
142s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\KEYGEN-FFF\PingPlotter.v3.30.4_KEYGEN-FFF.exe
"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\KEYGEN-FFF\PingPlotter.v3.30.4_KEYGEN-FFF.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| BE | 2.17.107.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:56
Platform
win7-20240508-en
Max time kernel
132s
Max time network
136s
Command Line
Signatures
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\PingPlotter 5\Topshelf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Alert Audio\buzzer.mp3 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Castle.Core.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Cors.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.WebSockets.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Drawing.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileSystemGlobbing.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Nito.Collections.Deque.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Extensions\RemoteAgentScript\remoteagent.meta.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Formatters.Json.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Net.WebSockets.Client.Managed.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.Debug.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\SsdpRadar.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Resources\Fonts\Roboto\Roboto-Medium.ttf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.TagHelpers.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authentication.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Dynamic.Runtime.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Xml.XDocument.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Security.Principal.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.DependencyModel.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.HttpOverrides.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Threading.Timer.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Cryptography.Internal.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Routing.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\core.bundle | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.DependencyInjection.Abstractions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.TypeConverter.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Threading.Channels.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Composite.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Physical.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.Annotations.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.StackTrace.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Security.SecureString.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Runtime.Extensions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\x64\LiteHtmlLib.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.DiaSymReader.Native.x86.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Remotion.Linq.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.AppContext.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Docking.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Newtonsoft.Json.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Reflection.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.SyntaxEditor.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\x86\e_sqlite3.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\mustache-netstandard.