Analysis Overview
SHA256
3586e0620442b8dfe2ae80f14dd389c224a7b9db7e6b9b29779a5b3d28e4a47f
Threat Level: Shows suspicious behavior
The file pingplotter_install.exe received the verdict: Shows suspicious behavior.
Malicious Activity Summary
Enumerates connected drives
Blocklisted process makes network request
Loads dropped DLL
Drops file in Windows directory
Drops file in Program Files directory
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Program crash
Uses Volume Shadow Copy service COM API
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 05:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-12 05:07
Reported
2024-06-12 05:11
Platform
win7-20240221-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 224
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-12 05:07
Reported
2024-06-12 05:11
Platform
win7-20240508-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 224
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-12 05:07
Reported
2024-06-12 05:11
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3664 wrote to memory of 3940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3664 wrote to memory of 3940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3664 wrote to memory of 3940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3940 -ip 3940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 628
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.186:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.227.14:443 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-12 05:07
Reported
2024-06-12 05:11
Platform
win7-20231129-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2840 wrote to memory of 2636 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2840 wrote to memory of 2636 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2840 wrote to memory of 2636 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2840 wrote to memory of 2636 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2840 wrote to memory of 2636 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2840 wrote to memory of 2636 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2840 wrote to memory of 2636 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\$_4_.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DC15DB52B622ADB6BA20C0C1D986D457 C
Network
Files
C:\Users\Admin\AppData\Local\Temp\MSI780.tmp
| MD5 | ca95f207ec70ba34b46c785f7bcb5570 |
| SHA1 | 25c0d45cb9f94892e2877033d06fe8909e5b9972 |
| SHA256 | 8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb |
| SHA512 | c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831 |
C:\Users\Admin\AppData\Local\Temp\MSI89C.tmp
| MD5 | 5576bf4d22dc695564e49a68cbc98bc2 |
| SHA1 | 80e0e045162a65d84939e22a821ecbbbde3f31d6 |
| SHA256 | 20f76ffd846155a41633d75cb2e784e54f6ec77ca9ca9d52d9510c3e2e918801 |
| SHA512 | 4b952ce6ef08c86d8594fadd1069c3af39c3465314716dc7e7d9937befab8f4db5e4920a901920af4f937e5bb80ca02c33406d54cc766920b8ebba3855500972 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 05:07
Reported
2024-06-12 05:11
Platform
win7-20240220-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\PingPlotter_v5_manual.pdf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Extensions\AlertAction_LaunchAnExecutable\default_settings.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.DiaSymReader.Native.arm.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Reflection.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Collections.Specialized.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\SQLitePCLRaw.batteries_v2.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\wpl95gklra.dat | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Cryptography.Internal.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.DotNet.PlatformAbstractions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Configuration.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.Annotations.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\FluffySpoon.AspNet.LetsEncrypt.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Extensions\AlertAction_LaunchAnExecutable\launchanexecutable.js | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Security.Principal.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.IO.Pipes.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\AngleSharp.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.ResponseCaching.Abstractions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Hosting.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Win32.Registry.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.Parallel.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authentication.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Security.SecureString.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Net.WebHeaderCollection.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.DataProtection.Abstractions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authorization.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Extensions\AlertAction_LaunchAnExecutable\launchanexecutable.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Topshelf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.EntityFrameworkCore.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Threading.Channels.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.AppContext.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Security.Principal.Windows.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Runtime.Extensions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Runtime.Serialization.Json.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\CommonServiceLocator.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\GalaSoft.MvvmLight.Extras.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\mustache-sharp.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Reflection.Metadata.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Extensions\MOSColumn\package.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Threading.Timer.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authorization.Policy.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Certes.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\MathNet.Numerics.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.ObjectModel.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\PingPlotter ICMP Generator.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Extensions\AlertAction_LaunchAnExecutable\launchanexecutable.meta.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\NGraphics.WPF.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\ParallelExtensionsExtras.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Resources\Fonts\Roboto\Roboto-Regular.ttf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Security.Cryptography.Cng.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\mustache-netstandard.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.SignalR.Protocols.Json.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Collections.NonGeneric.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.Debug.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.SyntaxEditor.Addons.Xml.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Configuration.Abstractions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Numerics.Vectors.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.Contracts.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Xml.XDocument.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.Runtime.Handles.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\action_hops.bundle | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\MagHubClient.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\PingPlotter 5\System.ValueTuple.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI755F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6CCE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI71A4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76514c.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenserviceclientlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6C20.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7473.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8029.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI806A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76514b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6B74.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI700D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76514c.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI52E3.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6DAA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6E38.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76514e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6D6B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI74F1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5361.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6C6F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76514b.msi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools\PingPlotter 5 | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5 | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools\PingPlotter 5\License = 6ac1c8f0eba2d500424d4348d7ff9d1812a8e946e91a1b3ced7e2b38b4a0fc26eab33f6140021a529c74aad29dc68a5d | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\DefaultIcon\ = "C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe,1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|PingPlotter 5\|PingPlotter.exe | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\pingplotter | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\ = "open" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" /url \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\FirewallICMPforUDP = "PingPlotter5Main" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WebInterface = "PingPlotter5Main" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\ = "Pingman Tools.PingPlotter 5.pp2" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WindowsService = "\x06" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\Scripts = "PingPlotter5Main" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\PackageName = "{5716629D-5364-4C67-9992-4C03A559A38F}.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\ = "&Open PingPlotter workspace" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Version = "85458947" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductName = "PingPlotter 5" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductIcon = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\ = "Pingman Tools.PingPlotter 5.ppws" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\ = "&Open PingPlotter Sample Set" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\pingplotter\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\pingplotter\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\ = "PingPlotter Workspace" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\URL Protocol | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|PingPlotter 5\|PingPlotter.exe\PingPlotter,Version="5.24.3.8913",Culture="neutral",ProcessorArchitecture="MSIL" = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\ = "URL:PingPlotter Protocol Handler" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws\ShellNew | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2\ShellNew | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\ = "PingPlotter Sample Set" | C:\Windows\system32\msiexec.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\pingplotter_install.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <certificate blob omitted> | C:\Users\Admin\AppData\Local\Temp\pingplotter_install.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pingplotter_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pingplotter_install.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\pingplotter_install.exe
"C:\Users\Admin\AppData\Local\Temp\pingplotter_install.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 71AA038CAD480FFCC0C76E5CF8DB81FC C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1432 -s 552
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A5E138A733F4C4A47734E9DB153227E9
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D0" "00000000000002CC"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C7A8242ED9DCD9C02071BA52527CD0DC M Global\MSI0000
C:\Windows\SysWOW64\cmd.exe
