35ee2cbb9e2b8c9527f93d1653f3dfc096b9b2bd7aa8170cf0e61df3e8a205a7

Resubmissions

04/12/2020, 17:06

201204-4hs2zp9xwe 8

Analysis

max time kernel
150s
max time network
149s
platform
windows10_x64
resource
win10v20201028
submitted
04/12/2020, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SurfsharkSetup (5).exe
Size

25.2MB
MD5

20ee42699b52682eec596dfe400fbae6
SHA1

41353e3a82c4baa226210e9325ee6b6b0ef7bf6b
SHA256

35ee2cbb9e2b8c9527f93d1653f3dfc096b9b2bd7aa8170cf0e61df3e8a205a7
SHA512

502a9f77396554d5d2c59661e00037c72666bc4df9f318c5e397c798f8ba63325993d7f8f4beaa647101f904d431204fd45ce9a8f2ed9b46efeeb5a3c5d29f48

Score

8^/10

evasion persistence

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET2F10.tmp	Surfshark.Service.exe
File created	C:\Windows\system32\DRIVERS\SET2F10.tmp	Surfshark.Service.exe
File opened for modification	C:\Windows\system32\DRIVERS\wintunshark.sys	Surfshark.Service.exe
File opened for modification	C:\Windows\System32\drivers\SET5B5F.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET5B5F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\tapsurfshark.sys	DrvInst.exe

Executes dropped EXE 58 IoCs

pid	Process
2152	SurfsharkTunWin10.exe
5012	MSID075.tmp
5108	MSID18F.tmp
3868	MSIE5CC.tmp
4340	MSIE6F6.tmp
4516	SurfsharkSplitTunnelingService.exe
4572	aipackagechainer.exe
4772	nssm.exe
4788	nssm.exe
5096	nssm.exe
4116	nssm.exe
4120	nssm.exe
3720	nssm.exe
776	nssm.exe
2168	nssm.exe
2060	nssm.exe
4284	nssm.exe
3392	Surfshark.Service.exe
4908	devcon.exe
2120	nssm.exe
2556	nssm.exe
3012	Surfshark.ShadowsocksService.exe
1544	Surfshark.exe
4636	TapInstaller.exe
4364	tapinstall.exe
3228	tapinstall.exe
2068	hqn0ieg3.exe
4136	hqn0ieg3.exe
4992	MSI393B.tmp
4524	MSI3A07.tmp
4140	nssm.exe
4876	nssm.exe
4188	nssm.exe
5044	nssm.exe
4312	MSI4B29.tmp
3016	MSI4C05.tmp
5064	nssm.exe
4892	nssm.exe
4344	nssm.exe
1552	nssm.exe
3644	MSI718F.tmp
4764	MSI72A9.tmp
3508	SurfsharkSplitTunnelingService.exe
4400	nssm.exe
3844	nssm.exe
4404	nssm.exe
1836	nssm.exe
2428	nssm.exe
5044	nssm.exe
196	nssm.exe
4424	nssm.exe
4800	nssm.exe
912	nssm.exe
4308	Surfshark.Service.exe
1696	devcon.exe
4140	nssm.exe
2124	nssm.exe
908	Surfshark.ShadowsocksService.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 64 IoCs