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\NJsonSchema.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Newtonsoft.Json.Bson.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Net.Sockets.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.SignalR.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\MsgPack.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\MessagePack.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Hosting.Abstractions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Extensions\MOSColumn\moscolumn.js | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Net.WebSockets.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Cryptography.KeyDerivation.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Logging.Configuration.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Https.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.DataGrid.Contrib.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\action_alert.bundle | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Linq.Parallel.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI1C1B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File opened for modification | C:\Windows\Installer\f779c31.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1EE1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI201B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f779c30.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1D57.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2F7B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1D07.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1DE6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenserviceclientlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f779c30.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1B40.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2386.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1D28.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1D78.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI24A1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2F8C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f779c31.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1CA9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1E35.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2433.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f779c33.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools\PingPlotter 5 | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5 | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools\PingPlotter 5\License = adf0308de21a01c33fa810922e71ab091d65b164aa199d1fe9130850099dd63ad175cb374c608d1f3a89c24c2b4ac93e | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\ = "open" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\ = "&Open PingPlotter Sample Set" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\ = "Pingman Tools.PingPlotter 5.pp2" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\ = "PingPlotter Sample Set" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\ = "URL:PingPlotter Protocol Handler" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductName = "PingPlotter 5" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\ = "&Open PingPlotter workspace" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\PackageName = "{5716629D-5364-4C67-9992-4C03A559A38F}.