Malware Analysis Report

2025-08-05 23:32

Sample ID 250119-xzjxca1rby
Target 1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe
SHA256 1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227
Tags
credential_access discovery evasion persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227

Threat Level: Known bad

The file 1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe was found to be: Known bad.

Malicious Activity Summary

credential_access discovery evasion persistence spyware stealer

Modifies firewall policy service

Sets service image path in registry

Adds policy Run key to start application

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Suspicious use of FindShellTrayWindow

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-19 19:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 19:17

Reported

2025-01-19 19:19

Platform

win7-20240903-en

Max time kernel

120s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe = "c:\\users\\admin\\appdata\\local\\temp\\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe:*:Enabled:SMPN" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wdfmgr\ImagePath = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\wdfmgr = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\regedit.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\windows\wdfmgr.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File created \??\c:\windows\msrpc.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened for modification \??\c:\windows\calc.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened for modification \??\c:\windows\wdfmgr.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened for modification \??\c:\windows\regedit2.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File created \??\c:\windows\Start Menu\Programs\Startup\AdobeLoader.scr C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened for modification \??\c:\windows\mui\rctfd.sys C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File created \??\c:\windows\lsassv.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened for modification \??\c:\windows\lsassv.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened for modification \??\c:\windows\msrpc.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File created \??\c:\windows\regedit2.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File created \??\c:\windows\Главное меню\Программы\Автозагрузка\AdobeLoader.scr C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened for modification \??\c:\windows\mui\olefx.dll C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File created \??\c:\windows\calc.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Browser Information Discovery

discovery

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\Dism\\ja-JP\\SmiProvider.dll.mui" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Manifests\\amd64_mdmcxpv6.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_72f3d4cf9d3dccb6.manifest" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Manifests\\amd64_microsoft-windows-c..tasp1.res.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6d6425db9d79ae22.manifest" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "1048" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "104063" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "29068" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\FileRepository\\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\\Amd64\\HPZIPR12.DLL" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "74525" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "111203" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Manifests\\amd64_microsoft-windows-p..peeradmin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_719df0580731deba.manifest" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsVersion1Warning.htm" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "36371" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Manifests\\amd64_microsoft-windows-s..trolpanel.resources_31bf3856ad364e35_6.1.7600.16385_it-it_04f87c1305f0d058.manifest" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Common Files\\System\\msadc\\ja-JP\\msdaremr.dll.mui" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "34152" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "103851" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "106258" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Manifests\\amd64_microsoft-windows-t..inkwatson.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f734ab4b52e9d642.manifest" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "26545" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\FileRepository\\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\\Amd64\\smf6x5u.xml" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Manifests\\amd64_microsoft-windows-shell-comctl32-v5_31bf3856ad364e35_6.1.7601.17514_none_97c2246fee970dbb.manifest" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\gpedit.dll" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\en-US\\powershell_ise.resources.dll" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_prnep003.inf_31bf3856ad364e35_6.1.7600.16385_none_9403111e2c10328e\\prnep003.inf" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "98522" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\de-DE\\arcsas.inf_loc" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\en-US\\msaatext.dll.mui" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "49739" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-directwrite.resources_31bf3856ad364e35_7.1.7601.16492_ru-ru_29e175fbc10a89d0\\DWrite.dll.mui" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\FileRepository\\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\\Amd64\\BRD131C.GPD" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "71746" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "77349" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\BitLockerDiscoveryVolumeContents\\de-DE_BitLockerToGo.exe.mui" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "16520" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "31915" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "66209" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_sti.inf_31bf3856ad364e35_6.1.7600.16385_none_b5d3c30ffa77a77a\\scsiscan.sys" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "103376" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\schemas\\EAPHost\\eapuserpropertiesv1.xsd" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWOW64\\it-IT\\loadperf.dll.mui" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "11622" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "30427" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "37963" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "75332" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "91035" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "107718" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "114565" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\features\\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\\META-INF\\ECLIPSE_.RSA" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\FileRepository\\prnhp003.inf_amd64_neutral_4480210763997eb4\\Amd64\\hpd7200t.gpd" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "66817" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "95072" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-m..vider-rll.resources_31bf3856ad364e35_6.1.7601.17514_it-it_1ee6b4808fedf0f8\\msdasqlr.dll.mui" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-onlineidcpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_808b0be0dbba7418\\OnLineIDCPL.dll.mui" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Backup\\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_66e40021f6ac2d53.manifest" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Hardware Tracker.fdt" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\mtxlegih.dll" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-m..nager-rll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bd23d596d204e54\\odbcint.dll.mui" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "95944" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Manifests\\amd64_brmfcmf.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8910876519478872.manifest" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "23518" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "32918" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\it-IT\\runonce.exe.mui" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "78183" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Backup\\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636.manifest" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe

"C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe"

Network

N/A

Files

memory/2676-0-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\msrpc.exe

MD5 9e4fc5458e8c6538130bfdf13f46ce45
SHA1 a3bb4a1598f2162a88351f5f78a49660e54b9c52
SHA256 612b3f592a79e685c5699ea5e0f75514d1e15bb576f4633150dd21d9da560a0e
SHA512 36e4688c89ce4126de2effbccd52e760c8380d443c09ad0258627f599964d813dcdab0b58ce841d5189ba128e1fa39167ba8204f90143fd18b9b418062908f1d

memory/2676-17-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2676-22-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2676-24-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2676-25-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2676-26-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2676-27-0x0000000000400000-0x0000000000425000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 19:17

Reported

2025-01-19 19:20

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe = "c:\\users\\admin\\appdata\\local\\temp\\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe:*:Enabled:SMPN" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wdfmgr\ImagePath = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\wdfmgr = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
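Added example, not part of the sandbox report or of the sample: the rows of the firewall table and the three persistence tables above share one layout, `Set value (<type>) <key> = "<data>" <process> <target>`, so they can be fed straight into detection logic. The script below parses copies of those rows (embedded as constructed input), normalises the key (hive shortened, WOW6432Node dropped so 32- and 64-bit views compare equal), labels the location written (the Explorer `Policies\Explorer\Run` key in both HKCU and HKLM, `Run`, the Windows 9x-era `RunServices` key that NT-based Windows does not process but which still fingerprints the family, a service `ImagePath`, and the XP SP2-era firewall exception list whose value reads `<path>:<remote scope>:<Enabled|Disabled>:<display name>`, with `*` meaning any remote address), and flags payloads that live directly in `%SystemRoot%\` or in the user's Temp folder. The rule table, the flag names and the assumption that a firewall display name contains no colon are mine.

```python
"""Parse the report's 'Set value' rows and classify each registry write as a
persistence or firewall-exception indicator, with flags on where the payload lives."""
import re
from collections import namedtuple

RegWrite = namedtuple("RegWrite", "kind key data process")

# Row layout used by the report tables: Set value (<type>) <key> = "<data>" <process> <target>
_ROW = re.compile(r'^Set value \((str|int)\) (\S+) = "(.*)" (\S+) (\S+)$')

# Patterns over the normalised key (lower-case, hive shortened, WOW6432Node removed).
RULES = (
    (r"\\currentversion\\policies\\explorer\\run\\[^\\]+$",        "autorun:PoliciesExplorerRun"),
    (r"\\currentversion\\runservices\\[^\\]+$",                    "autorun:RunServices"),
    (r"\\currentversion\\run\\[^\\]+$",                            "autorun:Run"),
    (r"\\services\\[^\\]+\\imagepath$",                            "service:ImagePath"),
    (r"\\firewallpolicy\\[^\\]+\\authorizedapplications\\list\\",  "firewall:AuthorizedApplication"),
)

# Constructed input: rows copied from the tables above (one 'Key created' row to show it is skipped).
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe = "c:\\users\\admin\\appdata\\local\\temp\\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe:*:Enabled:SMPN" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wdfmgr\ImagePath = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\wdfmgr = "c:\\windows\\wdfmgr.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
"""


def parse_rows(text):
    """Return a RegWrite for every 'Set value' row; 'Key created' and other rows are skipped."""
    writes = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            kind, key, data, process, _target = m.groups()
            # the report doubles backslashes inside the quoted data; undo that
            writes.append(RegWrite(kind, key, data.replace("\\\\", "\\"), process))
    return writes


def normalise_key(key):
    r"""\REGISTRY\MACHINE\... -> hklm\..., \REGISTRY\USER\<sid>\... -> hku\<sid>\...,
    lower-cased, with WOW6432Node removed so 32- and 64-bit views compare equal."""
    k = key.lower()
    for prefix, short in (("\\registry\\machine\\", "hklm\\"), ("\\registry\\user\\", "hku\\")):
        if k.startswith(prefix):
            k = short + k[len(prefix):]
    return k.replace("wow6432node\\", "")


def classify(write):
    """Map one write to a finding dict, or None if it touches no watched location."""
    key = normalise_key(write.key)
    label = next((lbl for pat, lbl in RULES if re.search(pat, key)), None)
    if label is None:
        return None
    finding = {"technique": label, "hive": key.split("\\", 1)[0], "key": key, "flags": []}
    if label.startswith("firewall:"):
        # Legacy AuthorizedApplications\List value: <path>:<remote scope>:<Enabled|Disabled>:<display name>
        # (assumes the display name itself contains no colon; the drive colon stays in the path).
        path, scope, mode, name = write.data.rsplit(":", 3)
        finding.update(path=path, scope=scope, mode=mode, name=name)
        if mode.lower() == "enabled" and scope == "*":
            finding["flags"].append("allow-from-any-address")
    else:
        finding["path"] = write.data
    p = finding["path"].lower()
    if re.fullmatch(r"c:\\windows\\[^\\]+", p):
        finding["flags"].append("payload-in-systemroot-root")  # legitimate installers do not drop into %SystemRoot%\ itself
    if "\\appdata\\local\\temp\\" in p:
        finding["flags"].append("payload-in-user-temp")
    return finding


def triage(text):
    """Findings for every watched write in the report text, in row order."""
    return [f for f in map(classify, parse_rows(text)) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f["technique"], f["hive"], f["path"], ",".join(f["flags"]))
```

Run as-is it prints one line per watched write; pointing `triage` at the full text of the tables above (including the integer `FNum` rows) leaves anything outside the rule table unreported, which is the intended behaviour for a hunting pass.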

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\regedit.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\windows\msrpc.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened for modification \??\c:\windows\msrpc.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened for modification \??\c:\windows\regedit2.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File created \??\c:\windows\Главное меню\Программы\Автозагрузка\AdobeLoader.scr C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File created \??\c:\windows\Start Menu\Programs\Startup\AdobeLoader.scr C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened for modification \??\c:\windows\mui\rctfd.sys C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File created \??\c:\windows\wdfmgr.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File created \??\c:\windows\calc.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened for modification \??\c:\windows\calc.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened for modification \??\c:\windows\mui\olefx.dll C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened for modification \??\c:\windows\wdfmgr.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File created \??\c:\windows\lsassv.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File opened for modification \??\c:\windows\lsassv.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
File created \??\c:\windows\regedit2.exe C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
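Added example, not part of the report: the paths in the table above carry two things worth checking mechanically. First, the sample writes a startup-folder path with the Russian names `Главное меню\Программы\Автозагрузка` (Start Menu\Programs\Startup) as cp1251 bytes; on an en-US image the ANSI API interprets those bytes as cp1252, so the raw file-system view shows the Latin-1 look-alikes `Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà`, and that look-alike name is what a non-Russian host will actually carry on disk. The `demojibake` function below recovers the intended text, but only when re-decoding yields pure Cyrillic, so genuine Latin-1 names are left alone. Second, the dropped names (`lsassv.exe`, `regedit2.exe` and `calc.exe` directly in `%SystemRoot%\`, `regedit.exe` in `SysWOW64`) are masquerading and overwrite patterns; the small table of known binaries with their legitimate directories is a constructed baseline for this example, and the reason labels are mine.

```python
"""Triage the file-drop rows of the report: repair cp1251-shown-as-cp1252 mojibake
in paths, then flag drops that masquerade as, or overwrite, Windows binaries."""
import ntpath

# Constructed baseline: well-known binaries and where they legitimately live.
KNOWN_BINARIES = {
    "calc.exe":    {r"c:\windows\system32", r"c:\windows\syswow64"},
    "regedit.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "lsass.exe":   {r"c:\windows\system32"},
}
EXEC_EXTENSIONS = {".exe", ".scr", ".dll", ".sys", ".com"}
# Startup folders: the English name and the Russian one the sample hardcodes
# (Главное меню\Программы\Автозагрузка = Start Menu\Programs\Startup), lower-cased.
STARTUP_MARKERS = ("\\start menu\\programs\\startup\\",
                   "\\главное меню\\программы\\автозагрузка\\")

# Constructed input: the indicator paths from the 'Drops file' tables above.
SAMPLE_DROPS = [
    r"\??\c:\windows\SysWOW64\regedit.exe",
    r"\??\c:\windows\msrpc.exe",
    r"\??\c:\windows\regedit2.exe",
    r"\??\c:\windows\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\AdobeLoader.scr",
    r"\??\c:\windows\Start Menu\Programs\Startup\AdobeLoader.scr",
    r"\??\c:\windows\mui\rctfd.sys",
    r"\??\c:\windows\wdfmgr.exe",
    r"\??\c:\windows\calc.exe",
    r"\??\c:\windows\mui\olefx.dll",
    r"\??\c:\windows\lsassv.exe",
]


def demojibake(s):
    """Undo cp1251 text that was displayed through cp1252/Latin-1.

    Applied only when every non-ASCII char is in the Latin-1 range and the
    re-decoded text is pure Cyrillic; anything else is returned unchanged."""
    non_ascii = [c for c in s if ord(c) > 0x7F]
    if not non_ascii or not all(0xA0 <= ord(c) <= 0xFF for c in non_ascii):
        return s
    try:
        fixed = s.encode("cp1252").decode("cp1251")
    except UnicodeError:
        return s
    if all(0x400 <= ord(c) <= 0x4FF for c in fixed if ord(c) > 0x7F):
        return fixed
    return s


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_drop(path):
    """Return the set of reasons a created/modified file path is suspicious (empty if none)."""
    p = path[4:] if path.startswith("\\??\\") else path   # strip the NT object-manager prefix
    p = demojibake(p).lower()
    parent, name = ntpath.dirname(p), ntpath.basename(p)
    ext = ntpath.splitext(name)[1]
    reasons = set()
    if parent == r"c:\windows" and ext in EXEC_EXTENSIONS:
        reasons.add("systemroot-root")        # executables do not belong directly in %SystemRoot%\
    if any(marker in p for marker in STARTUP_MARKERS):
        reasons.add("startup-folder")
    for legit, dirs in KNOWN_BINARIES.items():
        if name == legit:
            # same name as a system binary: in its own directory this replaces the real file
            reasons.add("system-binary-overwrite" if parent in dirs else f"masquerade:{legit}")
        elif edit_distance(name, legit) == 1:
            reasons.add(f"masquerade:{legit}")
    return reasons


def triage_drops(paths):
    """Map each reported path to its reasons, keeping paths with none so gaps are visible."""
    return {path: classify_drop(path) for path in paths}


if __name__ == "__main__":
    for path, reasons in triage_drops(SAMPLE_DROPS).items():
        print(f"{demojibake(path)}  ->  {', '.join(sorted(reasons)) or '-'}")
```

The two `mui\` drops (`rctfd.sys`, `olefx.dll`) come out empty: nothing in the baseline speaks to them, which is the honest result rather than a reason to widen the heuristics until every row lights up.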

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Microsoft Office\\root\\Office16\\ODBC Drivers\\Salesforce\\lib\\OpenSSL64.DllA\\openssl64.dlla.manifest" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "30030" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "52435" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-cloudfiles-filter_31bf3856ad364e35_10.0.19041.21_none_981e0aa9bd72183e\\r\\cldflt.sys" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "32708" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\FileRepository\\netathr10x.inf_amd64_2691c4f95b80eb3b\\eeprom_qca9377_1p1_NFA435_olpc.bin" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "64081" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "97885" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "2133" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\contrast-white\\Weather_TileWide.scale-100.png" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\\Assets\\InsiderHubAppList.targetsize-96.png" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "26951" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "63965" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "3252" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "13977" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\Font\\PFM\\SY______.PFM" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "46394" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\\cortana.html" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "32946" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\servicing\\Packages\\HyperV-Host-Compute-PowerShell-Module-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.mum" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "61745" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "77840" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_63994a974590744a\\bootmgfw.efi.mui" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "91185" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "2356" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "14748" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "38630" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "79114" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWOW64\\migration\\netiomig.dll" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "81251" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "86201" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\\images\\contrast-black\\GenericMailSmallTile.scale-150.png" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "30182" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\DE\\System.EnterpriseServices.Resources.dll" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\servicing\\InboxFodMetadataCache\\metadata\\Language.Speech~es-mx~1.0.mum" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "63225" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-enhancedstorage-api_31bf3856ad364e35_10.0.19041.1_none_8b1fdc6daf23ffa9\\EhStorAPI.dll" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "97094" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "16632" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\msdia100.dll" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "50179" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\wbem\\uk-UA\\netttcim_uninstall.mfl" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "52291" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-cryptuiwizard-dll_31bf3856ad364e35_10.0.19041.804_none_99449be11762eb74\\r\\cryptuiwizard.dll.mun" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "94477" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWOW64\\aadauthhelper.dll" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "72129" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "3007" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "24872" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "32715" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SystemApps\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Ratings\\RatingStars41.contrast-black_scale-200.png" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "44964" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "50848" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "53521" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "63779" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "13884" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "19199" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\yuzka873.default-release\\safebrowsing\\analytics-track-digest256.vlpset" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\es\\System.IdentityModel.Selectors.resources.dll" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "80126" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "91961" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "51607" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-a..orecodecs.resources_31bf3856ad364e35_10.0.19041.1_it-it_86b855572c427fcd\\msg711.acm.mui" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\\Assets\\contrast-black\\BadgeLogo.scale-100_contrast-black.png" C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe

"C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3756-0-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\msrpc.exe

MD5 dfd6768390ce065fbf9039f5925737c3
SHA1 c6ebb6d7c4b1721ca9c6275b37d02e4a540de873
SHA256 d4b3c2c520d34ae0002abebe22ec1707175be4682abbf9282436354466ada9e8
SHA512 6ca13f23ce336fed25296d5281311f3e0dc43aa15214534591ee0a3d72e2785b46ba673c594a90dcb15a57d14cbe0209f42d80b2f112c8ccf11704918d60afd2

memory/3756-17-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3756-20-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3756-25-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3756-27-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3756-28-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3756-30-0x0000000000400000-0x0000000000425000-memory.dmp