Analysis Overview
SHA256
dbf0895d886b428c8465ee57aea56a7e7b6e4c003efd04ca00d216a2d821eac9
Threat Level: Shows suspicious behavior
The file rcsetup154.exe was found to show suspicious behavior.
Malicious Activity Summary
Writes to the Master Boot Record (MBR)
Event Triggered Execution: Component Object Model Hijacking
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Browser Information Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Enumerates system info in registry
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-15 23:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20241010-en
Max time kernel
122s
Max time network
131s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files\Recuva\recuva64.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files\Recuva\recuva64.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Recuva\Lang\lang-1040.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-9999.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\recuva64.exe | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1063.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-2074.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\logs\error_log_20241015_234735_00000.txt | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1036.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1028.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1037.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-3098.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1043.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1046.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1071.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1044.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1035.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1062.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1057.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\lil.log.tmp.04595010-8081-4f37-8f0f-a9a261837aa8 | C:\Program Files\Recuva\recuva64.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1067.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1079.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1030.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1052.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\recuva.exe | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1045.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1027.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1058.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1060.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1054.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File opened for modification | C:\Program Files\Recuva\lil.log | C:\Program Files\Recuva\recuva64.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-5146.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\RecuvaShell64.dll.new | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\SomeRandomTmpFile748329742893.tmp | C:\Program Files\Recuva\recuva64.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1029.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1068.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1059.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1048.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1050.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1049.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-2052.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1032.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1061.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1066.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\uninst.exe | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1041.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1053.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1034.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1051.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1026.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File opened for modification | C:\Program Files\Recuva\lil.log | C:\Program Files\Recuva\recuva64.exe | N/A |
| File opened for modification | C:\Program Files\Recuva\RecuvaShell64.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1038.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1025.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1031.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1055.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A |
| N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe |
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Recuva\recuva64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Recuva\recuva64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Recuva\recuva64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Recuva\recuva64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\Recuva | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\Recuva\Language = "1033" | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19 | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Piriform\Recuva\Language = "1033" | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Piriform\Recuva | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19 | C:\Program Files\Recuva\recuva64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Piriform\Recuva | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Piriform\Recuva | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Piriform | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20 | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Piriform | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Piriform\Recuva\Language = "1033" | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-18 | C:\Program Files\Recuva\recuva64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20 | C:\Program Files\Recuva\recuva64.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Software\Piriform\Recuva | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\ = "RecuvaShellExt Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Software\Piriform | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RecuvaShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL\AppID = "{80109467-DE5A-42A1-9445-7E3952C80B6E}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\FLAGS | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Software\Piriform\Recuva\Language = "1033" | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E}\ = "RecuvaShell" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\FLAGS\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\ = "RecuvaShell 1.0 Type Library" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR\ = "C:\\Program Files\\Recuva" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Software | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Software\Piriform\Recuva | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0 | C:\Windows\system32\regsvr32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe
"C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /I "C:\Program Files\Recuva\RecuvaShell64.dll" /s
C:\Windows\system32\regsvr32.exe
/I "C:\Program Files\Recuva\RecuvaShell64.dll" /s
C:\Program Files\Recuva\recuva64.exe
"C:\Program Files\Recuva\recuva64.exe" /installationComplete "bin|folders|allusers"
C:\Program Files\Recuva\recuva64.exe
"C:\Program Files\Recuva\recuva64.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 780
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20240903-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 220
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20240708-en
Max time kernel
14s
Max time network
20s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1025.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1029.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files\Recuva\recuva64.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Recuva\RecuvaShell64.dll.new | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1066.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1060.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\uninst.exe | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1036.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1035.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1071.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1061.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1048.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1051.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1050.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-9999.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\recuva.exe | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1041.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1034.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1025.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1057.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1054.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File opened for modification | C:\Program Files\Recuva\lil.log | C:\Program Files\Recuva\recuva64.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-3098.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1079.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1068.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\lil.log.tmp.963b01aa-0187-4599-adda-1511a4b587fc | C:\Program Files\Recuva\recuva64.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1044.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1045.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-2052.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1055.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1067.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1059.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1040.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1030.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1027.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1058.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1038.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1062.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\recuva64.exe | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1043.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1028.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1046.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1029.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1037.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-5146.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File opened for modification | C:\Program Files\Recuva\RecuvaShell64.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1031.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1049.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1053.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1026.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1032.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1063.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-1052.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| File created | C:\Program Files\Recuva\Lang\lang-2074.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe |
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Recuva\recuva64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Recuva\recuva64.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Piriform\Recuva | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Piriform\Recuva | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\Recuva\Language = "1033" | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\Recuva | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Piriform | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\Recuva | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19 | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\Recuva\Language = "1033" | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20 | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Piriform\Recuva\Language = "1033" | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Piriform\Recuva | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Software\Piriform | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR\ = "C:\\Program Files\\Recuva" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\ = "RecuvaShell 1.0 Type Library" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Software\Piriform\Recuva | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RecuvaShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Software | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL\AppID = "{80109467-DE5A-42A1-9445-7E3952C80B6E}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\ = "RecuvaShellExt Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\FLAGS | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\FLAGS\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Software\Piriform\Recuva\Language = "1033" | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E}\ = "RecuvaShell" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe
"C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /I "C:\Program Files\Recuva\RecuvaShell64.dll" /s
C:\Windows\system32\regsvr32.exe
/I "C:\Program Files\Recuva\RecuvaShell64.dll" /s
C:\Program Files\Recuva\recuva64.exe
"C:\Program Files\Recuva\recuva64.exe" /installationComplete "bin|folders|allusers"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=2&v=1.54.120&l=1033&b=1&a=0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=2&v=1.54.120&l=1033&b=1&a=0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd9cba46f8,0x7ffd9cba4708,0x7ffd9cba4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffd9cba46f8,0x7ffd9cba4708,0x7ffd9cba4718
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2616 -ip 2616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 3512
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,4046935836379075576,46533985431301157,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,4046935836379075576,46533985431301157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20241010-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 400
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1027.dll,#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20240903-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1026.dll,#1
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20240903-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1027.dll,#1
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20240708-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1028.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1030.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3596 wrote to memory of 1540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1540 -ip 1540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 600
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20240903-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 236
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4860 wrote to memory of 932 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 540 wrote to memory of 1860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 808
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1025.dll,#1
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20241010-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1031.dll,#1
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1031.dll,#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20240903-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1032.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20241010-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 220
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
137s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1260 wrote to memory of 620 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 620 -ip 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 612
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20241010-en
Max time kernel
62s
Max time network
20s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2792 wrote to memory of 2900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20240729-en
Max time kernel
14s
Max time network
17s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 240
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2996 wrote to memory of 4192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4192 -ip 4192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 636
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1026.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3300 wrote to memory of 5068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5068 -ip 5068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 624
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3808 wrote to memory of 1976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1976 -ip 1976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 612
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1028.dll,#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1029.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20240903-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1030.dll,#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 220
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-10-15 23:46
Reported
2024-10-15 23:49
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1032.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |