Malware Analysis Report

2025-06-16 00:52

Sample ID 241105-zlp8bayglr
Target 3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N
SHA256 3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3
Tags credential_access discovery evasion persistence spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10
SHA256 3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3

Threat Level: Known bad

The file 3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N was found to be: Known bad.

Malicious Activity Summary

credential_access discovery evasion persistence spyware stealer

Modifies firewall policy service

Sets service image path in registry

Adds policy Run key to start application

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-05 20:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-05 20:48
Reported 2024-11-05 20:50
Platform win7-20240903-en
Max time kernel 120s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3n.exe = "c:\\users\\admin\\appdata\\local\\temp\\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3n.exe:*:Enabled:SMPN" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wdfmgr\ImagePath = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\wdfmgr = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\regedit.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\windows\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\AdobeLoader.scr C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened for modification \??\c:\windows\mui\olefx.dll C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened for modification \??\c:\windows\mui\rctfd.sys C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File created \??\c:\windows\msrpc.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened for modification \??\c:\windows\msrpc.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened for modification \??\c:\windows\regedit2.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened for modification \??\c:\windows\lsassv.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File created \??\c:\windows\calc.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File created \??\c:\windows\Start Menu\Programs\Startup\AdobeLoader.scr C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File created \??\c:\windows\wdfmgr.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened for modification \??\c:\windows\wdfmgr.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File created \??\c:\windows\lsassv.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened for modification \??\c:\windows\calc.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File created \??\c:\windows\regedit2.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Browser Information Discovery

discovery

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "25930" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Backup\\amd64_microsoft-windows-t..nalservices-runtime_31bf3856ad364e35_6.1.7601.17514_none_3b05f4d3e2a0703c_winsta.dll_4e6f9a4e" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "98765" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "56519" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-nap-oobsha.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5ad997a8f8e6c88d\\msshavmsg.dll.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-w..ewmdrmcompatibility_31bf3856ad364e35_6.1.7600.16385_none_090727b340445c97\\portabledevicewmdrm.mof" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "101757" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Microsoft Office\\Office14\\FORMS\\1033\\SMSL.ICO" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\PolicyDefinitions\\en-US\\CredentialProviders.adml" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a\\apphelp.dll.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "71549" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "88243" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "13978" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "27792" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\servicing\\Packages\\Package_for_KB976902_RTM~31bf3856ad364e35~amd64~~6.1.1.17514.cat" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\FileRepository\\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\\Amd64\\EP0LVRA9.DLL" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWOW64\\wbem\\it-IT\\WmiPerfClass.dll.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "62083" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-diskdiagnostic-adm_31bf3856ad364e35_6.1.7600.16385_none_b8b9f3bcc473892a\\DiskDiagnostic.admx" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_6.1.7600.16385_none_e5e3f53c23550761\\RS_UserWERQueue.ps1" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "89674" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "40405" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "48013" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Common Files\\microsoft shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\onexui.dll" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\it-IT\\notepad.exe.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWOW64\\it-IT\\rasplap.dll.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWOW64\\wbem\\wzcdlg.mof" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_prnca00c.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_928ddfae8716e27f\\CNBBR323.DLL.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\PolicyDefinitions\\StartMenu.admx" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-p..sions-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_194039000e7ad3f0\\PreviousVersions.adml" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-sctasks.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0bb7e1a52cbf32c3\\schtasks.exe.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_wiaca00e.inf_31bf3856ad364e35_6.1.7600.16385_none_9bdaf7e8cb1745bc\\CNFRA6.ICC" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\es-ES\\wshext.dll.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Backup\\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_en-us_05ee2d61d58171a1_dwmcore.dll.mui_ebf60d96" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\FileRepository\\mdmarn.inf_amd64_neutral_fa693d8797766f49\\mdmarn.inf" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\en-US\\napinsp.dll.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWOW64\\it-IT\\irclass.dll.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Backup\\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_accc80812c85f01f_dhcpcmonitor.dll.mui_478a7103" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "9698" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-m..owfilters.kstvtuner_31bf3856ad364e35_6.1.7601.17514_none_8d3b6ca8a0917ca2\\vbisurf.ax" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "76029" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Manifests\\amd64_circlass.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b4b7bd75a240b053.manifest" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\1040\\alinkui.dll" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_cpu.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_53476b155eec25b4\\intelppm.sys.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Office 2010 Tools\\Microsoft Office 2010 Upload Center.lnk" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\Fonts\\RAGE.TTF" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "88435" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Backup\\amd64_microsoft-windows-kernelbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d3dd093ad06026e1.manifest" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "107344" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "14035" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\ja-JP\\about_Comparison_Operators.help.txt" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "11439" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "60303" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "99117" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\PolicyDefinitions\\es-ES\\sdiageng.adml" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\\403-7.htm" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_it-it_42a55ec43db85af9\\adtschema.dll.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "80251" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "106044" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\es-ES\\helppane.exe.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWOW64\\dui70.dll" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "59967" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\servicing\\Packages\\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~hr-HR~7.1.7601.16492.cat" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe

"C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe"