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281\6289AABC43D6FF44EAFB8E089FC1DAEC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\ = "open" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\ = "PingPlotter Workspace" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\URL Protocol | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\FirewallICMPforUDP = "PingPlotter5Main" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WebInterface = "PingPlotter5Main" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WindowsService = "\x06" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2\ShellNew | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\pingplotter\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\DefaultIcon\ = "C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe,1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductIcon = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws\ShellNew | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\pingplotter\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe\PingPlotter,Version="5.24.3.8913",Culture="neutral",ProcessorArchitecture="MSIL" = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\PackageCode = "D9266175463576C49929C4305A953AF8" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\ = "Pingman Tools.PingPlotter 5.ppws" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" /url \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\PingPlotter5Main | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\Scripts = "PingPlotter5Main" | C:\Windows\system32\msiexec.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe
"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A703E191B7F471631000DB965481D999 C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000318"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A312B2E051A7AA8E51865620DBE9A529
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 33F085D003894205F3850E2674B43CFC M Global\MSI0000
C:\Windows\SysWOW64\cmd.exe
/C "C:\Users\Admin\AppData\Local\Temp\{7185CD67-9B19-48BA-8AC5-F197A1F6DA5B}.bat"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\cmd.exe
/C "C:\Users\Admin\AppData\Local\Temp\{7185CD67-9B19-48BA-8AC5-F197A1F6DA5B}.bat"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" /queue:1
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver initializeprofile quiet
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver quiet
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nsy2D3A.tmp\System.dll
| MD5 | ca332bb753b0775d5e806e236ddcec55 |
| SHA1 | f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f |
| SHA256 | df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d |
| SHA512 | 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00 |
\Users\Admin\AppData\Local\Temp\nsy2D3A.tmp\DotNetChecker.dll
| MD5 | f18364fa5084add86c6e73e457404f18 |
| SHA1 | 6d87c4b9dbf78af88fddf0d4d5febe845c8e4e6a |
| SHA256 | 39c43d67f546fc898f7406d213b73dcb1bc30fc811ddfa3a02b6b50c29d11f91 |
| SHA512 | 716892492390fe4314f3289286f733d07b8b84de1f5af0676b26e68c0be01808682d35ad2bb9e9491247b7bb5a0ea297a6850e26de9baf88621c789206107db3 |
C:\Users\Admin\AppData\Local\Temp\Cab35B5.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar836B.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\Local\Temp\MSI8436.tmp
| MD5 | ca95f207ec70ba34b46c785f7bcb5570 |
| SHA1 | 25c0d45cb9f94892e2877033d06fe8909e5b9972 |
| SHA256 | 8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb |
| SHA512 | c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831 |
C:\Users\Admin\AppData\Local\Temp\MSI85A1.tmp
| MD5 | 5576bf4d22dc695564e49a68cbc98bc2 |
| SHA1 | 80e0e045162a65d84939e22a821ecbbbde3f31d6 |
