Malware Analysis Report

2025-08-11 07:36

Sample ID 241015-3slegstake
Target rcsetup154.exe
SHA256 dbf0895d886b428c8465ee57aea56a7e7b6e4c003efd04ca00d216a2d821eac9
Tags bootkit discovery persistence privilege_escalation spyware stealer
Score 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files, in report order:
behavioral1, behavioral9, behavioral17, behavioral25, behavioral2, behavioral15, behavioral22, behavioral19, behavioral21, behavioral23, behavioral28, behavioral4, behavioral5, behavioral12, behavioral16, behavioral18, behavioral29, behavioral30, behavioral31, behavioral7, behavioral8, behavioral11, behavioral13, behavioral14, behavioral20, behavioral6, behavioral10, behavioral24, behavioral26, behavioral27, behavioral3, behavioral32

Analysis Overview

Score 6/10

SHA256

dbf0895d886b428c8465ee57aea56a7e7b6e4c003efd04ca00d216a2d821eac9

Threat Level: Shows suspicious behavior

The file rcsetup154.exe was found to show suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence privilege_escalation spyware stealer

Writes to the Master Boot Record (MBR)

Event Triggered Execution: Component Object Model Hijacking

Drops file in Program Files directory

Checks installed software on the system

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Enumerates system info in registry

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 23:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20241010-en

Max time kernel

122s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files\Recuva\recuva64.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files\Recuva\recuva64.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Recuva\Lang\lang-1040.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-9999.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\recuva64.exe C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1063.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-2074.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\logs\error_log_20241015_234735_00000.txt C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1036.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1028.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1037.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-3098.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1043.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1046.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1071.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1044.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1035.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1062.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1057.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\lil.log.tmp.04595010-8081-4f37-8f0f-a9a261837aa8 C:\Program Files\Recuva\recuva64.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1067.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1079.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1030.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1052.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\recuva.exe C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1045.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1027.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1058.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1060.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1054.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File opened for modification C:\Program Files\Recuva\lil.log C:\Program Files\Recuva\recuva64.exe N/A
File created C:\Program Files\Recuva\Lang\lang-5146.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\RecuvaShell64.dll.new C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\SomeRandomTmpFile748329742893.tmp C:\Program Files\Recuva\recuva64.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1029.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1068.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1059.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1048.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1050.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1049.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-2052.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1032.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1061.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1066.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\uninst.exe C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1041.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1053.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1034.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1051.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1026.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File opened for modification C:\Program Files\Recuva\lil.log C:\Program Files\Recuva\recuva64.exe N/A
File opened for modification C:\Program Files\Recuva\RecuvaShell64.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1038.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1025.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1031.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1055.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Recuva\recuva64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Recuva\recuva64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Recuva\recuva64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Recuva\recuva64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\Recuva\Language = "1033" C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Piriform\Recuva\Language = "1033" C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Program Files\Recuva\recuva64.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Piriform C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Piriform C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Piriform\Recuva\Language = "1033" C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-18 C:\Program Files\Recuva\recuva64.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Program Files\Recuva\recuva64.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Software\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\ = "RecuvaShellExt Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Software\Piriform C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RecuvaShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL\AppID = "{80109467-DE5A-42A1-9445-7E3952C80B6E}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Software\Piriform\Recuva\Language = "1033" C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E}\ = "RecuvaShell" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\FLAGS\ = "0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\ = "RecuvaShell 1.0 Type Library" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR\ = "C:\\Program Files\\Recuva" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Software C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Software\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0 C:\Windows\system32\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2380 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2380 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2380 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2380 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2380 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2380 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2496 wrote to memory of 2248 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2496 wrote to memory of 2248 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2496 wrote to memory of 2248 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2496 wrote to memory of 2248 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2496 wrote to memory of 2248 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2496 wrote to memory of 2248 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2496 wrote to memory of 2248 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2380 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Program Files\Recuva\recuva64.exe
PID 2380 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Program Files\Recuva\recuva64.exe
PID 2380 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Program Files\Recuva\recuva64.exe
PID 2380 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Program Files\Recuva\recuva64.exe
PID 2380 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Program Files\Recuva\recuva64.exe
PID 2380 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Program Files\Recuva\recuva64.exe
PID 2380 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Program Files\Recuva\recuva64.exe
PID 2380 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Program Files\Recuva\recuva64.exe
PID 2380 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Windows\SysWOW64\WerFault.exe
PID 2380 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Windows\SysWOW64\WerFault.exe
PID 2380 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Windows\SysWOW64\WerFault.exe
PID 2380 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe

"C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /I "C:\Program Files\Recuva\RecuvaShell64.dll" /s

C:\Windows\system32\regsvr32.exe

/I "C:\Program Files\Recuva\RecuvaShell64.dll" /s

C:\Program Files\Recuva\recuva64.exe

"C:\Program Files\Recuva\recuva64.exe" /installationComplete "bin|folders|allusers"

C:\Program Files\Recuva\recuva64.exe

"C:\Program Files\Recuva\recuva64.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 780

Network

Country Destination Domain Proto
US 8.8.8.8:53 analytics.ff.avast.com udp
US 8.8.8.8:53 ncc.avast.com udp
US 34.117.223.223:443 analytics.ff.avast.com tcp
GB 2.19.117.82:80 ncc.avast.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.178.3:80 o.pki.goog tcp
US 8.8.8.8:53 service.piriform.com udp
GB 23.218.79.229:443 service.piriform.com tcp
US 8.8.8.8:53 license.piriform.com udp
GB 23.218.79.229:443 license.piriform.com tcp
GB 2.19.117.82:80 ncc.avast.com tcp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 34.117.223.223:443 analytics.ff.avast.com tcp
US 8.8.8.8:53 ncc.avast.com udp
GB 2.19.117.105:80 ncc.avast.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsoD79C.tmp\UserInfo.dll

MD5 2f69afa9d17a5245ec9b5bb03d56f63c
SHA1 e0a133222136b3d4783e965513a690c23826aec9
SHA256 e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0
SHA512 bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

\Users\Admin\AppData\Local\Temp\nsoD79C.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

\Users\Admin\AppData\Local\Temp\nsoD79C.tmp\g\gcapi_dll.dll

MD5 2973af8515effd0a3bfc7a43b03b3fcc
SHA1 4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee
SHA256 d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0
SHA512 b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

\Users\Admin\AppData\Local\Temp\nsoD79C.tmp\ui\pfUI.dll

MD5 7e36940483a62f7e3bdd30d95ef37b93
SHA1 5e5624afd2170a8f32fbc52bc296caf4a16e211d
SHA256 a639f28eb67410b9d685ff7eb564eb8c1a45f1116a6c520321510c8c6eb89923
SHA512 32d12fb13fed59b7801f32a2d65cc54739e99f289398fa62bdf3e952c5c3561819c8d75b35bf2f127967585c11a272a633470ca7325b16c06453d4f06eded663

\Users\Admin\AppData\Local\Temp\nsoD79C.tmp\nsDialogs.dll

MD5 6c3f8c94d0727894d706940a8a980543
SHA1 0d1bcad901be377f38d579aafc0c41c0ef8dcefd
SHA256 56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
SHA512 2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

memory/2380-85-0x00000000003F0000-0x00000000003F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsoD79C.tmp\ui\res\PF_logo.png

MD5 079cca30760cca3c01863b6b96e87848
SHA1 98c2ca01f248bc61817db7e5faea4a3d8310db50
SHA256 8dd37d3721e25c32c5bf878b6dba9e61d04b7ce8aec45bdf703a41bc41802dfa
SHA512 3e25c10e3a5830584c608b9178ab062e93e0e9009a7d897bb5e3561180b0b0910bd4178063d982eb33806a005c93931ae2ec5be520ec0d0c9a7c452cb78fd6a8

C:\Users\Admin\AppData\Local\Temp\nsoD79C.tmp\ui\res\RC_Computer.png

MD5 67f13e50fa75087ef8c2074a52cc8bb1
SHA1 8f31cf48fab91b9e263105289d17c146d088274b
SHA256 044ec2d36e9f573d762fc8a43eb09f7b24eb30094a4e61b5d606fd96f72d391f
SHA512 44ee943ae440d93d7ec78393749667680abbe379f9e21fb10244362c2c3f9df790170c541aa30a8487ef25952068c78e44dacd48def29aa84cee78d1c1ce63ae

C:\Users\Admin\AppData\Local\Temp\nsoD79C.tmp\ui\res\Recuva_Logo_72px.png

MD5 6a2e01749e591a1ce8216daed41b8721
SHA1 a4aa31d936a33eb7d58e809b738184f6b2c7e1c2
SHA256 f72782600989eff0aa13ff7c63875538c9042c32b77862475c899514f61c9290
SHA512 262e6b6ed89fa30f954dc73c1bb329d9ea256fefa172e12b23610e7c1ab6dad3b698cbcdc010f8c16e90b0bdd6e96d60e8aba50b876d69f9fb1f2889ac14f0fe

memory/2380-103-0x00000000043F0000-0x0000000004400000-memory.dmp

memory/2380-109-0x00000000048A0000-0x00000000048B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

MD5 4e32fc7c3e01483647b99595897d77d9
SHA1 733a6ba91df43fb833fa5687b4d976a6ab85089b
SHA256 19ee777dcaef3c7b02b3f5c7fecd99ac2754826a91ffaf73cddb13de91b85d5d
SHA512 5c123bfbd297aba66221fcc2b61a912d88c1c7f553bdea5776e01037a9b16618d0aee4ee2bdd35809949884adc2e2a1929d5c06fc8f9cbd1d340490cd8ea0640

memory/2380-134-0x0000000006F20000-0x0000000006F28000-memory.dmp

memory/2380-140-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

memory/2380-146-0x0000000006EC0000-0x0000000006EC8000-memory.dmp

memory/2380-148-0x0000000006E80000-0x0000000006E81000-memory.dmp

memory/2380-157-0x0000000006EC0000-0x0000000006EC8000-memory.dmp

memory/2380-160-0x0000000006EF0000-0x0000000006EF8000-memory.dmp

memory/2380-162-0x0000000006E60000-0x0000000006E61000-memory.dmp

memory/2380-167-0x0000000006E80000-0x0000000006E81000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 7e251887c6eb2f81ec29b7bd7c128947
SHA1 a5a46a8c9e79227d4fb1c4815079d591b32e11d3
SHA256 072f705935922dd49d0ef71b9eddbba5dd08507e3afbed8365077a28a5e2170a
SHA512 6b41a6af4c76c5873ef479c75b891c3d6cd8991e7db60e7f05cd93df1a7d711882186191b30593f8de953375a3416325e83030ef53e57f98b8da01fc50f2f2d2

memory/2380-212-0x0000000007020000-0x0000000007028000-memory.dmp

memory/2380-215-0x0000000007060000-0x0000000007068000-memory.dmp

memory/2380-217-0x0000000007010000-0x0000000007011000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsoD79C.tmp\ButtonEvent.dll

MD5 c24568a3b0d7c8d7761e684eb77252b5
SHA1 66db7f147cbc2309d8d78fdce54660041acbc60d
SHA256 e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d
SHA512 5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

\Users\Admin\AppData\Local\Temp\nsoD79C.tmp\p\InstallerHelper.dll

MD5 8bfdb69444233a57163ba06a2a6cfcd1
SHA1 73090c37af9e2bd236102e172dadb159a00612ec
SHA256 6aa7b6f12487c9740666d37a98b0c7b987b7e023a1640f8a6ab1b049a35f9374
SHA512 a160efb1f04097be38bab5d93ea6cd13ed1f2a3a834c85a310ed9a1d58db9df48898788844524563c52c79e7c1f286a5d699f08ff079364b101ecb18b514c8ed

\Users\Admin\AppData\Local\Temp\nsoD79C.tmp\INetC.dll

MD5 7760daf1b6a7f13f06b25b5a09137ca1
SHA1 cc5a98ea3aa582de5428c819731e1faeccfcf33a
SHA256 5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079
SHA512 d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

memory/2380-243-0x00000000003F0000-0x00000000003F1000-memory.dmp

\Program Files\Recuva\recuva64.exe

MD5 6f852ec18d167ff2abb2ab80f0d5a4fe
SHA1 57ac2fa10e510c9317b61c33d3a0116da0a57c6e
SHA256 d42b70bb05ef00c09319a975e1df73c1a7d1a52b537c2f605dbf0b4dccf814fc
SHA512 c4b8117d804943e615428b0784c3037e7ba6e367a74accf577fbc13cb8800fce356f9c6e8121a0edaf68a530176790b44d610e782e3d6f7d1819f34f766e17de

\Program Files\Recuva\RecuvaShell64.dll

MD5 776f4c4ad3c85c1693a522bc2c60f33a
SHA1 5a4215e1221b3f8f1d7500e5902474707b1542e2
SHA256 2b406578019ba9b6afcb08b26c56c4017c6fa6dea102129dd44dc47fc74a2cc4
SHA512 baf5f2ba8db33f51fbb8bf81ee0c92a6f69a76224d80ccb3e17115c9247c891f155abfd358a9a435c6b8bbcbae3154ae49a939e8ea4c8bcc3671d4c8b60d19d5

C:\Program Files\Recuva\lang\lang-1050.dll

MD5 8bac7d3eb37fba38aa06200dd23ae6ca
SHA1 0c5c89cc696aba1b7665cb0c0d6dc028370c233f
SHA256 4b7d0341102e062077af9ce99a12412dc3c11044bbbc782194681f47146b6494
SHA512 b14afa6b347a6505c4c66bd58b9482554ed64083dcbad3c1574f9e9a1233f21715ca14cac0bd305c8f615179924d48820864a614937aee2b571143da52006abe

\Program Files\Recuva\Lang\lang-1049.dll

MD5 c5c056c945f3c5c7f76cef938f338513
SHA1 0b147e88c65aacda1949acc116f95a0af4a7f2d8
SHA256 222db72107c1452f141ea8d086473458c59f6675566b01177fc91265855ab067
SHA512 2a4d888a565621e5c2cbf2775cb7299bc9c87de724af1f387f5e94abfb80e247d127248ebc8893cb0651f83c8611cc3cea2d7c64744dfb5fbf57a68a83047dfe

\Program Files\Recuva\Lang\lang-1048.dll

MD5 d3ccae022f330ee57be94aefa4d7b060
SHA1 b735f8f3ebffd519850ba8d14013fe4d1ecee521
SHA256 975aeb207d52e07a0aadeb934476536f8c6b7deec29d5d111baf89f3bac76fdc
SHA512 be336a7a2f2ded9359800005e1c7b2eb025ba16b1b58ad198f569b6a72a1d419761365d7ab55a9673921e03a7b50abd11e050494940de4783296a00a711e46a8

\Program Files\Recuva\Lang\lang-1046.dll

MD5 d79062b2834f351b25778486d04587e6
SHA1 c48f13f399e80d9fbe28df24d3c66cfa88ff20ba
SHA256 e3c7fe920d284ef7974175c52f374ee412580f83707d58ef2dec51ae403159e6
SHA512 3f604d7138022dad7f0fd9b27ed679691237f56bf851d2900502590df37c78df201d0c44264ec3f338ed7da86c1f0edbe2933c1ad079497a7ddbe17e625f7aa4

\Program Files\Recuva\Lang\lang-1045.dll

MD5 2f9eae30109a4ea38724cc80d4d2cd3e
SHA1 b00eac5de9434bf7d8b3296a6be1d929343dc1be
SHA256 a35b4506ea3694754ce1eb0d8e29f2f78b2365d96b7302e7c9c6fdf8a0266eb9
SHA512 fc4f02d863ee9266477d20a9b177631d519e778887f4db531fb75c5712174ba6ff9e3c0d8b1d14a333f06be3776227130aefc6a8a2ccc8ab569400e17a6590df

\Program Files\Recuva\Lang\lang-1044.dll

MD5 00547e1c34a464106f945b4c2030348e
SHA1 d01291685e44e73af5543f1325308ace114897d4
SHA256 301d83c11f5a07cdc686d3d91d075cd69c38beae8d0aac3af1f4b825588d11a6
SHA512 b105e1f091fc1b3f9eebe9a4aef59c8d9156aaeca73d22370c790e81c5270e464a47f80cbfd41a8c7e0ccf504c9f9ce4cf3d5210d660dcacf2512be10b390d93

\Program Files\Recuva\Lang\lang-1043.dll

MD5 e636190971396417c638d01fc791896b
SHA1 ce8a1196c4d3d5dc2d19b62aea2a657ffec65436
SHA256 cc3bafd490827c81a6e82f15695fbc3af988d491bdb0559c9c76ee60ba8deb2b
SHA512 11549da87e4dea6eb9f70e7010dd20b7f5307e3a3d20a070e60f2535f06a15b473c60402963c4fdafd0f1c3c13697aa20b2e983830c2e9ee562953c305b87656

\Program Files\Recuva\Lang\lang-1041.dll

MD5 cbece409b25c16d629e2d10f533e3bda
SHA1 949760246d3def76f61fd75a6ef20395eca6e897
SHA256 2ff82dbbaabeb196aa0c070d7f2fd0eb40346e51d4e8ad5ac398ec56d96ac393
SHA512 0318400513c46930270a4dcbe951c155b1e1f1513f3df3afd72c71d205efd71fdb65e9649aef5e9e78364e7e2b23d19dbbbb0928f84b91b3d555b446ef4bf7f0

\Program Files\Recuva\Lang\lang-1040.dll

MD5 a0a8770cf404c1d3e247a92afbd13c69
SHA1 228f204a36cd5acbc7b7367b1d880755f3d0a9d2
SHA256 116c74beb855d6715c83b664794f8bb3d3946f677c0b3befecc7cec8e1b6093f
SHA512 85536d1239c5f660d1072dd136ae221f2f0ae15ce7dd7863b13321661090dc0af14b57ebc830a4819724a33e83c12227407f850876885dd66ab00630e965c59d

\Program Files\Recuva\Lang\lang-1038.dll

MD5 a33f9c0db68d89309c0b406be609aa3c
SHA1 793fe49282ce5c3027309286ff8071ab9e08451a
SHA256 87ec0ce45b22f524ebbf497777cb17fdf4e4346915fa6a2b9f13be85ea05fbf7
SHA512 eae5bf2cb55344f5b41cf84ea4a30885c506735c66262b18a6e9e71d2214c6debee13a1addc4d104f958027e384761781dce6d5c04b565af93c87dcf69e1ed86

\Program Files\Recuva\Lang\lang-1037.dll

MD5 3f18f8241914468072cbc7cb7feea5e5
SHA1 75461ee9e923251d5193cabf38632b504440eea9
SHA256 cb72a05f8c33621781d777133de8e7c14d43d14598ca08c4af4bb756948568c0
SHA512 78de99c109f9f505276759e6ff426c4fffced92816858c082e729d76fa2bde9cfb954beb4fc7ed0de3f23ca4a6540841ec9ed1caf5c83ab73539f6ff3091c128

\Program Files\Recuva\Lang\lang-1036.dll

MD5 d0e8f5ddabed692709759ae273b02067
SHA1 7618f1b38ee416c09a506239917839e1ef51d36a
SHA256 302c8535823e4680cd5be12882063dd38fea9ed8d06e191d4fb20f20bcc38e8b
SHA512 6314c163a72f4be7faeff685eab790a4d0471f7be57a9ef90eaa8cfb1045524fea1264293fc82f3883e03275b4557a6bd6cd647f4dbdbdaa998ce6ffab7b180e

\Program Files\Recuva\Lang\lang-1035.dll

MD5 144fd9be97f093a4306b21a8955cedbb
SHA1 6f32e163b3d56690a0514f156bbd91608000d1b8
SHA256 60be5324d22ab098bda84e94217de5a01841f282d9bd2222105500dc8cb05142
SHA512 6a602c22dc5c4bb48c8f7e74a9f45ab533951faeb5f7cbdd40e22bca18e1620a683d985c87d5a295d72f0f23dffc6d7cf4c43927e8a4264351ac51911ca19b17

\Program Files\Recuva\Lang\lang-1034.dll

MD5 3d8a9f4447d7f9c6de15d4f5323cf555
SHA1 260beb6224190d275e03e4ce7dbb14ac2699e53a
SHA256 d0a2939bdb56722b72b45a11c8d1b92de943b06ff6ab85b7119631ef7201bbbc
SHA512 bed4808db9e948c62978c01d2e1ce2cbe02eccdf3c070cd99197c90c2d04d01fed3f370fe211188effc486d480ee1c96b11d34b16d085345f4cc34667d176edd

\Program Files\Recuva\Lang\lang-1032.dll

MD5 60acdcb72ba110396610e2e1df7b1638
SHA1 1bef00663a3625ac19fb0d8c8a304674094f9b24
SHA256 21bb1f597d5e6ec2835eb9065a11e8bd39ca865102f4de20cb676fbb1a331ac0
SHA512 524bf6b53c053a6338a8f5479df2e69240de9d466de563f95da113f12e977e310571b4ae7bd7d6949da2c605444aaf8166b724751abfc6b25749b8197ba0e3e6

\Program Files\Recuva\Lang\lang-1031.dll

MD5 7bc339dfcea7528971b93abcad36b81e
SHA1 e2843316fca4d43cc64620ea74e3835a122e7445
SHA256 e8c68e0bb516fd172c966c78fccb934fcc034e9b4cb909d3356b2f894ccf9177
SHA512 afb8b2a99cff2bd12e4bc66f3a94850175ed58f572d66bdb6012a6414b3055f035244814b4d1881263385c77c88ad06d1ce9b9cd5e6a261138fb4f37069df26a

\Program Files\Recuva\Lang\lang-1030.dll

MD5 36805a518e09fd2c3c542658b7236685
SHA1 ba348d4370cb8fab13c571ff901a99d0da2e1f9c
SHA256 66be2616822511ddb956e352ed21beccfa5ae9299f5c925838161b26bba454ac
SHA512 0a2a280745926cacb75830385ffae5250a29f61e211f77f9fd332e23b712370b7ba710477d4172968bc26b154f428df086626b6e3830057e1e5e8b688eef09cc

\Program Files\Recuva\Lang\lang-1029.dll

MD5 aa0a34b36afe2d138c34db2e78de8c0f
SHA1 3bc66cc08c2380c1cb9a59ba879e67163b5edd7e
SHA256 bb648a873d5df48f1e2c3b7889c7ddbeddcfcc3d9ffdfdb5312a06e639fd7146
SHA512 95e2ee106e9b93da124edb9e7ecad8ed5d990221643be3d6632cc6c9cc4b99fe6a110404c768f8a3c377f6df0b9eb5d66e5db1651cc85db9579e547cefff8aaf

\Program Files\Recuva\Lang\lang-1028.dll

MD5 6fc9bcf180db0001a26175b15958f3aa
SHA1 0d0623371908b2ec26b7bd158c52e02d43ae0627
SHA256 16b27a8f4cf64a56cfdb8fe84ac497c8fbdaac3385bc0975ae63c39820f311d3
SHA512 9f3d80f4b6a61c5a587303876bdf1ad1e180485f62a032cf372e01a2c48a82b30d455bc8ce702d25fd6ee873ecf8fea15110c7cd882c11a06e3206f44e29d055

\Program Files\Recuva\Lang\lang-1027.dll

MD5 b581c8a181139d70fc96d38634ff21b4
SHA1 806aaa63ddfb0dd1ecb3d529c56d11631d833935
SHA256 8156b27c1677ff3d5a0208aed2e01cec4d5e5b55e3390875329340d5f7972a27
SHA512 5844e3dbe0af811e533012c0ff30bbd06716ae836af618c692b182864e9b736de5c40007aff6cb0dc32bd1999b8a55d7328f6306c2f38e0dc82510988781e2d6

\Program Files\Recuva\Lang\lang-1026.dll

MD5 71ecb94a15e9596a8bbcca5c4e3274dc
SHA1 e869a7e6a47df81e390bc09e7fd4c7f3b62cd2b4
SHA256 10b7e73b445eb063300f8d5b76cc8b91e3de63ee4084c4766a7d68000a5a52e6
SHA512 c3c4cbac2f2ef6d7f167d1a1835d978d559911bb5245276cae42b9c82435f63def34c49b564c61f76a7647c68cee64267980842db6d12cb5ccd85e9780bebbce

\Program Files\Recuva\Lang\lang-1025.dll

MD5 0d3d447c9970765f19bb7cd782756028
SHA1 dd84e86a91cc362fd5e08eb4f1f3910edf0076ed
SHA256 0dd80b0a75d09c587b54e4c527af5650ce0678d8dfb2627ff097439853b71a0a
SHA512 c35514f6b1960122d0986c830fad03cad328cc7e690c4428d60b1645148b00a74eae4b837dcb8d1889ba7de5b6388da8370b04db1d019daa7d73da95fd2e919d

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20240903-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

The crash is an artifact of how this run was staged rather than sample behaviour. UserInfo.dll, like System.dll, nsDialogs.dll and INetC.dll in the nsoD79C.tmp listing above, is an NSIS installer plugin: its exports expect the installer to pass a variables block and an NSIS stack pointer after the window handle, so calling export #1 through rundll32 with rundll32's own argument layout dereferences unrelated values and faults, and WerFault.exe is launched for the 32-bit rundll32 (PID 2800).

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 220

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20240708-en

Max time kernel

14s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1025.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1025.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1029.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1029.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files\Recuva\recuva64.exe N/A

Both rows record a handle to the raw disk being opened with write access requested; no sector write is shown. Raw access to \??\PhysicalDrive0 is how a file-recovery tool such as Recuva reads deleted data, so on its own this indicator does not establish a bootkit. Confirm the bootkit tag with actual disk write events, or a before/after comparison of sector 0, before acting on it.

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

No rows are attached to this signature; the registry events behind it appear under "Modifies registry class" below. regsvr32.exe creates CLSID {435E5DF5-2510-463C-B223-BDA47006D002} with InprocServer32 = C:\Program Files\Recuva\RecuvaShell64.dll and points the Directory and Folder ContextMenuHandlers\RecuvaShellExt keys at it. Every key involved (CLSID, AppID, TypeLib and both handler keys) is recorded as created rather than overwritten, so this is a fresh shell-extension registration, which loads the DLL into explorer.exe whenever a folder context menu opens, not a takeover of an existing component. The practical check is the DLL itself: compare it against the SHA256 listed for RecuvaShell64.dll under behavioral1 above and confirm its Authenticode signature.

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Recuva\RecuvaShell64.dll.new C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1066.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1060.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\uninst.exe C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1036.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1035.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1071.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1061.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1048.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1051.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1050.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-9999.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\recuva.exe C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1041.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1034.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1025.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1057.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1054.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File opened for modification C:\Program Files\Recuva\lil.log C:\Program Files\Recuva\recuva64.exe N/A
File created C:\Program Files\Recuva\Lang\lang-3098.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1079.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1068.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\lil.log.tmp.963b01aa-0187-4599-adda-1511a4b587fc C:\Program Files\Recuva\recuva64.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1044.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1045.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-2052.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1055.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1067.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1059.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1040.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1030.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1027.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1058.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1038.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1062.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\recuva64.exe C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1043.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1028.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1046.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1029.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1037.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-5146.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File opened for modification C:\Program Files\Recuva\RecuvaShell64.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1031.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1049.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1053.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1026.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1032.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1063.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-1052.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
File created C:\Program Files\Recuva\Lang\lang-2074.dll C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Recuva\recuva64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Recuva\recuva64.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

S-1-5-19 and S-1-5-20 are the LOCAL SERVICE and NETWORK SERVICE hives and .DEFAULT is the default profile; writing Recuva's Language value there needs an elevated token, which confirms the installer ran with administrative rights in this detonation.

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\Recuva\Language = "1033" C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Piriform C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\Recuva\Language = "1033" C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Piriform\Recuva\Language = "1033" C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Software\Piriform C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR\ = "C:\\Program Files\\Recuva" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\ = "RecuvaShell 1.0 Type Library" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Software\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RecuvaShellExt C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Software C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL\AppID = "{80109467-DE5A-42A1-9445-7E3952C80B6E}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\ = "RecuvaShellExt Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\FLAGS\ = "0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Software\Piriform\Recuva\Language = "1033" C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E}\ = "RecuvaShell" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
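
The rows above carry the whole COM registration, but flattened one event per line. The Python below is an added example, not part of the report, that parses them back into events and resolves the chain a reviewer would otherwise trace by hand: which ContextMenuHandlers entries name a CLSID, which InprocServer32 that CLSID maps to, its threading model, the process that registered it, and whether the CLSID key was newly created or only modified (the difference between a new shell extension and a hijack of an existing one). The sample rows are copied from the table above; the report's doubling of backslashes inside quoted values is undone during parsing, and process paths containing spaces (which do not occur in this table) are handled by anchoring on the trailing N/A column.

```python
import re
from dataclasses import dataclass

# Constructed sample: rows copied verbatim from the "Modifies registry class"
# table of this run, one event per line as the report prints them. The
# installer's per-user Piriform key is included so the resolver has to
# ignore rows that are not part of a COM registration.
ROWS = r"""
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Software\Piriform C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RecuvaShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\ = "RecuvaShellExt Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
"""

# The process column may contain spaces (e.g. "Program Files (x86)"), so both
# patterns anchor on the trailing "N/A" target column instead of splitting.
KEY_CREATED = re.compile(r"^Key created (\S+) (.+) N/A$")
SET_VALUE = re.compile(r'^Set value \(str\) (\S+) = "(.*)" (.+) N/A$')
GUID = r"(\{[0-9A-Fa-f-]+\})"
CLSID_KEY = re.compile(r"\\Classes\\CLSID\\" + GUID + r"$")
INPROC = re.compile(r"\\Classes\\CLSID\\" + GUID + r"\\InprocServer32\\([^\\]*)$")
HANDLER = re.compile(r"\\Classes\\([^\\]+)\\shellex\\ContextMenuHandlers\\([^\\]+)\\$")


@dataclass
class RegEvent:
    action: str    # "created" or "set"
    key: str       # for "set", the last path component is the value name ("" = default)
    value: str
    process: str


@dataclass
class ShellExtension:
    handler: str         # ContextMenuHandlers subkey
    hooked: str          # shell object whose menu it extends: Directory, Folder, *, ...
    clsid: str
    server: str          # InprocServer32 default value ("" if the rows never set one)
    threading: str
    clsid_created: bool  # CLSID key created in this run: new registration, not a takeover
    registered_by: str


def parse_rows(text: str):
    events = []
    for line in text.strip().splitlines():
        if m := KEY_CREATED.match(line):
            events.append(RegEvent("created", m.group(1), "", m.group(2)))
        elif m := SET_VALUE.match(line):
            # the report doubles backslashes inside quoted values but not in keys
            events.append(RegEvent("set", m.group(1), m.group(2).replace("\\\\", "\\"), m.group(3)))
        else:
            raise ValueError(f"unrecognised row: {line}")
    return events


def resolve_shell_extensions(events):
    servers, threading, registrar, created, handlers = {}, {}, {}, set(), []
    for e in events:
        if e.action == "created":
            if m := CLSID_KEY.search(e.key):
                created.add(m.group(1).upper())
            continue
        if m := INPROC.search(e.key):
            clsid, name = m.group(1).upper(), m.group(2).lower()
            if name == "":
                servers[clsid], registrar[clsid] = e.value, e.process
            elif name == "threadingmodel":
                threading[clsid] = e.value
        elif m := HANDLER.search(e.key):
            handlers.append((m.group(2), m.group(1), e.value.upper()))
    return sorted(
        (ShellExtension(h, hooked, clsid, servers.get(clsid, ""), threading.get(clsid, ""),
                        clsid in created, registrar.get(clsid, ""))
         for h, hooked, clsid in handlers),
        key=lambda x: (x.hooked, x.handler),
    )


if __name__ == "__main__":
    for ext in resolve_shell_extensions(parse_rows(ROWS)):
        kind = "new registration" if ext.clsid_created else "existing CLSID modified"
        print(f"{ext.hooked}\\shellex\\ContextMenuHandlers\\{ext.handler} -> {ext.clsid} -> "
              f"{ext.server or '<no InprocServer32>'} [{ext.threading}] ({kind}, via {ext.registered_by})")
```

For this run the resolver yields two handlers (Directory and Folder) pointing at one CLSID whose in-process server is C:\Program Files\Recuva\RecuvaShell64.dll under Apartment threading, registered by regsvr32.exe, with the CLSID key created in the run; an empty server field or a CLSID that was modified rather than created is what a real hijack of a pre-existing component looks like in this table.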

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

SeBackupPrivilege and SeRestorePrivilege bypass file and registry ACLs for reads and writes respectively. recuva64.exe enabling them repeatedly fits a recovery tool that must read and restore files its user cannot otherwise open, but the same pair is what credential and data theft tooling enables before copying protected files, so the privilege use on its own does not separate the two; the identity of the dropped binary (its hash and signature) does.

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2616 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4696 wrote to memory of 4844 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2616 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Program Files\Recuva\recuva64.exe
PID 2616 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2616 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4220 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3628 wrote to memory of 2780 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4220 wrote to memory of 2828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4220 wrote to memory of 4912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4220 wrote to memory of 3936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe

"C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /I "C:\Program Files\Recuva\RecuvaShell64.dll" /s

C:\Windows\system32\regsvr32.exe

/I "C:\Program Files\Recuva\RecuvaShell64.dll" /s

C:\Program Files\Recuva\recuva64.exe

"C:\Program Files\Recuva\recuva64.exe" /installationComplete "bin|folders|allusers"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=2&v=1.54.120&l=1033&b=1&a=0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=2&v=1.54.120&l=1033&b=1&a=0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd9cba46f8,0x7ffd9cba4708,0x7ffd9cba4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffd9cba46f8,0x7ffd9cba4708,0x7ffd9cba4718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2616 -ip 2616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,4046935836379075576,46533985431301157,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,4046935836379075576,46533985431301157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12145749945884322382,12835749020127081015,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2

Network


Files

C:\Users\Admin\AppData\Local\Temp\nsuB8D2.tmp\UserInfo.dll


C:\Users\Admin\AppData\Local\Temp\nsuB8D2.tmp\System.dll


C:\Users\Admin\AppData\Local\Temp\nsuB8D2.tmp\g\gcapi_dll.dll


C:\Users\Admin\AppData\Local\Temp\nsuB8D2.tmp\ui\pfUI.dll


C:\Users\Admin\AppData\Local\Temp\nsuB8D2.tmp\nsDialogs.dll


C:\Users\Admin\AppData\Local\Temp\nsuB8D2.tmp\ui\res\PF_logo.png


C:\Users\Admin\AppData\Local\Temp\nsuB8D2.tmp\ui\res\Recuva_Logo_72px.png


C:\Users\Admin\AppData\Local\Temp\nsuB8D2.tmp\ui\res\RC_Computer.png


C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

MD5 415773c8a40d67830753a00bf9aadef9
SHA1 16466c63002df483882521338117d3478492d5de
SHA256 01fa79743f9493e3365277c104a43cea647d5bd5977aac113fc9c8fdb7f6a3ac
SHA512 8840daf7f1148732db64aa4c89fc9e5b9b4732c872cf5d6d197600a10235ce484621e76be43c39c71c3aedc58e4cb2bd8102d7878a53e30cba89156c7be11710

memory/2616-142-0x0000000007240000-0x0000000007248000-memory.dmp

memory/2616-145-0x0000000007280000-0x0000000007288000-memory.dmp

memory/2616-148-0x0000000007190000-0x0000000007191000-memory.dmp

memory/2616-152-0x0000000007150000-0x0000000007151000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 b148c3816af3dd30eec81d0ce3a7ed71
SHA1 20b9fc3f29cefbdaae44ed6fcb059c048d9ade97
SHA256 75baeacf35fbd06452eb70f57cb0279332300514232bbf91bd10628aaaa082dc
SHA512 babe4da57ee363c54933b90019b7f46d65a64cd7386a19e8ce1e01167bc1433aa13a7afb43205beb858e68f55b160500f9a0d54d3e873982b164efe998e38a45

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

MD5 bf4384743632135621b7694b85b0bd6b
SHA1 a4fc348f9805a481e5b05dfb270c959afea2192a
SHA256 84c913bd8e54eff15a6ad1f658cf2b4566e97447aa86d6f86ef9708f2a6d4adb
SHA512 5dcb131701368e8247cd81091c4e1f5a3b7c10c2a00d73eb1e5177337cdfe77ab4d1d4a3877efa712e7bcd950968d47161801633c83e36dae5355d3964d3ddc9

memory/2616-198-0x0000000007380000-0x0000000007388000-memory.dmp

memory/2616-200-0x0000000007400000-0x0000000007408000-memory.dmp

memory/2616-203-0x00000000071A0000-0x00000000071A1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

MD5 59c329a087ba6e62be7bce57e7ce0971
SHA1 9e7281c8957a28d4cfdea898c424ce7f3984f57d
SHA256 ad204bf0e4e745e9babf5f68f8782f435e3e7b3451867ac15134c48f6d060078
SHA512 78e37fd6eb34378eea8da24c31de2299c5d15d00a6452d32a1ce1ced939f4b329a7149d92545fa92718d593bd1d2870ff0831825bb489186da85d749f3d6b3c6

C:\Users\Admin\AppData\Local\Temp\nsuB8D2.tmp\ButtonEvent.dll

MD5 c24568a3b0d7c8d7761e684eb77252b5
SHA1 66db7f147cbc2309d8d78fdce54660041acbc60d
SHA256 e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d
SHA512 5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

C:\Users\Admin\AppData\Local\Temp\nsuB8D2.tmp\p\InstallerHelper.dll

MD5 8bfdb69444233a57163ba06a2a6cfcd1
SHA1 73090c37af9e2bd236102e172dadb159a00612ec
SHA256 6aa7b6f12487c9740666d37a98b0c7b987b7e023a1640f8a6ab1b049a35f9374
SHA512 a160efb1f04097be38bab5d93ea6cd13ed1f2a3a834c85a310ed9a1d58db9df48898788844524563c52c79e7c1f286a5d699f08ff079364b101ecb18b514c8ed

C:\Users\Admin\AppData\Local\Temp\nsuB8D2.tmp\INetC.dll

MD5 7760daf1b6a7f13f06b25b5a09137ca1
SHA1 cc5a98ea3aa582de5428c819731e1faeccfcf33a
SHA256 5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079
SHA512 d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

C:\Program Files\Recuva\recuva64.exe

MD5 6f852ec18d167ff2abb2ab80f0d5a4fe
SHA1 57ac2fa10e510c9317b61c33d3a0116da0a57c6e
SHA256 d42b70bb05ef00c09319a975e1df73c1a7d1a52b537c2f605dbf0b4dccf814fc
SHA512 c4b8117d804943e615428b0784c3037e7ba6e367a74accf577fbc13cb8800fce356f9c6e8121a0edaf68a530176790b44d610e782e3d6f7d1819f34f766e17de

C:\Program Files\Recuva\RecuvaShell64.dll

MD5 776f4c4ad3c85c1693a522bc2c60f33a
SHA1 5a4215e1221b3f8f1d7500e5902474707b1542e2
SHA256 2b406578019ba9b6afcb08b26c56c4017c6fa6dea102129dd44dc47fc74a2cc4
SHA512 baf5f2ba8db33f51fbb8bf81ee0c92a6f69a76224d80ccb3e17115c9247c891f155abfd358a9a435c6b8bbcbae3154ae49a939e8ea4c8bcc3671d4c8b60d19d5

C:\Program Files\Recuva\lang\lang-1029.dll

MD5 aa0a34b36afe2d138c34db2e78de8c0f
SHA1 3bc66cc08c2380c1cb9a59ba879e67163b5edd7e
SHA256 bb648a873d5df48f1e2c3b7889c7ddbeddcfcc3d9ffdfdb5312a06e639fd7146
SHA512 95e2ee106e9b93da124edb9e7ecad8ed5d990221643be3d6632cc6c9cc4b99fe6a110404c768f8a3c377f6df0b9eb5d66e5db1651cc85db9579e547cefff8aaf

C:\Program Files\Recuva\lang\lang-1034.dll

MD5 3d8a9f4447d7f9c6de15d4f5323cf555
SHA1 260beb6224190d275e03e4ce7dbb14ac2699e53a
SHA256 d0a2939bdb56722b72b45a11c8d1b92de943b06ff6ab85b7119631ef7201bbbc
SHA512 bed4808db9e948c62978c01d2e1ce2cbe02eccdf3c070cd99197c90c2d04d01fed3f370fe211188effc486d480ee1c96b11d34b16d085345f4cc34667d176edd

C:\Program Files\Recuva\lang\lang-1032.dll

MD5 60acdcb72ba110396610e2e1df7b1638
SHA1 1bef00663a3625ac19fb0d8c8a304674094f9b24
SHA256 21bb1f597d5e6ec2835eb9065a11e8bd39ca865102f4de20cb676fbb1a331ac0
SHA512 524bf6b53c053a6338a8f5479df2e69240de9d466de563f95da113f12e977e310571b4ae7bd7d6949da2c605444aaf8166b724751abfc6b25749b8197ba0e3e6

C:\Program Files\Recuva\lang\lang-1036.dll

MD5 d0e8f5ddabed692709759ae273b02067
SHA1 7618f1b38ee416c09a506239917839e1ef51d36a
SHA256 302c8535823e4680cd5be12882063dd38fea9ed8d06e191d4fb20f20bcc38e8b
SHA512 6314c163a72f4be7faeff685eab790a4d0471f7be57a9ef90eaa8cfb1045524fea1264293fc82f3883e03275b4557a6bd6cd647f4dbdbdaa998ce6ffab7b180e

C:\Program Files\Recuva\lang\lang-1040.dll

MD5 a0a8770cf404c1d3e247a92afbd13c69
SHA1 228f204a36cd5acbc7b7367b1d880755f3d0a9d2
SHA256 116c74beb855d6715c83b664794f8bb3d3946f677c0b3befecc7cec8e1b6093f
SHA512 85536d1239c5f660d1072dd136ae221f2f0ae15ce7dd7863b13321661090dc0af14b57ebc830a4819724a33e83c12227407f850876885dd66ab00630e965c59d

C:\Program Files\Recuva\lang\lang-1041.dll

MD5 cbece409b25c16d629e2d10f533e3bda
SHA1 949760246d3def76f61fd75a6ef20395eca6e897
SHA256 2ff82dbbaabeb196aa0c070d7f2fd0eb40346e51d4e8ad5ac398ec56d96ac393
SHA512 0318400513c46930270a4dcbe951c155b1e1f1513f3df3afd72c71d205efd71fdb65e9649aef5e9e78364e7e2b23d19dbbbb0928f84b91b3d555b446ef4bf7f0

C:\Program Files\Recuva\lang\lang-1044.dll

MD5 00547e1c34a464106f945b4c2030348e
SHA1 d01291685e44e73af5543f1325308ace114897d4
SHA256 301d83c11f5a07cdc686d3d91d075cd69c38beae8d0aac3af1f4b825588d11a6
SHA512 b105e1f091fc1b3f9eebe9a4aef59c8d9156aaeca73d22370c790e81c5270e464a47f80cbfd41a8c7e0ccf504c9f9ce4cf3d5210d660dcacf2512be10b390d93

C:\Program Files\Recuva\lang\lang-1046.dll

MD5 d79062b2834f351b25778486d04587e6
SHA1 c48f13f399e80d9fbe28df24d3c66cfa88ff20ba
SHA256 e3c7fe920d284ef7974175c52f374ee412580f83707d58ef2dec51ae403159e6
SHA512 3f604d7138022dad7f0fd9b27ed679691237f56bf851d2900502590df37c78df201d0c44264ec3f338ed7da86c1f0edbe2933c1ad079497a7ddbe17e625f7aa4

C:\Program Files\Recuva\lang\lang-1048.dll

MD5 d3ccae022f330ee57be94aefa4d7b060
SHA1 b735f8f3ebffd519850ba8d14013fe4d1ecee521
SHA256 975aeb207d52e07a0aadeb934476536f8c6b7deec29d5d111baf89f3bac76fdc
SHA512 be336a7a2f2ded9359800005e1c7b2eb025ba16b1b58ad198f569b6a72a1d419761365d7ab55a9673921e03a7b50abd11e050494940de4783296a00a711e46a8

C:\Program Files\Recuva\lang\lang-1050.dll

MD5 8bac7d3eb37fba38aa06200dd23ae6ca
SHA1 0c5c89cc696aba1b7665cb0c0d6dc028370c233f
SHA256 4b7d0341102e062077af9ce99a12412dc3c11044bbbc782194681f47146b6494
SHA512 b14afa6b347a6505c4c66bd58b9482554ed64083dcbad3c1574f9e9a1233f21715ca14cac0bd305c8f615179924d48820864a614937aee2b571143da52006abe

C:\Program Files\Recuva\lang\lang-1052.dll

MD5 63a9474c28a85978156a9dc6c6682e74
SHA1 68aae980ea0027b34b188bf0aa1180d1f30ced28
SHA256 5ba89e7990fc2d524e0c7defdcd333215d919b20a7d3a0802e38d3b7abd9f431
SHA512 d7dfb7e63c955cbaf4e1aad45d0fcf1d843f5ed39c427f0a8778f26c14ca1dd6cb9de9952fafe22e3b8afbb1a56f4247906b4e89cbca8f3ce7031f08ec7cacf5

C:\Program Files\Recuva\lang\lang-1054.dll

MD5 97be0e56bc97f5473f7d02e17c903e2b
SHA1 6efc528e2a45eced5dc9dc3c879b9e15b872eb45
SHA256 37bd7ae885b4270d4aa83ec78f2fbec8cf42aef2d5f668bcec462ca741f03f20
SHA512 741e731198146d02104cfe2690ce494e1a1db94946bce9694c9b47bc32ecf1365c20cebfc861016aa9a0d19a8b9dd01d621df4f127fff44ddd02395b8c9b723f

C:\Program Files\Recuva\lang\lang-1055.dll

MD5 050c40db5910f16c8ae277e0492ee776
SHA1 f4f4da3d2dc4e5ca55cef28d54c89691688fa038
SHA256 52e6251aa191ca72444259c79f7e7898b1bcea0b85b076b7c2434d220acc21ba
SHA512 19fca708597f1325ea51af3d0d28e388372642799b9b06cc58b08da0aa5d930e32b8d72fc7ef9198363f9b4f2ced431e2fa91c8008809a1ff8e957b607693a4c

C:\Program Files\Recuva\lang\lang-1062.dll

MD5 c2bb13c129496bfabaa08661ae26c0c1
SHA1 d9a75274bb240f9fa6d19ae5432604ccd5d1fa8b
SHA256 e09a70188f5f55d3817adaacae13863796a8af3bd452fd5be94323fcde513495
SHA512 10f1cabf0978317e47a2317943aa2de983a0f2ee23e7a9ff398a5c5bd295f11f150eabb4193417dc3f17cbc75d2053dea50f3c69e2c867777fc0d72d1c18e23e

C:\Program Files\Recuva\lang\lang-1063.dll

MD5 7701899a486486e55c1ed2ae0163e076
SHA1 2d1c81169248b3f6ac62b847f1941a59c5a81e6e
SHA256 bfd62edc0985890bbdb5afbf071c3d1390a32a70c8254942c0f5faed29e71e81
SHA512 e5262a8f159a1e12312a8ea0cc8a76f5465b0dae90ffd0ad570de183442889ebb1ce5c96544f06e1a7db988b168d53449de862669d9c0915f060a4f2e9c68465

C:\Program Files\Recuva\lang\lang-1066.dll

MD5 105602b7958bc4732199afcd0c297ea8
SHA1 dba1536d7ab657c6d2ee877d54467c3b6a252ba5
SHA256 a60fa04853dfb6486d5b13687caed6461ce2efcd0024db16469bd7cfc7caee7a
SHA512 d8ad51629b88991115d723d77550476c80ceda75078102aca3649eda89d7af1f5cb7538d34844e538479ddc31b47b20f72e1899b1f997e1d3c686823d52cc6e5

C:\Program Files\Recuva\lang\lang-1061.dll

MD5 7850b0777d22e2969b00f1ef10c77457
SHA1 f4a1e4d88e73e7ce92b5fdd0b5577fe38293688e
SHA256 6292a86942e5428d95169fea0894f18d241577277d1844c89ecc7d2f5b84955c
SHA512 97e491c2abdfa4e394c10a695d442e0d5f00b2aa2d22c443ea1581dfd657e26cdcdaab84c4ed726d7f5f1c328f9d0a119e7ff6212efe09721f2e3cc42c7c2f66

C:\Program Files\Recuva\lang\lang-1067.dll

MD5 0d38f5305588e9512bf7362b30f7098c
SHA1 0003a77b8603c4c08a0c9f4831ad4d50a3fcddeb
SHA256 3c8db0b0a673701e50d1550ce33fc60ecd5bf19709cdeae43927a499b577692e
SHA512 6097cc6b787e0ac20cf8e6addeef52b5e76b2dbccadfdfb4062b392a634345f001a5d6edd67853a05b8001bb3380b5709889f5cd260e29060ca14e6cc9a6c2c4

C:\Program Files\Recuva\lang\lang-1079.dll

MD5 383fe0266f5558ca1f1d07debd1e30af
SHA1 eb88be971bc416d53f4c462325d97fc0e5007574
SHA256 6e2454f2c03a7b7cd960d4bf9b4580afa58bb367df20dc8c8820004eec4e1a8d
SHA512 acd5d27420ba5c460154e543b4725e02890669e77ccf8145aee51770929b2e36c7bf4d6b8d49a4c41a57a13544ba1ac21b72e1439d83bb982757364cc2f9878c

C:\Program Files\Recuva\lang\lang-2074.dll

MD5 f1b4de3fe497b36358bc741cff7fdd90
SHA1 8c5178ee91760f278317c1842afb059e3d2788a7
SHA256 7717d0adb2a376bbd0bdb122ac9cab9dbe6ed43ee0caaf0a5ce64131511fe8d5
SHA512 37d3b81cca924442bb0505cd5d1105aa02418ab8b7e399be02289c62f843edade9ba37312e47054ec93d87c0cefb016ef811f4e9544d94ee7b33489db14b86b1

C:\Program Files\Recuva\lang\lang-5146.dll

MD5 93c6937489d191e69ad525f9c4e12dd1
SHA1 05d9e3938636ce76164cf721ecc4f4784cc4604a
SHA256 919780cb6a9cc192983eebd9c62706b2e48b7b38cfce15cb1a59d9948edf914b
SHA512 bd32d3b9271ec4508c9d953e78921bc1a00151ab853a55786cbfa58e0b05903e041561214932c6acfdfe1ffd9ab062a2482a825ee78bf9866ebab36f7754e8b6

C:\Program Files\Recuva\lang\lang-9999.dll

MD5 96371dc631a83c0060835a44f3405b5b
SHA1 8a01933aca0fa311d52a611cd762f5d40704acce
SHA256 73143a8d684a153734ccf90042243e8cabaf8fa3304c308009ea510c035e8227
SHA512 eb2fd077d26d47c0863c2778f8a9b8763c525732d67ecc434c58ef6211b7ab05cb800093bf8d6c1b8d0065cfa1dd45eb1f58075c5e3efc0a48b36f9ba6ad049a

C:\Program Files\Recuva\lang\lang-3098.dll

MD5 ff33fc671604cf40f0d2d86c92554356
SHA1 1095cbeb4ee9ec222c4eff20ceca2e3d0d2e97d8
SHA256 0b8d8b0f725e9f81ccd7072c7fc861ae9d9c1aae93e6fbd175499b50282cfe24
SHA512 0c727db5ce49a56344de594b7c44438166dc6f84270434cfd3031f6d75a98d450fc0b3cf845b8eed9a49e0096db75c596a40c0b664d505d1f4ab035c0accc9ea

C:\Program Files\Recuva\lang\lang-2052.dll

MD5 1526ec823cc107f7868c7797c5c4ff4c
SHA1 4cc553baf4a196f3bdd1ba166efc57fa7e538994
SHA256 86be9eb272b06c4fd03d6b646327b2c7927b21aafa2a0283a2876f4381027084
SHA512 7d5151ae04f9481908a383a66f7500415054f614ca9ac1da9df31c4ee48b633fbe73e58ec6ede95893e95fca14c654a6d1a5b7fb8efcef551d22b0832e1aadec

C:\Program Files\Recuva\lang\lang-1071.dll

MD5 b05a7f9d951d8eaf0c8ed139654bc491
SHA1 5c60725ed9d4e5fb2188e38d16156ea5c58dd06a
SHA256 3e3115c9f010ff8698b1eb85f5ff8a8f67b24f35a3b39932769cd81a72c53a55
SHA512 6e978a4d8ae8f33053023cf2d7731a3be099e6d0d55d23956b1b720bccf82bbc0542a22d587059cf57985864528427196c439a71b1da5942f697114e75544514

C:\Program Files\Recuva\lang\lang-1068.dll

MD5 6ce86d40028d7eb5af8b49665b359eda
SHA1 e85025e74f4b37e72cf16235c78823ed854317ac
SHA256 b7d044138c94c716a768e3924f51af5141e7eb5ef98e36bf18903389ee02c111
SHA512 f07c6a255b8c60e390fe4a2c78b0db6f4d262f551cd4141d122c5e5eca273d6c8abcea2c9f15b3e2a1fe52594db06b75eb5bf3a34d1f160d312fd9bce9ff2547

C:\Program Files\Recuva\lang\lang-1060.dll

MD5 d4f39c67826276ff59f286369e1f7abd
SHA1 64bb468d8a603016723d402ef40ac27690aae875
SHA256 a125ea0f8c55bef28c5a3f0ade0a5b1cedf9134fccd7ef3617d0dc5a8c7a56f4
SHA512 d2256684019cd3a21afe1e0e55919febdbdd1cda6dce65ee582da8246d7fa3e511163c8afa506c021b419b377f4dc2e09453810d12ee631d0dbcc998b517215f

C:\Program Files\Recuva\lang\lang-1059.dll

MD5 d7152b4d171f280f374cdf99c33e2004
SHA1 add078db16b73fb95de20c3de3990b44da95faac
SHA256 537ad7110c76f94f84b4dbb16566d33c7cd943a43059bb92c5425602b66a0dbe
SHA512 6bbecb0e100fc3f235084314e91c0301c6ab5636df9db93d838a8f320f614cdf28eb9774b10551edc39c102c8b7354a03e15418d3dee2e82cf5ff9ffdbb826f7

C:\Program Files\Recuva\lang\lang-1058.dll

MD5 c8b13819bdb6919f3ec33d4376a88e69
SHA1 f6bcf93f398aa215f82074a00bca287a8e207e1f
SHA256 2671492f2a3029b28f82452dc635cf64b70c7acf1fb6bf83c807b93defc48213
SHA512 448be4d50b88f1d08198ff62be2f7ea77dd22ab3af80eddd6fec05562ae8fe7c45f24e4f5f39166dc180283ad7472fd79e5a461f8abd3b637774e09cea0fd9f2

C:\Program Files\Recuva\lang\lang-1057.dll

MD5 3efadde128dec1e09ed34f51875122fa
SHA1 292acbe4f41c0c929aedec73b38af8e75135342f
SHA256 81f26b1cc58d141456ccb70583041a10417102bd39a8b2335b185686038a3e31
SHA512 6ff9b00ff007cc776f0753b5cc4acf0cdec16ec77759c16ceedb2bc4c4b459064d21d6ad53647cb09558fe6cea12312067ba3cdd3308a409690c75bf927f316c

C:\Program Files\Recuva\lang\lang-1053.dll

MD5 536b974cc95e03786be55e8a31c576e4
SHA1 f3596479eed50d8c840e53d2d8a4d489f83a0b01
SHA256 0e2da9ea2feac33d86d83222b56be738090e1849f4cd3342876452491d6c2747
SHA512 d7259dbe8e5cbcf7d70d888d3990d58bdbdf674feb72e19b11f4f3834b10ce296a228bd0e8b0c1508ab43147360f49cd31d461a835db3be2db9c35006329b1cb

C:\Program Files\Recuva\lang\lang-1051.dll

MD5 7c30e87594716400b087c22ffe5a05c1
SHA1 ac4ee657f85d426b7cfcaa9a06ebdbed30e58690
SHA256 b3d8725fc19c23c96fe8162a46304241866104cfa03e582d5ff8c566d7ca4639
SHA512 1c757d4b7adc979326d3dceb154b383d462cb1200bfb907fce26f3c2a64a4382074ef549740996527b046af12158d3c52bf2818a682e7ad2c4b31ff7253a7386

C:\Program Files\Recuva\lang\lang-1049.dll

MD5 c5c056c945f3c5c7f76cef938f338513
SHA1 0b147e88c65aacda1949acc116f95a0af4a7f2d8
SHA256 222db72107c1452f141ea8d086473458c59f6675566b01177fc91265855ab067
SHA512 2a4d888a565621e5c2cbf2775cb7299bc9c87de724af1f387f5e94abfb80e247d127248ebc8893cb0651f83c8611cc3cea2d7c64744dfb5fbf57a68a83047dfe

C:\Program Files\Recuva\lang\lang-1045.dll

MD5 2f9eae30109a4ea38724cc80d4d2cd3e
SHA1 b00eac5de9434bf7d8b3296a6be1d929343dc1be
SHA256 a35b4506ea3694754ce1eb0d8e29f2f78b2365d96b7302e7c9c6fdf8a0266eb9
SHA512 fc4f02d863ee9266477d20a9b177631d519e778887f4db531fb75c5712174ba6ff9e3c0d8b1d14a333f06be3776227130aefc6a8a2ccc8ab569400e17a6590df

C:\Program Files\Recuva\lang\lang-1043.dll

MD5 e636190971396417c638d01fc791896b
SHA1 ce8a1196c4d3d5dc2d19b62aea2a657ffec65436
SHA256 cc3bafd490827c81a6e82f15695fbc3af988d491bdb0559c9c76ee60ba8deb2b
SHA512 11549da87e4dea6eb9f70e7010dd20b7f5307e3a3d20a070e60f2535f06a15b473c60402963c4fdafd0f1c3c13697aa20b2e983830c2e9ee562953c305b87656

C:\Program Files\Recuva\lang\lang-1038.dll

MD5 a33f9c0db68d89309c0b406be609aa3c
SHA1 793fe49282ce5c3027309286ff8071ab9e08451a
SHA256 87ec0ce45b22f524ebbf497777cb17fdf4e4346915fa6a2b9f13be85ea05fbf7
SHA512 eae5bf2cb55344f5b41cf84ea4a30885c506735c66262b18a6e9e71d2214c6debee13a1addc4d104f958027e384761781dce6d5c04b565af93c87dcf69e1ed86

C:\Program Files\Recuva\lang\lang-1037.dll

MD5 3f18f8241914468072cbc7cb7feea5e5
SHA1 75461ee9e923251d5193cabf38632b504440eea9
SHA256 cb72a05f8c33621781d777133de8e7c14d43d14598ca08c4af4bb756948568c0
SHA512 78de99c109f9f505276759e6ff426c4fffced92816858c082e729d76fa2bde9cfb954beb4fc7ed0de3f23ca4a6540841ec9ed1caf5c83ab73539f6ff3091c128

C:\Program Files\Recuva\lang\lang-1035.dll

MD5 144fd9be97f093a4306b21a8955cedbb
SHA1 6f32e163b3d56690a0514f156bbd91608000d1b8
SHA256 60be5324d22ab098bda84e94217de5a01841f282d9bd2222105500dc8cb05142
SHA512 6a602c22dc5c4bb48c8f7e74a9f45ab533951faeb5f7cbdd40e22bca18e1620a683d985c87d5a295d72f0f23dffc6d7cf4c43927e8a4264351ac51911ca19b17

C:\Program Files\Recuva\lang\lang-1031.dll

MD5 7bc339dfcea7528971b93abcad36b81e
SHA1 e2843316fca4d43cc64620ea74e3835a122e7445
SHA256 e8c68e0bb516fd172c966c78fccb934fcc034e9b4cb909d3356b2f894ccf9177
SHA512 afb8b2a99cff2bd12e4bc66f3a94850175ed58f572d66bdb6012a6414b3055f035244814b4d1881263385c77c88ad06d1ce9b9cd5e6a261138fb4f37069df26a

C:\Program Files\Recuva\lang\lang-1030.dll

MD5 36805a518e09fd2c3c542658b7236685
SHA1 ba348d4370cb8fab13c571ff901a99d0da2e1f9c
SHA256 66be2616822511ddb956e352ed21beccfa5ae9299f5c925838161b26bba454ac
SHA512 0a2a280745926cacb75830385ffae5250a29f61e211f77f9fd332e23b712370b7ba710477d4172968bc26b154f428df086626b6e3830057e1e5e8b688eef09cc

C:\Program Files\Recuva\lang\lang-1028.dll

MD5 6fc9bcf180db0001a26175b15958f3aa
SHA1 0d0623371908b2ec26b7bd158c52e02d43ae0627
SHA256 16b27a8f4cf64a56cfdb8fe84ac497c8fbdaac3385bc0975ae63c39820f311d3
SHA512 9f3d80f4b6a61c5a587303876bdf1ad1e180485f62a032cf372e01a2c48a82b30d455bc8ce702d25fd6ee873ecf8fea15110c7cd882c11a06e3206f44e29d055

C:\Program Files\Recuva\lang\lang-1027.dll

MD5 b581c8a181139d70fc96d38634ff21b4
SHA1 806aaa63ddfb0dd1ecb3d529c56d11631d833935
SHA256 8156b27c1677ff3d5a0208aed2e01cec4d5e5b55e3390875329340d5f7972a27
SHA512 5844e3dbe0af811e533012c0ff30bbd06716ae836af618c692b182864e9b736de5c40007aff6cb0dc32bd1999b8a55d7328f6306c2f38e0dc82510988781e2d6

C:\Program Files\Recuva\lang\lang-1026.dll

MD5 71ecb94a15e9596a8bbcca5c4e3274dc
SHA1 e869a7e6a47df81e390bc09e7fd4c7f3b62cd2b4
SHA256 10b7e73b445eb063300f8d5b76cc8b91e3de63ee4084c4766a7d68000a5a52e6
SHA512 c3c4cbac2f2ef6d7f167d1a1835d978d559911bb5245276cae42b9c82435f63def34c49b564c61f76a7647c68cee64267980842db6d12cb5ccd85e9780bebbce

C:\Program Files\Recuva\lang\lang-1025.dll

MD5 0d3d447c9970765f19bb7cd782756028
SHA1 dd84e86a91cc362fd5e08eb4f1f3910edf0076ed
SHA256 0dd80b0a75d09c587b54e4c527af5650ce0678d8dfb2627ff097439853b71a0a
SHA512 c35514f6b1960122d0986c830fad03cad328cc7e690c4428d60b1645148b00a74eae4b837dcb8d1889ba7de5b6388da8370b04db1d019daa7d73da95fd2e919d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c2d9eeb3fdd75834f0ac3f9767de8d6f
SHA1 4d16a7e82190f8490a00008bd53d85fb92e379b0
SHA256 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
SHA512 d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e55832d7cd7e868a2c087c4c73678018
SHA1 ed7a2f6d6437e907218ffba9128802eaf414a0eb
SHA256 a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574
SHA512 897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

\??\pipe\LOCAL\crashpad_4220_EMSRMGWRCKLTWJXA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 30ce9cd1f1d9ed89122fcc8c5277e002
SHA1 3e84f08aef67d8dc6b9369f755312feb1541d1ec
SHA256 274f994c16d908ac2646f4c1510f87b38a60af68c6d336fd5bc89297a3c1932d
SHA512 362df2fafa4d2d33d25aa05fe9fa8bcf4e0e2bd5414aa24114f38d63012f699413750a30c08dc523bab98cf822406a07d239260971dfc907dc6e9f561ca7762a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 00d8b1c1c8915447de452b7779041bcb
SHA1 4f23f38d02c709480ccb37ea55867d4af7cf4f22
SHA256 ad8cb6fc2cf7ba8943a5c15526c2c90282e3f3d4a22b04ec6f51a06ffabdc20a
SHA512 664210cd76452058cefd6882cfab6a75401eb1d69b2a478fe4e2def2a21d44e6d88f68334e745594aca1ece067156dffc9f7f2a9ac8e83a59dec188af48e92d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b448965e25a6e070c8fac83e5678d1a9
SHA1 5e19edd2dd198ae8ace07c9e4f8a0d8af3314bbd
SHA256 5e018abbc35b9326027a14b1fc84666569319be8c03ea8c9e3eb54d50d26b449
SHA512 672daa985355d0b97277ddd09f628427bc8f7693fb766722840465f75a5c8347fbe33982f0bf5817d553bcac3799d07869dce7af712c7110f80a3483dcce8f1f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 355b3f59567939aa42dee998912502c7
SHA1 42d3db88f3f4391d815599f36d7233b05f12fe25
SHA256 6a6fb98166b7d018635d12c781a9d49703d5b1c47a79c0c7f22702ea3715ea29
SHA512 ed78d57b72f89d9110e8e5bdf4fd550f3f72b0ce1ce87b54db03449b14a1265525d2d05833bad656be6031c679d52c49bb47dbc72bdfb112fd3e5b6319bb8415

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f1584a519c752ae7733015642f4eed08
SHA1 0960f020f2180d5ccc2a818ea32bf8eeac092a64
SHA256 d93bcbc5456d407992cd74e5be6d8472808c2c83844ac80b5836079e993feb32
SHA512 652d99bfc979d4e9c379e2b1a7b5931014102859fbdebcece8790de55f3a64231e275703154a55ec459c3e744bbb766e0ba85caec245250012a17400335dc906

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 2037e8ce22c5cec15dcf00bc2acb22dd
SHA1 a660e4fe261f7f1630ab4c83c74ddd8f46dfe79e
SHA256 1a5ff8c0a595b9f50347d256205b30eee1ab11a854ae37efb3098854d59965f1
SHA512 00087432e7919ef6e0b8d572878797ba8f99cd01df5bc2531f345981cb1d6ab2a8b5c1d46d7ad058ce424a323648cf918aa92228f8c8e7713ee650fddd657c3a

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20241010-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 400

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1027.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1027.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20240903-en

Max time kernel

121s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1026.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1026.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20240903-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1027.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1027.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20240708-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1028.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1028.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1030.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1030.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3596 wrote to memory of 1540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 1540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 1540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1540 -ip 1540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 236

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4860 wrote to memory of 932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1

Network


Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 540 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 540 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 540 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 808

Network


Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1025.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1025.dll,#1

Network


Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20241010-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1031.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1031.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1031.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1031.dll,#1

Network


Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1032.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1032.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20241010-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 220

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 620 -ip 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 612

Network


Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20241010-en

Max time kernel

62s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 2900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20240729-en

Max time kernel

14s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 240

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 4192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2996 wrote to memory of 4192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2996 wrote to memory of 4192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 636

Network


Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1026.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1026.dll,#1

Network


Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3300 wrote to memory of 5068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3300 wrote to memory of 5068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3300 wrote to memory of 5068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5068 -ip 5068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 624

Network


Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3808 wrote to memory of 1976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3808 wrote to memory of 1976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3808 wrote to memory of 1976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1976 -ip 1976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 612

Network


Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1028.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1028.dll,#1

Network


Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1029.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1029.dll,#1

Network


Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1030.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1030.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 220

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-10-15 23:46

Reported

2024-10-15 23:49

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1032.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1032.dll,#1

Network


Files

N/A