Analysis Overview
SHA256
3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3
Threat Level: Known bad
The file 3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Sets service image path in registry
Adds policy Run key to start application
Reads user/profile data of web browsers
Credentials from Password Stores: Windows Credential Manager
Adds Run key to start application
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
Modifies registry class
Suspicious use of FindShellTrayWindow
Analysis: static1
Detonation Overview
Reported
2024-11-05 20:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 20:48
Reported
2024-11-05 20:50
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3n.exe = "c:\\users\\admin\\appdata\\local\\temp\\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3n.exe:*:Enabled:SMPN" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wdfmgr\ImagePath = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\wdfmgr = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | \??\c:\windows\SysWOW64\regedit.exe | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
Drops file in Windows directory
Browser Information Discovery
Modifies registry class
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe
"C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe"
Network
Files
C:\Windows\msrpc.exe
| Hash | Value |
|---|---|
| MD5 | 9a7abf0b50b262dd799886182413d037 |
| SHA1 | 7fce224e02e6df3d774f3040110ed53a8afd8fa7 |
| SHA256 | daba259cbc55db97e8bcc01848310c02ab44ec34d34db4bab3db5eda96f2456a |
| SHA512 | 9e1ed7abb6e9722c0518ccca2c86b73e03b7a15e808623193078a0cf8ef8502a36faea101f0335e1f2d54252d5707301d43cd98808f2836f4999a879b6356191 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 20:48
Reported
2024-11-05 20:50
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
109s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3n.exe = "c:\\users\\admin\\appdata\\local\\temp\\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3n.exe:*:Enabled:SMPN" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wdfmgr\ImagePath = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\wdfmgr = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | \??\c:\windows\SysWOW64\regedit.exe | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
Drops file in Windows directory
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
Modifies registry class
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_th-th_af6ca232f6e1fb8e\\msimsg.dll.mui" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "95846" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "99659" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_dual_mdmaiwa4.inf_31bf3856ad364e35_10.0.19041.1_none_8b2bc56009ca6d1b\\mdmaiwa4.inf" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-d..ice-winrt.resources_31bf3856ad364e35_10.0.19041.1_en-us_8ee8b15ed97272d5\\Windows.Devices.PointOfService.dll.mui" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\servicing\\Packages\\Microsoft-Windows-PhotoBasic-Feature-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\images\\checkmark_selected.svg" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\PolicyDefinitions\\it-IT\\Kerberos.adml" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\es-ES\\net8192su64.inf_loc" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "68128" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "10502" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "34872" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "14213" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\PolicyDefinitions\\fr-FR\\PeerToPeerCaching.adml" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Invite or Link.one" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "22901" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\es-ES\\SensorsServiceDriver.inf_loc" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "68237" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "68785" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "84654" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\\oobe-footer-vm.js" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "89173" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "21934" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\en-US\\rndiscmp.inf_loc" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "56869" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "74265" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "4629" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "81950" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-b..t-strings.resources_31bf3856ad364e35_10.0.19041.1_en-us_d3c612fa621c9f6a\\bootstr.dll.mui" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_dual_ntprint4.inf_31bf3856ad364e35_10.0.19041.746_none_284758abe10778d6\\Amd64\\V3HostingFilter-pipelineconfig.xml" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "52493" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "65508" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "82670" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "47448" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "13803" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "30664" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "52856" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SystemResources\\Windows.UI.Shell\\Images\\TabletMode.scale-100.png" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\\Assets\\GetStartedAppList.targetsize-60_contrast-black.png" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "76402" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "73114" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-n..-backgroundtransfer_31bf3856ad364e35_10.0.19041.746_none_e9de70883cc6c1ef\\f\\Windows.Networking.BackgroundTransfer.dll" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "26780" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "23146" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ja-JP\\resource.xml" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "31788" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "105390" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "16716" | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe
"C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4068-0-0x0000000000400000-0x0000000000425000-memory.dmp
C:\Windows\msrpc.exe
| MD5 | 25e6fc4beb10cd7ebc3bddc9af889b9f |
| SHA1 | 68bb24ba14860d2540a8bbdcb15e97a924fb102d |
| SHA256 | ab1cd7f403714010f5540fabdfdb43835def2d6463141173c76b602d8d1e73ea |
| SHA512 | a8fdfbd9363e372341c04e776e5180e3abbb652172145ef4a265c52f93efc71ec40c18f0376e33e0e7079d4e0d3986693914bbf13252340d6e135e56f70a53c3 |
memory/4068-17-0x0000000000400000-0x0000000000425000-memory.dmp
memory/4068-21-0x0000000000400000-0x0000000000425000-memory.dmp
memory/4068-26-0x0000000000400000-0x0000000000425000-memory.dmp
memory/4068-27-0x0000000000400000-0x0000000000425000-memory.dmp
memory/4068-29-0x0000000000400000-0x0000000000425000-memory.dmp
memory/4068-30-0x0000000000400000-0x0000000000425000-memory.dmp