| SHA256 | 20f76ffd846155a41633d75cb2e784e54f6ec77ca9ca9d52d9510c3e2e918801 |
| SHA512 | 4b952ce6ef08c86d8594fadd1069c3af39c3465314716dc7e7d9937befab8f4db5e4920a901920af4f937e5bb80ca02c33406d54cc766920b8ebba3855500972 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4c49d43fe9e08ae84631925d5e6c6fc5 |
| SHA1 | e37a209cc10ac87e91ca96182fd2bf3732170833 |
| SHA256 | 6561f3c13db1fd0dcf73df343499c7e149eef06001d578647586054329c3b3e5 |
| SHA512 | 575e5853bbf588baf8fd7e01e8c83f7c7abc3db31bcd41b56bc67d18e46bf2fa459c953d20d99c80435847feb8affd7e6b7d069a8b412f251caaaac5f58df8af |
C:\Windows\Installer\MSI1D07.tmp
| MD5 | 71c143221c4d2f06e495ee3f9e51a7f0 |
| SHA1 | 44a3aa0ca190243d6f21becbd5b0c5e923426135 |
| SHA256 | 8d245ef042215b0e9211692c7deaef442f4d46bd5323d74aa1bf25d676525bd9 |
| SHA512 | 98a97a4f45cb70eb671ddc3c8d26a9a4c3d34745f0d1b6ee052a2080e1b4b3dac11303eb9a0c8d38e34df624edc28864e52f13e4d79bc16fe9223c5663372445 |
\Windows\Installer\MSI1D78.tmp
| MD5 | 94fa9ff9c26724e0b8ac910c1e7c40aa |
| SHA1 | 0cf47957200dec349d6b6da432e24165afd590eb |
| SHA256 | adae076f90908818d67777c050c5b1b6cc94be728017bab6c638dfc7763d4d09 |
| SHA512 | becb8229e8ef77a673829c547d2520d6fec94218abf2a21e2948ae5c156bf4a1eb64bfec38653b49902bb31708d9cf770c38f042c1f869d4d4695313b2acfefb |
C:\Windows\Installer\MSI1DE6.tmp
| MD5 | 99dc199a4a390a86f2728f5232a2f9a6 |
| SHA1 | 21b03b2dacbc5e19f3334054703ce53c8ba4a15f |
| SHA256 | 12b9deeb6e80129593bae1439bcbc491c6f602bfff255f72eba627100a54e2f9 |
| SHA512 | 8ba930b0fb37257bbb0d5ea97bbb581ec7d545b737bdce03a78e713b3ad95a2f4b2b6d101817102763100edfe8e46f4532946a7bd3ac24d2142358ac26ec45db |
C:\Windows\Installer\MSI1EE1.tmp
| MD5 | e34827bf55cae867e83cc6122d25154a |
| SHA1 | e513c23028532a6997692965765e235d42d96efa |
| SHA256 | 7f8ce80c53a7a4c3cecfbf497ee443538fd126a6e369b9930a3b021db548b55a |
| SHA512 | 506143a220f58c4236e4736f404c9421b9d5e0caaa21eff950953258ccf783de3534ea702e476acf565719964da6aeaeed787fca2d66c2b8ef5aa51c9b6e38d2 |
C:\Users\Admin\AppData\Local\Temp\{7185CD67-9B19-48BA-8AC5-F197A1F6DA5B}.bat
| MD5 | f6818e7ca5e3b67451c9e672aab6f176 |
| SHA1 | 816b7e4c7d0e7f5a200c008f4b2fbab16401ad43 |
| SHA256 | 748e284ad9f27b7067978564a0989f1dbe23fb0ac1750778e08267373f9601c2 |
| SHA512 | bfea7b7800b33f8431d4807954315a13f4e8f67cb8d72a0c3e23f15875688a0a96e872d5feb5a5ac4e4b0f30479b74b61cff026d8cde3ef3e417eee23830df96 |
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
| MD5 | aea6964efb6bfc8723f85e191c6db9b0 |
| SHA1 | f213e8ae0088838ae76d9d5841f9e9a2376c78a9 |
| SHA256 | 89a3e51a67ef4684952ab912be4e9fd379b4cf46991d6c17c6e59d34f6ec5eac |
| SHA512 | 84a8587ccc35cdb2392f2de20a7323bf626bfdef0cc1ba6957273921aa8336086edd58689fac446e342d3ecb9f0a00e7dd2dbb2e5de223a5b6a42e75d845ab8a |
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe.config
| MD5 | 928b8e104bc50973bad9150c577aaa64 |
| SHA1 | 33eb7ed6547d26bbb8dbb087a45baf41292d01d2 |
| SHA256 | b42eb2bb81f89946449c5b27315afec9c87070ac01a6d0d1df91bd9d46702629 |
| SHA512 | 3b8ac3ce5365b27c8156dfb1ccfeff4f8a0e3b10360c2e5639d3516f2b5aa3c2dc524ddbbd6e3d1941ae0d15f8867eb2e19a0df1c31d1872d25f7758c481cff2 |
memory/1200-539-0x0000000001200000-0x00000000014F0000-memory.dmp
C:\Program Files (x86)\PingPlotter 5\CoreLib.dll
| MD5 | 4f79b56c4bebf4683f731c2fa68126ce |
| SHA1 | be502d11260c83f3bdb67279f796b137094248b6 |
| SHA256 | 28130a2c33fd8ac4a915bd2a695b1160e61ad179136860675b42bbebc878bb63 |
| SHA512 | 3384c07d2378e87d9e7e85f5db6af6bbfe804b559057339b04fda64e744344255da4d309a75efed9ec3246afbb852d4b4dde9baa7d2a783230f25a56d5f6294f |
memory/1200-541-0x000000001B190000-0x000000001B3D2000-memory.dmp
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Docking.Wpf.dll
| MD5 | b9d27fbdd161b1879aa1b5bf390b8114 |
| SHA1 | 1e9ffc3fcefc25581fd726087c74d257c713ffe4 |
| SHA256 | 3866414e85e128dd761a894b63befed29fded32788ab79087d0abc79335f17a4 |
| SHA512 | 4af0057663f74f65af501ec45bed8cc75e225395b1acbd318220cd97eb28123b3b7290c34b865129edc20255c6876c58c25308ae1a458a97f5df285f5a2444c6 |
memory/1200-543-0x0000000000DF0000-0x0000000000E9E000-memory.dmp
memory/1200-547-0x000000001BC70000-0x000000001BE4E000-memory.dmp
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll
| MD5 | 674447f18caace5e1163fb227e4cf08d |
| SHA1 | 62082108201e8be712cd52806a66503cf51fe714 |
| SHA256 | 56dfde9007145d5f6ed21730ecbb5ac04e7c6bc1370fb317acb0e29bffaf5c84 |
| SHA512 | 89fcdc36bd040a554a3bf8be205541914a00e0eed741eed066831d7564fa0f2ede717fb21d1e85e9503d9d262145d2fef837e37ed40087bb7386159fa5411bb8 |
memory/1200-545-0x000000001B4E0000-0x000000001B5CC000-memory.dmp
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.SyntaxEditor.Wpf.dll
| MD5 | 855914201fde2285b71d87c05c4bbcc2 |
| SHA1 | 8bc1bdbb97c2775c0399e9d0e90a036f41357a4c |
| SHA256 | 580a06e4ff57218280a92877d2b5def390b563c86a16366882cfee5d30951bd6 |
| SHA512 | 7040fcb1fa29171f10e9a6400deae3283a078899eb21c969d9fde51136ab5002d2cc95ef9b37ea1647fd28c18df1f1776bd80d12b16703a9b15f2776d97b7fbb |
memory/1200-549-0x0000000000450000-0x00000000004A2000-memory.dmp
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.PropertyGrid.Wpf.dll
| MD5 | 3e50933e28b0ac08f7158e3a783f6bf4 |
| SHA1 | 2178728de734670785b749499e4cfda7e1e30f60 |
| SHA256 | 7d0ee0f0aad53788758a43ccf295cad4b8e6afae6815f2a2800033b29b81c14a |
| SHA512 | 3324d40fdc9a82915b8323f5386d00361bea8ae42aa79fc85b4d9d95a087fbadfc557d9f77e34938ef4fdc8b04d0e6a9f24bbfca6569d981cf404626fb2eb7f6 |
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Editors.Wpf.dll
| MD5 | 6f0e2870c72222d5989e9842d7d9e275 |
| SHA1 | 9a847f1d5efe181c945c60bcfeeb43132db3f599 |
| SHA256 | b637f6e4c87ac32276f92c609ee71bb3d482b36d5516e383e5c52d8f615359e8 |
| SHA512 | ff99918d8a8510d70d250695a583deb91953f6db2abf2a71069a2d67932532977529d3a50ec012cd4547a03601cf8f5367592187768fe4d8aa5a80d8dacfda0d |
memory/1200-551-0x000000001C0D0000-0x000000001C1E6000-memory.dmp
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.DataGrid.Contrib.Wpf.dll
| MD5 | 9c43eb18df357b00aaf31b6684e57a53 |
| SHA1 | 6de6fc5c23b5ef38eb2faab1eb643c3161c2e9f6 |
| SHA256 | abf2ec51aff791bee7580e77502a90b28aa034d2e729580e0d2b10d7ee296fd6 |
| SHA512 | fea50d9884aef63e24546d0947608fee8fb3aad6b0f8b5a02fdf5fead5564c2d8f16828fae1c182f1350b209a8a9b2e99201822957c36787b6ff36d266412309 |
memory/1200-553-0x00000000004B0000-0x00000000004CA000-memory.dmp
memory/1200-555-0x0000000000650000-0x000000000065A000-memory.dmp
memory/1200-560-0x0000000000690000-0x00000000006AA000-memory.dmp
memory/1200-559-0x0000000000680000-0x0000000000688000-memory.dmp
C:\Program Files (x86)\PingPlotter 5\Newtonsoft.Json.dll
| MD5 | 9ef8fb5c101ca8cdcb20af7e2188496f |
| SHA1 | a4f3566d20fe9003a092ab1bced77f12016b9022 |
| SHA256 | ae8b84a5e656c0df5a58e365cf91c6eedcd85ff31f93bd5f21db6f1fe025ccd0 |
| SHA512 | 271198207f107f29b374e188efa318c052827d696e2296dfb58120608edfd7110272338f3effbcb7d3db6e45e72dbb168e5ca90b59836436d9e50276756ae72e |
C:\Program Files (x86)\PingPlotter 5\NLog.dll
| MD5 | a55e8da594924aff7aac9494c91a63d7 |
| SHA1 | d92135f1aab51978f26d8f879dbd4e5ffc71146c |
| SHA256 | 95d5e5a3d6b1a0175bfeef2c10106ad2bee646bc9063d8c3bfdb70f284060b34 |
