Analysis Overview
SHA256
8257389d6264742d414404beaaaac869336c91f9f9af1e31ee081aa6e7857f3c
Threat Level: Shows suspicious behavior
The file dia-setup-0.97.2-2-unsigned (1).exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
Drops file in Program Files directory
Unsigned PE
One or more HTTP URLs in PDF identified
System Location Discovery: System Language Discovery
Enumerates physical storage devices
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
Modifies registry class
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:03
Signatures
One or more HTTP URLs in PDF identified
Unsigned PE
NSIS installer
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20240903-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\hh.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\hh.exe | N/A |
| N/A | N/A | C:\Windows\hh.exe | N/A |
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\fr\dia-manual.chm
Network
Files
memory/2348-16-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20241010-en
Max time kernel
8s
Max time network
20s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2660 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2660 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2660 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2660 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2660 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2660 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2660 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-icns.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-icns.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
132s
Max time network
159s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 60 wrote to memory of 3036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 60 wrote to memory of 3036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 60 wrote to memory of 3036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-jpeg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-jpeg.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
137s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\hh.exe | N/A |
| N/A | N/A | C:\Windows\hh.exe | N/A |
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\fr\dia-manual.chm
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
152s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1124 wrote to memory of 1608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1124 wrote to memory of 1608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1124 wrote to memory of 1608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll,#1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20240903-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2388 wrote to memory of 2516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2388 wrote to memory of 2516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2388 wrote to memory of 2516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2388 wrote to memory of 2516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2388 wrote to memory of 2516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2388 wrote to memory of 2516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2388 wrote to memory of 2516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-jpeg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-jpeg.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\eu\dia-manual.pdf"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E3D768DD3863B2A31534F9D1ACA5446E --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C748B7185E57F3EBA04AD3BB266ECBA5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C748B7185E57F3EBA04AD3BB266ECBA5 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3C6C825D4102BCB3855693633BA45AF6 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=50B2FACD009B9532976F15CE9A83873B --mojo-platform-channel-handle=1944 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F316EE0BC64A842F93E41447D4D68A56 --mojo-platform-channel-handle=2480 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5DB7F682F6156A83F15BCBD169459503 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5DB7F682F6156A83F15BCBD169459503 --renderer-client-id=7 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job /prefetch:1
Network
Files
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 65a4e61a77963a5054054e2afe5af9c8 |
| SHA1 | 8f194ca6db0e9e174734e5f4d9d8fcd1aea24980 |
| SHA256 | 785c0c8cbc6098d136d0463ca973669f32dc96d348bf68ff0a6ec18b6be272ca |
| SHA512 | 260db5b51fc20b6455acf256cb0a0a03d96fdae18a53e674d1a1ddc56344d85f21d3dcef7ce0de4be87203ef5cda7736b2ea976bd608440af5796fb61e5c7aa9 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20240903-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2480 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2480 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2480 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2480 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2480 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2480 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2480 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-gif.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-gif.dll,#1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3700 wrote to memory of 3512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3700 wrote to memory of 3512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3700 wrote to memory of 3512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-icns.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-icns.dll,#1
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20240903-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2084 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-pcx.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-pcx.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20240903-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Processes
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\fr\dia-manual.pdf"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 6aca654ba8c2b85cf5f54314185161aa |
| SHA1 | 2a6c7f8a406749d8a9eadee9d7bf8f8f5c82de29 |
| SHA256 | fd19f5bc1296c061d7804d416a44925283e77fade7ba81ef0b9fc2a4328cce2c |
| SHA512 | f2ac9449d2c09da5bd421c5a330b1ee50b781bb486b1a0caf67c25a60132f05537a73b868f82c71c7b5242b8a982ade89ef33238c8177d85b13877027e3940bc |
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
147s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\pl\dia-manual.pdf"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A9517C5E50A84B681E4DDFD1A62DA8C4 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=84656632FFB2CD46AFFC342399DB43B9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=84656632FFB2CD46AFFC342399DB43B9 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C4490B7BFB523CB0B98D30E69C454D9F --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B046108F9EEA08AF2D2E8EB5A5A7B042 --mojo-platform-channel-handle=1880 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=66A3A88520A95AC56941AFBBF3CD6D65 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=66A3A88520A95AC56941AFBBF3CD6D65 --renderer-client-id=6 --mojo-platform-channel-handle=2140 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4C254B66078C7C2C5BB3CB19AB3431E6 --mojo-platform-channel-handle=2672 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
Files
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 8c629d66b264ee4d61cd815b3236c086 |
| SHA1 | 81ffd2608d8b468da37c4587bfdaee9885d3f88f |
| SHA256 | 1e494737c20c61e11962426ace6884de7f3bc7c5dca48aa5ee13d0abc89cb91c |
| SHA512 | f52dde9d4cbb40518b23d8f94778b12e9cf258500d546fb9ddb4badfe716c3e536773ceb97350009495575f6d2799cf1c871b212c96a70e74b7ec71b52f466d3 |
memory/4256-121-0x00000000093D0000-0x000000000967B000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4488 wrote to memory of 1556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ani.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ani.dll,#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20241023-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2824 wrote to memory of 2920 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-png.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-png.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20240708-en
Max time kernel
137s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Dia\bin\diaw.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Dia\shapes\Electric\vcommand.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Pneumatic\cnx.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\share\locale\be@latin\LC_MESSAGES\glib20.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\share\locale\mi\LC_MESSAGES\gtk20-properties.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Circuit\vinductor_de.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\server_with_pc_router.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cybernetics\factor-greater1.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\intelliswitch_stack.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\woman_blue.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\sheets\network.sheet | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\share\locale\eu\LC_MESSAGES\gtk20-properties.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\lib\locale\ja\LC_MESSAGES\atk10.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\BPMN\Intermediate-Event-Rule.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\100baset_hub.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\firewall_subdued.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\share\locale\pt\LC_MESSAGES\gtk20-properties.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\share\locale\uz\LC_MESSAGES\gtk20.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File opened for modification | C:\Program Files (x86)\Dia\shapes\network\printer.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\share\locale\et\LC_MESSAGES\gtk20-properties.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\share\locale\ta\LC_MESSAGES\gtk20.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\communications_server.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\edge_label_switch_router_with_netflow.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\flowchart\document.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\share\locale\pt_BR\LC_MESSAGES\glib20.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\sonet_mux.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\locale\kn\LC_MESSAGES\dia.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\share\locale\pl\LC_MESSAGES\glib20.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Map\Isometric\Tree1.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\bin\libpng14-14.dll | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Circuit\lamp_de.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\mux.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\university.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\sheets\cisconetwork.sheet | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\lib\locale\or\LC_MESSAGES\atk10.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\dpt.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\workgroup_director.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\network\patch-panel.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\multilayer_switch.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\router_in_building.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\stp.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File opened for modification | C:\Program Files (x86)\Dia\shapes\Contact\l_outnot.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Gane_and_Sarson\process.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\BPMN\Group.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\ChemEng\airforced.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\ata.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\pad.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\jigsaw\part_ioio.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\sheets\UML\eventsink.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Map\Isometric\Train2.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\samples\Visio\vdxtosvg\animation_tests.svg | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\locale\sv\LC_MESSAGES\dia.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Assorted\triangle-isoceles.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\government_building.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\laptop.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\BPMN\Intermediate-Event-Link.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\accesspoint.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\share\locale\en_GB\LC_MESSAGES\gtk20.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\share\locale\zh_CN\LC_MESSAGES\gtk20.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\cddi_fddi_concentrator.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\vn2900.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\samples\self\dia-linux-2.dia | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\atm_switch.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File opened for modification | C:\Program Files (x86)\Dia\shapes\Pneumatic\comspr.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\jigsaw\part_ooio.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Dia\bin\diaw.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t dxf \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.dia\Content Type = "application/dia" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm\ = "Create CGM image" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng\ = "Create PNG image" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.dia\ = "diaFile" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf\ = "Create Windows Meta File" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps\ = "Create EPS file" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t hpgl \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t shape \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex\ = "Create TeX PSTricks macros" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t wpg \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf\ = "Create DXF drawing" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\ = "diaFile" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\EditFlags = 00000100 | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t mp \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t png \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t svg \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape\ = "Create dia shape" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t cgm \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp\ = "Create TeX Metapost macros" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl\ = "Create HPGL file" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\dia-win-remote.exe\" diaw.exe --integrated \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.dia | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t eps \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg\ = "Create SVG image" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t wmf \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\DefaultIcon\ = "C:\\Program Files (x86)\\Dia\\etc\\dia-diagram.ico,0" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t tex \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg\ = "Create WPG image" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig\ = "Create XFig drawing" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t fig \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
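The `Shell\<verb>\command` values in the table above are the part worth auditing by hand: each one is the string Explorer hands to CreateProcess when a `.dia` file is opened or a context-menu verb is used, so an unquoted image path (CreateProcess tries `C:\Program.exe` first) or an unquoted `%1` is a hijack or argument-splitting hazard independent of whether the installer is otherwise benign. The Python below is an added example, not part of this report or of the Dia project: it reads rows in the report's own table format, undoes the report's C-style escaping, and flags a handler whose executable is unquoted, lives outside Program Files or Windows, or passes `%1` unquoted. The `diaFile` rows are copied from the table above; the `exampleFile` row is constructed to show a failing case, and the trusted-root list is an assumed policy for the example.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Rows copied from the "Modifies registry class" table above, plus one
# constructed row (progid exampleFile, not from the report) that shows what a
# hijackable handler looks like.
REPORT_ROWS = r'''
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t hpgl \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\dia-win-remote.exe\" diaw.exe --integrated \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\DefaultIcon\ = "C:\\Program Files (x86)\\Dia\\etc\\dia-diagram.ico,0" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exampleFile\Shell\open\command\ = "C:\\Users\\Public\\tool.exe %1" | constructed.exe | N/A |
'''

# Assumed policy for this example: a handler may only launch images under these roots.
TRUSTED_ROOTS = ('c:\\program files\\', 'c:\\program files (x86)\\', 'c:\\windows\\')

# ...\Classes\<progid>\Shell\<verb>\command is the value Explorer hands to CreateProcess.
COMMAND_KEY = re.compile(r'\\Classes\\([^\\]+)\\Shell\\([^\\]+)\\command\\?$', re.IGNORECASE)


class Handler(NamedTuple):
    progid: str
    verb: str
    command: str
    exe: str
    findings: tuple[str, ...]


def unescape(raw: str) -> str:
    # The report prints values C-style: surrounding quotes, \" for a quote, \\ for a backslash.
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r'\\(.)', r'\1', raw)


def parse_rows(text: str):
    """Yield (registry key, decoded value) for every 'Set value' row; other rows carry no value."""
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip('|').split('|')]
        if len(cells) < 4 or ' = ' not in cells[1]:
            continue
        key, raw = cells[1].split(' = ', 1)
        yield key, unescape(raw)


def split_executable(command: str) -> tuple[str, bool]:
    """Mirror CreateProcess lexing: a leading quote delimits the image path, otherwise
    the path ends at the first space (which is why unquoted paths with spaces are hijackable)."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]), True
    return command.split(' ', 1)[0], False


def audit_rows(text: str) -> list[Handler]:
    handlers = []
    for key, command in parse_rows(text):
        m = COMMAND_KEY.search(key)
        if not m:
            continue  # DefaultIcon, friendly names and similar are not launch commands
        exe, quoted = split_executable(command)
        findings = []
        if not quoted:
            findings.append('executable path not quoted')
        if not exe.lower().startswith(TRUSTED_ROOTS):
            findings.append('executable outside trusted roots')
        if '%1' in command and '"%1"' not in command:
            findings.append('%1 not quoted')
        handlers.append(Handler(m.group(1), m.group(2), command, exe, tuple(findings)))
    return handlers


if __name__ == '__main__':
    for h in audit_rows(REPORT_ROWS):
        print(f'{h.progid}\\shell\\{h.verb}: {h.exe} -> {", ".join(h.findings) or "ok"}')
```

Run against the report's own rows, every `diaFile` verb comes back clean: the image path is quoted, sits under `C:\Program Files (x86)\Dia\bin`, and `%1` is quoted. Only the constructed `exampleFile` row is flagged, on all three counts.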
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe
"C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.bat"
C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe
.\gdk-pixbuf-query-loaders.exe
C:\Program Files (x86)\Dia\bin\diaw.exe
"C:\Program Files (x86)\Dia\bin\diaw.exe" --integrated
Network
Files
\Users\Admin\AppData\Local\Temp\nse907.tmp\LangDLL.dll
| MD5 | 9384f4007c492d4fa040924f31c00166 |
| SHA1 | aba37faef30d7c445584c688a0b5638f5db31c7b |
| SHA256 | 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5 |
| SHA512 | 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf |
\Users\Admin\AppData\Local\Temp\nse907.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\nse907.tmp\ioSpecial.ini
| MD5 | 63432dea8a90abb8e3f2655f8af7be00 |
| SHA1 | 64df68c0014bc2baa7faa1b8e3c9579f744a4a2f |
| SHA256 | ced3fc554eb3d298044d1420dc16b845dde5f5f12f894d8f1bad03eb88a20e05 |
| SHA512 | d0fe1e9a90f69fa2e3f50ea2fc98caf42572d95e4cdac807f4c82f00eb9b1963cde90185ec00822487e1f73e915921ff9319e526c035f2208bb7accb323b67aa |
\Users\Admin\AppData\Local\Temp\nse907.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Program Files (x86)\Dia\shapes\Electric\contact_f.png
| MD5 | 769418c2c959df0b58fc44990ab35678 |
| SHA1 | 8216cce7f9dd359c0397254d08b34c9bbf9f0cf2 |
| SHA256 | f4b982b8bd1d14eeec01f2ba81f386b1c7531defa20ab33b93ff4c24222edcdb |
| SHA512 | 38657ed89144d7ce9f11af432fbdfda0241d348f02385178277b5e02a3b42650c108a7797b277fd9743bf9e03cbb250ad7f1576e499924508c08c9de2d8465c3 |
C:\Program Files (x86)\Dia\shapes\Electric\relay.png
| MD5 | de2be0dc706d9521593a56790d41ddbd |
| SHA1 | eb04b193530b90cd0dd0a30bf79a453e26a31adc |
| SHA256 | 38c878c60763942773e08b416d7a57ce4d839618098e0c08f509e6b5c9c0918f |
| SHA512 | 064da4939d0a3a01203552e46b9d9fb1031b89cea7aa19c76c724945ebb656f25d28b83fc1c4c05af126b98981b84fc99d702fea9f729385de0fc6bdbe52795b |
C:\Program Files (x86)\Dia\shapes\Pneumatic\cnx.png
| MD5 | a46b4391b54836f4eb77d13a3dc1b6fd |
| SHA1 | 7287b898fcf189eccb3657eb80e66f3cc496b501 |
| SHA256 | e25947afe63d6c7297934995d5d19315e7dea452804e4dd20f1c0f803693851d |
| SHA512 | ae54933dc85794ad25fc4934586a6e563fb3b1175955c0c0fdf01b870ce01b122599651f299fd01074dba628f09dd82b1c1b70964c576a9f6a10179abe399cdb |
C:\Program Files (x86)\Dia\sheets\Jackson\designed_domain.png
| MD5 | 232e5acd595bedf4ff623d0190dd9c1f |
| SHA1 | 19f4777cc146d2c44388a74f0c2c44cb2782d92c |
| SHA256 | e344612fc4418b2517b9743e397e628f0ff6d598e779e0e42eb07489f9e9c825 |
| SHA512 | ed006138ebc51eaa5bd2b8f862b4e54dd9bdfefe77c6a0165d600ace0d06673759c7fa476ca61f750f053ff1012f9116171dd17529e251173fe7852a7f0fc6ab |
C:\Program Files (x86)\Dia\bin\libtiff3.dll
| MD5 | cfd09d054747280ed660ef7d79d0d443 |
| SHA1 | a27dd167551e19ac15adb035608a3ed6a94c15de |
| SHA256 | 373a9d90cc37a365e0e22c3efe35f14924f33ff6d778ddccb1603093468abf25 |
| SHA512 | b477f033784ceb084a2a383af784937a28b823e550d53e6bc90516f33e3521aeb54416796f6188c72e7a407ebd61673bd09956c50bd5eda8056065099d6417aa |
C:\Program Files (x86)\Dia\bin\libxml2.dll
| MD5 | 7ee993251d55a2eab74340d27ff82260 |
| SHA1 | 15975f2aaf1dab31a7b22af068b531d806bf337e |
| SHA256 | 20e6d1109016042147a058f5ec45f0bcd58c290a89380e4d9ec467e98f0d99ca |
| SHA512 | b9c1bf31272dda582ec05d4bd7dd4575962d4c7ac13867785104866cd42b481320368fd9a7a36ae2ebea38edc726e48ceeaa3d33bd70020fbff9afa64d561f05 |
\Users\Admin\AppData\Local\Temp\nse907.tmp\nsExec.dll
| MD5 | acc2b699edfea5bf5aae45aba3a41e96 |
| SHA1 | d2accf4d494e43ceb2cff69abe4dd17147d29cc2 |
| SHA256 | 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e |
| SHA512 | e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe |
C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.bat
| MD5 | 79f54de0035d4e7431f3ca60a907f0a1 |
| SHA1 | bc273d1ea3227a445b86458cc335a72e3221ac85 |
| SHA256 | 9f040e3e3241fc600cbe21bd72eaec40a455a99f02d8829a801683037907e3cc |
| SHA512 | 5c03fcd4c6a65dbdfd707776450946051e2fe3b3df99b4d033515751b2e2062253bb4c208d07c1bfaf70c733c874dcc5c1e1517acb0a0a42f370c1d0608e193d |
C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe
| MD5 | 5792bf1e8e2ebc1f00bbd6cbd19dad06 |
| SHA1 | f679aa2befee24305fc1fae7b42bfce7b81c6ad8 |
| SHA256 | 58d880f065930a7a90ffb3a2cd964ab3b02c9a858fe5da880e152a2e1e9bc956 |
| SHA512 | bed5097a2adae3d3772203825ff62dfe2dd57dfc854837647fd61b83153420ebe44d45b7fdb9a24820ebeae5ba0c499012f0ae064ee5b54ed73e5a7d41431c3a |
C:\Program Files (x86)\Dia\bin\libglib-2.0-0.dll
| MD5 | 18e88b04da123bf05b07ff60a4e96654 |
| SHA1 | f46cd8411e579da9f31749809a5707fecb28b7db |
| SHA256 | c0f35b0e5f9b25f36bf9ef885a8135e7dcdb77d425f8ac88124d90cf2bf32fde |
| SHA512 | 735158b60194205c6262dae0689599babdc2bd0e10d0d6a71c1e1c56695caf432b207e439b5f84a3995c2d8aef3ab26706cf796848c0af0ddd340d388a76f1d4 |
C:\Program Files (x86)\Dia\bin\intl.dll
| MD5 | eb2d4c4d4a527bc88a69a16cc99afcf5 |
| SHA1 | b326ec4919e1ec9595c064b24853b1e6b71530a3 |
| SHA256 | 682d4277092472cac940558f9e679b44a6394159e49c9bbda299e33bfc6fdc92 |
| SHA512 | 009f31cd68a87a40aef4be07af805ab50fac03f4c621144b170d9d3313b1b6a73415f6dd878b048f85afc1b662659a88e4cc89e9a8c76f631f6f1b79d57fd0b0 |
C:\Program Files (x86)\Dia\bin\libgmodule-2.0-0.dll
| MD5 | b0b2396fc6413016a45a5e8ca2ea8152 |
| SHA1 | d9d2311d1619c1f51b406fee1a17529d3de21124 |
| SHA256 | 1e2332ed84bb447fe814e9201effe88e682fd9b2da89e2b1a27aef1c786b6589 |
| SHA512 | 496c8d905a481c3bcacee2a54e0a27cb8605a62d36668dbb61dbb4e23fecb83efe92c4cbb16df0b7276f8938cb66879dddff03c4fca50ca5dd504814982041c8 |
C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ani.dll
| MD5 | ad674e2d99f06c4f81491b287d454400 |
| SHA1 | 538b92c8850deb9c1a348f713671221daef58b47 |
| SHA256 | a0b7226efb9dfce34a7c90f0e91c8b31555c9bbd58c19ac8c761598233fd462e |
| SHA512 | ddd902d5f5a57e6cde20f18645f4f8a81ca81ea7a3f76b51a98303b2415bdddbe37a5cb6cf21becff71d2f359a5de0804336b130be45b7b32ede0b7057737e88 |
C:\Program Files (x86)\Dia\bin\libgdk_pixbuf-2.0-0.dll
| MD5 | e4c64b0e7e4c6606f3973a16c0c1ee84 |
| SHA1 | 0e369ad075b58c09e7c17796797993d67d5a12de |
| SHA256 | c8ff2373d4c261fcd6525a826dbc736d347ae10168490a7a7fc837e76329afc1 |
| SHA512 | 4fecda9d9f7f3b6316026d8cd507fae32556c40bed27d1fa8c3e7ba4a247ed9a41ad8dd2ee817a1e76afa3788f2484db8227f53148db2f54f7ba53284bb35377 |
C:\Program Files (x86)\Dia\bin\libgio-2.0-0.dll
| MD5 | ea1263fb4c2230284f3e30c446bfea6b |
| SHA1 | 8118780cf010f3bc1eb2323cb6c2bef4a548ef65 |
| SHA256 | 433d3c2f00fda700fc6353e1af600937a42407b6f2467aa41bd825e96a79c464 |
| SHA512 | 48784c89389440c1cacea3d7b70e5a0663474fadf634209cc1c3a8065a2b8aa2884d0ca224e784b693501db436a171b4e0660a051371fe66d1e5cb00a8e296ef |
C:\Program Files (x86)\Dia\bin\libgobject-2.0-0.dll
| MD5 | 356d697647a480562c4e2e921b13f8ed |
| SHA1 | 1218243c9b4e8e6fabcc5f2eac1adb78002b01c2 |
| SHA256 | 75b4e8a0757f7db26ef195f3c5e2da5770d95c3af081c2cdae0ec15b460aa9ea |
| SHA512 | 4ef4ad1648f508cb3ad5ab446196d351219a28083df096353a343b81a6d699691bb8a77158a6085d00d4c9eae408a0193dac7e3b806156d62bb6ee552dc8095a |
C:\Program Files (x86)\Dia\bin\libgthread-2.0-0.dll
| MD5 | 7ad6f303082b382bff7bafbab246c61f |
| SHA1 | 8d94c4d4b0633a80e28504a3c694dd2bae252854 |
| SHA256 | ee2e8485fdbfb2c5626099ccafcdc41ac60414dffd5c6c3befaf786634baf5c3 |
| SHA512 | eee840f217ff65b22efd16e78fb898990116efdfb6ee1cbf9d9fb64b9f3209f18860f6477c1df60352fb242671d973dcac043134748f823d210fc393ed4e2598 |
C:\Program Files (x86)\Dia\bin\zlib1.dll
| MD5 | d90dad5eea33a178bac56fff2847d4c2 |
| SHA1 | cbbce727fd8447487c7fc68051b24df17d043649 |
| SHA256 | 104162a59e7784e1fe2ec0b7db8836e1eb905abfd1602a05d86debe930b40cbf |
| SHA512 | 8dbe57e32554d049a0779c40645dfbad2eaa1eeaf746898cd44f8686265f1fd4f84d6f857ba40644294d817d5c5eab6ba6271df55c56047fd16c10b8478184eb |
C:\Program Files (x86)\Dia\bin\libpng14-14.dll
| MD5 | ec778df2faa455daf5d2c5e20f5198e2 |
| SHA1 | 44adb4d80e7728dc35617ed3801b528b720698c4 |
| SHA256 | 8005a9aacc2b47a064d5e1d18d7ca5d1b28cc19b49dec0a888ede1cc970d4395 |
| SHA512 | cb0c484ba1237fd49ecdaabd865d2034bed200b37913cbe891ad3b6a27ae4ad6dbdb8d3db7ad46fbd68e5ca0d4cb4af9d7f528309ad356477abcc230b357b502 |
C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll
| MD5 | a6b653293267cc2a2c7137f6b1e82d85 |
| SHA1 | a86d19b1385fdd822dda8081fcfb511cc96b7871 |
| SHA256 | 2240e5ca17355e2ccb3915f6ed905af4346e9a0cb5174f840faec1b5aa5ffa87 |
| SHA512 | 85039b9f79eab0343067620dfe1a7581476e55a8a78ba9db656bbfc4f28d9bb69832180fcee44ff4918059dcf21db460386c2d2f131a29ecb1157a265e641f55 |
memory/2156-2462-0x0000000000410000-0x0000000000444000-memory.dmp
C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-gif.dll
| MD5 | a762b54e2fedd949efc9f0e73326ed97 |
| SHA1 | 379d03aab3558b49c53de54eff46b41c4334cba5 |
| SHA256 | 28d2dc3fe8a66f1937ce722766c8f5416d8b282bb3f53affeaa2b05fbdfd6c27 |
| SHA512 | 78d865d762ed560670acaac9f7cbb760865335b3cad7fcbb9db23784cd3fc57051ec27c658f266d90257b166529bfea1deb7d8507c38a8c3cbfbf2792a9964df |
C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ico.dll
| MD5 | b53255ccd3a0174b6f14fbdfe1b3b3c4 |
| SHA1 | 5bf6460a14c61e89eb37361ba93f227074f5e4e0 |
| SHA256 | 18e97911fbc619d31a95e58a2511a4b14d75c58cf0a22757e0f44f18f1b9248e |
| SHA512 | 29deb6d6ff70042b0a2a1d7552b037390c194a38d115d9bf4b1f8f7979ba393ab88c62fd47214d68646a749028173943082671a81b92ecafe1285c479d62982a |
memory/2156-2485-0x0000000000410000-0x0000000000434000-memory.dmp
\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-icns.dll
| MD5 | 0fa7b2f79527f58b40c6e6a773d8ad97 |
| SHA1 | 8c4d24b466e86736bc325b5d096f6588060b85a3 |
| SHA256 | 220e32d68f36fc09e73c8e0302541967ecd15976c62f472481a1fc24892f96d1 |
| SHA512 | d49f4870c59bb419c7033f50314a8b46f9e08d6fb6b72a63910fd8e5695b6233ea2a132940907d66bc5a98ebc14248d08be35d167139fedf72e902013a9dce07 |
memory/2156-2486-0x0000000002300000-0x0000000002411000-memory.dmp
memory/2156-2491-0x000000006DD00000-0x000000006DD0D000-memory.dmp
memory/2156-2490-0x000000006A300000-0x000000006A323000-memory.dmp
memory/2156-2489-0x00000000685C0000-0x00000000686C6000-memory.dmp
memory/2156-2488-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Program Files (x86)\Dia\locale\ja\LC_MESSAGES\dia.mo
| MD5 | 2fb460a8a948fc6478ebf4e9e2c24163 |
| SHA1 | cbe7bbd206039820bc459b0d211264f328a37207 |
| SHA256 | 1116fa099fd52a30099b01cce44cd24747eb565722815b003cb2cb3910b943c0 |
| SHA512 | 5c132bc07ffe0c6954f29ca5c9447a96b35a20addb8ed7f1aa4cbcaf077ed9105a58758b49a21cf339175669f526767afd38ba7db6bf7f17d7f189a003cf0b43 |
C:\Program Files (x86)\Dia\share\locale\da\LC_MESSAGES\glib20.mo
| MD5 | 27563cfa1d0d54d358bd621b4b2d71dd |
| SHA1 | f8a704a0bed7407634d8d9347b5e7edfbf081460 |
| SHA256 | c67bff3405528f2daaf7ec10dfc4d95766326b44c39ca0b22d6d6666e9e1b103 |
| SHA512 | cb2097cf0b4935c406789c349d52bc17c885042d43ee3f084e70933ea531c2f885d817284569cd64f920c6f44e62fad2f040692022968e4585d57ed7f6410960 |
C:\Program Files (x86)\Dia\share\locale\el\LC_MESSAGES\gtk20-properties.mo
| MD5 | 8cd537c1d83b8ab58d6f421b56833e6d |
| SHA1 | f22df4559e1c6d5793db6cb7bcd4ac9459b3de63 |
| SHA256 | fef8013bc9494a22c7d06dfd9975308f1ea2e62054eaa14cd0e568c42bc2b309 |
| SHA512 | 3a8ad64739952a21f86a88ced51fe8ff598e2e9a7bada3f7ccc223a6a7580a82b588e76456ea2d36af73f264d6c87ef715e6aca085415f14ec60488bbb49b4dc |
C:\Program Files (x86)\Dia\share\locale\eu\LC_MESSAGES\gtk20-properties.mo
| MD5 | ce88da280f2cbb87b977839ece9f0a38 |
| SHA1 | 5788bf9043d9308992da1b296ba2ab43b435766b |
| SHA256 | b66a2dfc04193aa54e79bd6f981ba895f35d851e66eacca8fffede391712f1bd |
| SHA512 | 656449807e5093ef79834013d2e292e3ade64869b72a09949bedc73765c6951e2f32a33d06349cf9124f252d4a852ac16ca51ed4f4d382acd272ef99e134200a |
C:\Program Files (x86)\Dia\share\locale\gl\LC_MESSAGES\gtk20.mo
| MD5 | b76be150f5aa94ac070dbf03460dfa79 |
| SHA1 | 56aa41644c1a11a55163e5d00c461ac304823f65 |
| SHA256 | 68505c7dc0a89584b12a9e15b17e0bd370b30868f5184d18e10f4d0713c51481 |
| SHA512 | 67f2343e3687793a404ff875c07a4e469940bcf01881a6e566dbd2e0f9c0f3945a5112af90dcdb1422a24b396570ce67c37cee8ee58f2796366f6878a40bcfb7 |
C:\Program Files (x86)\Dia\share\locale\lt\LC_MESSAGES\gtk20.mo
| MD5 | 037b1adba1507f1374252c07430e4443 |
| SHA1 | 922090038a62bdcf1a3db6a2f24e133cac4e4e54 |
| SHA256 | 96993b3288f70c8ed703be11966dd7df8d5a9ee7c026fd4aa26864ed08745535 |
| SHA512 | 378dc7f3cd0781c91a7bf7d9d6a5b671c6a7fa68fe136a85849dd65e0e5b344a9d155a8f54e5d2102a01dcf9a84dc56db90b7ed6341ba86e6a763b4bf2b28235 |
C:\Program Files (x86)\Dia\share\locale\nb\LC_MESSAGES\gtk20.mo
| MD5 | 3ba1afac076d1d58bb8ff84073f12402 |
| SHA1 | 80d3f69b223d0f5176536ff176017dc7f37e4e85 |
| SHA256 | 449c92afed408e52591423b383be83829ab99442b2f59d29720852164656035c |
| SHA512 | fbf6e1f9460c6413fe0df67df2abb750aa29f60509c2be2023008be914185062fc9cfa481c4e6c5e4aec0e2b05b828a43f828ab8b6852bce6153cab64482b3f0 |
C:\Program Files (x86)\Dia\share\locale\or\LC_MESSAGES\gtk20-properties.mo
| MD5 | 308d7044ce7d73f8a1535991811ad560 |
| SHA1 | 36fc07a4c2e3ca75990973ae82f26efd5c4fa9b6 |
| SHA256 | 42908285d6687d151d7a81dafb18596edf3e6d14eb2cdb21c4bda83a1a234270 |
| SHA512 | bd779a6edd580a4b53aa739d4c8382388455e0d07d11eb813a0c9c05c4c417fe0c24201d61f734b1df19b25cb6b4469d5a89be29590ab1b446b362c3b47bc978 |
C:\Program Files (x86)\Dia\share\locale\sr@ije\LC_MESSAGES\gtk20-properties.mo
| MD5 | ee2b2af69c61dd1729f1dccd771e65d1 |
| SHA1 | 86b236b60ac7781d55a1bc4f1af43505e6b23d0f |
| SHA256 | a9a2c2e7ff0371f8873eb6ddf5c4b7e3dadca980855373a134978988faa00561 |
| SHA512 | 55ba28dccf7ecd8be5f7144d5d3ef5120455346bd39b7056af007c2bf44da6a88ef5100d4af4893a0774ae815fae4a50e8ef63482946e3f94334faceb5c69fd4 |
C:\Users\Admin\AppData\Local\Temp\nse907.tmp\ioSpecial.ini
| MD5 | 5ca299bf0be6788d8ad6f8e495e50a5f |
| SHA1 | 5d947219b55ed2208f588d93f05c6a28a0a614fb |
| SHA256 | 0c5d476fa6426c9cab47ba7235c198977f51a6d18cc257525df2c9db302b034f |
| SHA512 | df80f3c9c1eda21420390f9549db06b5a9b44978d650aed4c988f2474d8c0089ea37162da3e9ae53128e81bd65d4a2454938a47d2cb8d873d3beebb1eec4c20e |
C:\Program Files (x86)\Dia\bin\diaw.exe
| MD5 | db14ee352a7193fbec1dc09250eb67cf |
| SHA1 | b5201a6633dac057b8b454dc2b9f8ed02a01042e |
| SHA256 | 4c38562afe57192c1a715b7749a4f3eb1581c6fe52e9122b79e8ccece1e5607e |
| SHA512 | 4fe169ee431184af39dd48d9aaa4ac2778e15f177dac898846f12da3233d16e2dc23330319bde65a39c6816a6efd929b984a87a533161966988d270ae9824a2f |
memory/2060-3071-0x00000000002C0000-0x00000000002F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nse907.tmp\ioSpecial.ini
| MD5 | 37ebada1d2171cc424dd9a87161f90c1 |
| SHA1 | 3209cf67fe92993f376eba88d7635f8e6e03d4a8 |
| SHA256 | 150cc5527725a602109521b6db66b701b5793bf953788cb955dbd87c32b29f53 |
| SHA512 | 39f762b3d4b01099422f129889c8e42337a454daaeb55cec0864da33c153c65338dff184a84b0e23b2c4ab1aebb5156fc9dca3c7de25be52c75647a89165402a |
memory/2060-3088-0x0000000000670000-0x00000000006F1000-memory.dmp
memory/2060-3089-0x0000000000410000-0x0000000000433000-memory.dmp
memory/2060-3087-0x0000000000590000-0x0000000000669000-memory.dmp
memory/2060-3086-0x0000000000300000-0x00000000003F5000-memory.dmp
memory/2060-3091-0x0000000000670000-0x00000000006F1000-memory.dmp
memory/2060-3093-0x00000000025F0000-0x00000000025FD000-memory.dmp
memory/2060-3092-0x0000000002570000-0x000000000257D000-memory.dmp
memory/2060-3111-0x0000000003BA0000-0x0000000003BCC000-memory.dmp
memory/2060-3110-0x0000000003B80000-0x0000000003B8D000-memory.dmp
memory/2060-3108-0x0000000003B30000-0x0000000003B5D000-memory.dmp
memory/2060-3107-0x0000000003AF0000-0x0000000003B26000-memory.dmp
memory/2060-3106-0x0000000003A80000-0x0000000003ADE000-memory.dmp
memory/2060-3104-0x0000000003A40000-0x0000000003A50000-memory.dmp
memory/2060-3103-0x0000000003A10000-0x0000000003A1B000-memory.dmp
memory/2060-3102-0x00000000039D0000-0x00000000039EE000-memory.dmp
memory/2060-3101-0x00000000039C0000-0x00000000039CA000-memory.dmp
memory/2060-3100-0x00000000039B0000-0x00000000039BC000-memory.dmp
memory/2060-3099-0x0000000003990000-0x000000000399B000-memory.dmp
memory/2060-3098-0x0000000003970000-0x000000000397D000-memory.dmp
memory/2060-3097-0x0000000003950000-0x000000000395C000-memory.dmp
memory/2060-3096-0x0000000002630000-0x000000000263B000-memory.dmp
memory/2060-3095-0x0000000002620000-0x000000000262A000-memory.dmp
memory/2060-3094-0x0000000002610000-0x0000000002620000-memory.dmp
memory/2060-3112-0x0000000061780000-0x0000000061B3B000-memory.dmp
memory/2060-3119-0x0000000062E80000-0x0000000062E9F000-memory.dmp
memory/2060-3134-0x00000000039D0000-0x00000000039EE000-memory.dmp
memory/2060-3133-0x0000000062D40000-0x0000000062D54000-memory.dmp
memory/2060-3132-0x0000000000410000-0x0000000000433000-memory.dmp
memory/2060-3131-0x0000000062940000-0x0000000062960000-memory.dmp
memory/2060-3130-0x000000006B280000-0x000000006B296000-memory.dmp
memory/2060-3129-0x000000006D700000-0x000000006D7B6000-memory.dmp
memory/2060-3128-0x000000006D4C0000-0x000000006D4D4000-memory.dmp
memory/2060-3127-0x0000000065580000-0x00000000655C2000-memory.dmp
memory/2060-3126-0x0000000065C40000-0x0000000065C4E000-memory.dmp
memory/2060-3125-0x0000000063A40000-0x0000000063A85000-memory.dmp
memory/2060-3124-0x000000006DD00000-0x000000006DD0D000-memory.dmp
memory/2060-3123-0x00000000685C0000-0x00000000686C6000-memory.dmp
memory/2060-3122-0x000000006D580000-0x000000006D651000-memory.dmp
memory/2060-3121-0x000000006A300000-0x000000006A323000-memory.dmp
memory/2060-3120-0x0000000065340000-0x0000000065377000-memory.dmp
memory/2060-3118-0x00000000002C0000-0x00000000002F4000-memory.dmp
memory/2060-3117-0x000000006A800000-0x000000006A879000-memory.dmp
memory/2060-3116-0x0000000068F40000-0x0000000068F63000-memory.dmp
memory/2060-3115-0x0000000064F80000-0x0000000064FC2000-memory.dmp
memory/2060-3114-0x0000000068DC0000-0x0000000068ED1000-memory.dmp
memory/2060-3113-0x000000006C340000-0x000000006C3F3000-memory.dmp
memory/2060-3137-0x0000000068DC0000-0x0000000068ED1000-memory.dmp
memory/2060-3136-0x000000006C340000-0x000000006C3F3000-memory.dmp
memory/2060-3296-0x0000000000670000-0x00000000006F1000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20241010-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\hh.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\hh.exe | N/A |
| N/A | N/A | C:\Windows\hh.exe | N/A |
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\pl\dia-manual.chm
Network
Files
memory/2136-20-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20240903-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Processes
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\pl\dia-manual.pdf"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | aa09e122ec07d6008196e362bd24ed6a |
| SHA1 | b9fb3af6b128bc6b9f53c52dbdbfab7ae280674e |
| SHA256 | f18ab5f521347ceef2771a74f8eea253102fe73d76deac97706bf37b2fdcab54 |
| SHA512 | d5be02684745c46c25550ef86e01068bdb7b1b23042ee73c69bc6c1e37a15336e0c5ae15bdb219ae1eb95d0e436b18cdc48651d76df72a5e7558f446c5590678 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20240708-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2200 wrote to memory of 3068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 3068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 3068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 3068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 3068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 3068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 3068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll,#1
Network
Files
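Every rundll32 detonation in this report (behavioral19 here, and behavioral22, 26 and 32 below) raises `Suspicious use of WriteProcessMemory` with the same shape: `C:\Windows\system32\rundll32.exe` writing into `C:\Windows\SysWOW64\rundll32.exe`, and the Processes listing shows both with an identical command line. That is the 64-bit rundll32 relaunching its 32-bit counterpart because the DLL it was handed is 32-bit (the Dia build installs under Program Files (x86)); the writes are a parent setting up its child, not injection into a foreign process. The Python below is an added triage helper, not from the report or from any sandbox vendor: it collapses the repeated rows into one finding per source/target pair, and marks a pair as a WoW64 relaunch only when the images are exactly that native/WoW64 rundll32 pair and the Processes listing shows the same command line on both sides; anything else is left marked for review. The signature rows and process lines are copied from behavioral19; the PID 4000/4001 row is constructed so the review branch is exercised.

```python
from __future__ import annotations

import re
from collections import Counter
from typing import NamedTuple

# Signature rows copied from the behavioral19 detonation above, plus one constructed
# row (PIDs 4000/4001, not from the report) so the 'review' branch is exercised.
SIGNATURE_ROWS = r'''
| PID 2200 wrote to memory of 3068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 3068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 3068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 3068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 3068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 3068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 3068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4000 wrote to memory of 4001 | N/A | C:\Users\Admin\AppData\Local\Temp\constructed.exe | C:\Windows\explorer.exe |
'''

# "Processes" listing from the same detonation: image path, then that process's command line.
PROCESS_LINES = r'''
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll,#1
'''

NATIVE_RUNDLL32 = 'c:\\windows\\system32\\rundll32.exe'
WOW64_RUNDLL32 = 'c:\\windows\\syswow64\\rundll32.exe'
ROW = re.compile(r'^\|\s*PID (\d+) wrote to memory of (\d+)\s*\|\s*N/A\s*\|\s*(.+?)\s*\|\s*(.+?)\s*\|$')


class Finding(NamedTuple):
    source_pid: int
    target_pid: int
    source: str
    target: str
    writes: int   # how many signature rows collapsed into this pair
    verdict: str  # 'wow64-relaunch' or 'review'


def parse_processes(listing: str) -> dict[str, str]:
    """Map lower-cased image path -> command line from a 'Processes' listing."""
    lines = [ln.strip() for ln in listing.strip().splitlines() if ln.strip()]
    return {lines[i].lower(): lines[i + 1] for i in range(0, len(lines) - 1, 2)}


def triage(rows: str, listing: str) -> list[Finding]:
    cmdlines = parse_processes(listing)
    pairs: Counter = Counter()
    for line in rows.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            pairs[(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))] += 1

    findings = []
    for (spid, tpid, src, tgt), n in pairs.items():
        verdict = 'review'
        if (src.lower(), tgt.lower()) == (NATIVE_RUNDLL32, WOW64_RUNDLL32):
            # The 64-bit rundll32 relaunches the 32-bit one with the same command line
            # when the DLL it was given is 32-bit; require that identical command line.
            native_cmd = cmdlines.get(NATIVE_RUNDLL32)
            wow_cmd = cmdlines.get(WOW64_RUNDLL32)
            if native_cmd is not None and native_cmd == wow_cmd:
                verdict = 'wow64-relaunch'
        findings.append(Finding(spid, tpid, src, tgt, n, verdict))
    return findings


if __name__ == '__main__':
    for f in triage(SIGNATURE_ROWS, PROCESS_LINES):
        print(f'{f.source_pid} -> {f.target_pid} ({f.writes} writes): {f.verdict}')
```

The command-line comparison is the part that keeps this from being a blanket allow-list: a native rundll32 spawning the WoW64 one with a different command line is not the relaunch pattern and stays marked for review.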
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4348 wrote to memory of 4540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4348 wrote to memory of 4540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4348 wrote to memory of 4540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-gif.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-gif.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
153s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2160 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2160 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2160 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ico.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ico.dll,#1
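Each of these single-DLL detonations shows the 64-bit C:\Windows\system32\rundll32.exe starting C:\Windows\SysWOW64\rundll32.exe with the identical command line and writing to its memory three times. That is what rundll32 does when the DLL it is told to load is 32-bit: it hands the job to the WOW64 copy, and the parent-to-child WriteProcessMemory events are consistent with ordinary process creation rather than injection into a foreign process. The Python below is an added example, not code from the report or from the sandbox: it reads the COFF Machine field of a DLL and says which rundll32 will end up hosting it. The stub header it is tested against is constructed, and the system32/SysWOW64 mapping assumes a 64-bit Windows install at C:\Windows.

```python
import struct
from typing import Optional

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64


def pe_machine(data: bytes) -> Optional[int]:
    """Return the COFF Machine field of a PE image, or None if the bytes are not a PE file.
    Only the DOS header pointer (e_lfanew at offset 0x3C) and the PE signature are trusted."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def expected_rundll32_host(machine: Optional[int], system_root: str = r"C:\Windows") -> Optional[str]:
    """On 64-bit Windows the native rundll32.exe cannot load a 32-bit DLL, so it starts the
    SysWOW64 copy with the same command line; that hand-off is the system32 -> SysWOW64
    rundll32 pair seen in this report. Assumes a 64-bit install under system_root."""
    if machine == IMAGE_FILE_MACHINE_I386:
        return system_root + r"\SysWOW64\rundll32.exe"
    if machine in (IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_MACHINE_ARM64):
        return system_root + r"\system32\rundll32.exe"
    return None


def build_stub_pe(machine: int) -> bytes:
    """CONSTRUCTED minimal MZ + PE header for offline testing; not one of the dropped DLLs."""
    buf = bytearray(0x40 + 24)               # DOS header, then PE signature + 20-byte COFF header
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, machine)
    return bytes(buf)


def inspect_file(path: str) -> dict:
    """Read a DLL from disk and report which rundll32 would end up hosting it."""
    with open(path, "rb") as fh:
        data = fh.read()
    machine = pe_machine(data)
    return {"path": path, "machine": machine, "host": expected_rundll32_host(machine)}


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(inspect_file(p))
```

Run it against the extracted loader DLLs (for example `python pe_host.py libpixbufloader-ico.dll`); a Machine value of 0x014C explains the SysWOW64 hop in the process tree without any further signature.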
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1524 wrote to memory of 1928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1524 wrote to memory of 1928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1524 wrote to memory of 1928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-png.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-png.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\100baset_hub.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\share\locale\en_GB\LC_MESSAGES\gtk20-properties.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Assorted\arrow-right-notched.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File opened for modification | C:\Program Files (x86)\Dia\sheets\GRAFCET\etapesp.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\lib\locale\ja\LC_MESSAGES\atk10.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Contact\l_outr.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\adm.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\stb.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File opened for modification | C:\Program Files (x86)\Dia\shapes\Civil\civil_gas_bottle.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\ChemEng\aircooler.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\flowchart\transmittape.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\web_cluster.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\macintosh.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\satellite.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File opened for modification | C:\Program Files (x86)\Dia\shapes\jigsaw\part_oiio.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\SDL\inout.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\bin\libgio-2.0-0.dll | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\front_end_processor.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Civil\civil_gas_bottle.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\network\telephone.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Pneumatic\compush.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\mac_woman.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\small_business.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\samples\self\umlclass.dia | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\dia\grafcet.dll | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\firewall_horizontal.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\ip.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File opened for modification | C:\Program Files (x86)\Dia\shapes\network\patch-panel.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\locale\ca\LC_MESSAGES\dia.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\share\locale\zh_TW\LC_MESSAGES\gtk20.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Assorted\cross-maltese.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\ChemEng\measure.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\bbs.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\channelized_pipe.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\wi-fi_tag.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Lights\Stroboscope.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\MSE\node_center.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\lib\locale\wa\LC_MESSAGES\atk10.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\BPMN\Activity-Looping.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\ChemEng\traycol.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\workgroup_switch.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File opened for modification | C:\Program Files (x86)\Dia\shapes\Civil\civil_final-settling_basin.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cybernetics\sum.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\flowchart\extract.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Lights\PAR_floor.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File opened for modification | C:\Program Files (x86)\Dia\shapes\network\sceadplug.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\BPMN\End-Event-Multiple.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\locale\am\LC_MESSAGES\dia.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\share\locale\ko\LC_MESSAGES\gtk20.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\share\locale\sr@latin\LC_MESSAGES\gtk20-properties.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File opened for modification | C:\Program Files (x86)\Dia\sheets\GRAFCET\etapeme.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\hootphone.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Contact\l_out.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\dia\pixbuf.dll | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File opened for modification | C:\Program Files (x86)\Dia\shapes\jigsaw\part_oioi.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Map\Isometric\Block2.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cybernetics\b-sens.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cisco\softphone.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Civil\civil_container.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Contact\l_out.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\Cybernetics\r-integrator.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\jigsaw\part_oiio.png | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\shapes\network\zip-disk.shape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| File created | C:\Program Files (x86)\Dia\lib\locale\bn_IN\LC_MESSAGES\atk10.mo | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.dia | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.dia\ = "diaFile" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t fig \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\DefaultIcon\ = "C:\\Program Files (x86)\\Dia\\etc\\dia-diagram.ico,0" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t mp \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t wmf \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t eps \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng\ = "Create PNG image" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t png \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\dia-win-remote.exe\" diaw.exe --integrated \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg\ = "Create SVG image" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t wpg \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\EditFlags = 00000100 | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t cgm \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t svg \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\ = "diaFile" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm\ = "Create CGM image" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf\ = "Create Windows Meta File" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.dia\Content Type = "application/dia" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps\ = "Create EPS file" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t tex \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex\ = "Create TeX PSTricks macros" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg\ = "Create WPG image" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig\ = "Create XFig drawing" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t dxf \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl\ = "Create HPGL file" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf\ = "Create DXF drawing" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t shape \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps\command | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t hpgl \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp\ = "Create TeX Metapost macros" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape\ = "Create dia shape" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
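The registry rows above register the `.dia` extension with the `diaFile` ProgID and give it an `open` verb plus a set of `create*` export verbs, all of which point into `C:\Program Files (x86)\Dia\bin`. The practitioner's question for any file-association change is which executable each verb hands `%1` to, and whether that executable lives somewhere the user can overwrite or is a script host. The following is an added example, not part of the report and not the sandbox's own tooling: it parses the `Set value` rows in the report's layout (the values are printed as escaped string literals, which `json.loads` decodes), maps extension to ProgID and verb to executable, and flags user-writable or LOLBin targets. The rows are copied from this report except one constructed `open` verb pointing into AppData, included only to exercise the flag; the LOLBin list and the user-writable heuristic are my own.

```python
import json
import re

# Rows copied from the "Modifies registry class" table of this report.
REGISTRY_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.dia\ = "diaFile" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t fig \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\dia-win-remote.exe\" diaw.exe --integrated \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
"""
# CONSTRUCTED row, not from the report: the same open verb pointed at a user-writable path.
CONSTRUCTED_ROW = r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\updater.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |'

VERB_RE = re.compile(r"\\Classes\\([^\\]+)\\Shell\\([^\\]+)\\command$", re.I)
EXT_RE = re.compile(r"\\Classes\\(\.[^\\]+)$", re.I)
# Script hosts and proxies a benign file association has no reason to route through (my list).
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe"}


def first_executable(cmd: str) -> str:
    """Executable part of a shell command template: the quoted path, or else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_user_writable(path: str) -> bool:
    """Heuristic: anything under a user profile, AppData or a Temp directory."""
    low = path.lower()
    return low.startswith("c:\\users\\") or "\\appdata\\" in low or "\\temp\\" in low


def parse_class_changes(text: str) -> dict:
    progids, verbs = {}, []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].startswith("Set value"):
            continue
        key, sep, raw_value = cells[1].partition(" = ")
        if not sep:
            continue
        key = key.rstrip("\\")
        try:
            value = json.loads(raw_value)      # the sandbox prints values as escaped string literals
        except ValueError:
            continue                           # non-string data such as EditFlags
        ext = EXT_RE.search(key)
        if ext:
            progids[ext.group(1)] = value      # extension -> ProgID, e.g. .dia -> diaFile
            continue
        verb = VERB_RE.search(key)
        if verb:
            exe = first_executable(value)
            verbs.append({
                "progid": verb.group(1), "verb": verb.group(2), "command": value, "exe": exe,
                "suspicious": is_user_writable(exe) or exe.rsplit("\\", 1)[-1].lower() in LOLBINS,
            })
    return {"progids": progids, "verbs": verbs}
```

On the report's own rows nothing is flagged: every verb resolves to a binary under Program Files, and `open` goes through `dia-win-remote.exe`, which then launches `diaw.exe`. The same parser applied to a report where a verb lands in AppData or on `mshta.exe` returns `suspicious: True` for that verb.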
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2704 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2704 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2704 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5096 wrote to memory of 1124 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe |
| PID 5096 wrote to memory of 1124 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe |
| PID 5096 wrote to memory of 1124 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe
"C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.bat"
C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe
.\gdk-pixbuf-query-loaders.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
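Every Domain in the Network tables of this report is an `in-addr.arpa` name, i.e. a reverse (PTR) lookup sent to the sandbox resolver 8.8.8.8; there is no forward lookup of a hostname and no connection to the decoded addresses is recorded. A PTR query asks for the name of an address the host already holds and does not itself contact that address, so these rows do not name a server the sample reached out to. The Python below is an added example, not part of the report and not the sandbox's tooling: it parses rows in the report's layout, turns each PTR name back into the IPv4 address it describes (the octets are listed in reverse) and separates reverse from forward queries so the two cannot be confused. The embedded rows are copied from the tables above; the `example.invalid` row is constructed to show the forward-lookup branch. Which organisations own the decoded addresses is not something the report states, so that is left to the analyst.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Rows copied from the Network tables of this report (one address appears in two tables).
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
"""
# CONSTRUCTED row, not from the report: what a forward lookup of a hostname would look like.
CONSTRUCTED_FORWARD_ROW = "| US | 8.8.8.8:53 | example.invalid | udp |"

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def ptr_to_ip(name: str) -> Optional[str]:
    """228.249.119.40.in-addr.arpa -> 40.119.249.228; None if the name is not a valid PTR name."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    octets = [int(o) for o in m.groups()][::-1]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def parse_rows(text: str) -> List[Dict[str, str]]:
    """Read '| Country | Destination | Domain | Proto |' rows, skipping the header."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        rows.append({"country": cells[0], "resolver": cells[1], "name": cells[2], "proto": cells[3]})
    return rows


def triage_dns(rows: List[Dict[str, str]]) -> dict:
    """Separate reverse lookups (addresses the host was already holding) from forward
    lookups (hostnames the host wanted to reach), and count queries per resolver."""
    result = {"ptr_ips": Counter(), "forward_names": [], "resolvers": Counter()}
    for row in rows:
        result["resolvers"][row["resolver"]] += 1
        ip = ptr_to_ip(row["name"])
        if ip:
            result["ptr_ips"][ip] += 1
        else:
            result["forward_names"].append(row["name"])
    return result


if __name__ == "__main__":
    summary = triage_dns(parse_rows(NETWORK_ROWS))
    for ip, n in summary["ptr_ips"].most_common():
        print(f"PTR {ip} x{n}")
    print("forward lookups:", summary["forward_names"] or "none")
```

An empty `forward_names` list is the useful result here: nothing in these tables names a host the sample tried to reach, and the decoded addresses can be checked against the resolver and telemetry ranges the sandbox image is known to contact.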
Files
C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\LangDLL.dll
| MD5 | 9384f4007c492d4fa040924f31c00166 |
| SHA1 | aba37faef30d7c445584c688a0b5638f5db31c7b |
| SHA256 | 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5 |
| SHA512 | 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf |
C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\ioSpecial.ini
| MD5 | 2fcb5aed6058c147d1ffa6530e0f6426 |
| SHA1 | d6e7093e4150cca1587e95637f16e4de12326cda |
| SHA256 | ef03bef0fb1a6dd278705a2dcf5bee2302c796082438bd586cf4b304530a56f6 |
| SHA512 | 9f6bc17a63e8d9f81313bb2fc28e9b9865a554c94b69f2314fd51f408386f0e1a7ca382a38f82c633f64334f0e70c820a170f63085f6703ad92bdda25a6f72cd |
C:\Program Files (x86)\Dia\shapes\Electric\contact_f.png
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Program Files (x86)\Dia\shapes\Electric\lamp.png
| MD5 | a236ce7bcce07956cb91b9fd735db8e3 |
| SHA1 | 559c86d1ae243c0a6778bf68a23b786ad693713b |
| SHA256 | c1349cda9b4c30345ea0b1afa2b45f9be0467b0a9e253c6d1cc57613d1a32bbe |
| SHA512 | 7e3c48d81f6f99b8d7e12e7e63ea21fe1751a0ff2db34da159fe93244724983df0c3adc79136a67efe779f9975b9c163ba59ebf4366b6999956f81689a177b2e |
C:\Program Files (x86)\Dia\shapes\Pneumatic\cnx.png
| MD5 | a46b4391b54836f4eb77d13a3dc1b6fd |
| SHA1 | 7287b898fcf189eccb3657eb80e66f3cc496b501 |
| SHA256 | e25947afe63d6c7297934995d5d19315e7dea452804e4dd20f1c0f803693851d |
| SHA512 | ae54933dc85794ad25fc4934586a6e563fb3b1175955c0c0fdf01b870ce01b122599651f299fd01074dba628f09dd82b1c1b70964c576a9f6a10179abe399cdb |
C:\Program Files (x86)\Dia\bin\libtiff3.dll
| MD5 | cfd09d054747280ed660ef7d79d0d443 |
| SHA1 | a27dd167551e19ac15adb035608a3ed6a94c15de |
| SHA256 | 373a9d90cc37a365e0e22c3efe35f14924f33ff6d778ddccb1603093468abf25 |
| SHA512 | b477f033784ceb084a2a383af784937a28b823e550d53e6bc90516f33e3521aeb54416796f6188c72e7a407ebd61673bd09956c50bd5eda8056065099d6417aa |
C:\Program Files (x86)\Dia\bin\libxml2.dll
| MD5 | 7ee993251d55a2eab74340d27ff82260 |
| SHA1 | 15975f2aaf1dab31a7b22af068b531d806bf337e |
| SHA256 | 20e6d1109016042147a058f5ec45f0bcd58c290a89380e4d9ec467e98f0d99ca |
| SHA512 | b9c1bf31272dda582ec05d4bd7dd4575962d4c7ac13867785104866cd42b481320368fd9a7a36ae2ebea38edc726e48ceeaa3d33bd70020fbff9afa64d561f05 |
C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\nsExec.dll
| MD5 | acc2b699edfea5bf5aae45aba3a41e96 |
| SHA1 | d2accf4d494e43ceb2cff69abe4dd17147d29cc2 |
| SHA256 | 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e |
| SHA512 | e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe |
C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.bat
| MD5 | 79f54de0035d4e7431f3ca60a907f0a1 |
| SHA1 | bc273d1ea3227a445b86458cc335a72e3221ac85 |
| SHA256 | 9f040e3e3241fc600cbe21bd72eaec40a455a99f02d8829a801683037907e3cc |
| SHA512 | 5c03fcd4c6a65dbdfd707776450946051e2fe3b3df99b4d033515751b2e2062253bb4c208d07c1bfaf70c733c874dcc5c1e1517acb0a0a42f370c1d0608e193d |
C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe
| MD5 | 5792bf1e8e2ebc1f00bbd6cbd19dad06 |
| SHA1 | f679aa2befee24305fc1fae7b42bfce7b81c6ad8 |
| SHA256 | 58d880f065930a7a90ffb3a2cd964ab3b02c9a858fe5da880e152a2e1e9bc956 |
| SHA512 | bed5097a2adae3d3772203825ff62dfe2dd57dfc854837647fd61b83153420ebe44d45b7fdb9a24820ebeae5ba0c499012f0ae064ee5b54ed73e5a7d41431c3a |
C:\Program Files (x86)\Dia\bin\libglib-2.0-0.dll
| MD5 | 18e88b04da123bf05b07ff60a4e96654 |
| SHA1 | f46cd8411e579da9f31749809a5707fecb28b7db |
| SHA256 | c0f35b0e5f9b25f36bf9ef885a8135e7dcdb77d425f8ac88124d90cf2bf32fde |
| SHA512 | 735158b60194205c6262dae0689599babdc2bd0e10d0d6a71c1e1c56695caf432b207e439b5f84a3995c2d8aef3ab26706cf796848c0af0ddd340d388a76f1d4 |
C:\Program Files (x86)\Dia\bin\libgmodule-2.0-0.dll
| MD5 | b0b2396fc6413016a45a5e8ca2ea8152 |
| SHA1 | d9d2311d1619c1f51b406fee1a17529d3de21124 |
| SHA256 | 1e2332ed84bb447fe814e9201effe88e682fd9b2da89e2b1a27aef1c786b6589 |
| SHA512 | 496c8d905a481c3bcacee2a54e0a27cb8605a62d36668dbb61dbb4e23fecb83efe92c4cbb16df0b7276f8938cb66879dddff03c4fca50ca5dd504814982041c8 |
C:\Program Files (x86)\Dia\bin\intl.dll
| MD5 | eb2d4c4d4a527bc88a69a16cc99afcf5 |
| SHA1 | b326ec4919e1ec9595c064b24853b1e6b71530a3 |
| SHA256 | 682d4277092472cac940558f9e679b44a6394159e49c9bbda299e33bfc6fdc92 |
| SHA512 | 009f31cd68a87a40aef4be07af805ab50fac03f4c621144b170d9d3313b1b6a73415f6dd878b048f85afc1b662659a88e4cc89e9a8c76f631f6f1b79d57fd0b0 |
memory/1124-2501-0x000000006A300000-0x000000006A323000-memory.dmp
memory/1124-2500-0x00000000685C0000-0x00000000686C6000-memory.dmp
memory/1124-2499-0x000000006DD00000-0x000000006DD0D000-memory.dmp
memory/1124-2498-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1124-2496-0x00000000028C0000-0x00000000029D1000-memory.dmp
memory/1124-2495-0x00000000027E0000-0x00000000028B9000-memory.dmp
memory/1124-2494-0x00000000027E0000-0x0000000002804000-memory.dmp
C:\Program Files (x86)\Dia\bin\libgdk_pixbuf-2.0-0.dll
| MD5 | e4c64b0e7e4c6606f3973a16c0c1ee84 |
| SHA1 | 0e369ad075b58c09e7c17796797993d67d5a12de |
| SHA256 | c8ff2373d4c261fcd6525a826dbc736d347ae10168490a7a7fc837e76329afc1 |
| SHA512 | 4fecda9d9f7f3b6316026d8cd507fae32556c40bed27d1fa8c3e7ba4a247ed9a41ad8dd2ee817a1e76afa3788f2484db8227f53148db2f54f7ba53284bb35377 |
C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ico.dll
| MD5 | b53255ccd3a0174b6f14fbdfe1b3b3c4 |
| SHA1 | 5bf6460a14c61e89eb37361ba93f227074f5e4e0 |
| SHA256 | 18e97911fbc619d31a95e58a2511a4b14d75c58cf0a22757e0f44f18f1b9248e |
| SHA512 | 29deb6d6ff70042b0a2a1d7552b037390c194a38d115d9bf4b1f8f7979ba393ab88c62fd47214d68646a749028173943082671a81b92ecafe1285c479d62982a |
C:\Program Files (x86)\Dia\bin\zlib1.dll
| MD5 | d90dad5eea33a178bac56fff2847d4c2 |
| SHA1 | cbbce727fd8447487c7fc68051b24df17d043649 |
| SHA256 | 104162a59e7784e1fe2ec0b7db8836e1eb905abfd1602a05d86debe930b40cbf |
| SHA512 | 8dbe57e32554d049a0779c40645dfbad2eaa1eeaf746898cd44f8686265f1fd4f84d6f857ba40644294d817d5c5eab6ba6271df55c56047fd16c10b8478184eb |
C:\Program Files (x86)\Dia\bin\libgthread-2.0-0.dll
| MD5 | 7ad6f303082b382bff7bafbab246c61f |
| SHA1 | 8d94c4d4b0633a80e28504a3c694dd2bae252854 |
| SHA256 | ee2e8485fdbfb2c5626099ccafcdc41ac60414dffd5c6c3befaf786634baf5c3 |
| SHA512 | eee840f217ff65b22efd16e78fb898990116efdfb6ee1cbf9d9fb64b9f3209f18860f6477c1df60352fb242671d973dcac043134748f823d210fc393ed4e2598 |
C:\Program Files (x86)\Dia\bin\libpng14-14.dll
| MD5 | ec778df2faa455daf5d2c5e20f5198e2 |
| SHA1 | 44adb4d80e7728dc35617ed3801b528b720698c4 |
| SHA256 | 8005a9aacc2b47a064d5e1d18d7ca5d1b28cc19b49dec0a888ede1cc970d4395 |
| SHA512 | cb0c484ba1237fd49ecdaabd865d2034bed200b37913cbe891ad3b6a27ae4ad6dbdb8d3db7ad46fbd68e5ca0d4cb4af9d7f528309ad356477abcc230b357b502 |
C:\Program Files (x86)\Dia\bin\libgio-2.0-0.dll
| MD5 | ea1263fb4c2230284f3e30c446bfea6b |
| SHA1 | 8118780cf010f3bc1eb2323cb6c2bef4a548ef65 |
| SHA256 | 433d3c2f00fda700fc6353e1af600937a42407b6f2467aa41bd825e96a79c464 |
| SHA512 | 48784c89389440c1cacea3d7b70e5a0663474fadf634209cc1c3a8065a2b8aa2884d0ca224e784b693501db436a171b4e0660a051371fe66d1e5cb00a8e296ef |
C:\Program Files (x86)\Dia\bin\libgobject-2.0-0.dll
| MD5 | 356d697647a480562c4e2e921b13f8ed |
| SHA1 | 1218243c9b4e8e6fabcc5f2eac1adb78002b01c2 |
| SHA256 | 75b4e8a0757f7db26ef195f3c5e2da5770d95c3af081c2cdae0ec15b460aa9ea |
| SHA512 | 4ef4ad1648f508cb3ad5ab446196d351219a28083df096353a343b81a6d699691bb8a77158a6085d00d4c9eae408a0193dac7e3b806156d62bb6ee552dc8095a |
C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-icns.dll
| MD5 | 0fa7b2f79527f58b40c6e6a773d8ad97 |
| SHA1 | 8c4d24b466e86736bc325b5d096f6588060b85a3 |
| SHA256 | 220e32d68f36fc09e73c8e0302541967ecd15976c62f472481a1fc24892f96d1 |
| SHA512 | d49f4870c59bb419c7033f50314a8b46f9e08d6fb6b72a63910fd8e5695b6233ea2a132940907d66bc5a98ebc14248d08be35d167139fedf72e902013a9dce07 |
C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-gif.dll
| MD5 | a762b54e2fedd949efc9f0e73326ed97 |
| SHA1 | 379d03aab3558b49c53de54eff46b41c4334cba5 |
| SHA256 | 28d2dc3fe8a66f1937ce722766c8f5416d8b282bb3f53affeaa2b05fbdfd6c27 |
| SHA512 | 78d865d762ed560670acaac9f7cbb760865335b3cad7fcbb9db23784cd3fc57051ec27c658f266d90257b166529bfea1deb7d8507c38a8c3cbfbf2792a9964df |
memory/1124-2474-0x00000000027E0000-0x0000000002814000-memory.dmp
C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll
| MD5 | a6b653293267cc2a2c7137f6b1e82d85 |
| SHA1 | a86d19b1385fdd822dda8081fcfb511cc96b7871 |
| SHA256 | 2240e5ca17355e2ccb3915f6ed905af4346e9a0cb5174f840faec1b5aa5ffa87 |
| SHA512 | 85039b9f79eab0343067620dfe1a7581476e55a8a78ba9db656bbfc4f28d9bb69832180fcee44ff4918059dcf21db460386c2d2f131a29ecb1157a265e641f55 |
C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ani.dll
| MD5 | ad674e2d99f06c4f81491b287d454400 |
| SHA1 | 538b92c8850deb9c1a348f713671221daef58b47 |
| SHA256 | a0b7226efb9dfce34a7c90f0e91c8b31555c9bbd58c19ac8c761598233fd462e |
| SHA512 | ddd902d5f5a57e6cde20f18645f4f8a81ca81ea7a3f76b51a98303b2415bdddbe37a5cb6cf21becff71d2f359a5de0804336b130be45b7b32ede0b7057737e88 |
C:\Program Files (x86)\Dia\locale\ja\LC_MESSAGES\dia.mo
| MD5 | 2fb460a8a948fc6478ebf4e9e2c24163 |
| SHA1 | cbe7bbd206039820bc459b0d211264f328a37207 |
| SHA256 | 1116fa099fd52a30099b01cce44cd24747eb565722815b003cb2cb3910b943c0 |
| SHA512 | 5c132bc07ffe0c6954f29ca5c9447a96b35a20addb8ed7f1aa4cbcaf077ed9105a58758b49a21cf339175669f526767afd38ba7db6bf7f17d7f189a003cf0b43 |
C:\Program Files (x86)\Dia\share\locale\da\LC_MESSAGES\glib20.mo
| MD5 | 27563cfa1d0d54d358bd621b4b2d71dd |
| SHA1 | f8a704a0bed7407634d8d9347b5e7edfbf081460 |
| SHA256 | c67bff3405528f2daaf7ec10dfc4d95766326b44c39ca0b22d6d6666e9e1b103 |
| SHA512 | cb2097cf0b4935c406789c349d52bc17c885042d43ee3f084e70933ea531c2f885d817284569cd64f920c6f44e62fad2f040692022968e4585d57ed7f6410960 |
C:\Program Files (x86)\Dia\share\locale\el\LC_MESSAGES\gtk20-properties.mo
| MD5 | 8cd537c1d83b8ab58d6f421b56833e6d |
| SHA1 | f22df4559e1c6d5793db6cb7bcd4ac9459b3de63 |
| SHA256 | fef8013bc9494a22c7d06dfd9975308f1ea2e62054eaa14cd0e568c42bc2b309 |
| SHA512 | 3a8ad64739952a21f86a88ced51fe8ff598e2e9a7bada3f7ccc223a6a7580a82b588e76456ea2d36af73f264d6c87ef715e6aca085415f14ec60488bbb49b4dc |
C:\Program Files (x86)\Dia\share\locale\eu\LC_MESSAGES\gtk20-properties.mo
| MD5 | ce88da280f2cbb87b977839ece9f0a38 |
| SHA1 | 5788bf9043d9308992da1b296ba2ab43b435766b |
| SHA256 | b66a2dfc04193aa54e79bd6f981ba895f35d851e66eacca8fffede391712f1bd |
| SHA512 | 656449807e5093ef79834013d2e292e3ade64869b72a09949bedc73765c6951e2f32a33d06349cf9124f252d4a852ac16ca51ed4f4d382acd272ef99e134200a |
C:\Program Files (x86)\Dia\share\locale\gl\LC_MESSAGES\gtk20.mo
| MD5 | b76be150f5aa94ac070dbf03460dfa79 |
| SHA1 | 56aa41644c1a11a55163e5d00c461ac304823f65 |
| SHA256 | 68505c7dc0a89584b12a9e15b17e0bd370b30868f5184d18e10f4d0713c51481 |
| SHA512 | 67f2343e3687793a404ff875c07a4e469940bcf01881a6e566dbd2e0f9c0f3945a5112af90dcdb1422a24b396570ce67c37cee8ee58f2796366f6878a40bcfb7 |
C:\Program Files (x86)\Dia\share\locale\lt\LC_MESSAGES\gtk20.mo
| MD5 | 037b1adba1507f1374252c07430e4443 |
| SHA1 | 922090038a62bdcf1a3db6a2f24e133cac4e4e54 |
| SHA256 | 96993b3288f70c8ed703be11966dd7df8d5a9ee7c026fd4aa26864ed08745535 |
| SHA512 | 378dc7f3cd0781c91a7bf7d9d6a5b671c6a7fa68fe136a85849dd65e0e5b344a9d155a8f54e5d2102a01dcf9a84dc56db90b7ed6341ba86e6a763b4bf2b28235 |
C:\Program Files (x86)\Dia\share\locale\nb\LC_MESSAGES\gtk20.mo
| MD5 | 3ba1afac076d1d58bb8ff84073f12402 |
| SHA1 | 80d3f69b223d0f5176536ff176017dc7f37e4e85 |
| SHA256 | 449c92afed408e52591423b383be83829ab99442b2f59d29720852164656035c |
| SHA512 | fbf6e1f9460c6413fe0df67df2abb750aa29f60509c2be2023008be914185062fc9cfa481c4e6c5e4aec0e2b05b828a43f828ab8b6852bce6153cab64482b3f0 |
C:\Program Files (x86)\Dia\share\locale\or\LC_MESSAGES\gtk20-properties.mo
| MD5 | 308d7044ce7d73f8a1535991811ad560 |
| SHA1 | 36fc07a4c2e3ca75990973ae82f26efd5c4fa9b6 |
| SHA256 | 42908285d6687d151d7a81dafb18596edf3e6d14eb2cdb21c4bda83a1a234270 |
| SHA512 | bd779a6edd580a4b53aa739d4c8382388455e0d07d11eb813a0c9c05c4c417fe0c24201d61f734b1df19b25cb6b4469d5a89be29590ab1b446b362c3b47bc978 |
C:\Program Files (x86)\Dia\share\locale\sr@ije\LC_MESSAGES\gtk20-properties.mo
| MD5 | ee2b2af69c61dd1729f1dccd771e65d1 |
| SHA1 | 86b236b60ac7781d55a1bc4f1af43505e6b23d0f |
| SHA256 | a9a2c2e7ff0371f8873eb6ddf5c4b7e3dadca980855373a134978988faa00561 |
| SHA512 | 55ba28dccf7ecd8be5f7144d5d3ef5120455346bd39b7056af007c2bf44da6a88ef5100d4af4893a0774ae815fae4a50e8ef63482946e3f94334faceb5c69fd4 |
C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\ioSpecial.ini
| MD5 | decafd20f184dc35922fca9acc6574e2 |
| SHA1 | 03caafbe55de91e329a5fd596147e90df5ef818c |
| SHA256 | 256f928ebed0ec9bf80e6720c7315a788b836db0ca5badfc2323eed58dac8b25 |
| SHA512 | 222e653dce54585ca4c79861c39cd721977af9873ddf4d2954d27319e139282fd81dbfae84b55af018259bdbd0496021487e6567654c4a3ec60f98284158a461 |
C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\ioSpecial.ini
| MD5 | ccc7336f3c63b09d4a1e0804b5b52cb2 |
| SHA1 | b1a74973a687146cb81f041b1941c8d11cc32fb8 |
| SHA256 | 57d5c3e22d9dd531b787963f6b2fe55dd7801c5bf358154d83d9385b1c1a2db4 |
| SHA512 | ef196c7c8fd3a5c1338a78eb1f0a79ac96bfa5aa59bfd9d7b4725cb6f0b68821b43cfe505f53ae1e16c71dd58f5c2888ac2de0624e5188277f11b7e7dd0841c7 |
C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\ioSpecial.ini
| MD5 | 82334bfdc1dd009682eeca586bb7a59c |
| SHA1 | 0503336ef1f205fef385924c77893e7a990af5a5 |
| SHA256 | 84997eb2bb479c7897cf2fed208a8f75cbb5359ad49e9667f0f0451a9897472b |
| SHA512 | 48ca5b8680c5b7d8a1ae565bf38114af74334c64a92e6dd98f068021375a4947342d3a98630ef0e108a8b41c2676b32f5a860e49c03d360d45727857700166ac |
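The dropped-file list above is more useful as a machine-readable manifest than as something to read by eye. The Python below is an added example, not code from the sandbox vendor or the Dia project; it parses a constructed excerpt copied from the entries above and surfaces two things a reviewer wants: digests whose length does not match the algorithm (a mangled row) and paths listed more than once with different hashes, which is how the three ioSpecial.ini entries show up. NSIS's Modern UI rewrites that file for each InstallOptions page, so here it is benign, but a payload staged and then overwritten in place looks identical in this table. The install-prefix default and the embedded sample text are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: a few entries copied from the report's dropped-files list. The
# two ioSpecial.ini rows share one path but carry different digests, which is the
# case the helpers below are meant to surface.
SAMPLE = r"""
C:\Program Files (x86)\Dia\bin\libglib-2.0-0.dll
| MD5 | 18e88b04da123bf05b07ff60a4e96654 |
| SHA1 | f46cd8411e579da9f31749809a5707fecb28b7db |
| SHA256 | c0f35b0e5f9b25f36bf9ef885a8135e7dcdb77d425f8ac88124d90cf2bf32fde |
| SHA512 | 735158b60194205c6262dae0689599babdc2bd0e10d0d6a71c1e1c56695caf432b207e439b5f84a3995c2d8aef3ab26706cf796848c0af0ddd340d388a76f1d4 |
memory/1124-2474-0x00000000027E0000-0x0000000002814000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\ioSpecial.ini
| MD5 | decafd20f184dc35922fca9acc6574e2 |
| SHA1 | 03caafbe55de91e329a5fd596147e90df5ef818c |
| SHA256 | 256f928ebed0ec9bf80e6720c7315a788b836db0ca5badfc2323eed58dac8b25 |
| SHA512 | 222e653dce54585ca4c79861c39cd721977af9873ddf4d2954d27319e139282fd81dbfae84b55af018259bdbd0496021487e6567654c4a3ec60f98284158a461 |
C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\ioSpecial.ini
| MD5 | ccc7336f3c63b09d4a1e0804b5b52cb2 |
| SHA1 | b1a74973a687146cb81f041b1941c8d11cc32fb8 |
| SHA256 | 57d5c3e22d9dd531b787963f6b2fe55dd7801c5bf358154d83d9385b1c1a2db4 |
| SHA512 | ef196c7c8fd3a5c1338a78eb1f0a79ac96bfa5aa59bfd9d7b4725cb6f0b68821b43cfe505f53ae1e16c71dd58f5c2888ac2de0624e5188277f11b7e7dd0841c7 |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")


def parse_files(text):
    """Turn the report's Files section into [(path, {algo: hexdigest})] in report order.

    Memory-dump lines (memory/...) carry no hash rows and are kept with an empty dict.
    A digest of the wrong length means the page was mangled, so it is rejected rather
    than emitted as a bad indicator.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m is None:
            entries.append((line, {}))
            continue
        if not entries:
            raise ValueError("hash row before any path: " + line)
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{algo} digest on {entries[-1][0]} has {len(digest)} hex chars")
        entries[-1][1][algo] = digest
    return entries


def rewritten_paths(entries):
    """Paths listed more than once with different SHA256s: the file was written more
    than once during the run. Returns {path: sorted list of distinct SHA256s}."""
    seen = defaultdict(set)
    for path, hashes in entries:
        if "SHA256" in hashes:
            seen[path].add(hashes["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def sha256_manifest(entries, prefix=r"C:\Program Files (x86)\Dia"):
    """{sha256: path} for files that landed under the install directory (prefix is an
    assumed default), ready to diff against hashes taken from a known-good copy of
    the same installer."""
    return {h["SHA256"]: p for p, h in entries if "SHA256" in h and p.startswith(prefix)}
```

The manifest is the part worth keeping: an unsigned installer is only as trustworthy as the match between what it drops and what the upstream release drops, and that comparison needs per-path digests, not the page.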
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20240903-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\hh.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\hh.exe | N/A |
| N/A | N/A | C:\Windows\hh.exe | N/A |
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\eu\dia-manual.chm
Network
Files
memory/2764-20-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\hh.exe | N/A |
| N/A | N/A | C:\Windows\hh.exe | N/A |
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\eu\dia-manual.chm
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
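Every Network row in this run, and in the other runs further down, is a UDP query to 8.8.8.8:53 for an in-addr.arpa name, that is, a reverse lookup of an address the guest already knew, and the report ties none of them to the detonated process. Triaging such a table is easier once the PTR names are turned back into the addresses they ask about and anything that is not a reverse lookup is set aside. The Python below is an added example, not part of the report; the rows it embeds are copied from the table above and the helper names are the author's own.

```python
import ipaddress

# Constructed sample: four rows copied from the report's Network table for this run.
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
"""


def ptr_to_ipv4(name):
    """Map a reverse-lookup name back to the address it asks about:
    '28.118.140.52.in-addr.arpa' -> IPv4Address('52.140.118.28').
    Returns None for anything that is not a well-formed IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ipaddress.AddressValueError:
        return None


def parse_network(text):
    """Rows of the pipe table as dicts; the header row and blank lines are skipped."""
    rows = []
    for raw in text.splitlines():
        cells = [c.strip() for c in raw.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        rows.append(dict(zip(("country", "destination", "domain", "proto"), cells)))
    return rows


def split_reverse_lookups(rows):
    """Return (sorted addresses that were reverse-looked-up, all other rows).
    The second list is what still needs an analyst's attention."""
    looked_up, other = set(), []
    for r in rows:
        ip = ptr_to_ipv4(r["domain"])
        if ip is not None and r["proto"] == "udp" and r["destination"].endswith(":53"):
            looked_up.add(ip)
        else:
            other.append(r)
    return sorted(looked_up), other
```

For this sample the second list comes back empty, which is the point: the run produced no outbound connection or forward lookup of its own, only the guest's background reverse lookups, and the recovered addresses are what you would check against known vendor ranges if you wanted to confirm that.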
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20240903-en
Max time kernel
117s
Max time network
124s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Processes
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\eu\dia-manual.pdf"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 04b900db92900d79eae95916d0b2f8d5 |
| SHA1 | 018ba675cd10ed5152af295e856dce8169de5c61 |
| SHA256 | 28c797dbc5784176fae617213e85bc2116a3ae3cea7ab4916d64f96f57a275b3 |
| SHA512 | f098603187401dc640d0f16ef6079dd66582f08d098603766e4b66d9f0e60bd664d7effce9a67b875a488c4ee3fad572057707b9bbcaeaf1ba7aada0ca21ad81 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\fr\dia-manual.pdf"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E8EC858C2DFE1706D9A4A488D26FBA04 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E9C1E6E30AFACF6C9CF95510F1E5E116 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E9C1E6E30AFACF6C9CF95510F1E5E116 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C0EF5F1F37C973609E671FE4B3C65C0A --mojo-platform-channel-handle=2280 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=57D815A29F8ADA3E98A37C3C7BA3B231 --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AF7EE88D35D9E6A7A979B00EB3CEE45A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AF7EE88D35D9E6A7A979B00EB3CEE45A --renderer-client-id=6 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F8682CBD9B599CE464FDD940F9EC2CB --mojo-platform-channel-handle=2664 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.20.192.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 8c629d66b264ee4d61cd815b3236c086 |
| SHA1 | 81ffd2608d8b468da37c4587bfdaee9885d3f88f |
| SHA256 | 1e494737c20c61e11962426ace6884de7f3bc7c5dca48aa5ee13d0abc89cb91c |
| SHA512 | f52dde9d4cbb40518b23d8f94778b12e9cf258500d546fb9ddb4badfe716c3e536773ceb97350009495575f6d2799cf1c871b212c96a70e74b7ec71b52f466d3 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
152s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\hh.exe | N/A |
| N/A | N/A | C:\Windows\hh.exe | N/A |
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\pl\dia-manual.chm
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20240903-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2332 wrote to memory of 2348 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2332 wrote to memory of 2348 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2332 wrote to memory of 2348 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2348 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2348 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2348 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2348 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\imgmap.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\imgmap.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\imgmap.py"
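The WriteProcessMemory rows in this run are process-creation noise rather than injection: a parent writes into its new child's address space more than once, so one launch yields several identical rows, and a count of rows says nothing about how many processes were created. What the rows do preserve is parent/child lineage with PIDs, which the Processes list lacks. Read that way, the chain here is `cmd /c` on a .py file with no registered handler, which makes Windows run shell32's OpenAs_RunDLL (the "Open with" dialog), and the detonation ended with Adobe Reader being handed the file. The Python below is an added example, not taken from the report; it dedupes the rows and renders the tree, the embedded rows are copied from the table above, and the same code applies to the rundll32 64-bit-to-32-bit pairs in the runs that follow.

```python
import re
from collections import defaultdict

# Constructed sample: WriteProcessMemory rows copied from the behavioral15 run. The
# report repeats each parent/child pair; only distinct pairs matter for lineage.
WPM_ROWS = r"""
| PID 2332 wrote to memory of 2348 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2332 wrote to memory of 2348 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2348 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2348 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
"""

# Description | Indicator | Process | Target columns of the report's table.
EDGE = re.compile(
    r"^\|\s*PID (\d+) wrote to memory of (\d+)\s*\|[^|]*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|$"
)


def parse_edges(text):
    """Distinct (parent_pid, child_pid, parent_image, child_image) tuples, in report order.
    Note that a genuine injection into an unrelated process would produce the same
    row shape; the table alone cannot tell the two apart, the tree just shows what it asserts."""
    edges = []
    for raw in text.splitlines():
        m = EDGE.match(raw.strip())
        if m:
            edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            if edge not in edges:
                edges.append(edge)
    return edges


def build_tree(edges):
    """Return (root pids, {parent pid: [child pids]}, {pid: image path})."""
    children, images = defaultdict(list), {}
    for ppid, pid, pimg, cimg in edges:
        children[ppid].append(pid)
        images.setdefault(ppid, pimg)
        images[pid] = cimg
    child_pids = {pid for _, pid, _, _ in edges}
    roots = [pid for pid in images if pid not in child_pids]
    return roots, dict(children), images


def render(roots, children, images, depth=0):
    """Indented 'image (pid)' lines, one per process, depth-first."""
    lines = []
    for pid in roots:
        lines.append("  " * depth + f"{images[pid]} ({pid})")
        lines.extend(render(children.get(pid, []), children, images, depth + 1))
    return lines
```

Rendering the sample gives cmd.exe (2332) with rundll32.exe (2348) beneath it and AcroRd32.exe (2924) beneath that, which is the "Open with" chain described above in one glance.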
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | a24caf26cd88342840c5d1addf6d8498 |
| SHA1 | 0f588fd1b686c000cb6a1bda50428c816a877372 |
| SHA256 | 1e959cc8bee18be18ca0e9cc08d2ef91f5989d122229d6d893acd756ba64320c |
| SHA512 | 4c520872c3a06353af53f0c49f09113338861b287712e41d0725c6843ba14963ce004e150ca165b7de3de62aa3fbf1ff659a7107eac7f95c10c0ddd7a9725ec1 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
149s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1796 wrote to memory of 4660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1796 wrote to memory of 4660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1796 wrote to memory of 4660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-pcx.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-pcx.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20240903-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2104 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2104 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2104 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2104 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2104 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2104 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2104 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ani.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ani.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win7-20240903-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2736 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2736 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2736 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2736 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2736 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2736 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2736 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ico.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ico.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:06
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\imgmap.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network