Malware Analysis Report

2024-10-19 08:51

Sample ID 240724-lk7t3ssbmh
Target 6ee09985aad01926c5ec335e48c36950N.exe
SHA256 49a7d26eb8022c5edc59707b013f38d41ba8838f987e676f6385c3d46c7ab998
Tags
discovery strela stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral24, behavioral3, behavioral4, behavioral11, behavioral19, behavioral21, behavioral2, behavioral5, behavioral20, behavioral6, behavioral15, behavioral7, behavioral12, behavioral13, behavioral1, behavioral8, behavioral18, behavioral22, behavioral23, behavioral10, behavioral14, behavioral9, behavioral16, behavioral17
(each behavioral entry has: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

49a7d26eb8022c5edc59707b013f38d41ba8838f987e676f6385c3d46c7ab998

Threat Level: Known bad

The file 6ee09985aad01926c5ec335e48c36950N.exe was found to be: Known bad.

What supports the verdict on this page: the Strela signatures ("Detects Strela Stealer payload", "Strela family") fired in the static analysis and again in behavioral2, in both cases with no indicator, process or target listed. The detonation records themselves show an NSIS installer that drops a supportdotcom\rang application (ssrangsv.exe, ssrangui.exe, ssranghk.dll) under Program Files, stages a display-class driver package (ssmirrdr.sys, ssmirrdr.dll, ssmirrdr.inf with catalogs; the installer also touches C:\Windows\INF\c_display.PNF) through DrvInst.exe, and re-executes the dropped DLLs through rundll32. In the runs whose Network tables appear here (behavioral24, behavioral4) the only traffic is to Bing/Microsoft hosts plus reverse-DNS lookups against 8.8.8.8; behavioral2's Network table is not included. The signatures listed below are installer, driver-staging and discovery behaviours with no credential-access or exfiltration entries, so the family attribution rests on the static rule and should be confirmed against the dropped binaries before it is acted on.

Malicious Activity Summary

discovery strela stealer

Strela stealer

Detects Strela Stealer payload

Strela family

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Enumerates system info in registry

Modifies system certificate store

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-24 09:36

Signatures

Detects Strela Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Strela family

strela

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
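Both static signatures above ("Unsigned PE" and "NSIS installer") can be reproduced offline from the file's headers. The following Python is an added example written for this page, not tooling from the sandbox vendor or the sample's author: it reads the Authenticode security directory (data directory entry 4, whose VirtualAddress field is a raw file offset rather than an RVA) and scans for the NSIS first-header magic (0xDEADBEEF followed by "NullsoftInst"). The PE images it builds for itself are constructed test data, not the sample from this report.

```python
import struct
import sys
from typing import Tuple


def security_directory(pe: bytes) -> Tuple[int, int]:
    """Return (file_offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY (index 4).

    Unlike the other data directories this entry holds a file offset, not an
    RVA, so no section mapping is required. (0, 0) means no embedded signature.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:        # PE32
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:      # PE32+
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # The security entry sits at dd_off + 4*8; refuse to read past a short header.
    if size_of_optional < dd_off + 5 * 8:
        return (0, 0)
    if struct.unpack_from("<I", pe, opt + nrva_off)[0] <= 4:
        return (0, 0)
    off, size = struct.unpack_from("<II", pe, opt + dd_off + 4 * 8)
    return (off, size)


def has_embedded_signature(pe: bytes) -> bool:
    off, size = security_directory(pe)
    return size > 0 and off + size <= len(pe)


# NSIS first header: flags, 0xDEADBEEF (little-endian), then "NullsoftInst".
NSIS_FIRST_HEADER_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"


def looks_like_nsis(pe: bytes) -> bool:
    """NSIS keeps its script and payload in the overlay, introduced by the first header."""
    return NSIS_FIRST_HEADER_MAGIC in pe


def static_triage(pe: bytes) -> dict:
    """Mirror the report's two static signatures."""
    return {"unsigned_pe": not has_embedded_signature(pe),
            "nsis_installer": looks_like_nsis(pe)}


def build_test_pe32(overlay: bytes = b"", signature: bytes = b"") -> bytes:
    """Assemble a header-only PE32 image (constructed test data, not the sample)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + len(opt)
    if signature:
        # The WIN_CERTIFICATE blob goes after the overlay; the directory points at it.
        struct.pack_into("<II", opt, 96 + 4 * 8, headers_len + len(overlay), len(signature))
    return dos + b"PE\0\0" + coff + bytes(opt) + overlay + signature


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(static_triage(f.read()))
```

"Unsigned PE" here means no embedded Authenticode blob. Windows also accepts catalog signatures, and this installer ships catalogs for its driver (ssmirrdr-nt_amd64.cat, ssmirrdr-nt_x86.cat in the behavioral2 file drops), so validate the dropped driver files against their .cat before concluding they are unsigned.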

Analysis: behavioral24

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win10v2004-20240709-en

Max time kernel

104s

Max time network

107s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ssranghk.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4220 wrote to memory of 1584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4220 wrote to memory of 1584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4220 wrote to memory of 1584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ssranghk.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ssranghk.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win7-20240708-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$0.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2524 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2524 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2524 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2524 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2524 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2524 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2524 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win10v2004-20240709-en

Max time kernel

104s

Max time network

109s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$0.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 112 wrote to memory of 5064 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 112 wrote to memory of 5064 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 112 wrote to memory of 5064 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A
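The Network tables of behavioral24 and behavioral4 are dominated by PTR lookups to 8.8.8.8 and TLS to Bing hosts. A quick way to separate sandbox background from anything worth chasing is to reverse each in-addr.arpa name back to an address and check it against the connections the table actually lists. The Python below is an added example for this page, not part of the report or the vendor's tooling; it uses the behavioral4 table verbatim as sample input, and the BACKGROUND_SUFFIXES allowlist is an analyst assumption limited to the hosts that appear on this page.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# The behavioral4 "Network" table from this report, copied as sample input.
# Columns: country, destination, domain, protocol.
NETWORK_TABLE = """
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
"""

# Analyst assumption: hosts treated as OS/sandbox background. Only suffixes that
# occur in this report are listed; extend per environment.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net")


def ptr_to_ip(name: str) -> Optional[str]:
    """Turn '10.27.171.150.in-addr.arpa' back into '150.171.27.10'."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(table: str) -> List[Tuple[str, str, int, str, str]]:
    rows = []
    for line in table.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append((country, ip, int(port), domain, proto))
    return rows


def is_background(domain: str) -> bool:
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def triage_network(table: str) -> Dict[str, object]:
    rows = parse_rows(table)
    connections = []          # (ip, domain) for every non-DNS flow
    ptr_targets = set()       # addresses the host asked PTR records for
    queries = set()           # forward lookups
    for _, ip, port, domain, proto in rows:
        target = ptr_to_ip(domain)
        if port == 53 and target:
            ptr_targets.add(target)
        elif port == 53:
            queries.add(domain)
        else:
            connections.append((ip, domain))
    connected = {ip for ip, _ in connections}
    return {
        "connections": connections,
        "queries": sorted(queries),
        # Non-DNS flows to hosts outside the background list: the real review queue.
        "needs_review": sorted({(ip, d) for ip, d in connections if not is_background(d)}),
        # PTR lookups that correspond to a listed connection (here: 150.171.27.10).
        "ptr_for_connected": ptr_targets & connected,
        # PTR lookups with no matching connection in this table.
        "ptr_unmatched": sorted(ptr_targets - connected),
    }


if __name__ == "__main__":
    for key, value in triage_network(NETWORK_TABLE).items():
        print(f"{key}: {value}")
```

On the behavioral4 table the review queue is empty: the only connections go to tse1.mm.bing.net, and the PTR lookup for 150.171.27.10 is the reverse of that same destination. The ten remaining PTR lookups have no matching connection in the table, so they need to be attributed to a process before they count as anything; the table does not say which process issued them.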

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win7-20240708-en

Max time kernel

14s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\driverinst64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\driverinst64.exe

"C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\driverinst64.exe"

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win7-20240704-en

Max time kernel

13s

Max time network

19s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_x86\ssmirrdr.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_x86\ssmirrdr.sys

C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_x86\ssmirrdr.sys

C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_x86\ssmirrdr.sys

Network

N/A

Files

memory/2196-0-0x0000000000010000-0x0000000000017000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win7-20240708-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 224

Network

N/A

Files

N/A
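The behavioral24, behavioral3, behavioral4 and behavioral21 runs share one pattern: the 64-bit C:\Windows\system32\rundll32.exe loads a DLL from the user's Temp directory by ordinal (",#1") and then spawns C:\Windows\SysWOW64\rundll32.exe with the same command line, which is the WriteProcessMemory activity the report flags. The paths $0.dll, $PLUGINSDIR\System.dll and (in behavioral11) $COMMONFILES are NSIS variable names that were never expanded, consistent with the static "NSIS installer" tag. The Python below is an added example for this page, not detection content from the sandbox vendor: it turns those observations into findings over process records copied from this report plus one constructed benign control.

```python
import re
from typing import List, Optional

# Matches "rundll32.exe <dll>,<entry>" with or without quotes around the DLL path.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S+)', re.IGNORECASE)


def analyze(image: str, cmdline: str, parent_image: Optional[str]) -> List[str]:
    """Return the findings that apply to one process record (sorted for stable output)."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return []
    dll, entry = m.group("dll"), m.group("entry")
    low = dll.lower()
    base = low.rsplit("\\", 1)[-1]
    findings = []
    if "\\appdata\\local\\temp\\" in low:
        findings.append("user_temp_dll")            # DLL executed from a user temp directory
    if entry.startswith("#"):
        findings.append("ordinal_export")           # entry point by ordinal; export name not visible
    if base.startswith("$") or "\\$pluginsdir\\" in low:
        findings.append("nsis_runtime_artifact")    # unexpanded NSIS variables ($0, $PLUGINSDIR)
    if (parent_image
            and image.lower().endswith("\\syswow64\\rundll32.exe")
            and parent_image.lower().endswith("\\system32\\rundll32.exe")):
        findings.append("wow64_relaunch")           # 64-bit rundll32 re-ran itself as 32-bit: the DLL is 32-bit
    return sorted(findings)


# Process records copied from the behavioral24, behavioral3/4 and behavioral21 runs on this page
# (image, command line, parent image). The last record is a constructed benign control.
RECORDS = [
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ssranghk.dll,#1", None),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ssranghk.dll,#1",
     r"C:\Windows\system32\rundll32.exe"),
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$0.dll,#1", None),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1",
     r"C:\Windows\system32\rundll32.exe"),
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL", None),
]


def triage(records):
    return [(cmd, analyze(img, cmd, parent)) for img, cmd, parent in records]


if __name__ == "__main__":
    for cmd, findings in triage(RECORDS):
        print(", ".join(findings) or "-", "|", cmd)
```

The wow64_relaunch finding is informational on its own: rundll32 does this for any 32-bit DLL. It matters here because it identifies which of the two rundll32 processes actually hosts the DLL (the SysWOW64 one, which is also the process that opens the NLS\Language key and, in behavioral21, the one WerFault reports on), so memory or network evidence should be pulled from that child rather than the parent.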

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win10v2004-20240709-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe"

Signatures

Detects Strela Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Strela stealer

stealer strela

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\SETAC3E.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\drivers\ssmirrdr.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\drivers\SETAC3E.tmp C:\Windows\system32\DrvInst.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_f60e4a3bb7f7b95a\ssmirrdr-nt_amd64.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{01dd3742-a332-b248-a6ee-065c3e1788e0}\nt_amd64\SETAA69.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{01dd3742-a332-b248-a6ee-065c3e1788e0}\nt_amd64\SETAA79.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{01dd3742-a332-b248-a6ee-065c3e1788e0}\SETAA7A.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{01dd3742-a332-b248-a6ee-065c3e1788e0}\SETAA7B.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_f60e4a3bb7f7b95a\nt_amd64\ssmirrdr.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\SETAC3F.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{01dd3742-a332-b248-a6ee-065c3e1788e0}\SETAA7A.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{01dd3742-a332-b248-a6ee-065c3e1788e0}\ssmirrdr.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\T6V5CGVG.htm C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_f60e4a3bb7f7b95a\nt_amd64\ssmirrdr.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_f60e4a3bb7f7b95a\ssmirrdr.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{01dd3742-a332-b248-a6ee-065c3e1788e0}\nt_amd64\ssmirrdr.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{01dd3742-a332-b248-a6ee-065c3e1788e0}\nt_amd64\ssmirrdr.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\SETAC3F.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{01dd3742-a332-b248-a6ee-065c3e1788e0} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_f60e4a3bb7f7b95a\ssmirrdr.PNF C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{01dd3742-a332-b248-a6ee-065c3e1788e0}\ssmirrdr-nt_amd64.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{01dd3742-a332-b248-a6ee-065c3e1788e0}\nt_amd64\SETAA69.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{01dd3742-a332-b248-a6ee-065c3e1788e0}\SETAA7B.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\ssmirrdr.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\current_time_in_US-CA[1].aspx C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{01dd3742-a332-b248-a6ee-065c3e1788e0}\nt_amd64\SETAA79.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{01dd3742-a332-b248-a6ee-065c3e1788e0}\nt_amd64 C:\Windows\system32\DrvInst.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\supportdotcom\rang\nsiA838.tmp C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File opened for modification C:\Program Files (x86)\supportdotcom\rang\nsiA839.tmp C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[7-24-2024 - 9.36.44].log C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File opened for modification C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[7-24-2024 - 9.36.45].log C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\ssmirrdr-nt_x86.cat C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\ssmirrdr.inf C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_x86\ssmirrdr.sys C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_amd64\ssmirrdr.dll C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_amd64\ssmirrdr.sys C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File opened for modification C:\Program Files (x86)\supportdotcom\rang\nsoA8A8.tmp C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst.exe C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\ssmirrdr-nt_amd64.cat C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\supportdotcom\rang\uninst.exe C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_x86\ssmirrdr.dll C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\supportdotcom\rang\ssranghk.dll C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\supportdotcom\rang\ca-bundle.crt C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File opened for modification C:\Program Files (x86)\supportdotcom\rang\ C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\supportdotcom\rang\support.ico C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[7-24-2024 - 9.36.45].log C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\c_display.PNF C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
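The four "Drops file" tables above mix three different actors: the sample itself unpacking into Program Files, DrvInst.exe and svchost.exe staging the driver package on the installer's behalf (the SETxxxx.tmp files under System32\drivers and DriverStore are SetupAPI staging files, and oem3.inf is the published copy of ssmirrdr.inf), and the installed service ssrangsv.exe writing to the INetCache under C:\Windows\SysWOW64\config\systemprofile, which only happens to a process running under the LocalSystem profile that uses WinINet. The Python below is an added example for this page, not part of the report: it parses rows copied from the tables above (a subset, embedded as sample input), attributes each drop to its actor, and pulls out those three facts. SAMPLE and WINDOWS_COMPONENTS are the analyst's inputs, not values the report provides.

```python
import re
from collections import Counter
from typing import Dict, List

# Rows copied from the "Drops file in ..." tables of behavioral2 on this page (a subset).
DROP_ROWS = r"""
File created C:\Windows\System32\drivers\SETAC3E.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\drivers\ssmirrdr.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_f60e4a3bb7f7b95a\ssmirrdr-nt_amd64.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_f60e4a3bb7f7b95a\nt_amd64\ssmirrdr.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_f60e4a3bb7f7b95a\ssmirrdr.PNF C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\T6V5CGVG.htm C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\current_time_in_US-CA[1].aspx C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_amd64\ssmirrdr.sys C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\supportdotcom\rang\ssranghk.dll C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\supportdotcom\rang\ca-bundle.crt C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
"""

# Both the path and the process column contain spaces ("Program Files (x86)"), so
# split on the point where the process column starts with a drive letter.
ROW_RE = re.compile(
    r"^(?P<action>File created|File opened for modification) "
    r"(?P<path>.+?) (?P<process>[A-Za-z]:\\.+?) N/A$")

SAMPLE = "6ee09985aad01926c5ec335e48c36950N.exe"                 # analyst input: the submitted file
WINDOWS_COMPONENTS = {"drvinst.exe", "svchost.exe", "dwm.exe"}   # analyst input: act on the installer's behalf
SYSTEM_PROFILE_CACHE = r"\config\systemprofile\appdata\local\microsoft\windows\inetcache"


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def parse_rows(text: str) -> List[Dict[str, str]]:
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groupdict())
    return rows


def summarize(rows: List[Dict[str, str]]) -> Dict[str, object]:
    by_process = Counter(basename(r["process"]).lower() for r in rows)
    # Files that ended up in the driver store: what the system will load later.
    driver_store = sorted({basename(r["path"]) for r in rows
                           if "\\driverstore\\filerepository\\" in r["path"].lower()})
    # Non-Windows processes writing the SYSTEM profile's WinINet cache: a service
    # running as LocalSystem made HTTP requests, and these are the cached responses.
    system_profile_http: Dict[str, List[str]] = {}
    for r in rows:
        proc = basename(r["process"]).lower()
        if SYSTEM_PROFILE_CACHE in r["path"].lower() and proc not in WINDOWS_COMPONENTS:
            system_profile_http.setdefault(proc, []).append(basename(r["path"]))
    dropped_by_sample = sorted(basename(r["path"]) for r in rows
                               if r["action"] == "File created"
                               and basename(r["process"]) == SAMPLE)
    return {
        "by_process": by_process,
        "driver_store_files": driver_store,
        "system_profile_http": system_profile_http,
        "dropped_by_sample": dropped_by_sample,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(DROP_ROWS)).items():
        print(f"{key}: {value}")
```

Two things this surfaces that the tables do not state outright: the cached response names (current_time_in_US-CA[1].aspx, T6V5CGVG.htm) are the only evidence on this page that ssrangsv.exe reached the network, because behavioral2's Network table is not included; and the driver files worth verifying against the shipped catalog are the copies in DriverStore\FileRepository, not the ones under Program Files, since that is where the system loads them from.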

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\Desktop\ScreenSaveActive = "0" C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\Desktop\ScreenSaveTimeOut = "0" C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation = "0" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT AUTHOR\OLESCRIPT C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLEScript C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cdx C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed} C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c733e4af-576e-11d0-b28c-00c04fd7cd22}\ = "Thread NotificationMgr" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\local\CLSID = "{79eac9e7-baf9-11ce-8c82-00aa004ba90b}" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\cdl\CLSID = "{3dd53d40-7b8b-11D0-b013-00aa0059ce02}" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\OLEScript C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\InprocServer32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode\CLSID C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\local C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79eac9f2-baf9-11ce-8c82-00aa004ba90b} C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0968e258-16c7-4dba-aa86-462dd61e31a3}\InprocServer32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6} C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\InprocServer32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT AUTHOR\OLESCRIPT C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\HTMLFILE\SCRIPTHOSTENCODE C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79eac9e7-baf9-11ce-8c82-00aa004ba90b} C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58} C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\https\ = "https: Asychronous Pluggable Protocol Handler" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT\CLSID C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\OLEScript C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language Authoring" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\OLESCRIPT C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79eac9e2-baf9-11ce-8c82-00aa004ba90b}\InprocServer32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 Author C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3 Author C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Version C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT\OLESCRIPT C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLEScript C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79eac9e5-baf9-11ce-8c82-00aa004ba90b}\InprocServer32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\file\ = "file:, local: Asychronous Pluggable Protocol Handler" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe
PID 2240 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe
PID 2240 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
PID 2240 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
PID 2240 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
PID 3776 wrote to memory of 4396 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3776 wrote to memory of 4396 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3776 wrote to memory of 1068 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3776 wrote to memory of 1068 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2240 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
PID 2240 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
PID 2240 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
PID 2500 wrote to memory of 4448 N/A C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe
PID 2500 wrote to memory of 4448 N/A C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe
PID 2500 wrote to memory of 4448 N/A C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe
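
The signature tables above bury a few rows worth a reviewer's attention (WinINet revocation checking switched off for the SYSTEM profile, SeLoadDriverPrivilege being enabled ahead of a kernel driver install, the screen saver forced off, a COM InprocServer32 path rewritten under HKLM) among hundreds of rows of ordinary Windows housekeeping. The helper below is an added example written for this page; it is not part of the report or of the sandbox's own tooling. It parses rows in the report's `Description Indicator Process Target` layout and escalates the ones to look at first. The rule set and severities are my own assumptions about what matters, and the sample rows are copied from the tables above.

```python
"""Triage helper for the signature tables printed in this report, whose rows
have the shape '<Description> <Indicator> <Process> <Target>'.

Added example; not part of the report or of the sandbox vendor's tooling.
The sample rows are copied from the tables above; the rule set is my own
choice of what to escalate (an assumption), not the sandbox's logic.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Rows copied from the signature tables above (a constructed subset that mixes
# high-signal and benign rows so the filter has something to discard).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation = "0" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\Desktop\ScreenSaveActive = "0" C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A',
    r'Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A',
    r'Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A',
    r'PID 2240 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe',
    r'Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A',
]

# The description column comes from a fixed vocabulary. The process column is
# the first drive-letter path ending in .exe that contains no quote character,
# which keeps a quoted path inside a registry value (see the jscript.dll row)
# from being mistaken for the process.
ROW_RE = re.compile(
    r'^(?P<desc>Key opened|Key created|Key deleted|Key value queried|'
    r'Set value \([a-z]+\)|Token:|PID \d+ wrote to memory of \d+)\s+'
    r'(?P<ind>.*?)\s+'
    r'(?P<proc>[A-Z]:\\[^"]*?\.exe)\s+'
    r'(?P<target>N/A|[A-Z]:\\.*)$'
)


@dataclass(frozen=True)
class Event:
    description: str
    indicator: str
    process: str
    target: str


def parse_row(row: str) -> Optional[Event]:
    """Parse one table row; returns None for headings and blank lines."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    # Token and PID rows carry an 'N/A' placeholder in the indicator column.
    ind = re.sub(r'(^|\s)N/A$', '', m['ind']).strip()
    return Event(m['desc'], ind, m['proc'], m['target'])


def _value_is(event: Event, name: str, value: str) -> bool:
    """True when a 'Set value' row writes <value> to a value named <name>."""
    return (event.description.startswith('Set value')
            and event.indicator.lower().endswith(f'\\{name.lower()} = "{value}"'))


# (severity, rule name, predicate). Severities are my own ranking.
RULES = [
    ('high', 'WinINet certificate revocation checking disabled',
     lambda e: _value_is(e, 'CertificateRevocation', '0')),
    ('high', 'SeLoadDriverPrivilege enabled (kernel driver load ahead)',
     lambda e: e.description == 'Token:' and e.indicator == 'SeLoadDriverPrivilege'),
    ('medium', 'screen saver / lock disabled',
     lambda e: _value_is(e, 'ScreenSaveActive', '0')),
    ('medium', 'COM InprocServer32 path written under HKLM (check which DLL now backs the CLSID)',
     lambda e: e.description.startswith('Set value')
     and '\\inprocserver32\\' in e.indicator.lower()),
    # A parent writes into every child it creates, so this is only a lead.
    ('low', 'cross-process memory write',
     lambda e: e.description.startswith('PID') and e.target != 'N/A'),
]


def triage(rows):
    """Return (severity, rule, process, indicator) for every matching row."""
    hits = []
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            continue
        for severity, name, pred in RULES:
            if pred(ev):
                hits.append((severity, name, ev.process, ev.indicator))
    return hits


def processes_by_severity(hits, severity):
    """Distinct processes that triggered at least one rule of the given severity."""
    return sorted({proc for sev, _, proc, _ in hits if sev == severity})


if __name__ == '__main__':
    for sev, name, proc, ind in triage(SAMPLE_ROWS):
        print(f'[{sev:6}] {name}: {proc}\n         {ind}')
```

Run it as a script to print the hits, or pass `triage()` the rows of any other behavioral analysis on this page. The cross-process write rule is deliberately low severity: the sandbox logs a WriteProcessMemory whenever a parent launches a child, and the PID 2240 rows above target exactly the executables the installer spawned, so they read as process creation; the process tree, not this rule, decides whether anything was injected.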

Processes

C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe

"C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe"

C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe

"C:\Program Files (x86)\Common Files\supportdotcom\rang/driverinst64.exe" /Install

C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe

"C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /setup

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{a9681305-690b-8645-8931-02c9e7b027a5}\ssmirrdr.inf" "9" "47bd61347" "00000000000000E8" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\common files\supportdotcom\rang"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\SSMIRR_DRIVER\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:10ef38c379e44436:ssmirrdr:2.0.0.0:ssmirr_driver," "47bd61347" "00000000000000E8"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe

"C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /regserver /start

C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe

"C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" -service "-provider" "supportdotcom"

C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe

"ssrangui.exe" -start -ec 1 2764248246 -agentFriendlyName 'ATS Agent'

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 www.google.com udp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 www.worldtimeserver.com udp
CA 54.39.158.232:80 www.worldtimeserver.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 167.57.26.184.in-addr.arpa udp
US 8.8.8.8:53 76.27.18.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 csc3-2009-2-crl.verisign.com udp
CA 54.39.158.232:443 www.worldtimeserver.com tcp
US 8.8.8.8:53 232.158.39.54.in-addr.arpa udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
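
Most rows in the network table above are the detonation host talking to itself: reverse-DNS lookups of Microsoft address space, Bing tile fetches, and the sandbox's resolver. The rows that describe the sample are the repeated lookups of advancedtech-rang.support.com (which never appears with a TCP socket in this table), the time check against www.worldtimeserver.com on ports 80 and 443, and a VeriSign code-signing CRL fetch that is most likely Windows validating a signature rather than anything the sample chose. The helper below is an added example, not part of the report or of the sandbox vendor's tooling; it parses rows in the report's `Country Destination Domain Proto` layout, discards the noise, and separates PKI endpoints from hosts the sample actually reached. The noise suffix list and the classification rules are my assumptions, and the rows are a subset copied from the table above.

```python
"""Separate sample-driven network activity from sandbox background noise in a
'<Country> <Destination> <Domain> <Proto>' table like the one above.

Added example; not part of the report or of the sandbox vendor's tooling.
The rows are copied from the table above; the noise list and the PKI
heuristic are my own assumptions about what a detonation host produces
regardless of the sample.
"""
import re

# Rows copied from the table above (a constructed subset; the header line is
# included to show that non-data rows are skipped).
SAMPLE_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 www.google.com udp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 www.worldtimeserver.com udp
CA 54.39.158.232:80 www.worldtimeserver.com tcp
US 8.8.8.8:53 csc3-2009-2-crl.verisign.com udp
CA 54.39.158.232:443 www.worldtimeserver.com tcp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 advancedtech-rang.support.com udp
""".strip().splitlines()

ROW_RE = re.compile(
    r'^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+'
    r'(?P<domain>\S+)\s+(?P<proto>tcp|udp)$'
)

# Assumption: traffic a Windows detonation host generates on its own.
NOISE_SUFFIXES = ('.in-addr.arpa', '.bing.com', '.bing.net', '.microsoft.com',
                  '.msftconnecttest.com', '.windowsupdate.com')
# CRL/OCSP distribution points are contacted by CryptoAPI when a signature is
# checked, so they are attributed to Windows rather than to the sample.
PKI_RE = re.compile(r'(^|[.-])(crl|ocsp|pki)\d*([.-]|$)')


def classify(domain: str) -> str:
    """'noise', 'pki', or 'contacted' (a host the sample itself asked for)."""
    d = domain.lower()
    if d.endswith(NOISE_SUFFIXES):
        return 'noise'
    if PKI_RE.search(d):
        return 'pki'
    return 'contacted'


def summarize(rows):
    """Map each non-noise domain to its DNS query count and the sockets opened."""
    summary = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue  # header or blank line
        kind = classify(m['domain'])
        if kind == 'noise':
            continue
        entry = summary.setdefault(
            m['domain'], {'kind': kind, 'dns_queries': 0, 'connections': set()})
        if m['port'] == '53' and m['proto'] == 'udp':
            entry['dns_queries'] += 1
        else:
            entry['connections'].add(f"{m['ip']}:{m['port']}/{m['proto']}")
    return summary


def beacon_candidates(summary, min_queries=3):
    """Domains resolved repeatedly but never seen with a socket in the table.
    A lead, not a finding: the sandbox may not have logged the connection, or
    the agent may simply have failed to reach its backend."""
    return sorted(d for d, e in summary.items()
                  if e['kind'] == 'contacted'
                  and e['dns_queries'] >= min_queries
                  and not e['connections'])


if __name__ == '__main__':
    s = summarize(SAMPLE_ROWS)
    for domain, e in sorted(s.items()):
        print(f"{e['kind']:9} {domain}: {e['dns_queries']} DNS, {sorted(e['connections'])}")
    print('resolved but never connected:', beacon_candidates(s))
```

`beacon_candidates()` returns domains that were resolved repeatedly but never appear with a TCP socket; for this detonation that is the support.com host. Confirm against the pcap before treating it as a command channel, since a missing socket can mean the connection was not captured, not that it never happened.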

Files

C:\Users\Admin\AppData\Local\Temp\nsdA818.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe

MD5 38377a28f213b6bb042e60e4b457f516
SHA1 0499b92faa65cd1d00640715c998d2500ff4eebc
SHA256 ca67f164a2ee8be79fb156ac3cdbc154ea8a761bf49e88197c4c07a3a325a2a9
SHA512 e522e4a4157849612017af61b8e6db94c67503872a76fdfa1e342908f9292f296e7e462b8bf02155028e10e1860288bc5acb5490fa7b3136b19d6b8b68fe3319

C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe

MD5 8e1f07c8ec91b5c63eccd0c6cb00a027
SHA1 89afb7d39ed1935f25f8c43b60ab2fdcba58447f
SHA256 d82c089a395db0691c1c845b68c1b1743de8985feb47ec5e03f0db80a5c1b195
SHA512 138f90453e58a34f53cbd7d1700fbc9377c4d67f55119df5198d5575a1ab07e2d00e51562c14d9f8f8120169f2d977948a06cb600ba16c5d53e141b76e39f497

\??\c:\program files (x86)\common files\supportdotcom\rang\ssmirrdr.inf

MD5 6c4423d9cb9921a25de76b2d9f390f74
SHA1 5abdfd7b7d0e454a6ac117c90077b3379e48d666
SHA256 3cb8307e59f4483ec329cd2b92690a877eb4b3a0c3633c9e012a4f8aac249c82
SHA512 9f28e9a824e0983e180bcefdd347ee145c406e920f660622e34bedf5c3b7e7cd083c3f60528f135e341621248a53ad16cca5ebbb6c8b66af166304ab8b94628c

\??\c:\program files (x86)\common files\supportdotcom\rang\ssmirrdr-nt_amd64.cat

MD5 31f007d8f2de5e945dc2e2234628bc37
SHA1 76fb2cd66c869bae25589298a971b458bd06c18e
SHA256 a179d2176962ff702eb57417f931deb3e8c9f2cfb61311d767b243e111b83973
SHA512 170e8ac2cb4decb9fe07f8811c58155c377fc20af3748bcc33cdb203a2780c749f0cc721ba293874ecab1e0423682679ff7a1bccc26caa185af279796112dc18

\??\c:\PROGRA~2\COMMON~1\SUPPOR~1\rang\nt_amd64\ssmirrdr.dll

MD5 28b26600204f79045eda8f7fd8ca3c86
SHA1 b9f19e36b80eb862370d99b466664380440af6d5
SHA256 5140f07b878efd1b74ee9f5821a207d1cee65952702ff75c49a4522face230c6
SHA512 aebd4425b846883e1f49da18edf3b7c96a9fb9ddb7ce709938b21eae169bdaeb5ce6bf8593638b5c887b26de7476b793a4691a7d56e46796bb658f1e516ad3c1

\??\c:\PROGRA~2\COMMON~1\SUPPOR~1\rang\nt_amd64\ssmirrdr.sys

MD5 1100066057fbf612b573efd3b21383f1
SHA1 f95db83ea936f1fe70583a4eca810da807167dfe
SHA256 894f5a999e03807dffea67938d2e456d50d9e5511fe91d2e2293c51d98b3d87d
SHA512 62850de88b00daeab3299fec2bbd9aa0b07f766b96f42392310cb4f23c9e50f0aa8bc87f82e28cd99c195ea205a26c083d048cbac3341861dcee4a5eabb9dea8

C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[7-24-2024 - 9.36.45].log

MD5 3d44744f7dda4a094b90cff3440b459b
SHA1 aa82d2021cf8dd5c209d8b6b230bfd1e85d16682
SHA256 5f8ae2ce6ea6355614c263ea5ff63a797a3201decddd39671c67e51057f618ea
SHA512 74ac16a4fbb3f45f8fe55c7abd0fb0ac1af0b33cbe29052ae5ae55ca0c9a8c6e2a6cd8d2940076ca71458660bf3722cc422b5b1324b19a08fe1c1f07e77f9f66

C:\Program Files (x86)\supportdotcom\rang\ca-bundle.crt

MD5 478f2561ec0658265a01993e00ee89f2
SHA1 3845dc7fd32fb08600ebd5902bc1bd7e7bfa63a1
SHA256 d42fa29fd8a06ea428d041a26d4e6831bbf8538f83032e922287832c39b06b86
SHA512 82636f4317d561a38134f919d6197abbeea56c2a2c750350148b54fb5b864babd8711876d6e322ffdd12489305ca96b9d209335998b922d2c9e4f198ae84f470

C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe

MD5 69d7734b204b81b646d0f8576e7dc8d6
SHA1 a37786dcab45c963d44a135db52b21177847508b
SHA256 24316fd026bcf76caa990e27e3dfd38126fa5b71763fa576ccab43cba6eafb2e
SHA512 0d93c3b9f664c36af3568484352aa09925cf04f9ccdf07bf7a1c7dbd791cbb98b8c18043c8220fce0c9b3defab90586a86d2cddf225980518a3b9e854026c79d

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win7-20240705-en

Max time kernel

16s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$2.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$2.exe

"C:\Users\Admin\AppData\Local\Temp\$2.exe"

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win10v2004-20240709-en

Max time kernel

112s

Max time network

114s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_x86\ssmirrdr.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_x86\ssmirrdr.sys

C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_x86\ssmirrdr.sys

C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_x86\ssmirrdr.sys

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          73.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53          196.249.167.52.in-addr.arpa   udp
US       8.8.8.8:53          205.47.74.20.in-addr.arpa     udp
US       8.8.8.8:53          13.86.106.20.in-addr.arpa     udp
US       8.8.8.8:53          86.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53          206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53          81.144.22.2.in-addr.arpa      udp
US       8.8.8.8:53          57.169.31.20.in-addr.arpa     udp
US       8.8.8.8:53          19.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53          tse1.mm.bing.net              udp
US       150.171.28.10:443   tse1.mm.bing.net              tcp
US       150.171.28.10:443   tse1.mm.bing.net              tcp
US       150.171.28.10:443   tse1.mm.bing.net              tcp
US       150.171.28.10:443   tse1.mm.bing.net              tcp
US       150.171.28.10:443   tse1.mm.bing.net              tcp

Files

memory/1892-0-0x0000000000010000-0x0000000000017000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win10v2004-20240709-en

Max time kernel

94s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$2.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$2.exe

"C:\Users\Admin\AppData\Local\Temp\$2.exe"

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53          g.bing.com                    udp
US       204.79.197.237:443  g.bing.com                    tcp
US       8.8.8.8:53          13.86.106.20.in-addr.arpa     udp
US       8.8.8.8:53          2.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53          55.36.223.20.in-addr.arpa     udp
US       8.8.8.8:53          237.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53          209.205.72.20.in-addr.arpa    udp
US       8.8.8.8:53          104.219.191.52.in-addr.arpa   udp
US       8.8.8.8:53          183.59.114.20.in-addr.arpa    udp
US       8.8.8.8:53          tse1.mm.bing.net              udp
US       150.171.28.10:443   tse1.mm.bing.net              tcp
US       150.171.28.10:443   tse1.mm.bing.net              tcp
US       150.171.28.10:443   tse1.mm.bing.net              tcp
US       150.171.28.10:443   tse1.mm.bing.net              tcp
US       150.171.28.10:443   tse1.mm.bing.net              tcp
US       8.8.8.8:53          206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53          50.23.12.20.in-addr.arpa      udp
US       8.8.8.8:53          24.139.73.23.in-addr.arpa     udp
US       8.8.8.8:53          22.236.111.52.in-addr.arpa    udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win7-20240705-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_amd64\ssmirrdr.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_amd64\ssmirrdr.sys

C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_amd64\ssmirrdr.sys

C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_amd64\ssmirrdr.sys

Network

N/A

Files

memory/2408-0-0x0000000000010000-0x0000000000017000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win7-20240704-en

Max time kernel

12s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$3.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$3.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaveActive = "0" C:\Users\Admin\AppData\Local\Temp\$3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaveTimeOut = "0" C:\Users\Admin\AppData\Local\Temp\$3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$3.exe

"C:\Users\Admin\AppData\Local\Temp\$3.exe"

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win10v2004-20240709-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\driverinst64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\driverinst64.exe

"C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\driverinst64.exe"

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          g.bing.com                    udp
US       204.79.197.237:443  g.bing.com                    tcp
US       8.8.8.8:53          69.31.126.40.in-addr.arpa     udp
US       8.8.8.8:53          237.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53          209.205.72.20.in-addr.arpa    udp
US       8.8.8.8:53          241.150.49.20.in-addr.arpa    udp
US       8.8.8.8:53          183.59.114.20.in-addr.arpa    udp
US       8.8.8.8:53          15.164.165.52.in-addr.arpa    udp
US       8.8.8.8:53          50.23.12.20.in-addr.arpa      udp
US       8.8.8.8:53          73.144.22.2.in-addr.arpa      udp
US       8.8.8.8:53          55.36.223.20.in-addr.arpa     udp
US       8.8.8.8:53          19.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53          tse1.mm.bing.net              udp
US       150.171.28.10:443   tse1.mm.bing.net              tcp
US       150.171.28.10:443   tse1.mm.bing.net              tcp
US       150.171.28.10:443   tse1.mm.bing.net              tcp
US       150.171.28.10:443   tse1.mm.bing.net              tcp
US       150.171.28.10:443   tse1.mm.bing.net              tcp
US       8.8.8.8:53          138.201.86.20.in-addr.arpa    udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win7-20240708-en

Max time kernel

119s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_amd64\ssmirrdr.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_amd64\ssmirrdr.dll,#1

Network

N/A

Files

memory/2632-2-0x0000000000190000-0x000000000019C000-memory.dmp

memory/2632-1-0x0000000000100000-0x000000000010C000-memory.dmp

memory/2632-0-0x0000000000100000-0x000000000010C000-memory.dmp

memory/2632-3-0x0000000001E70000-0x0000000002180000-memory.dmp

memory/2632-6-0x000007FF70450000-0x000007FF7045A000-memory.dmp

memory/2632-7-0x00000000001A0000-0x00000000001FE000-memory.dmp

memory/2632-10-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2632-9-0x0000000000100000-0x000000000010C000-memory.dmp

memory/2632-8-0x000007FF404C0000-0x000007FF40580000-memory.dmp

memory/2632-5-0x000007FF346C0000-0x000007FF34709000-memory.dmp

memory/2632-4-0x000007FF709E0000-0x000007FF709F4000-memory.dmp

memory/2632-11-0x0000000000190000-0x0000000000192000-memory.dmp

memory/2632-12-0x0000000001E70000-0x0000000002180000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win7-20240704-en

Max time kernel

116s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe"

Signatures

Detects Strela Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Strela stealer

stealer strela

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\SETB49F.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRIVERS\SETB49F.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\ssmirrdr.sys C:\Windows\system32\DrvInst.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\nt_amd64\SETB137.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_neutral_f60e4a3bb7f7b95a\ssmirrdr.PNF C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\nt_amd64 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstrng.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\current_time_in_US-CA[1].aspx C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstrng.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstor.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
File opened for modification C:\Windows\system32\ssmirrdr.dll C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\AI1Y3MY4.txt C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\ssmirrdr-nt_amd64.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infpub.dat C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
File created C:\Windows\system32\SETB56B.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\current_time_in_US-CA[1].htm C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_neutral_f60e4a3bb7f7b95a\ssmirrdr.PNF C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\INFCACHE.0 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infpub.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\AI1Y3MY4.txt C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\SETB138.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\SETB138.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\nt_amd64\SETB126.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\nt_amd64\SETB126.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\ssmirrdr.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infpub.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\SETB56B.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\nt_amd64\ssmirrdr.dll C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\nt_amd64\SETB137.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\nt_amd64\ssmirrdr.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\SETB148.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\SETB148.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstrng.dat C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\supportdotcom\rang\ca-bundle.crt C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File opened for modification C:\Program Files (x86)\supportdotcom\rang\ C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\ssmirrdr-nt_amd64.cat C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\ssmirrdr-nt_x86.cat C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\ssmirrdr.inf C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_amd64\ssmirrdr.sys C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File opened for modification C:\Program Files (x86)\supportdotcom\rang\nsjADC0.tmp C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\supportdotcom\rang\support.ico C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[7-24-2024 - 9.36.42].log C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_x86\ssmirrdr.sys C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\supportdotcom\rang\uninst.exe C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File opened for modification C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[7-24-2024 - 9.36.46].log C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_amd64\ssmirrdr.dll C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_x86\ssmirrdr.dll C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File opened for modification C:\Program Files (x86)\supportdotcom\rang\nsjAE0F.tmp C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst.exe C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File opened for modification C:\Program Files (x86)\supportdotcom\rang\nsjADBF.tmp C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\supportdotcom\rang\ssranghk.dll C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
File created C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[7-24-2024 - 9.36.46].log C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev2 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\setuperr.log C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem2.PNF C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\oem2.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\setuperr.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\setupact.log C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
File created C:\Windows\INF\oem2.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\setupact.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveActive = "0" C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "0" C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5C4E294B-3230-4770-91C3-CA402A02B996}\WpadDecisionTime = 60d12839adddda01 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5C4E294B-3230-4770-91C3-CA402A02B996}\WpadDecisionTime = c0270d26adddda01 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-37-78-c7-56-a8\WpadDecisionTime = 60d12839adddda01 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0195000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-37-78-c7-56-a8\WpadDecisionTime = 601b4302adddda01 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5C4E294B-3230-4770-91C3-CA402A02B996}\WpadDecisionReason = "1" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-37-78-c7-56-a8\WpadDecisionTime = 60763014adddda01 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0195000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0195000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5C4E294B-3230-4770-91C3-CA402A02B996}\WpadDecisionTime = 60763014adddda01 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5C4E294B-3230-4770-91C3-CA402A02B996}\WpadNetworkName = "Network 3" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10645F09-C446-4AA9-A691-5AB96783DCA2}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D92995F8-CF5E-4A76-BF59-EAD39EA2B97E}\NumMethods\ = "7" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C7EAD52-8023-4936-A4DB-D2A9A99E436A}\ProxyStubClsid32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\ProgID C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{012DD920-7B26-11D0-8CA9-00A0C92DBFE8}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7CC7AED8-290E-49BC-8945-C1401CC9306C}\ = "INameSpaceTreeControl2" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E621D2B-5A4C-450C-8B78-C7F52C1F1D9B}\ProxyStubClsid32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{52BBC746-9F9C-44B4-8D7C-0AAAB79BC7DC}\NumMethods\ = "6" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1DEECAB6-1CFF-4923-9A53-BC2C5D199544}\ = "ICDBurnGlobalSettingsDialog" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D57C7288-D4AD-4768-BE02-9D969532D960} C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{215913CC-57EB-4FAB-AB5A-E5FA7BEA2A6C}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB481469-2D98-42D2-9DDF-9161E8BD44B1}\NumMethods\ = "12" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A530E6D3-0EA0-4B6D-AF89-FBA0944D1A10}\ProxyStubClsid32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30176CFE-6F36-4EA4-BE65-A4B728FECE39}\NumMethods\ = "6" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7A2DA3F-4CDA-4FEA-A907-DC6C32B8C3B5}\ProxyStubClsid32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BFDDEB8-130E-41D1-8E6E-670E469DC9CD}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FFFA805B-896A-41FF-9FE0-840DA6476686}\ProxyStubClsid32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B0120C9-73AB-4249-91E0-CA3E61924B7F}\NumMethods\ = "12" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{88E39E80-3578-11CF-AE69-08002B2E1262}\NumMethods\ = "20" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{42C9F529-AC7B-45D3-A320-C2F23F250B94}\ProxyStubClsid32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE812157-522C-46CB-8D53-6EFE3DCE2C46} C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{52B14A6A-58F1-45BD-B00A-DCE7403D951E}\NumMethods\ = "4" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50A87BAA-5F79-4C31-B6B3-28F6F2D097E6} C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6BC63938-8254-4965-9680-565933185060} C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E1AF054-83A6-47FC-AB27-A58AE8D9C705}\NumMethods\ = "13" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4623BD61-5603-444F-824A-AAEBCEED93FA}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2660212B-070F-40D3-AFC1-1EC7DF0A995D}\ = "IMultiComplete" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DFC60FB-F2E9-459B-BEB5-288F1A7C7D54}\ProxyStubClsid32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E982FED-D14B-440C-B8D6-BB386453D386}\ = "IIdentityAdvise" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B155F51-7593-4458-B3BC-B196A750C014} C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DA22171F-70B4-43DB-B38F-296741D1494C}\NumMethods C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{504B27AA-001F-4179-9AD0-663A37C317A9}\NumMethods C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{18140CBD-AA23-4384-A38D-6A8D3E2BE505}\ = "IBrowserProgressSessionProvider" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{240A7174-D653-4A1D-A6D3-D4943CFBFE3D} C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD9617E6-E67F-4F7B-8B64-11B05F507868}\ = "IRelocateFolderInNamespace" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A561E69A-B4B8-4113-91A5-64C6BCCA3430}\ProxyStubClsid32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{36DF1A3D-973D-4956-B55A-47DE453E8103}\ = "IElevatedFactoryServerManager" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B353825-C58B-4F03-AEC4-8DE179122661}\ProxyStubClsid32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CB072FAA-CF74-45AB-AFB0-FE3D89FFDD94}\NumMethods C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C204249-C443-4BA4-85ED-C972681DB137}\NumMethods\ = "8" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\PROGID C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CAFEC873-94B2-47A4-AA4A-6A54F2DF865D}\NumMethods C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4EEA50C7-78D0-47C2-B585-3B7C026CCC15}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7FD9502-BE0C-4464-90A1-2B5277031232}\ = "ISyncMgrSyncItemInfo" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{241C033E-E659-43DA-AA4D-4086DBC4758D}\ = "ITravelLogClient" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLESCRIPT C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1823E7BA-EC36-447A-9B2E-B4912E15AFE7}\NumMethods C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1DB8392-7331-11D0-8C99-00A0C92DBFE8} C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DC2601D7-059E-42FC-A09D-2AFD21B6D5F7} C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59007C49-CB25-4BD5-AAD9-6943F08F4F9E}\ = "IMediaTranscoder" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9838AAB6-32FD-455A-823D-83CFE06E4D48}\ProxyStubClsid32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E621D2B-5A4C-450C-8B78-C7F52C1F1D9B}\NumMethods C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{18140CBD-AA23-4384-A38D-6A8D3E2BE505}\ProxyStubClsid32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{709A7BE5-63F9-4568-A1EE-2F4C4A38978E}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DC2601D7-059E-42FC-A09D-2AFD21B6D5F7}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86187C37-E662-4D1E-A122-7478676D7E6E}\NumMethods\ = "19" C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AF3A467-214F-4298-908E-06B03E0B39F9}\ProxyStubClsid32 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe N/A
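The Blob value above is the raw CryptoAPI serialized certificate context that Windows writes under SystemCertificates\<store>\Certificates\<SHA-1 thumbprint>\Blob: a run of property records, each DWORD PropertyId, DWORD Reserved (1), DWORD Length, then Length bytes of data, all little-endian. Property 32 is the DER certificate itself; in this blob its length field 6f050000 (1391 bytes) agrees with the DER header 3082056b (0x56b + 4 = 1391), the property-3 hash equals the key name CABD2A79A1076A31F21D253635CB039D4329A5E8, and the DER decodes to C=US, O=Internet Security Research Group, CN=ISRG Root X1, valid 2015-06-04 to 2035-06-04: the Let's Encrypt root, added to the machine root store by ssrangsv.exe alongside the ca-bundle.crt it drops. The signature's "evasion spyware trojan" tags say nothing about which root was added; decoding the blob and comparing the thumbprint against a known-good root list does. The Python below is an added example, not part of the report or of the analysed software. The property-ID constants are the wincrypt.h CERT_*_PROP_ID values; REPORT_BLOB_PREFIX_HEX is the first five property records copied from the table row above (everything before the certificate record); the trailing sample blob with a seven-byte DER placeholder standing in for a certificate is constructed so the full consistency check can run offline.

```python
"""Decode a CryptoAPI certificate-store 'Blob' registry value.

Record layout, repeated until the value ends (all fields little-endian):
    DWORD PropertyId | DWORD Reserved (observed always 1) | DWORD Length | data[Length]
"""
import hashlib
import struct

# wincrypt.h CERT_*_PROP_ID values that appear in store blobs
CERT_SHA1_HASH_PROP_ID = 3
CERT_MD5_HASH_PROP_ID = 4
CERT_SIGNATURE_HASH_PROP_ID = 15
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID = 25
CERT_CERT_PROP_ID = 32  # the DER-encoded certificate itself

PROP_NAMES = {3: "sha1", 4: "md5", 15: "signature_hash", 20: "key_identifier",
              25: "subject_public_key_md5", 32: "certificate"}


def parse_cert_blob(blob: bytes) -> dict:
    """Split a Blob value into {property_id: data}; raise on a malformed layout."""
    props = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} at offset {off}")
        off += 12
        if length > len(blob) - off:
            raise ValueError(f"property {prop_id} claims {length} bytes, "
                             f"only {len(blob) - off} remain")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def der_outer_length(der: bytes) -> int:
    """Total size implied by a DER SEQUENCE with a two-byte (0x82) length, or -1."""
    if len(der) >= 4 and der[0] == 0x30 and der[1] == 0x82:
        return 4 + int.from_bytes(der[2:4], "big")
    return -1


def check_store_entry(key_name: str, blob_hex: str) -> dict:
    """Cross-check one Certificates\\<thumbprint>\\Blob entry against itself."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props.get(CERT_CERT_PROP_ID, b"")
    sha1 = hashlib.sha1(der).hexdigest().upper()
    return {
        "properties": sorted(PROP_NAMES.get(p, f"prop_{p}") for p in props),
        "thumbprint": sha1,
        # the registry key name must be the SHA-1 of the DER certificate ...
        "key_name_matches": sha1 == key_name.upper(),
        # ... and so must the stored SHA-1 property
        "sha1_prop_matches": props.get(CERT_SHA1_HASH_PROP_ID) == bytes.fromhex(sha1),
        "der_len": len(der),
        "der_len_consistent": der_outer_length(der) == len(der),
        "md5": props.get(CERT_MD5_HASH_PROP_ID, b"").hex().upper(),
    }


def build_blob(props: dict) -> bytes:
    """Serialize properties back into Blob layout (used for the constructed sample)."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data
                    for pid, data in props.items())


# The five property records that precede the certificate record in the report's
# Blob for key CABD2A79A1076A31F21D253635CB039D4329A5E8 (copied from the table).
REPORT_BLOB_PREFIX_HEX = (
    "0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e"
    "14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e"
    "030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e8"
    "0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63"
    "1900000001000000100000002fe1f70bb05d7c92335bc5e05b984da6"
)

# Constructed sample: a 7-byte DER SEQUENCE stands in for a certificate so the
# full key-name / hash / length consistency check can run without the real DER.
SAMPLE_DER = bytes.fromhex("30820003020101")
SAMPLE_THUMBPRINT = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
SAMPLE_BLOB_HEX = build_blob({
    CERT_MD5_HASH_PROP_ID: hashlib.md5(SAMPLE_DER).digest(),
    CERT_SHA1_HASH_PROP_ID: bytes.fromhex(SAMPLE_THUMBPRINT),
    CERT_CERT_PROP_ID: SAMPLE_DER,
}).hex()

if __name__ == "__main__":
    for pid, data in parse_cert_blob(bytes.fromhex(REPORT_BLOB_PREFIX_HEX)).items():
        print(f"{PROP_NAMES.get(pid, pid):>24}: {data.hex()}")
    print(check_store_entry(SAMPLE_THUMBPRINT, SAMPLE_BLOB_HEX))
```

To apply it to a full report row, pass the key name from the registry path and the whole hex string after "Blob = "; write the property-32 bytes to a .cer file for `certutil -dump` or any X.509 parser, and compare the thumbprint against a trusted root list rather than against the sandbox's tags.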

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe
PID 3060 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe
PID 3060 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe
PID 3060 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe
PID 3060 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
PID 3060 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
PID 3060 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
PID 3060 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
PID 3060 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
PID 3060 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
PID 3060 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
PID 3060 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
PID 2372 wrote to memory of 3040 N/A C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe
PID 2372 wrote to memory of 3040 N/A C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe
PID 2372 wrote to memory of 3040 N/A C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe
PID 2372 wrote to memory of 3040 N/A C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe

"C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe"

C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe

"C:\Program Files (x86)\Common Files\supportdotcom\rang/driverinst64.exe" /Install

C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe

"C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /setup

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{37cc2436-ef8e-1ac3-bf81-2607edbf665d}\ssmirrdr.inf" "9" "67bd61347" "0000000000000594" "WinSta0\Default" "00000000000002C8" "208" "c:\program files (x86)\common files\supportdotcom\rang"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\SSMIRR_DRIVER\0000" "C:\Windows\INF\oem2.inf" "ssmirrdr.inf:ssmirrdr.Mfg.ntamd64:ssmirrdr:2.0.0.0:ssmirr_driver" "67bd61347" "0000000000000594" "0000000000000064" "0000000000000068"

C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe

"C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /regserver /start

C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe

"C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" -service "-provider" "supportdotcom"

C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe

"ssrangui.exe" -start -ec 1 2647238069 -agentFriendlyName 'ATS Agent'

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 www.google.com udp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 www.worldtimeserver.com udp
CA 54.39.158.232:80 www.worldtimeserver.com tcp
CA 54.39.158.232:443 www.worldtimeserver.com tcp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp
US 8.8.8.8:53 advancedtech-rang.support.com udp

Files

\Users\Admin\AppData\Local\Temp\nsdAD9E.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe

MD5 38377a28f213b6bb042e60e4b457f516
SHA1 0499b92faa65cd1d00640715c998d2500ff4eebc
SHA256 ca67f164a2ee8be79fb156ac3cdbc154ea8a761bf49e88197c4c07a3a325a2a9
SHA512 e522e4a4157849612017af61b8e6db94c67503872a76fdfa1e342908f9292f296e7e462b8bf02155028e10e1860288bc5acb5490fa7b3136b19d6b8b68fe3319

C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe

MD5 8e1f07c8ec91b5c63eccd0c6cb00a027
SHA1 89afb7d39ed1935f25f8c43b60ab2fdcba58447f
SHA256 d82c089a395db0691c1c845b68c1b1743de8985feb47ec5e03f0db80a5c1b195
SHA512 138f90453e58a34f53cbd7d1700fbc9377c4d67f55119df5198d5575a1ab07e2d00e51562c14d9f8f8120169f2d977948a06cb600ba16c5d53e141b76e39f497

\??\c:\program files (x86)\common files\supportdotcom\rang\ssmirrdr.inf

MD5 6c4423d9cb9921a25de76b2d9f390f74
SHA1 5abdfd7b7d0e454a6ac117c90077b3379e48d666
SHA256 3cb8307e59f4483ec329cd2b92690a877eb4b3a0c3633c9e012a4f8aac249c82
SHA512 9f28e9a824e0983e180bcefdd347ee145c406e920f660622e34bedf5c3b7e7cd083c3f60528f135e341621248a53ad16cca5ebbb6c8b66af166304ab8b94628c

\??\c:\program files (x86)\common files\supportdotcom\rang\ssmirrdr-nt_amd64.cat

MD5 31f007d8f2de5e945dc2e2234628bc37
SHA1 76fb2cd66c869bae25589298a971b458bd06c18e
SHA256 a179d2176962ff702eb57417f931deb3e8c9f2cfb61311d767b243e111b83973
SHA512 170e8ac2cb4decb9fe07f8811c58155c377fc20af3748bcc33cdb203a2780c749f0cc721ba293874ecab1e0423682679ff7a1bccc26caa185af279796112dc18

\??\c:\PROGRA~2\COMMON~1\SUPPOR~1\rang\nt_amd64\ssmirrdr.dll

MD5 28b26600204f79045eda8f7fd8ca3c86
SHA1 b9f19e36b80eb862370d99b466664380440af6d5
SHA256 5140f07b878efd1b74ee9f5821a207d1cee65952702ff75c49a4522face230c6
SHA512 aebd4425b846883e1f49da18edf3b7c96a9fb9ddb7ce709938b21eae169bdaeb5ce6bf8593638b5c887b26de7476b793a4691a7d56e46796bb658f1e516ad3c1

\??\c:\PROGRA~2\COMMON~1\SUPPOR~1\rang\nt_amd64\ssmirrdr.sys

MD5 1100066057fbf612b573efd3b21383f1
SHA1 f95db83ea936f1fe70583a4eca810da807167dfe
SHA256 894f5a999e03807dffea67938d2e456d50d9e5511fe91d2e2293c51d98b3d87d
SHA512 62850de88b00daeab3299fec2bbd9aa0b07f766b96f42392310cb4f23c9e50f0aa8bc87f82e28cd99c195ea205a26c083d048cbac3341861dcee4a5eabb9dea8

C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_neutral_f60e4a3bb7f7b95a\ssmirrdr.PNF

MD5 6341c4eed3b4f77cd067cd2db2b592a9
SHA1 3594c5374a4fe9c9ba8046b06eea4ababd73b680
SHA256 bea564e0d2e00c48571b0992cd13a4aa163e7fc396f9d0d549cd8e5d025246f7
SHA512 321737ee2e210e1808a35fc3b5df860a0d6a6e617295ec97f68af912f66d500a215a24c084264b13e4dfce9353c645eb1363d6a327250ab34bf1835ee6a177a3

C:\Windows\System32\DriverStore\INFCACHE.1

MD5 35b452e8bbebc7f7ea4969b7a82d1ffd
SHA1 57241b0d729f0dd2f91181fd59285c75bbb36a3d
SHA256 69d1fd51691f985a324f54da9c00e256c5f9f0f2231ba805a6fe813439ba9257
SHA512 665f1aa9cb8ca0bdbb0a6a7f3ec602561749ce54df7c1ed481c2d3af08147586df7c298a04ed7c0994940dd786001234f748041cd4c2800c352f5dbb568f71e3

C:\Windows\inf\oem2.PNF

MD5 fed87ccdd12af5095f46d54deed3ce09
SHA1 f7db563d5f63a011934c115245b8d1fe1af239a9
SHA256 31a7677b235b7b9cf7e9d81279366037279c13699e0bfd9823846afaaba705f3
SHA512 f3eff6ed1f5ae7d8ebb387c68a8f3ddf5770fb8f7c4da52628fae6f97cb31331f4230c188f3572607af9956573b68ba2b55be6fac1c98610268cb274c93ecc6a

C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[7-24-2024 - 9.36.46].log

MD5 11c569068df757e0c6d81d167cd83448
SHA1 4e4d35d710bfe9911343007fb6f82875b691d390
SHA256 aa8f926c017d0e6fbc393653e82d0bd320904cf74bca38d50415874df9f37408
SHA512 329de1f37b240656f4ee0afe1ff3c0013bc35772726a78a704e4739551f42b2b7f4b84189ddd4a36f71fd4b3c9622481a53ba706433d4151538c120de9e09ba3

C:\Program Files (x86)\supportdotcom\rang\ca-bundle.crt

MD5 478f2561ec0658265a01993e00ee89f2
SHA1 3845dc7fd32fb08600ebd5902bc1bd7e7bfa63a1
SHA256 d42fa29fd8a06ea428d041a26d4e6831bbf8538f83032e922287832c39b06b86
SHA512 82636f4317d561a38134f919d6197abbeea56c2a2c750350148b54fb5b864babd8711876d6e322ffdd12489305ca96b9d209335998b922d2c9e4f198ae84f470

C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe

MD5 69d7734b204b81b646d0f8576e7dc8d6
SHA1 a37786dcab45c963d44a135db52b21177847508b
SHA256 24316fd026bcf76caa990e27e3dfd38126fa5b71763fa576ccab43cba6eafb2e
SHA512 0d93c3b9f664c36af3568484352aa09925cf04f9ccdf07bf7a1c7dbd791cbb98b8c18043c8220fce0c9b3defab90586a86d2cddf225980518a3b9e854026c79d

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Windows\Temp\TarD79F.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 ec313d5b7d7c9685e4d32ff05e6d5ea8
SHA1 c334fd6d27510fe6eb8fe684a54bbe7462466ec0
SHA256 7d2f91bd798d9d63f8011c9ad6ac3a895c2a4a36bffdca0cc79b2eb472da2f08
SHA512 679851f08233a3331a5536a76d1aeb24ddfc9162fe51e0c82779760f0209c7ec2aecd192fa911cf4cdfc811683b1e58e118e0fbd8008b53a2fbadab8d3c4d244

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win10v2004-20240709-en

Max time kernel

108s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$3.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$3.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\Desktop\ScreenSaveActive = "0" C:\Users\Admin\AppData\Local\Temp\$3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\Desktop\ScreenSaveTimeOut = "0" C:\Users\Admin\AppData\Local\Temp\$3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$3.exe

"C:\Users\Admin\AppData\Local\Temp\$3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win10v2004-20240709-en

Max time kernel

105s

Max time network

109s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_x86\ssmirrdr.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 4464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 4464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 4464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_x86\ssmirrdr.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_x86\ssmirrdr.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/4464-0-0x0000000000010000-0x000000000001B000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win10v2004-20240709-en

Max time kernel

113s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4900 wrote to memory of 116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4900 wrote to memory of 116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 116 -ip 116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win7-20240704-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ssranghk.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 3044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 3044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 3044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 3044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 3044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 3044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 3044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ssranghk.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ssranghk.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win10v2004-20240709-en

Max time kernel

110s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\driverinst.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\driverinst.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\driverinst.exe

"C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\driverinst.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win10v2004-20240709-en

Max time kernel

116s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_amd64\ssmirrdr.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_amd64\ssmirrdr.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp

Files

memory/4676-0-0x0000000000010000-0x000000000001C000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win7-20240704-en

Max time kernel

24s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\driverinst.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\driverinst.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\driverinst.exe

"C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\driverinst.exe"

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win10v2004-20240709-en

Max time kernel

118s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_amd64\ssmirrdr.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_amd64\ssmirrdr.sys

C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_amd64\ssmirrdr.sys

C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_amd64\ssmirrdr.sys

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/2832-0-0x0000000000010000-0x0000000000017000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-24 09:36

Reported

2024-07-24 09:38

Platform

win7-20240704-en

Max time kernel

13s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_x86\ssmirrdr.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1336 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1336 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1336 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1336 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1336 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1336 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1336 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_x86\ssmirrdr.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$COMMONFILES\supportdotcom\rang\nt_x86\ssmirrdr.dll,#1

Network

N/A

Files

memory/2992-1-0x00000000000B0000-0x00000000000BB000-memory.dmp

memory/2992-3-0x0000000000110000-0x000000000011B000-memory.dmp

memory/2992-0-0x00000000000B0000-0x00000000000BB000-memory.dmp

memory/2992-2-0x00000000000B0000-0x00000000000BB000-memory.dmp

memory/2992-4-0x0000000000110000-0x0000000000112000-memory.dmp