| SHA512 | ce0fd4ca5a5ef5e6d6413d7f526110ea2b2473e2218915b65935441ffa51982e62512b8e658d39a2705aaa90a5171bd73fb73d410deda0b11c5c11c61a9f1be0 |
memory/1200-570-0x000000001B070000-0x000000001B10C000-memory.dmp
memory/1200-568-0x000000001B780000-0x000000001B832000-memory.dmp
memory/1200-566-0x0000000000B00000-0x0000000000B0A000-memory.dmp
memory/1200-572-0x0000000000CE0000-0x0000000000D0C000-memory.dmp
C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.Dataflow.dll
| MD5 | 18dcf426a4822b80a52832439138e7f0 |
| SHA1 | 270924f3bd1b1f7ac5efdd26e7a8eb922b584129 |
| SHA256 | be2c678b7e39d7af3e631a4b882302a38959b8736a114d9223720ab7d4077f5a |
| SHA512 | 5b7b6c327a8ff25703c8acbcbd9aa3398398fb51d68893ef938f64a7abeeb50cc9751f525f967b1346bb979a3122bf09ebaa444ad5b41f5deef824bf5c342870 |
memory/1200-573-0x0000000000D40000-0x0000000000D64000-memory.dmp
C:\Program Files (x86)\PingPlotter 5\NGraphics.WPF.dll
| MD5 | c15a90b02588f3c2e92086d729268d9a |
| SHA1 | f3917545b0d2f1784d6c677940e184a8bdf199d7 |
| SHA256 | 64c10c0c8c7e80b8697d395f4c89622f5323d89a1b5ae5bb5c2436d2b614667e |
| SHA512 | 821986403f4c2d96413f3b2f81ff570198d4445f6cbb5fca38dc43ce4f2f6d7fd571cec70ef047e93e24f32b2069695435344523ff3390d40a6a400e71144407 |
memory/1200-564-0x00000000006C0000-0x00000000006CA000-memory.dmp
C:\Program Files (x86)\PingPlotter 5\System.Runtime.dll
| MD5 | 351865b759999ab60da018c38878662d |
| SHA1 | 2c6d09dfe7a95f78af5b27d0ffab491ca47dc2e5 |
| SHA256 | cfc8576cd3f50e93ead20e4a08cb1623e95cd928e5afcbaab9ad8ec1eba2528d |
| SHA512 | 7e329b5072fe7eb47871368a357643a4ec59576c0c7dfd2a48b671a33c9fb2fdf24198540ca283797ec2b274946c33f99d10d6b5aa5174872369aa5b58677f3b |
memory/1200-562-0x00000000006B0000-0x00000000006B8000-memory.dmp
memory/1200-574-0x00000000011A0000-0x00000000011D2000-memory.dmp
C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.dll
| MD5 | e7120b5779730efb615235cf0107e386 |
| SHA1 | 455ea9f216bbfcd1876f142d7a1b634fd85ef819 |
| SHA256 | ace34e85a2e954ed07ec11390cbdea7097ae4e56efd8b1bcef35788ce08c6777 |
| SHA512 | 91f893b93d771eb1ac9b9f666561375da5c9a282bf778bca76489306f8aa398fd31bfa59eaeca2f1b1b16a598dc0f5cfa9d3f3d98b0a4cd2ec9fd5539bc3efb3 |
C:\Program Files (x86)\PingPlotter 5\System.IO.dll
| MD5 | ba3845f4986d242d62641e1f6e14caba |
| SHA1 | 9278fe4d60ed3462835a90c56bf187cadc35ddda |
| SHA256 | ab5d0fa375fd11f411293552ffa7b127a62ecc7bef74c5c3a49cad629413e38b |
| SHA512 | 4ccc206b30208cf1ceef1e7341cf7f28e36f3ba90daff5051ee706841a1f30d49d654399c33b2d336d330789b76e5d3fac39d22d6d45d6d76a3ef643750a70cf |
memory/1200-557-0x0000000000660000-0x000000000067C000-memory.dmp
C:\Program Files (x86)\PingPlotter 5\NGraphics.dll
| MD5 | 36896e5b8ff559857c870c8d60470d79 |
| SHA1 | 8abe9941ec44d19b2f079fa66c118d60ecd75141 |
| SHA256 | 57f963ae4825b02214ccae01276708613cdda30d74c50289972f4a16bea3d823 |
| SHA512 | ddbd19c34fe0b38958778cb8e01ec0daf22882a5db774f24d5fbaf3f18938f71f48b55d6b8ed1d31ac31086d416c65f3e410168c891295412a3d67cbbf781793 |
C:\Program Files (x86)\PingPlotter 5\NGraphics.Net.dll
| MD5 | 50f77484e5ebbab4178d226457277f61 |
| SHA1 | f9ce26a5dac69bc620481e76ff4bcaa44610b4f1 |
| SHA256 | 76a4ee07ad63c27d6d95b9e0cc9a903563514e9b8fb51744646a19e00c3175a5 |
| SHA512 | f094291b6097608443d168d7cc5cd6a288f98f6bdb418e22d6f606ea2f54a6c6c166f13fedd827a79e8812d598e4fca1d59f50af17264f80e8dd3621856c77da |
memory/1200-575-0x000000001C800000-0x000000001CE06000-memory.dmp
memory/1200-576-0x0000000001080000-0x0000000001092000-memory.dmp
memory/1200-578-0x000000001AC70000-0x000000001AC88000-memory.dmp
memory/1200-579-0x000000001B5D0000-0x000000001B61C000-memory.dmp
memory/1200-577-0x00000000011E0000-0x00000000011F6000-memory.dmp
memory/1200-582-0x000000001CED0000-0x000000001CEE2000-memory.dmp
memory/1200-581-0x000000001B840000-0x000000001B864000-memory.dmp
memory/1200-580-0x000000001CE10000-0x000000001CECA000-memory.dmp
memory/1200-585-0x000000001D360000-0x000000001D68E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yxj4htisnt.tmp
| MD5 | b16a5fba3793c99536148b33a7304ab1 |
| SHA1 | e353837d75409bf40a3933a4a33cc4241c1989f4 |
| SHA256 | 172a427175692aa038ff7c36ed654549aec085ad7931cde5452b7814f6cc1832 |
| SHA512 | 6bdf135a6aaceeb9013c71369a648ee1f9a2f48c5308706c9cb7c331b58fb48f7648e6d2d68ad7fa31439599a66b371a1b81146637f87b9164052c4c055dfab8 |
memory/2280-603-0x000000001B040000-0x000000001B282000-memory.dmp
memory/2280-604-0x000000001AF00000-0x000000001AFAE000-memory.dmp
memory/2280-605-0x000000001B530000-0x000000001B61C000-memory.dmp
memory/2280-602-0x0000000001330000-0x0000000001620000-memory.dmp
memory/2280-609-0x0000000000460000-0x000000000047A000-memory.dmp
memory/2280-608-0x000000001BE10000-0x000000001BF26000-memory.dmp
memory/2280-610-0x00000000003D0000-0x00000000003DA000-memory.dmp
memory/2280-619-0x0000000000D70000-0x0000000000D9C000-memory.dmp
memory/2280-620-0x000000001AB00000-0x000000001AB24000-memory.dmp
memory/2280-618-0x000000001BFF0000-0x000000001C08C000-memory.dmp
memory/2280-617-0x000000001BF30000-0x000000001BFE2000-memory.dmp
memory/2280-616-0x0000000000AA0000-0x0000000000AAA000-memory.dmp
memory/2280-615-0x0000000000A90000-0x0000000000A9A000-memory.dmp
memory/2280-614-0x0000000000A80000-0x0000000000A88000-memory.dmp
memory/2280-613-0x0000000000630000-0x000000000064A000-memory.dmp
memory/2280-612-0x00000000004A0000-0x00000000004A8000-memory.dmp
memory/2280-611-0x0000000000480000-0x000000000049C000-memory.dmp
memory/2280-607-0x000000001B290000-0x000000001B2E2000-memory.dmp
memory/2280-606-0x000000001BC30000-0x000000001BE0E000-memory.dmp
memory/2280-621-0x000000001C460000-0x000000001C492000-memory.dmp
memory/2280-622-0x000000001C800000-0x000000001CE06000-memory.dmp
memory/2280-623-0x000000001B410000-0x000000001B422000-memory.dmp
memory/2280-627-0x000000001CE10000-0x000000001CECA000-memory.dmp
memory/2280-626-0x000000001C600000-0x000000001C64C000-memory.dmp
memory/2280-625-0x000000001C4A0000-0x000000001C4B8000-memory.dmp
memory/2280-629-0x000000001CED0000-0x000000001CEE2000-memory.dmp
memory/2280-628-0x000000001C650000-0x000000001C674000-memory.dmp
memory/2280-624-0x000000001B620000-0x000000001B636000-memory.dmp
memory/2280-632-0x000000001D190000-0x000000001D4BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yxj4htisnt.tmp
| MD5 | 9e3a645eefcedc75fd12957ecee400a6 |
| SHA1 | 3336d6e406ed53b4403557953b431517cfa871eb |
| SHA256 | 3c4499fadbddfa0adc98cd8a422018cf9ec5daec6ce23c64ea6c1eb0a1806c93 |
| SHA512 | 507c9a7c2fec9eb57bcb8d60f03439440f52091dec99076ec7d92ef88e0edbd45c74f42fb8c425fd964ae0b2b41dc3a56bab60b0e8bf97edfdb317260ac48b01 |
C:\Config.Msi\f779c32.rbs
| MD5 | 3c637802dcf530951126ee8b36d3e1e8 |
| SHA1 | 1085952fd71150bab00cc8bd8d6bc5e0bcb8d994 |
| SHA256 | 665d0915b162e95f286f55addfcff7cab9a69dac69db096b249fa3c4ca29a15a |
| SHA512 | 71a3ef668fa4706662ba338a467459859171abd4b3c7b6f1688f2540d3e3f484f05113158c5cc470f3790f40729d7aa8270563cd016ed4307d466f9b3bd931a6 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:56
Platform
win7-20240611-en
Max time kernel
117s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 224