/C "C:\Users\Admin\AppData\Local\Temp\{B430673A-8214-403C-B687-0E8D828C119E}.bat"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\cmd.exe
/C "C:\Users\Admin\AppData\Local\Temp\{B430673A-8214-403C-B687-0E8D828C119E}.bat"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" /queue:1
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver initializeprofile quiet
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver quiet
Network
Files
\Users\Admin\AppData\Local\Temp\nst2889.tmp\System.dll
| MD5 | ca332bb753b0775d5e806e236ddcec55 |
| SHA1 | f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f |
| SHA256 | df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d |
| SHA512 | 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00 |
\Users\Admin\AppData\Local\Temp\nst2889.tmp\DotNetChecker.dll
| MD5 | f18364fa5084add86c6e73e457404f18 |
| SHA1 | 6d87c4b9dbf78af88fddf0d4d5febe845c8e4e6a |
| SHA256 | 39c43d67f546fc898f7406d213b73dcb1bc30fc811ddfa3a02b6b50c29d11f91 |
| SHA512 | 716892492390fe4314f3289286f733d07b8b84de1f5af0676b26e68c0be01808682d35ad2bb9e9491247b7bb5a0ea297a6850e26de9baf88621c789206107db3 |
C:\Users\Admin\AppData\Local\Temp\Cab3133.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar3423.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Local\Temp\MSI34C0.tmp
| MD5 | ca95f207ec70ba34b46c785f7bcb5570 |
| SHA1 | 25c0d45cb9f94892e2877033d06fe8909e5b9972 |
| SHA256 | 8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb |
| SHA512 | c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831 |
C:\Users\Admin\AppData\Local\Temp\MSI364A.tmp
| MD5 | 5576bf4d22dc695564e49a68cbc98bc2 |
| SHA1 | 80e0e045162a65d84939e22a821ecbbbde3f31d6 |
| SHA256 | 20f76ffd846155a41633d75cb2e784e54f6ec77ca9ca9d52d9510c3e2e918801 |
| SHA512 | 4b952ce6ef08c86d8594fadd1069c3af39c3465314716dc7e7d9937befab8f4db5e4920a901920af4f937e5bb80ca02c33406d54cc766920b8ebba3855500972 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_B5408224970389A1C2D228B1F06E63F2
| MD5 | 36f5d03cd7b13e5fe0e915b00f4034e9 |
| SHA1 | c989899d4758051248cbb3edf7300aa356b176ca |
| SHA256 | 91e9646cae08070083e277fed6d82a39ad9f8ac15e3dfc5f13c893dbc95099d7 |
| SHA512 | b8ec8a218e62b3de3f63a6de399c438f19f378f3c6fbcf386d2e7719255f8d26c3133bbba6b008ad2a7f22054db2011f4ebd48a50b64bf9500bc2cc68f532238 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_B5408224970389A1C2D228B1F06E63F2
| MD5 | 8c8198d1dea39d829a1fe7081201d815 |
| SHA1 | 83bf9c06b86db36e5c9af4476ff80ae21f80db26 |
| SHA256 | 7658d10135763e8e4d23e7063864020a120844712b7bec9ac2294d54cd79a287 |
| SHA512 | fd1af68f475598be7bf125029664557e6d258995e46cdd34d0e933978730ad1672606ba25f92fdb44de040c252ed690926dfdbfffe9050dff8432125ec0d236d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
| MD5 | f3caf7a7e82ca0c660532a49d65858d4 |
| SHA1 | 34a5babef00151e28ac420f3b84cd90a5e5ac99f |
| SHA256 | cdb6c2f46d77119c126ad9b9be53fc57c3fa834e25fe0ae73a8398f10a18701e |
| SHA512 | 3b3e3f4de4fc948bb15b8ca5f7e4c630deea291092132878a91968501c407057e8be2405b2c6ada56e63682acd1bb27f897480c2ece2680212da66b3287607c0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 62200445ef25a94260c14924735782af |
| SHA1 | ad244ba742cca535e91cdc5c28fb0caafe174ae3 |
| SHA256 | 7b9de83ffc1129188c681b30a7c00c7cd6d5dcf368418ee75a79fb0170a51758 |
| SHA512 | 4af1363ab54cb97e01c9a548a2ac2ff53b08c7ae9f7aded9deda0d8f705c198297a3c443e42caf408c5449ef5e62191a99a715944e4a25fdd1c34fdf3c53a3e4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
| MD5 | 846105a74213fc4fe5c1c99cc99f3664 |
| SHA1 | 900a9047864a047384c7618768047cded7b30181 |
| SHA256 | e8537cf02c5af5e85481dc9d0d03cea7e478816b0026db250e9613d8fceb2490 |
| SHA512 | 9946140cdd2362b683fb794a5dc80be33df4dee0877de012a2f49418b6167f7b8c9cc788734090c18cf4bb1ba976c6093254c38f3abc47335e8987efa812c5ab |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
| MD5 | 2eee3865f16574bb2c8058a2b4977995 |
| SHA1 | 9e65c7b29d8a121cbd4dbdd24161113b7ec774f2 |
| SHA256 | 6de01a7f89ac9c20580975e0f3163a4d355006395a615c71d86c7d0c7c5c007e |
| SHA512 | 3ec5e1000906b083f0366703a8e660360c80c2c2706beddb2f0976fda723596f955ab9e75f0d5328d02755279cf28e4dd4fc29ae334901eb986e84b9b58cb2c8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
| MD5 | 87e6192ca3fbcf9915e78c9684195f84 |
| SHA1 | 6f74fbb7ed33d4e3d92f6e490a25c97367df4ca5 |
| SHA256 | 34a37734eb68c3eef804f148944b43531a841f72f59b0e11a9be98156df78c13 |
| SHA512 | 326712499bcd215077b14de9df09b1e8a5abe3cbefc24f49e8bd596c7768ddb020b5daeca52c201be4f69c0dc3405a6207a2b240d4048fc6a63d9632c3b1033c |
C:\Windows\Installer\MSI6C20.tmp
| MD5 | 71c143221c4d2f06e495ee3f9e51a7f0 |
| SHA1 | 44a3aa0ca190243d6f21becbd5b0c5e923426135 |
| SHA256 | 8d245ef042215b0e9211692c7deaef442f4d46bd5323d74aa1bf25d676525bd9 |
| SHA512 | 98a97a4f45cb70eb671ddc3c8d26a9a4c3d34745f0d1b6ee052a2080e1b4b3dac11303eb9a0c8d38e34df624edc28864e52f13e4d79bc16fe9223c5663372445 |
C:\Windows\Installer\MSI6D6B.tmp
| MD5 | 94fa9ff9c26724e0b8ac910c1e7c40aa |
| SHA1 | 0cf47957200dec349d6b6da432e24165afd590eb |
| SHA256 | adae076f90908818d67777c050c5b1b6cc94be728017bab6c638dfc7763d4d09 |
| SHA512 | becb8229e8ef77a673829c547d2520d6fec94218abf2a21e2948ae5c156bf4a1eb64bfec38653b49902bb31708d9cf770c38f042c1f869d4d4695313b2acfefb |
C:\Windows\Installer\MSI6DAA.tmp
| MD5 | 99dc199a4a390a86f2728f5232a2f9a6 |
| SHA1 | 21b03b2dacbc5e19f3334054703ce53c8ba4a15f |
| SHA256 | 12b9deeb6e80129593bae1439bcbc491c6f602bfff255f72eba627100a54e2f9 |
| SHA512 | 8ba930b0fb37257bbb0d5ea97bbb581ec7d545b737bdce03a78e713b3ad95a2f4b2b6d101817102763100edfe8e46f4532946a7bd3ac24d2142358ac26ec45db |
C:\Windows\Installer\MSI700D.tmp
| MD5 | e34827bf55cae867e83cc6122d25154a |
| SHA1 | e513c23028532a6997692965765e235d42d96efa |
| SHA256 | 7f8ce80c53a7a4c3cecfbf497ee443538fd126a6e369b9930a3b021db548b55a |
| SHA512 | 506143a220f58c4236e4736f404c9421b9d5e0caaa21eff950953258ccf783de3534ea702e476acf565719964da6aeaeed787fca2d66c2b8ef5aa51c9b6e38d2 |
C:\Users\Admin\AppData\Local\Temp\{B430673A-8214-403C-B687-0E8D828C119E}.bat
| MD5 | 2f8261431256e01b71cf769a759372c2 |
| SHA1 | 90c2ce5292b4a6470f1305525a447d6dce333f41 |
| SHA256 | a5a3f6625268b4ffa1101b0cc9dd8b5776348d3a72b71b0cfb5f237ffba3e797 |
| SHA512 | a99143a3b2e834ad715d01ae382910b94e43585a1125f69f79615842819d520adea71ca5dfd4b0e29b2008d2dbbdecb4fc9249262d3f8b8af5496ced66dd9352 |
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
| MD5 | aea6964efb6bfc8723f85e191c6db9b0 |
| SHA1 | f213e8ae0088838ae76d9d5841f9e9a2376c78a9 |
| SHA256 | 89a3e51a67ef4684952ab912be4e9fd379b4cf46991d6c17c6e59d34f6ec5eac |
| SHA512 | 84a8587ccc35cdb2392f2de20a7323bf626bfdef0cc1ba6957273921aa8336086edd58689fac446e342d3ecb9f0a00e7dd2dbb2e5de223a5b6a42e75d845ab8a |
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe.config
| MD5 | 928b8e104bc50973bad9150c577aaa64 |
| SHA1 | 33eb7ed6547d26bbb8dbb087a45baf41292d01d2 |
| SHA256 | b42eb2bb81f89946449c5b27315afec9c87070ac01a6d0d1df91bd9d46702629 |
| SHA512 | 3b8ac3ce5365b27c8156dfb1ccfeff4f8a0e3b10360c2e5639d3516f2b5aa3c2dc524ddbbd6e3d1941ae0d15f8867eb2e19a0df1c31d1872d25f7758c481cff2 |
C:\Program Files (x86)\PingPlotter 5\CoreLib.dll
| MD5 | 4f79b56c4bebf4683f731c2fa68126ce |
| SHA1 | be502d11260c83f3bdb67279f796b137094248b6 |
| SHA256 | 28130a2c33fd8ac4a915bd2a695b1160e61ad179136860675b42bbebc878bb63 |
| SHA512 | 3384c07d2378e87d9e7e85f5db6af6bbfe804b559057339b04fda64e744344255da4d309a75efed9ec3246afbb852d4b4dde9baa7d2a783230f25a56d5f6294f |
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Docking.Wpf.dll
| MD5 | b9d27fbdd161b1879aa1b5bf390b8114 |
| SHA1 | 1e9ffc3fcefc25581fd726087c74d257c713ffe4 |
| SHA256 | 3866414e85e128dd761a894b63befed29fded32788ab79087d0abc79335f17a4 |
| SHA512 | 4af0057663f74f65af501ec45bed8cc75e225395b1acbd318220cd97eb28123b3b7290c34b865129edc20255c6876c58c25308ae1a458a97f5df285f5a2444c6 |
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Editors.Wpf.dll
| MD5 | 6f0e2870c72222d5989e9842d7d9e275 |
| SHA1 | 9a847f1d5efe181c945c60bcfeeb43132db3f599 |
| SHA256 | b637f6e4c87ac32276f92c609ee71bb3d482b36d5516e383e5c52d8f615359e8 |
| SHA512 | ff99918d8a8510d70d250695a583deb91953f6db2abf2a71069a2d67932532977529d3a50ec012cd4547a03601cf8f5367592187768fe4d8aa5a80d8dacfda0d |
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.DataGrid.Contrib.Wpf.dll
| MD5 | 9c43eb18df357b00aaf31b6684e57a53 |
| SHA1 | 6de6fc5c23b5ef38eb2faab1eb643c3161c2e9f6 |