pid	Process
1192	SurfsharkSetup (5).exe
1192	SurfsharkSetup (5).exe
3672	MsiExec.exe
3672	MsiExec.exe
3672	MsiExec.exe
2152	SurfsharkTunWin10.exe
2152	SurfsharkTunWin10.exe
624	MsiExec.exe
2208	MsiExec.exe
2208	MsiExec.exe
2208	MsiExec.exe
2208	MsiExec.exe
2208	MsiExec.exe
2152	SurfsharkTunWin10.exe
2168	MsiExec.exe
3860	MsiExec.exe
2168	MsiExec.exe
4304	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
1192	SurfsharkSetup (5).exe
4872	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
3392	Surfshark.Service.exe
3392	Surfshark.Service.exe
4636	TapInstaller.exe
4636	TapInstaller.exe
4196	MsiExec.exe
4756	MsiExec.exe
4756	MsiExec.exe
4756	MsiExec.exe
4756	MsiExec.exe
4756	MsiExec.exe
4636	TapInstaller.exe
4756	MsiExec.exe
4460	rundll32.exe
4460	rundll32.exe
4460	rundll32.exe
4460	rundll32.exe
4460	rundll32.exe
2068	hqn0ieg3.exe
2068	hqn0ieg3.exe
2664	MsiExec.exe
2664	MsiExec.exe
2664	MsiExec.exe
2084	MsiExec.exe
2084	MsiExec.exe
2084	MsiExec.exe
2084	MsiExec.exe
2084	MsiExec.exe
2084	MsiExec.exe
2084	MsiExec.exe
2084	MsiExec.exe
2084	MsiExec.exe
2068	hqn0ieg3.exe
2084	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Surfshark = "C:\\Program Files (x86)\\Surfshark\\Surfshark.exe"	Surfshark.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Surfshark\Surfshark\desktop.ini	msiexec.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	SurfsharkSetup (5).exe
File opened (read-only)	\??\B:	hqn0ieg3.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	SurfsharkTunWin10.exe
File opened (read-only)	\??\W:	SurfsharkTunWin10.exe
File opened (read-only)	\??\Y:	SurfsharkTunWin10.exe
File opened (read-only)	\??\P:	SurfsharkSetup (5).exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	SurfsharkSetup (5).exe
File opened (read-only)	\??\X:	SurfsharkTunWin10.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	TapInstaller.exe
File opened (read-only)	\??\I:	SurfsharkTunWin10.exe
File opened (read-only)	\??\N:	SurfsharkSetup (5).exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	hqn0ieg3.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	SurfsharkTunWin10.exe
File opened (read-only)	\??\Q:	SurfsharkTunWin10.exe
File opened (read-only)	\??\I:	SurfsharkSetup (5).exe
File opened (read-only)	\??\L:	TapInstaller.exe
File opened (read-only)	\??\G:	hqn0ieg3.exe
File opened (read-only)	\??\X:	SurfsharkSetup (5).exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	TapInstaller.exe
File opened (read-only)	\??\N:	TapInstaller.exe
File opened (read-only)	\??\L:	SurfsharkSetup (5).exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	hqn0ieg3.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	SurfsharkSetup (5).exe
File opened (read-only)	\??\O:	SurfsharkTunWin10.exe
File opened (read-only)	\??\P:	SurfsharkTunWin10.exe
File opened (read-only)	\??\K:	TapInstaller.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	SurfsharkTunWin10.exe
File opened (read-only)	\??\V:	SurfsharkTunWin10.exe
File opened (read-only)	\??\B:	TapInstaller.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	SurfsharkSetup (5).exe
File opened (read-only)	\??\W:	TapInstaller.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	SurfsharkSetup (5).exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	SurfsharkSetup (5).exe
File opened (read-only)	\??\Z:	SurfsharkSetup (5).exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	TapInstaller.exe
File opened (read-only)	\??\V:	SurfsharkSetup (5).exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4eb7eb8d-4958-584a-93fd-a735b6715166}\SET915B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wintunshark.inf_amd64_f5533537262ef98c\wintunshark.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{756ea1b8-9944-1a47-ab6c-9f59fa474260}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4eb7eb8d-4958-584a-93fd-a735b6715166}\SET915A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4eb7eb8d-4958-584a-93fd-a735b6715166}\SET915A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4eb7eb8d-4958-584a-93fd-a735b6715166}\wintunshark.Inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4eb7eb8d-4958-584a-93fd-a735b6715166}\SET915B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{756ea1b8-9944-1a47-ab6c-9f59fa474260}\SET59BB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{756ea1b8-9944-1a47-ab6c-9f59fa474260}\tapsurfshark.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a669a3ecf3206035\tapsurfshark.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4eb7eb8d-4958-584a-93fd-a735b6715166}\SET9159.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4eb7eb8d-4958-584a-93fd-a735b6715166}\wintunshark.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{756ea1b8-9944-1a47-ab6c-9f59fa474260}\tapsurfshark.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{756ea1b8-9944-1a47-ab6c-9f59fa474260}\SET59B9.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{756ea1b8-9944-1a47-ab6c-9f59fa474260}\SET59B9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a669a3ecf3206035\tapsurfshark.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{756ea1b8-9944-1a47-ab6c-9f59fa474260}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wintunshark.inf_amd64_f5533537262ef98c\wintunshark.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a669a3ecf3206035\oemvista.inf	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Surfshark.Service.exe.log	Surfshark.Service.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Surfshark.ShadowsocksService.exe.log	Surfshark.ShadowsocksService.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wintunshark.inf_amd64_f5533537262ef98c\wintunshark.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{756ea1b8-9944-1a47-ab6c-9f59fa474260}\SET59BA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wintunshark.inf_amd64_f5533537262ef98c\wintunshark.Inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4eb7eb8d-4958-584a-93fd-a735b6715166}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{756ea1b8-9944-1a47-ab6c-9f59fa474260}\SET59BA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a669a3ecf3206035\oemvista.PNF	tapinstall.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log	rundll32.exe
File created	C:\Windows\System32\DriverStore\Temp\{4eb7eb8d-4958-584a-93fd-a735b6715166}\SET9159.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4eb7eb8d-4958-584a-93fd-a735b6715166}\wintunshark.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{756ea1b8-9944-1a47-ab6c-9f59fa474260}\SET59BB.tmp	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Surfshark\Surfshark TUN Driver Windows\x64\wintunshark.Inf	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x32\SplitTunnel.dll	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\drivers\default\x86\tapsurfshark.sys	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x32\SurfsharkWg.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Surfshark.ShadowsocksService.exe	msiexec.exe
File created	C:\Program Files\Surfshark\Surfshark TUN Driver Windows\x64\wintunshark.cat	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\drivers\default\x86\OemVista.inf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x64\SplitTunnel.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\SurfsharkDiagnostics.exe	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x32\nssm.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x32\SurfsharkSplitTunnelCalloutDriver.inf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x32\nssm.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\SurfsharkDiagnostics.exe	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x32\liblzo2-2.dll	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x32\SurfsharkSplitTunnelCalloutDriver.sys	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x32\surfsharksplittunneldriver.cat	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\bin\x64\tapinstall.exe	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\bin\x86\tapinstall.exe	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\drivers\win10\x86\tapsurfshark.cat	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x64\Surfshark.Firewall.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkSplitTunnelCalloutDriver.sys	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x64\surfsharksplittunneldriver.cat	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\drivers\include\tap-windows.h	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x64\libpkcs11-helper-1.dll	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x32\Surfshark.Firewall.dll	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x64\Surfshark.Firewall.dll	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\surfshark_ikev2.crt	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\drivers\default\x64\tapsurfshark.cat	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\drivers\default\x64\tapsurfshark.sys	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\drivers\default\x86\tapsurfshark.cat	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\drivers\win10\x86\OemVista.inf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x32\libssl-1_1.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x64\openssl.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x64\openvpn.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\surfshark_ikev2.crt	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x64\devcon.exe	msiexec.exe
File created	C:\Program Files\Surfshark\Surfshark TUN Driver Windows\x64\wintunshark.Sys	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\drivers\default\x64\OemVista.inf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x32\SplitTunnel.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkWg.dll	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkSplitTunnelCalloutDriver.inf	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkWg.dll	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x32\SurfsharkWg.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Surfshark.Service.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkSplitTunnelCalloutDriver.inf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x64\libcrypto-1_1-x64.dll	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x64\libcrypto-1_1-x64.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkSplitTunnelingService.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x32\libpkcs11-helper-1.dll	msiexec.exe
File opened for modification	C:\PROGRA~3\Caphyon\ADVANC~1\{E7AB76D3-32CD-4FF1-911C-C166690DBD25}	attrib.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x64\liblzo2-2.dll	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Surfshark.exe	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x32\SurfsharkSplitTunnelingService.exe	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\drivers\win10\x64\OemVista.inf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x32\surfsharksplittunneldriver.cat	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x32\openvpn.exe	msiexec.exe
File opened for modification	C:\PROGRA~3\Caphyon\ADVANC~1\{E7AB7~1\SurfsharkSetup.exe	attrib.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x32\libcrypto-1_1.dll	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x64\libssl-1_1-x64.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Surfshark\Resources\x32\devcon.exe	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x64\openvpn.exe	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x32\SurfsharkSplitTunnelCalloutDriver.inf	msiexec.exe
File created	C:\Program Files (x86)\Surfshark\Resources\x64\devcon.exe	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI3A07.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4ACB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{5795EF4B-5D61-4FEC-9CAB-39A0849C7238}\artboard.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	Surfshark.Service.exe
File opened for modification	C:\Windows\Installer\MSI8F6B.tmp	msiexec.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSID016.tmp	msiexec.exe
File created	C:\Windows\Tasks\.job	aipackagechainer.exe
File opened for modification	C:\Windows\Installer\MSI4B29.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4D40.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{968F3CF6-0E71-4C84-8DFD-1C577F72410F}\TUN1x.exe	msiexec.exe
File created	C:\Windows\Installer\{E7AB76D3-32CD-4FF1-911C-C166690DBD25}\artboard.exe	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI4922.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI49AF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F3B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5357.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI552E.tmp-\tapinstall.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3D95.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9038.tmp	msiexec.exe