Network

N/A

Files

memory/2096-0-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\msrpc.exe

MD5 9a7abf0b50b262dd799886182413d037
SHA1 7fce224e02e6df3d774f3040110ed53a8afd8fa7
SHA256 daba259cbc55db97e8bcc01848310c02ab44ec34d34db4bab3db5eda96f2456a
SHA512 9e1ed7abb6e9722c0518ccca2c86b73e03b7a15e808623193078a0cf8ef8502a36faea101f0335e1f2d54252d5707301d43cd98808f2836f4999a879b6356191

memory/2096-17-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2096-22-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2096-24-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2096-25-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2096-26-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2096-27-0x0000000000400000-0x0000000000425000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-05 20:48
Reported 2024-11-05 20:50
Platform win10v2004-20241007-en
Max time kernel 120s
Max time network 109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3n.exe = "c:\\users\\admin\\appdata\\local\\temp\\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3n.exe:*:Enabled:SMPN" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wdfmgr\ImagePath = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\wdfmgr = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\regedit.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\mui\rctfd.sys C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File created \??\c:\windows\msrpc.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File created \??\c:\windows\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\AdobeLoader.scr C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened for modification \??\c:\windows\regedit2.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened for modification \??\c:\windows\lsassv.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened for modification \??\c:\windows\calc.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File created \??\c:\windows\regedit2.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened for modification \??\c:\windows\msrpc.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened for modification \??\c:\windows\mui\olefx.dll C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File created \??\c:\windows\calc.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File created \??\c:\windows\Start Menu\Programs\Startup\AdobeLoader.scr C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File created \??\c:\windows\wdfmgr.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File opened for modification \??\c:\windows\wdfmgr.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
File created \??\c:\windows\lsassv.exe C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DSCResources\\en-US\\RunAsHelper.strings.psd1" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "88452" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\de-DE\\wvmbus.inf_loc" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "70997" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-onecoreua..uetooth-userservice_31bf3856ad364e35_10.0.19041.746_none_e6778e5b0114e5b0\\HeadphoneSystemToastIcon.png" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\Help\\mui\\0C0A\\odbcjet.chm" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "63415" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "33986" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "88069" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "30508" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "43068" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SystemApps\\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\\23\\emulation\\remote\\emulationRemote.bundle.js" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-filehistory-core_31bf3856ad364e35_10.0.19041.264_none_92ee62a6d5b1c18a\\fhsrchapi.dll" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "96458" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "22831" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-i..codepage-additional_31bf3856ad364e35_10.0.19041.1_none_0b4e711bdf4c1580\\C_10004.NLS" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_th-th_af6ca232f6e1fb8e\\msimsg.dll.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "95846" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "99659" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_dual_mdmaiwa4.inf_31bf3856ad364e35_10.0.19041.1_none_8b2bc56009ca6d1b\\mdmaiwa4.inf" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-d..ice-winrt.resources_31bf3856ad364e35_10.0.19041.1_en-us_8ee8b15ed97272d5\\Windows.Devices.PointOfService.dll.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\servicing\\Packages\\Microsoft-Windows-PhotoBasic-Feature-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\images\\checkmark_selected.svg" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\PolicyDefinitions\\it-IT\\Kerberos.adml" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\es-ES\\net8192su64.inf_loc" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "68128" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "10502" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "34872" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "14213" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\PolicyDefinitions\\fr-FR\\PeerToPeerCaching.adml" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Invite or Link.one" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "22901" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\es-ES\\SensorsServiceDriver.inf_loc" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "68237" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "68785" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "84654" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\\oobe-footer-vm.js" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "89173" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "21934" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\en-US\\rndiscmp.inf_loc" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "56869" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "74265" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "4629" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "81950" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-b..t-strings.resources_31bf3856ad364e35_10.0.19041.1_en-us_d3c612fa621c9f6a\\bootstr.dll.mui" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_dual_ntprint4.inf_31bf3856ad364e35_10.0.19041.746_none_284758abe10778d6\\Amd64\\V3HostingFilter-pipelineconfig.xml" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "52493" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "65508" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "82670" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "47448" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "13803" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "30664" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "52856" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SystemResources\\Windows.UI.Shell\\Images\\TabletMode.scale-100.png" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\\Assets\\GetStartedAppList.targetsize-60_contrast-black.png" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "76402" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "73114" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-n..-backgroundtransfer_31bf3856ad364e35_10.0.19041.746_none_e9de70883cc6c1ef\\f\\Windows.Networking.BackgroundTransfer.dll" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "26780" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "23146" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ja-JP\\resource.xml" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "31788" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "105390" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "16716" C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe

"C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4068-0-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\msrpc.exe

MD5 25e6fc4beb10cd7ebc3bddc9af889b9f
SHA1 68bb24ba14860d2540a8bbdcb15e97a924fb102d
SHA256 ab1cd7f403714010f5540fabdfdb43835def2d6463141173c76b602d8d1e73ea
SHA512 a8fdfbd9363e372341c04e776e5180e3abbb652172145ef4a265c52f93efc71ec40c18f0376e33e0e7079d4e0d3986693914bbf13252340d6e135e56f70a53c3

memory/4068-17-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4068-21-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4068-26-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4068-27-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4068-29-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4068-30-0x0000000000400000-0x0000000000425000-memory.dmp