| SHA256 | abf2ec51aff791bee7580e77502a90b28aa034d2e729580e0d2b10d7ee296fd6 |
| SHA512 | fea50d9884aef63e24546d0947608fee8fb3aad6b0f8b5a02fdf5fead5564c2d8f16828fae1c182f1350b209a8a9b2e99201822957c36787b6ff36d266412309 |
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.SyntaxEditor.Wpf.dll
| MD5 | 855914201fde2285b71d87c05c4bbcc2 |
| SHA1 | 8bc1bdbb97c2775c0399e9d0e90a036f41357a4c |
| SHA256 | 580a06e4ff57218280a92877d2b5def390b563c86a16366882cfee5d30951bd6 |
| SHA512 | 7040fcb1fa29171f10e9a6400deae3283a078899eb21c969d9fde51136ab5002d2cc95ef9b37ea1647fd28c18df1f1776bd80d12b16703a9b15f2776d97b7fbb |
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.PropertyGrid.Wpf.dll
| MD5 | 3e50933e28b0ac08f7158e3a783f6bf4 |
| SHA1 | 2178728de734670785b749499e4cfda7e1e30f60 |
| SHA256 | 7d0ee0f0aad53788758a43ccf295cad4b8e6afae6815f2a2800033b29b81c14a |
| SHA512 | 3324d40fdc9a82915b8323f5386d00361bea8ae42aa79fc85b4d9d95a087fbadfc557d9f77e34938ef4fdc8b04d0e6a9f24bbfca6569d981cf404626fb2eb7f6 |
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll
| MD5 | 674447f18caace5e1163fb227e4cf08d |
| SHA1 | 62082108201e8be712cd52806a66503cf51fe714 |
| SHA256 | 56dfde9007145d5f6ed21730ecbb5ac04e7c6bc1370fb317acb0e29bffaf5c84 |
| SHA512 | 89fcdc36bd040a554a3bf8be205541914a00e0eed741eed066831d7564fa0f2ede717fb21d1e85e9503d9d262145d2fef837e37ed40087bb7386159fa5411bb8 |
C:\Program Files (x86)\PingPlotter 5\NGraphics.Net.dll
| MD5 | 50f77484e5ebbab4178d226457277f61 |
| SHA1 | f9ce26a5dac69bc620481e76ff4bcaa44610b4f1 |
| SHA256 | 76a4ee07ad63c27d6d95b9e0cc9a903563514e9b8fb51744646a19e00c3175a5 |
| SHA512 | f094291b6097608443d168d7cc5cd6a288f98f6bdb418e22d6f606ea2f54a6c6c166f13fedd827a79e8812d598e4fca1d59f50af17264f80e8dd3621856c77da |
C:\Program Files (x86)\PingPlotter 5\NGraphics.dll
| MD5 | 36896e5b8ff559857c870c8d60470d79 |
| SHA1 | 8abe9941ec44d19b2f079fa66c118d60ecd75141 |
| SHA256 | 57f963ae4825b02214ccae01276708613cdda30d74c50289972f4a16bea3d823 |
| SHA512 | ddbd19c34fe0b38958778cb8e01ec0daf22882a5db774f24d5fbaf3f18938f71f48b55d6b8ed1d31ac31086d416c65f3e410168c891295412a3d67cbbf781793 |
C:\Users\Admin\AppData\Local\Temp\n2qhommiz8.tmp
| MD5 | 1b216f3e50e7b10e4f9a580332235aa2 |
| SHA1 | f486de6fb2821060e16d756d166b1d906d62bb59 |
| SHA256 | 1be4125c593a76ddfa0fb3bfe1fc249c3f50f885604c363fa1f5b7c8672638d7 |
| SHA512 | 7cc997d977ddd93e54021f9eb54f64189cdb71b880e9a32f4ca2299aa924ef7abae74d1a2a313e7ccf4ab4ec84d2b01d2ee3f7ce12a71d1ada17866cdf95733d |
C:\Users\Admin\AppData\Local\Temp\n2qhommiz8.tmp
| MD5 | b06e1c396a21c7bce749e798470227a7 |
| SHA1 | a3c9952db8107f9d5c18cd6b07e41bc7a27f7c3e |
| SHA256 | 3e2c52e89065126effaeb0f5b2f01724625a5ba44b235ff87d50ac75862e918a |
| SHA512 | 6b11bd1517e22c6ab8fa97bd985b96ccf65af8dc0da7efb9e9ff35e528052771c3f5a69b5cfbe78139d76153a6c3e845d058fb34066c228aca51210713dc0d96 |
C:\Config.Msi\f76514d.rbs
| MD5 | e5d1920718c10f03a4b02289e3b01023 |
| SHA1 | 79a63df6763debd9a07e052d673bc1f362b70ae9 |
| SHA256 | 3b016dd38d6ed5c7694ed903c49b68f24e9a7aef3218d0678a42bfbf0434a985 |
| SHA512 | 2ef9f53acea4c839c36fc7e80d295fa0d1428d16013ea7ca43d9b5148509beaff83cef9330a9a9805f9cbf8324c514daceb03ad1fdc0d29c8b0750df235e1262 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-12 05:07
Reported
2024-06-12 05:11
Platform
win7-20240611-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-12 05:07
Reported
2024-06-12 05:11
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
53s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2484 wrote to memory of 4828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2484 wrote to memory of 4828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2484 wrote to memory of 4828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4828 -ip 4828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 612
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-12 05:07
Reported
2024-06-12 05:11
Platform
win7-20240611-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 220
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-12 05:07
Reported
2024-06-12 05:11