File created	C:\Windows\Installer\f7489e0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI59BB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7489d7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF4A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI552E.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI718F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI552E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI29A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8CA7.tmp	msiexec.exe
File created	C:\Windows\Installer\f7489db.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7489db.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE6F6.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	Surfshark.Service.exe
File opened for modification	C:\Windows\Installer\MSI4F6B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI51A0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI6651.tmp	msiexec.exe
File created	C:\Windows\Installer\{968F3CF6-0E71-4C84-8DFD-1C577F72410F}\TUN1x.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE7B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI415E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI552E.tmp-\SurfsharkTapInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI4A0E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8BDA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C58.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E4F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID3B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICECC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI532F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CD1.tmp	msiexec.exe
File created	C:\Windows\Installer\{5795EF4B-5D61-4FEC-9CAB-39A0849C7238}\artboard.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI50B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI552E.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI4C05.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID8F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7489e4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE5CC.tmp	msiexec.exe
File created	C:\Windows\Installer\f7489e4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI38FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B12.tmp	msiexec.exe
File opened for modification	C:\Windows\Tasks\C__Users_Admin_AppData_Local_Temp_SurfsharkSetup (5).exe.job	SurfsharkSetup (5).exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	Surfshark.Service.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	Surfshark.Service.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\UpperFilters	Surfshark.Service.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
4676	timeout.exe
2060	timeout.exe
4568	timeout.exe
2292	timeout.exe
3900	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2060	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\Surfshark.exe = "1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\Surfshark.exe = "0"	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\Surfshark.exe = "1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\Surfshark.exe = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\Surfshark.exe = "1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Surfshark.exe = "0"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Surfshark.exe = "11001"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	msiexec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	aipackagechainer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\19\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	tapinstall.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	tapinstall.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	aipackagechainer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Surfshark.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	aipackagechainer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1B	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	tapinstall.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1c\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\18	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Surfshark.Service.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	Surfshark.ShadowsocksService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1c\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	tapinstall.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1c\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	Surfshark.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	tapinstall.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4FE597516D5CEF4C9BA930A48C92783\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4FE597516D5CEF4C9BA930A48C92783\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A60FEBD17B2E55647951FB3ECC516E6C\SourceList\LastUsedSource = "n;1;C:\\AppData\\Roaming\\Surfshark\\Surfshark TAP Driver Windows 1.0\\install\\C15E6C6\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6FC3F86917E048C4D8DFC175F72714F0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Surfshark\\Surfshark TUN Driver Windows 1.0\\install\\F72410F\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D67BA7EDC231FF419C11C6696D0DB52\PackageCode = "DD6C2F0C6F23E5E44BAD51783777B78C"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4FE597516D5CEF4C9BA930A48C92783\PackageCode = "DEFFC81AAA531884E8CA3696EF57BA11"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6FC3F86917E048C4D8DFC175F72714F0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D67BA7EDC231FF419C11C6696D0DB52\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\11FF5D2DA1B9B0A4C931D3F55AA7C3AE\A60FEBD17B2E55647951FB3ECC516E6C	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A60FEBD17B2E55647951FB3ECC516E6C\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D67BA7EDC231FF419C11C6696D0DB52\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E7DDB0412ADB77E4DB46B5864580620A\B4FE597516D5CEF4C9BA930A48C92783	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6FC3F86917E048C4D8DFC175F72714F0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Surfshark\\Surfshark TUN Driver Windows 1.0\\install\\F72410F\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3D67BA7EDC231FF419C11C6696D0DB52\SurfsharkTAPDriver	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D67BA7EDC231FF419C11C6696D0DB52	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6FC3F86917E048C4D8DFC175F72714F0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D67BA7EDC231FF419C11C6696D0DB52\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Surfshark\\Surfshark 2.7.5000\\install\\90DBD25\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A60FEBD17B2E55647951FB3ECC516E6C\ProductIcon = "C:\\Windows\\Installer\\{1DBEF06A-E2B7-4655-9715-BFE3CC15E6C6}\\TAP1x.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4FE597516D5CEF4C9BA930A48C92783\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4FE597516D5CEF4C9BA930A48C92783\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0E1CE07ECBAE23F45B8E196CE9613798	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D67BA7EDC231FF419C11C6696D0DB52\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A60FEBD17B2E55647951FB3ECC516E6C\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A60FEBD17B2E55647951FB3ECC516E6C\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E7DDB0412ADB77E4DB46B5864580620A\3D67BA7EDC231FF419C11C6696D0DB52	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D67BA7EDC231FF419C11C6696D0DB52\SourceList\PackageName = "SurfsharkSetup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D67BA7EDC231FF419C11C6696D0DB52\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6FC3F86917E048C4D8DFC175F72714F0\sswt = "MainFeature"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D67BA7EDC231FF419C11C6696D0DB52\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Surfshark\\Surfshark 2.7.5000\\install\\90DBD25\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E7DDB0412ADB77E4DB46B5864580620A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4FE597516D5CEF4C9BA930A48C92783\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6FC3F86917E048C4D8DFC175F72714F0\PackageCode = "C6263A515B8F13B469BFE634FA8D3A16"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6FC3F86917E048C4D8DFC175F72714F0\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D67BA7EDC231FF419C11C6696D0DB52\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D67BA7EDC231FF419C11C6696D0DB52\ProductIcon = "C:\\Windows\\Installer\\{E7AB76D3-32CD-4FF1-911C-C166690DBD25}\\artboard.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6FC3F86917E048C4D8DFC175F72714F0\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6FC3F86917E048C4D8DFC175F72714F0\SourceList\PackageName = "SurfsharkTunWin10.x64.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D67BA7EDC231FF419C11C6696D0DB52	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D67BA7EDC231FF419C11C6696D0DB52\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6FC3F86917E048C4D8DFC175F72714F0\ProductName = "Surfshark TUN Driver Windows"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A60FEBD17B2E55647951FB3ECC516E6C\ProductName = "Surfshark TAP Driver Windows"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A60FEBD17B2E55647951FB3ECC516E6C\SourceList\Net\1 = "C:\\AppData\\Roaming\\Surfshark\\Surfshark TAP Driver Windows 1.0\\install\\C15E6C6\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4FE597516D5CEF4C9BA930A48C92783\MainFeature	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4FE597516D5CEF4C9BA930A48C92783\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6FC3F86917E048C4D8DFC175F72714F0\ProductIcon = "C:\\Windows\\Installer\\{968F3CF6-0E71-4C84-8DFD-1C577F72410F}\\TUN1x.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A60FEBD17B2E55647951FB3ECC516E6C\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A60FEBD17B2E55647951FB3ECC516E6C\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A60FEBD17B2E55647951FB3ECC516E6C\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A60FEBD17B2E55647951FB3ECC516E6C	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4FE597516D5CEF4C9BA930A48C92783	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4FE597516D5CEF4C9BA930A48C92783\SurfsharkTAPDriver	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4FE597516D5CEF4C9BA930A48C92783\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A60FEBD17B2E55647951FB3ECC516E6C	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4FE597516D5CEF4C9BA930A48C92783\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D67BA7EDC231FF419C11C6696D0DB52\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A60FEBD17B2E55647951FB3ECC516E6C\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A60FEBD17B2E55647951FB3ECC516E6C\SourceList\Media\1 = ";"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D67BA7EDC231FF419C11C6696D0DB52\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4FE597516D5CEF4C9BA930A48C92783\Version = "34021183"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4FE597516D5CEF4C9BA930A48C92783\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6FC3F86917E048C4D8DFC175F72714F0\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E7DDB0412ADB77E4DB46B5864580620A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4FE597516D5CEF4C9BA930A48C92783\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6FC3F86917E048C4D8DFC175F72714F0\SourceList\Media\1 = ";"	msiexec.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tapinstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\B3DD7606D2B5A8B4A13771DBECC9EE1CECAFA38A	Surfshark.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\87A63D9ADB627D777836153C680A3DFCF27DE90C	Surfshark.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	SurfsharkSetup (5).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	SurfsharkSetup (5).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	SurfsharkSetup (5).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\B3DD7606D2B5A8B4A13771DBECC9EE1CECAFA38A\Blob = 030000000100000014000000b3dd7606d2b5a8b4a13771dbecc9ee1cecafa38a140000000100000014000000a5ce37eaebb0750e946788b445fad9241087961f0400000001000000100000003416ca751517b8391cd759fabb8ec9190f00000001000000200000009cbba0fc962f7a2b31c62b1b175a2de4c50a8395727e30b626a80009a780e3d8190000000100000010000000b254301c358754b4b99cbf92922a67175c00000001000000040000000001000018000000010000001000000068cb42b035ea773e52ef50ecf50ec5294b0000000100000044000000360042004100440041003800390037003400410031003000430034004200440036003200430043003900320031004400310033004500340033004200310038005f0000002000000001000000d1030000308203cd308202b5a00302010202100a3787645e5fb48c224efd1bed140c3c300d06092a864886f70d01010b0500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3230303132373132343830385a170d3234313233313233353935395a304a310b300906035504061302555331193017060355040a1310436c6f7564666c6172652c20496e632e3120301e06035504031317436c6f7564666c61726520496e63204543432043412d333059301306072a8648ce3d020106082a8648ce3d03010703420004b9ad4d6699140b46ec1f81d12a501e9d03152f34127d2d96b888389b855f8fbfbb4def6146c4c973d4244fe0ee1cce6cb351712f6aee4c050977d37262a49bd7a382016830820164301d0603551d0e04160414a5ce37eaebb0750e946788b445fad9241087961f301f0603551d23041830168014e59d5930824758ccacfa085436867b3ab5044df0300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c332e64696769636572742e636f6d2f4f6d6e69726f6f74323032352e63726c306d0603551d2004663064303706096086480186fd6c0101302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c01023008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b0500038201010005241ddd1bb02aeb98d685e3394d5e6b579d8257fcebe831a257906505be1644385a7702b9cf1042c6e192a4e34527f800472c68a8569953548fad9e40c1d00fb6d70d0b38486c502c4990065b641d8bcc48302ede08e29b4922c0920c115e969294d5fc20dc566ce59293bf7a1cc037e3854915fa2be17439180fb7daf3a25758604fcc8e9400fc467b34313e4d4782813acbf4895d0eef4d0d6e9c1b8224dd32255d117851103da03523042f656f9cc1d143d7d01ef331675927dd6bd275099311242414cf29bee623c3b88f723fe907c82444537ab3b96165a14c0ec64800c97563058770455283d3959d45eaf0e8311d7e091f0afe3eddaa3c5e74d2acb1	Surfshark.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\87A63D9ADB627D777836153C680A3DFCF27DE90C\Blob = 03000000010000001400000087a63d9adb627d777836153c680a3dfcf27de90c1900000001000000100000006e18d1d4e33491baa873ccc580acdee30400000001000000100000003c59ff689c169ab9304bf08706429bce0f000000010000002000000015e7050789df807f3e3174294a01b637a1239f603e42f4b5db9398efa9da9996140000000100000014000000dc2c582c2a6f352d9f7995a8485dc46d3e53bfb95c000000010000000400000000080000180000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000ab040000308204a73082038fa003020102020e481b6a07a9424c1eaafef3cdf10f300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3136303631353030303030305a170d3234303631353030303030305a306e310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d7361314430420603550403133b476c6f62616c5369676e20457874656e6465642056616c69646174696f6e20436f64655369676e696e67204341202d20534841323536202d20473330820122300d06092a864886f70d01010105000382010f003082010a0282010100d9b7ba25ad94f35bbe41061c53ca0c108c514159337964f4579de4d525c4ec50845898727940e22f78d492ea260e9eae957cfbc4fd7144dd8c5fb7238b5ebbf4fc4bcb233dc37603f5d18c45bc71751d8bd28989bee3513dc6c88ab23135076eb9f5ba6a0df4109faed56249287bec57baab327cb17dd2a2560636eeb0efd06aaeeaab1fd60d9f7c96fbad70992d5d95f080d07946ec553accd338fb0407a807758282e0d07e77b88febd228fcae6d1468417f7643d748ba6044e1b772e8d0f020037bdadab40675c7b203def894c6688f5e7b9e9b9d36e0ced26bc6c66be91422b5717eb68f5a1fdbe76ef442109068e62b45104f73ba2cd7c5316a72dd63730203010001a38201633082015f300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030306082b0601050507030930120603551d130101ff040830060101ff020100301d0603551d0e04160414dc2c582c2a6f352d9f7995a8485dc46d3e53bfb9301f0603551d230418301680148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc303e06082b0601050507010104323030302e06082b060105050730018622687474703a2f2f6f637370322e676c6f62616c7369676e2e636f6d2f726f6f74723330360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e636f6d2f726f6f742d72332e63726c30620603551d20045b3059300b06092b06010401a03201023007060567810c0103304106092b06010401a032015f3034303206082b06010505070201162668747470733a2f2f7777772e676c6f62616c7369676e2e636f6d2f7265706f7369746f72792f300d06092a864886f70d01010b050003820101007609c4cc2fd9ef1e4ba9f857f3403921ca4c3c1d9e292b20d42b44d288ce1a0d05cf8381bbeb69bc318d2ac4c744cc6060941ccfa1e102240ead5bbe2cc2271e67b7e8281f3251e339f398dfb89f2e8b2ab47b0a03bcbd36048fc9d09c4fa3022799b0f045e934dfe43aa3b70637d86f2a7990d4d44e5871ec53a96198f73969e0129c575872862729a51de532f32b99975abf2bb03cb406ea0e64ecb7cd65802417c2d937f5b1261035477b9a02ba54a24593ff79bf1a8cc59fb59fdf78e76b50f14794694b24b8da05e80c9d4f06ec4a31207e4f5d86842f35a3cd9cc184571f1fadc0e2a4b1ef296b2197a6d4feed0337b0fcf58d2abcdc8483e3dec3e75f	Surfshark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	SurfsharkSetup (5).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	SurfsharkSetup (5).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tapinstall.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
188	msiexec.exe
188	msiexec.exe
4872	MsiExec.exe
4872	MsiExec.exe
188	msiexec.exe
188	msiexec.exe
188	msiexec.exe
188	msiexec.exe
2084	MsiExec.exe
2084	MsiExec.exe
4284	nssm.exe
4284	nssm.exe
2556	nssm.exe
2556	nssm.exe
188	msiexec.exe
188	msiexec.exe
2084	MsiExec.exe
2084	MsiExec.exe
188	msiexec.exe
188	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	188	msiexec.exe
Token: SeCreateTokenPrivilege	1192	SurfsharkSetup (5).exe
Token: SeAssignPrimaryTokenPrivilege	1192	SurfsharkSetup (5).exe
Token: SeLockMemoryPrivilege	1192	SurfsharkSetup (5).exe
Token: SeIncreaseQuotaPrivilege	1192	SurfsharkSetup (5).exe
Token: SeMachineAccountPrivilege	1192	SurfsharkSetup (5).exe
Token: SeTcbPrivilege	1192	SurfsharkSetup (5).exe
Token: SeSecurityPrivilege	1192	SurfsharkSetup (5).exe
Token: SeTakeOwnershipPrivilege	1192	SurfsharkSetup (5).exe
Token: SeLoadDriverPrivilege	1192	SurfsharkSetup (5).exe
Token: SeSystemProfilePrivilege	1192	SurfsharkSetup (5).exe
Token: SeSystemtimePrivilege	1192	SurfsharkSetup (5).exe
Token: SeProfSingleProcessPrivilege	1192	SurfsharkSetup (5).exe
Token: SeIncBasePriorityPrivilege	1192	SurfsharkSetup (5).exe
Token: SeCreatePagefilePrivilege	1192	SurfsharkSetup (5).exe
Token: SeCreatePermanentPrivilege	1192	SurfsharkSetup (5).exe
Token: SeBackupPrivilege	1192	SurfsharkSetup (5).exe
Token: SeRestorePrivilege	1192	SurfsharkSetup (5).exe
Token: SeShutdownPrivilege	1192	SurfsharkSetup (5).exe
Token: SeDebugPrivilege	1192	SurfsharkSetup (5).exe
Token: SeAuditPrivilege	1192	SurfsharkSetup (5).exe
Token: SeSystemEnvironmentPrivilege	1192	SurfsharkSetup (5).exe
Token: SeChangeNotifyPrivilege	1192	SurfsharkSetup (5).exe
Token: SeRemoteShutdownPrivilege	1192	SurfsharkSetup (5).exe
Token: SeUndockPrivilege	1192	SurfsharkSetup (5).exe
Token: SeSyncAgentPrivilege	1192	SurfsharkSetup (5).exe
Token: SeEnableDelegationPrivilege	1192	SurfsharkSetup (5).exe
Token: SeManageVolumePrivilege	1192	SurfsharkSetup (5).exe
Token: SeImpersonatePrivilege	1192	SurfsharkSetup (5).exe
Token: SeCreateGlobalPrivilege	1192	SurfsharkSetup (5).exe
Token: SeCreateTokenPrivilege	1192	SurfsharkSetup (5).exe
Token: SeAssignPrimaryTokenPrivilege	1192	SurfsharkSetup (5).exe
Token: SeLockMemoryPrivilege	1192	SurfsharkSetup (5).exe
Token: SeIncreaseQuotaPrivilege	1192	SurfsharkSetup (5).exe
Token: SeMachineAccountPrivilege	1192	SurfsharkSetup (5).exe
Token: SeTcbPrivilege	1192	SurfsharkSetup (5).exe
Token: SeSecurityPrivilege	1192	SurfsharkSetup (5).exe
Token: SeTakeOwnershipPrivilege	1192	SurfsharkSetup (5).exe
Token: SeLoadDriverPrivilege	1192	SurfsharkSetup (5).exe
Token: SeSystemProfilePrivilege	1192	SurfsharkSetup (5).exe
Token: SeSystemtimePrivilege	1192	SurfsharkSetup (5).exe
Token: SeProfSingleProcessPrivilege	1192	SurfsharkSetup (5).exe
Token: SeIncBasePriorityPrivilege	1192	SurfsharkSetup (5).exe
Token: SeCreatePagefilePrivilege	1192	SurfsharkSetup (5).exe
Token: SeCreatePermanentPrivilege	1192	SurfsharkSetup (5).exe
Token: SeBackupPrivilege	1192	SurfsharkSetup (5).exe
Token: SeRestorePrivilege	1192	SurfsharkSetup (5).exe
Token: SeShutdownPrivilege	1192	SurfsharkSetup (5).exe
Token: SeDebugPrivilege	1192	SurfsharkSetup (5).exe
Token: SeAuditPrivilege	1192	SurfsharkSetup (5).exe
Token: SeSystemEnvironmentPrivilege	1192	SurfsharkSetup (5).exe
Token: SeChangeNotifyPrivilege	1192	SurfsharkSetup (5).exe
Token: SeRemoteShutdownPrivilege	1192	SurfsharkSetup (5).exe
Token: SeUndockPrivilege	1192	SurfsharkSetup (5).exe
Token: SeSyncAgentPrivilege	1192	SurfsharkSetup (5).exe
Token: SeEnableDelegationPrivilege	1192	SurfsharkSetup (5).exe
Token: SeManageVolumePrivilege	1192	SurfsharkSetup (5).exe
Token: SeImpersonatePrivilege	1192	SurfsharkSetup (5).exe
Token: SeCreateGlobalPrivilege	1192	SurfsharkSetup (5).exe
Token: SeCreateTokenPrivilege	1192	SurfsharkSetup (5).exe
Token: SeAssignPrimaryTokenPrivilege	1192	SurfsharkSetup (5).exe
Token: SeLockMemoryPrivilege	1192	SurfsharkSetup (5).exe
Token: SeIncreaseQuotaPrivilege	1192	SurfsharkSetup (5).exe
Token: SeMachineAccountPrivilege	1192	SurfsharkSetup (5).exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
1192	SurfsharkSetup (5).exe
2152	SurfsharkTunWin10.exe
4420	msiexec.exe
4420	msiexec.exe
4572	aipackagechainer.exe
4572	aipackagechainer.exe
1192	SurfsharkSetup (5).exe
4636	TapInstaller.exe
1544	Surfshark.exe
1544	Surfshark.exe
1544	Surfshark.exe
1544	Surfshark.exe
1544	Surfshark.exe
1544	Surfshark.exe
2068	hqn0ieg3.exe
3172	msiexec.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1544	Surfshark.exe
1544	Surfshark.exe
1544	Surfshark.exe
1544	Surfshark.exe
1544	Surfshark.exe
1544	Surfshark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 188 wrote to memory of 3672	188	msiexec.exe	78
PID 188 wrote to memory of 3672	188	msiexec.exe	78
PID 188 wrote to memory of 3672	188	msiexec.exe	78
PID 1192 wrote to memory of 2152	1192	SurfsharkSetup (5).exe	79
PID 1192 wrote to memory of 2152	1192	SurfsharkSetup (5).exe	79
PID 1192 wrote to memory of 2152	1192	SurfsharkSetup (5).exe	79
PID 188 wrote to memory of 624	188	msiexec.exe	80
PID 188 wrote to memory of 624	188	msiexec.exe	80
PID 188 wrote to memory of 624	188	msiexec.exe	80
PID 2152 wrote to memory of 952	2152	SurfsharkTunWin10.exe	81
PID 2152 wrote to memory of 952	2152	SurfsharkTunWin10.exe	81
PID 2152 wrote to memory of 952	2152	SurfsharkTunWin10.exe	81
PID 188 wrote to memory of 2208	188	msiexec.exe	82
PID 188 wrote to memory of 2208	188	msiexec.exe	82
PID 188 wrote to memory of 2208	188	msiexec.exe	82
PID 188 wrote to memory of 2168	188	msiexec.exe	83
PID 188 wrote to memory of 2168	188	msiexec.exe	83
PID 188 wrote to memory of 3860	188	msiexec.exe	84
PID 188 wrote to memory of 3860	188	msiexec.exe	84
PID 516 wrote to memory of 4132	516	svchost.exe	88
PID 516 wrote to memory of 4132	516	svchost.exe	88
PID 188 wrote to memory of 4304	188	msiexec.exe	89
PID 188 wrote to memory of 4304	188	msiexec.exe	89
PID 188 wrote to memory of 4304	188	msiexec.exe	89
PID 1192 wrote to memory of 4352	1192	SurfsharkSetup (5).exe	90
PID 1192 wrote to memory of 4352	1192	SurfsharkSetup (5).exe	90
PID 1192 wrote to memory of 4352	1192	SurfsharkSetup (5).exe	90
PID 4352 wrote to memory of 4420	4352	SurfsharkSetup (5).exe	91
PID 4352 wrote to memory of 4420	4352	SurfsharkSetup (5).exe	91
PID 4352 wrote to memory of 4420	4352	SurfsharkSetup (5).exe	91
PID 188 wrote to memory of 4804	188	msiexec.exe	96
PID 188 wrote to memory of 4804	188	msiexec.exe	96
PID 188 wrote to memory of 4872	188	msiexec.exe	98
PID 188 wrote to memory of 4872	188	msiexec.exe	98
PID 188 wrote to memory of 4872	188	msiexec.exe	98
PID 188 wrote to memory of 5012	188	msiexec.exe	99
PID 188 wrote to memory of 5012	188	msiexec.exe	99
PID 188 wrote to memory of 5012	188	msiexec.exe	99
PID 5012 wrote to memory of 5056	5012	MSID075.tmp	100
PID 5012 wrote to memory of 5056	5012	MSID075.tmp	100
PID 5012 wrote to memory of 5056	5012	MSID075.tmp	100
PID 188 wrote to memory of 5108	188	msiexec.exe	102
PID 188 wrote to memory of 5108	188	msiexec.exe	102
PID 188 wrote to memory of 5108	188	msiexec.exe	102
PID 5108 wrote to memory of 4020	5108	MSID18F.tmp	103
PID 5108 wrote to memory of 4020	5108	MSID18F.tmp	103
PID 5108 wrote to memory of 4020	5108	MSID18F.tmp	103
PID 188 wrote to memory of 3868	188	msiexec.exe	105
PID 188 wrote to memory of 3868	188	msiexec.exe	105
PID 188 wrote to memory of 3868	188	msiexec.exe	105
PID 3868 wrote to memory of 2656	3868	MSIE5CC.tmp	106
PID 3868 wrote to memory of 2656	3868	MSIE5CC.tmp	106
PID 3868 wrote to memory of 2656	3868	MSIE5CC.tmp	106
PID 188 wrote to memory of 4340	188	msiexec.exe	108
PID 188 wrote to memory of 4340	188	msiexec.exe	108
PID 4340 wrote to memory of 4516	4340	MSIE6F6.tmp	109
PID 4340 wrote to memory of 4516	4340	MSIE6F6.tmp	109
PID 4872 wrote to memory of 4656	4872	MsiExec.exe	111
PID 4872 wrote to memory of 4656	4872	MsiExec.exe	111
PID 4872 wrote to memory of 4656	4872	MsiExec.exe	111
PID 188 wrote to memory of 4572	188	msiexec.exe	113
PID 188 wrote to memory of 4572	188	msiexec.exe	113
PID 188 wrote to memory of 4572	188	msiexec.exe	113
PID 188 wrote to memory of 4772	188	msiexec.exe	114

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4848	attrib.exe
2120	attrib.exe
1624	attrib.exe
3116	attrib.exe
4768	attrib.exe
2840	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SurfsharkSetup (5).exe
"C:\Users\Admin\AppData\Local\Temp\SurfsharkSetup (5).exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark\prerequisites\SurfsharkTunWin10.exe
  "C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark\prerequisites\SurfsharkTunWin10.exe" /qn
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark TUN Driver Windows 1.0\install\F72410F\SurfsharkTunWin10.x64.msi" /qn AI_SETUPEXEPATH=C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark\prerequisites\SurfsharkTunWin10.exe SETUPEXEDIR=C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark\prerequisites\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1606842131 /qn " AI_EUIMSI=""
    3⤵
    - Enumerates connected drives
    PID:952
- C:\Users\Admin\AppData\Local\Temp\SurfsharkSetup (5).exe
  "C:\Users\Admin\AppData\Local\Temp\SurfsharkSetup (5).exe" /i "C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark 2.7.5000\install\90DBD25\SurfsharkSetup.msi" "AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\SurfsharkSetup (5).exe" SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ "EXE_CMD_LINE=/exenoupdates /forcecleanup /wintime 1606842131 " CLIENTPROCESSID=1192 CHAINERUIPROCESSID=1192Chainer ALLUSERS=1 "AI_UNINSTALLER=C:\ProgramData\Caphyon\Advanced Installer\{E7AB76D3-32CD-4FF1-911C-C166690DBD25}\SurfsharkSetup.exe" AI_FOUND_PREREQS=".NET Framework 4.6.1 (web installer)" AI_MISSING_PREREQS="Surfshark TUN Driver Windows 10"
  2⤵
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark 2.7.5000\install\90DBD25\SurfsharkSetup.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\SurfsharkSetup (5).exe" SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1606842131 " CLIENTPROCESSID=1192 CHAINERUIPROCESSID=1192Chainer ALLUSERS=1 AI_UNINSTALLER="C:\ProgramData\Caphyon\Advanced Installer\{E7AB76D3-32CD-4FF1-911C-C166690DBD25}\SurfsharkSetup.exe" AI_FOUND_PREREQS=".NET Framework 4.6.1 (web installer)" AI_MISSING_PREREQS="Surfshark TUN Driver Windows 10" AI_UNINSTALLER="C:\ProgramData\Caphyon\Advanced Installer\{E7AB76D3-32CD-4FF1-911C-C166690DBD25}\SurfsharkSetup.exe" AI_EUIMSI=""
    3⤵
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
    PID:4420

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:188
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CBA886A243C0EA1632591F11CD86C5CC C
  2⤵
  - Loads dropped DLL
  PID:3672
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 241790FB57F5899B4125AD0D6B780A57 C
  2⤵
  - Loads dropped DLL
  PID:624
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 81F0D5CF1B9F005743C43B92BDD458F8
  2⤵
  - Loads dropped DLL
  PID:2208
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding CE08F505C6BE07C2546C4B3E7B6D6991
  2⤵
  - Loads dropped DLL
  PID:2168
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding DE2F8CF08764D838A68187EADB497444 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:3860
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7BF4D176DB6C4C5754086A88CC76DAE7 C
  2⤵
  - Loads dropped DLL
  PID:4304
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4804
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F3DE0858F12E9D9D705456B0A0478C2F
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\SurfsharkSetup (5).exe
    "C:\Users\Admin\AppData\Local\Temp\SurfsharkSetup (5).exe" /groupsextract:105; /out:"C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark\prerequisites" /callbackid:4872
    3⤵
    PID:4656
- C:\Windows\Installer\MSID075.tmp
  "C:\Windows\Installer\MSID075.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "C:\Windows\SysWOW64\sc.exe" stop SurfsharkSplitTunnelDriver
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\SysWOW64\sc.exe" stop SurfsharkSplitTunnelDriver
    3⤵
    PID:5056
- C:\Windows\Installer\MSID18F.tmp
  "C:\Windows\Installer\MSID18F.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "C:\Windows\SysWOW64\sc.exe" delete SurfsharkSplitTunnelDriver
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\SysWOW64\sc.exe" delete SurfsharkSplitTunnelDriver
    3⤵
    PID:4020
- C:\Windows\Installer\MSIE5CC.tmp
  "C:\Windows\Installer\MSIE5CC.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "C:\Windows\SysWOW64\certutil.exe" -addstore "Root" "C:\Program Files (x86)\Surfshark\Resources\surfshark_ikev2.crt"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\SysWOW64\certutil.exe
    "C:\Windows\SysWOW64\certutil.exe" -addstore "Root" "C:\Program Files (x86)\Surfshark\Resources\surfshark_ikev2.crt"
    3⤵
    PID:2656
- C:\Windows\Installer\MSIE6F6.tmp
  "C:\Windows\Installer\MSIE6F6.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkSplitTunnelingService.exe" "C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkSplitTunnelCalloutDriver.sys"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkSplitTunnelingService.exe
    "C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkSplitTunnelingService.exe" "C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkSplitTunnelCalloutDriver.sys"
    3⤵
    - Executes dropped EXE
    PID:4516
- C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark\prerequisites\aipackagechainer.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  PID:4572
- - C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark\prerequisites\TapInstaller.exe
    "C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark\prerequisites\TapInstaller.exe" /qn
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
    PID:4636
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\AppData\Roaming\Surfshark\Surfshark TAP Driver Windows 1.0\install\C15E6C6\TapInstaller.msi" /qn AI_SETUPEXEPATH=C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark\prerequisites\TapInstaller.exe SETUPEXEDIR=C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark\prerequisites\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1606842131 /qn "
      4⤵
      Enumerates connected drives
      PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE5D73.bat" "
    3⤵
    PID:2300
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\SURFSH~1\SURFSH~1\PREREQ~1\AIPACK~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2120
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:2292
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE5D73.bat"
      4⤵
      Views/modifies file attributes
      PID:1624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE5D73.bat" "
      4⤵
      PID:192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" cls"
      4⤵
      PID:980
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" install "Surfshark Service" "C:\Program Files (x86)\Surfshark\Surfshark.Service.exe"
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" install "Surfshark Shadowsocks Service" "C:\Program Files (x86)\Surfshark\Surfshark.ShadowsocksService.exe"
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" set "Surfshark Service" AppNoConsole 1
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" set "Surfshark Shadowsocks Service" AppNoConsole 1
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" set "Surfshark Service" Description "This service is essential for the app to function, as it allows to enable VPN connection and makes sure all the necessary configurations are up to date."
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" set "Surfshark Shadowsocks Service" Description "This service is essential for the app to function, as it allows to enable Shadowsocks connection and makes sure all the necessary configurations are up to date."
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" set "Surfshark Service" AppThrottle 10000
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" set "Surfshark Shadowsocks Service" AppThrottle 10000
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" start "Surfshark Service"
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" start "Surfshark Shadowsocks Service"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Program Files (x86)\Surfshark\Surfshark.exe
  "C:\Program Files (x86)\Surfshark\Surfshark.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1544
- - C:\Users\Admin\AppData\Local\Surfshark\Updates\default\2.7.5.0\hqn0ieg3.exe
    "C:\Users\Admin\AppData\Local\Surfshark\Updates\default\2.7.5.0\hqn0ieg3.exe" /passive
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
    PID:2068
  - - C:\Users\Admin\AppData\Local\Surfshark\Updates\default\2.7.5.0\hqn0ieg3.exe
      "C:\Users\Admin\AppData\Local\Surfshark\Updates\default\2.7.5.0\hqn0ieg3.exe" /i "C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark 2.7.7999\install\49C7238\SurfsharkSetup.msi" /passive AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Surfshark\Updates\default\2.7.5.0\hqn0ieg3.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Surfshark\Updates\default\2.7.5.0\ "EXE_CMD_LINE=/exenoupdates /forcecleanup /wintime 1606842131 /passive " CLIENTPROCESSID=2068 CHAINERUIPROCESSID=2068Chainer ALLUSERS=1 "AI_UNINSTALLER=C:\ProgramData\Caphyon\Advanced Installer\{5795EF4B-5D61-4FEC-9CAB-39A0849C7238}\SurfsharkSetup.exe" AI_FOUND_PREREQS=".NET Framework 4.6.1 (web installer)|Surfshark TUN Driver Windows 10"
      4⤵
      Executes dropped EXE
      PID:4136
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Surfshark\Surfshark 2.7.7999\install\49C7238\SurfsharkSetup.msi" /passive AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Surfshark\Updates\default\2.7.5.0\hqn0ieg3.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Surfshark\Updates\default\2.7.5.0\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1606842131 /passive " CLIENTPROCESSID=2068 CHAINERUIPROCESSID=2068Chainer ALLUSERS=1 AI_UNINSTALLER="C:\ProgramData\Caphyon\Advanced Installer\{5795EF4B-5D61-4FEC-9CAB-39A0849C7238}\SurfsharkSetup.exe" AI_FOUND_PREREQS=".NET Framework 4.6.1 (web installer)|Surfshark TUN Driver Windows 10"
        5⤵
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:3172
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /s /c "timeout 2 & taskkill /IM "Surfshark.exe" /F"
    3⤵
    PID:1160
  - - C:\Windows\system32\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:3900
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM "Surfshark.exe" /F
      4⤵
      Kills process with taskkill
      PID:2060
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 280D8A5981924E6DA31F37B7EF114262 C
  2⤵
  - Loads dropped DLL
  PID:4196
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2B264ACC55BAF69AB899E886ECFEE6E8 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:4756
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI552E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259347734 615 SurfsharkTapInstaller!SurfsharkTapInstaller.CustomActions.InstallTapAdapter
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:4460
  - - C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\bin\x64\tapinstall.exe
      "C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\bin\x64\tapinstall.exe" hwids tapsurfshark
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:4364
  - - C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\bin\x64\tapinstall.exe
      "C:\Program Files (x86)\Surfshark\Surfshark TAP Driver Windows\bin\x64\tapinstall.exe" install OemVista.inf tapsurfshark
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Modifies data under HKEY_USERS
      Modifies system certificate store
      PID:3228
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 322FAD710BF8E5D9D21E8D4B69904C5F C
  2⤵
  - Loads dropped DLL
  PID:2664
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 03EDBBC130DCAD506F6F462E14B2B998
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2084
- C:\Windows\Installer\MSI393B.tmp
  "C:\Windows\Installer\MSI393B.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "C:\Windows\SysWOW64\sc.exe" stop SurfsharkSplitTunnelDriver
  2⤵
  - Executes dropped EXE
  PID:4992
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\SysWOW64\sc.exe" stop SurfsharkSplitTunnelDriver
    3⤵
    PID:1524
- C:\Windows\Installer\MSI3A07.tmp
  "C:\Windows\Installer\MSI3A07.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "C:\Windows\SysWOW64\sc.exe" delete SurfsharkSplitTunnelDriver
  2⤵
  - Executes dropped EXE
  PID:4524
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\SysWOW64\sc.exe" delete SurfsharkSplitTunnelDriver
    3⤵
    PID:4680
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" stop "Surfshark Service"
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" stop "Surfshark Shadowsocks Service"
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" remove "Surfshark Service" confirm
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" remove "Surfshark Shadowsocks Service" confirm
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\Installer\MSI4B29.tmp
  "C:\Windows\Installer\MSI4B29.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "C:\Windows\SysWOW64\sc.exe" stop SurfsharkSplitTunnelDriver
  2⤵
  - Executes dropped EXE
  PID:4312
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\SysWOW64\sc.exe" stop SurfsharkSplitTunnelDriver
    3⤵
    PID:4696
- C:\Windows\Installer\MSI4C05.tmp
  "C:\Windows\Installer\MSI4C05.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "C:\Windows\SysWOW64\sc.exe" delete SurfsharkSplitTunnelDriver
  2⤵
  - Executes dropped EXE
  PID:3016
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\SysWOW64\sc.exe" delete SurfsharkSplitTunnelDriver
    3⤵
    PID:4244
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" stop "Surfshark Service"
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" stop "Surfshark Shadowsocks Service"
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" remove "Surfshark Service" confirm
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" remove "Surfshark Shadowsocks Service" confirm
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D5A48B44E0FCF993812B5DD2C019DA65 E Global\MSI0000
  2⤵
  - Modifies data under HKEY_USERS
  PID:3872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EXE59F3.bat"
    3⤵
    PID:4576
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\PROGRA~3\Caphyon\ADVANC~1\{E7AB7~1\SURFSH~1.EXE"
      4⤵
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:3116
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:4676
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE59F3.bat"
      4⤵
      Views/modifies file attributes
      PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE59F3.bat" "
      4⤵
      PID:3652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" cls"
      4⤵
      PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EXE5A62.bat"
    3⤵
    PID:4948
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\PROGRA~3\Caphyon\ADVANC~1\{E7AB7~1"
      4⤵
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:4768
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:2060
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:4568
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE5A62.bat"
      4⤵
      Views/modifies file attributes
      PID:4848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE5A62.bat" "
      4⤵
      PID:4732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" cls"
      4⤵
      PID:2548
- C:\Windows\Installer\MSI718F.tmp
  "C:\Windows\Installer\MSI718F.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "C:\Windows\SysWOW64\certutil.exe" -addstore "Root" "C:\Program Files (x86)\Surfshark\Resources\surfshark_ikev2.crt"
  2⤵
  - Executes dropped EXE
  PID:3644
- - C:\Windows\SysWOW64\certutil.exe
    "C:\Windows\SysWOW64\certutil.exe" -addstore "Root" "C:\Program Files (x86)\Surfshark\Resources\surfshark_ikev2.crt"
    3⤵
    PID:2176
- C:\Windows\Installer\MSI72A9.tmp
  "C:\Windows\Installer\MSI72A9.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkSplitTunnelingService.exe" "C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkSplitTunnelCalloutDriver.sys"
  2⤵
  - Executes dropped EXE
  PID:4764
- - C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkSplitTunnelingService.exe
    "C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkSplitTunnelingService.exe" "C:\Program Files (x86)\Surfshark\Resources\x64\SurfsharkSplitTunnelCalloutDriver.sys"
    3⤵
    - Executes dropped EXE
    PID:3508
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" install "Surfshark Service" "C:\Program Files (x86)\Surfshark\Surfshark.Service.exe"
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" install "Surfshark Shadowsocks Service" "C:\Program Files (x86)\Surfshark\Surfshark.ShadowsocksService.exe"
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" set "Surfshark Service" AppNoConsole 1
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" set "Surfshark Shadowsocks Service" AppNoConsole 1
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" set "Surfshark Service" Description "This service is essential for the app to function, as it allows to enable VPN connection and makes sure all the necessary configurations are up to date."
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" set "Surfshark Shadowsocks Service" Description "This service is essential for the app to function, as it allows to enable Shadowsocks connection and makes sure all the necessary configurations are up to date."
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" set "Surfshark Service" AppThrottle 10000
  2⤵
  - Executes dropped EXE
  PID:196
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" set "Surfshark Shadowsocks Service" AppThrottle 10000
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" start "Surfshark Service"
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
  "C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe" start "Surfshark Shadowsocks Service"
  2⤵
  - Executes dropped EXE
  PID:4140

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Surfshark\Surfshark TUN Driver Windows\x64\wintunshark.Inf" "9" "4baa9febf" "0000000000000178" "WinSta0\Default" "000000000000017C" "208" "C:\Program Files\Surfshark\Surfshark TUN Driver Windows\x64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:4132
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "c:\program files (x86)\surfshark\surfshark tap driver windows\drivers\win10\x64\oemvista.inf" "9" "4a1dcec0f" "0000000000000194" "WinSta0\Default" "000000000000016C" "208" "c:\program files (x86)\surfshark\surfshark tap driver windows\drivers\win10\x64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4948
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0001" "C:\Windows\INF\oem3.inf" "oemvista.inf:3beb73aff103cc24:tapsurfshark.ndi:11.57.35.775:tapsurfshark," "4a1dcec0f" "000000000000019C"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:3508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4480

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:4688

C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
"C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4284
- C:\Program Files (x86)\Surfshark\Surfshark.Service.exe
  "C:\Program Files (x86)\Surfshark\Surfshark.Service.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3392
- - C:\Program Files (x86)\Surfshark\Resources\x64\devcon.exe
    "C:\Program Files (x86)\Surfshark\Resources\x64\devcon.exe" remove *wintunshark*
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4908

C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
"C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2556
- C:\Program Files (x86)\Surfshark\Surfshark.ShadowsocksService.exe
  "C:\Program Files (x86)\Surfshark\Surfshark.ShadowsocksService.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3012

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:4244

C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
"C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe"
1⤵
- Executes dropped EXE
PID:912
- C:\Program Files (x86)\Surfshark\Surfshark.Service.exe
  "C:\Program Files (x86)\Surfshark\Surfshark.Service.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:4308
- - C:\Program Files (x86)\Surfshark\Resources\x64\devcon.exe
    "C:\Program Files (x86)\Surfshark\Resources\x64\devcon.exe" remove *wintunshark*
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:1696

C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe
"C:\Program Files (x86)\Surfshark\Resources\x64\nssm.exe"
1⤵
- Executes dropped EXE
PID:2124
- C:\Program Files (x86)\Surfshark\Surfshark.ShadowsocksService.exe
  "C:\Program Files (x86)\Surfshark\Surfshark.ShadowsocksService.exe"
  2⤵
  - Executes dropped EXE
  PID:908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:4260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:4356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/188-457-0x000001A534F40000-0x000001A534F44000-memory.dmp

Filesize
16KB

Download
memory/188-473-0x000001A5333C0000-0x000001A5333C1000-memory.dmp

Filesize
4KB

Download
memory/188-63-0x000001A533D70000-0x000001A533D78000-memory.dmp

Filesize
32KB

Download
memory/188-562-0x000001A534150000-0x000001A534151000-memory.dmp

Filesize
4KB

Download
memory/188-166-0x000001A5341D0000-0x000001A5341DC000-memory.dmp

Filesize
48KB

Download
memory/188-632-0x000001A534250000-0x000001A534260000-memory.dmp

Filesize
64KB

Download
memory/188-329-0x000001A533ED0000-0x000001A533ED8000-memory.dmp

Filesize
32KB

Download
memory/188-52-0x000001A533D70000-0x000001A533D78000-memory.dmp

Filesize
32KB

Download
memory/188-568-0x000001A534150000-0x000001A534151000-memory.dmp

Filesize
4KB

Download
memory/908-689-0x0000000070FA0000-0x000000007168E000-memory.dmp

Filesize
6.9MB

Download
memory/908-690-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/908-695-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/908-700-0x0000000006750000-0x0000000006751000-memory.dmp

Filesize
4KB

Download
memory/1192-4-0x00000000054B0000-0x00000000054B4000-memory.dmp

Filesize
16KB

Download
memory/1544-386-0x000001ACCAD70000-0x000001ACCAD71000-memory.dmp

Filesize
4KB

Download
memory/1544-288-0x000001ACC6260000-0x000001ACC62B8000-memory.dmp

Filesize
352KB

Download
memory/1544-327-0x000001ACC6940000-0x000001ACC6941000-memory.dmp

Filesize
4KB

Download
memory/1544-328-0x000001ACC6980000-0x000001ACC6981000-memory.dmp

Filesize
4KB

Download
memory/1544-279-0x000001ACAC290000-0x000001ACAC291000-memory.dmp

Filesize
4KB

Download
memory/1544-294-0x000001ACC62C0000-0x000001ACC62CE000-memory.dmp

Filesize
56KB

Download
memory/1544-264-0x000001ACAC1E0000-0x000001ACAC1F5000-memory.dmp

Filesize
84KB

Download
memory/1544-373-0x000001ACC6CD0000-0x000001ACC6CD1000-memory.dmp

Filesize
4KB

Download
memory/1544-277-0x000001ACAC280000-0x000001ACAC281000-memory.dmp

Filesize
4KB

Download
memory/1544-252-0x000001ACAC1A0000-0x000001ACAC1B4000-memory.dmp

Filesize
80KB

Download
memory/1544-295-0x000001ACC6390000-0x000001ACC6391000-memory.dmp

Filesize
4KB

Download
memory/1544-367-0x000001ACC6910000-0x000001ACC691E000-memory.dmp

Filesize
56KB

Download
memory/1544-300-0x000001ACC63A0000-0x000001ACC6427000-memory.dmp

Filesize
540KB

Download
memory/1544-365-0x000001ACC6B90000-0x000001ACC6B91000-memory.dmp

Filesize
4KB

Download
memory/1544-326-0x000001ACC6930000-0x000001ACC6931000-memory.dmp

Filesize
4KB

Download
memory/1544-391-0x000001ACCB3C0000-0x000001ACCB3C1000-memory.dmp

Filesize
4KB

Download
memory/1544-282-0x000001ACAC2A0000-0x000001ACAC2D9000-memory.dmp

Filesize
228KB

Download
memory/1544-283-0x000001ACAC250000-0x000001ACAC25B000-memory.dmp

Filesize
44KB

Download
memory/1544-360-0x000001ACC6B70000-0x000001ACC6B83000-memory.dmp

Filesize
76KB

Download
memory/1544-359-0x000001ACC6B50000-0x000001ACC6B63000-memory.dmp

Filesize
76KB

Download
memory/1544-274-0x000001ACAC270000-0x000001ACAC271000-memory.dmp

Filesize
4KB

Download
memory/1544-357-0x000001ACC6B30000-0x000001ACC6B48000-memory.dmp

Filesize
96KB

Download
memory/1544-355-0x000001ACC6B10000-0x000001ACC6B24000-memory.dmp

Filesize
80KB

Download
memory/1544-354-0x000001ACC6AF0000-0x000001ACC6B08000-memory.dmp

Filesize
96KB

Download
memory/1544-353-0x000001ACC6AD0000-0x000001ACC6AE4000-memory.dmp

Filesize
80KB

Download
memory/1544-324-0x000001ACC6900000-0x000001ACC690A000-memory.dmp

Filesize
40KB

Download
memory/1544-273-0x000001ACAC260000-0x000001ACAC261000-memory.dmp

Filesize
4KB

Download
memory/1544-289-0x000001ACAC2E0000-0x000001ACAC2F5000-memory.dmp

Filesize
84KB

Download
memory/1544-242-0x00007FFC67260000-0x00007FFC67C4C000-memory.dmp

Filesize
9.9MB

Download
memory/1544-377-0x000001ACC6CE0000-0x000001ACC6CE1000-memory.dmp

Filesize
4KB

Download
memory/1544-351-0x000001ACC6AB0000-0x000001ACC6AC5000-memory.dmp

Filesize
84KB

Download
memory/1544-272-0x000001ACAC210000-0x000001ACAC214000-memory.dmp

Filesize
16KB

Download
memory/1544-349-0x000001ACC6A90000-0x000001ACC6AA6000-memory.dmp

Filesize
88KB

Download
memory/1544-348-0x000001ACC6A70000-0x000001ACC6A84000-memory.dmp

Filesize
80KB

Download
memory/1544-243-0x000001ACAA100000-0x000001ACAA101000-memory.dmp

Filesize
4KB

Download
memory/1544-343-0x000001ACC6A50000-0x000001ACC6A64000-memory.dmp

Filesize
80KB

Download
memory/1544-266-0x000001ACAC200000-0x000001ACAC210000-memory.dmp

Filesize
64KB

Download
memory/1544-250-0x000001ACAC100000-0x000001ACAC106000-memory.dmp

Filesize
24KB

Download
memory/1544-337-0x000001ACC6950000-0x000001ACC6966000-memory.dmp

Filesize
88KB

Download
memory/1544-270-0x000001ACAC230000-0x000001ACAC231000-memory.dmp

Filesize
4KB

Download
memory/1544-268-0x000001ACAC220000-0x000001ACAC221000-memory.dmp

Filesize
4KB

Download
memory/1544-338-0x000001ACC69D0000-0x000001ACC69E4000-memory.dmp

Filesize
80KB

Download
memory/1544-342-0x000001ACC69F0000-0x000001ACC6A04000-memory.dmp

Filesize
80KB

Download
memory/1544-325-0x000001ACC6920000-0x000001ACC6921000-memory.dmp

Filesize
4KB

Download
memory/2152-23-0x00000000056A0000-0x00000000056A4000-memory.dmp

Filesize
16KB

Download
memory/3012-235-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/3012-224-0x0000000070FA0000-0x000000007168E000-memory.dmp

Filesize
6.9MB

Download
memory/3012-231-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/3012-225-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3012-232-0x0000000005FF0000-0x000000000609B000-memory.dmp

Filesize
684KB

Download
memory/3012-233-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/3012-234-0x00000000063C0000-0x00000000063C1000-memory.dmp

Filesize
4KB

Download
memory/3012-230-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/3012-236-0x00000000065F0000-0x00000000065F1000-memory.dmp

Filesize
4KB

Download
memory/3392-207-0x000001BCDD070000-0x000001BCDD071000-memory.dmp

Filesize
4KB

Download
memory/3392-201-0x000001BCDCC00000-0x000001BCDCCCD000-memory.dmp

Filesize
820KB

Download
memory/3392-197-0x000001BCC2280000-0x000001BCC2281000-memory.dmp

Filesize
4KB

Download
memory/3392-196-0x00007FFC67260000-0x00007FFC67C4C000-memory.dmp

Filesize
9.9MB

Download
memory/3392-199-0x000001BCDB3C0000-0x000001BCDB3D2000-memory.dmp

Filesize
72KB

Download
memory/3392-200-0x000001BCDB3E0000-0x000001BCDB419000-memory.dmp

Filesize
228KB

Download
memory/3392-203-0x000001BCDCE70000-0x000001BCDCE71000-memory.dmp

Filesize
4KB

Download
memory/3392-206-0x000001BCDCEF0000-0x000001BCDCF64000-memory.dmp

Filesize
464KB

Download
memory/3392-208-0x000001BCDD090000-0x000001BCDD0C6000-memory.dmp

Filesize
216KB

Download
memory/3392-211-0x000000006D740000-0x000000006DB3F000-memory.dmp

Filesize
4.0MB

Download
memory/3392-213-0x000001BCDDD20000-0x000001BCDDD21000-memory.dmp

Filesize
4KB

Download
memory/3392-215-0x000001BCDDE70000-0x000001BCDDE71000-memory.dmp

Filesize
4KB

Download
memory/3392-214-0x000001BCDDD00000-0x000001BCDDD01000-memory.dmp

Filesize
4KB

Download
memory/4308-659-0x0000018A0DD40000-0x0000018A0DD41000-memory.dmp

Filesize
4KB

Download
memory/4308-658-0x00007FFC67260000-0x00007FFC67C4C000-memory.dmp

Filesize
9.9MB

Download
memory/4308-676-0x000000006D740000-0x000000006DB3F000-memory.dmp

Filesize
4.0MB

Download
memory/4352-83-0x0000000002CF0000-0x0000000002CF6000-memory.dmp

Filesize
24KB

Download
memory/4460-336-0x0000000070FA0000-0x000000007168E000-memory.dmp

Filesize
6.9MB

Download
memory/4460-346-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/4460-341-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/4636-275-0x00000000053D0000-0x00000000053D6000-memory.dmp

Filesize
24KB

Download
memory/4636-307-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download