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3040 wrote to memory of 1916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 1916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 1916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1916 -ip 1916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.43:443 | | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-12 05:07
Reported
2024-06-12 05:11
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2628 wrote to memory of 3652 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2628 wrote to memory of 3652 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2628 wrote to memory of 3652 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\$_4_.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0EC4CF081FD576931736972B2923DDA6 C
Network
Files
C:\Users\Admin\AppData\Local\Temp\MSI8184.tmp
| MD5 | ca95f207ec70ba34b46c785f7bcb5570 |
| SHA1 | 25c0d45cb9f94892e2877033d06fe8909e5b9972 |
| SHA256 | 8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb |
| SHA512 | c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831 |
C:\Users\Admin\AppData\Local\Temp\MSI83AC.tmp
| MD5 | 5576bf4d22dc695564e49a68cbc98bc2 |
| SHA1 | 80e0e045162a65d84939e22a821ecbbbde3f31d6 |
| SHA256 | 20f76ffd846155a41633d75cb2e784e54f6ec77ca9ca9d52d9510c3e2e918801 |
| SHA512 | 4b952ce6ef08c86d8594fadd1069c3af39c3465314716dc7e7d9937befab8f4db5e4920a901920af4f937e5bb80ca02c33406d54cc766920b8ebba3855500972 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 05:07
Reported
2024-06-12 05:11
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
151s
Command Line
Signatures
Enumerates connected drives
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pingplotter_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pingplotter_install.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pingplotter_install.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2424 wrote to memory of 2356 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2424 wrote to memory of 2356 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2424 wrote to memory of 2356 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\pingplotter_install.exe
"C:\Users\Admin\AppData\Local\Temp\pingplotter_install.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5433BB223DBE34F3BCF9867FA22E4F0B C
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4756 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsm16A2.tmp\System.dll
| MD5 | ca332bb753b0775d5e806e236ddcec55 |
| SHA1 | f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f |
| SHA256 | df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d |
| SHA512 | 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00 |
C:\Users\Admin\AppData\Local\Temp\nsm16A2.tmp\DotNetChecker.dll
| MD5 | f18364fa5084add86c6e73e457404f18 |
| SHA1 | 6d87c4b9dbf78af88fddf0d4d5febe845c8e4e6a |
| SHA256 | 39c43d67f546fc898f7406d213b73dcb1bc30fc811ddfa3a02b6b50c29d11f91 |
| SHA512 | 716892492390fe4314f3289286f733d07b8b84de1f5af0676b26e68c0be01808682d35ad2bb9e9491247b7bb5a0ea297a6850e26de9baf88621c789206107db3 |
C:\Users\Admin\AppData\Local\Temp\MSI3391.tmp
| MD5 | ca95f207ec70ba34b46c785f7bcb5570 |
| SHA1 | 25c0d45cb9f94892e2877033d06fe8909e5b9972 |
| SHA256 | 8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb |
| SHA512 | c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831 |
C:\Users\Admin\AppData\Local\Temp\MSI39EF.tmp
| MD5 | 5576bf4d22dc695564e49a68cbc98bc2 |
| SHA1 | 80e0e045162a65d84939e22a821ecbbbde3f31d6 |
| SHA256 | 20f76ffd846155a41633d75cb2e784e54f6ec77ca9ca9d52d9510c3e2e918801 |
| SHA512 | 4b952ce6ef08c86d8594fadd1069c3af39c3465314716dc7e7d9937befab8f4db5e4920a901920af4f937e5bb80ca02c33406d54cc766920b8ebba3855500972 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-12 05:07
Reported
2024-06-12 05:11
Platform
win10v2004-20240611-en
Max time kernel
91s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3196 wrote to memory of 3028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3196 wrote to memory of 3028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3196 wrote to memory of 3028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3028 -ip 3028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.209:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |