Analysis
max time kernel: 266s
max time network: 288s
platform: windows10_x64
resource: win10-en-20210920
submitted: 10-10-2021 11:03
Static task: static1
Behavioral task: behavioral1
Sample: 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.exe
Resource: win7v20210408
General
Target: 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.exe
Size: 35.1MB
MD5: 4932b7fa81a500c5050ccf3a945077e3
SHA1: 13d7cf3a826274183d761bc4bcd16e68c069e14b
SHA256: 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832
SHA512: bb3cda1748c8c6bdfb3ea9771ec658557f208911fa94f88f872f49d9d91eeea5c667ba6c7a366325b9498309d6a1381fab96c5a3929c9b150b653e456fc234fc
Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes: ste2.exe
description | pid | process | target process
PID 588 created 2972 | 588 | ste2.exe | Explorer.EXE

ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
resource | yara_rule
\Users\Admin\AppData\Local\Temp\nscFBC8.tmp\nsArray.dll | acprotect

Bazar/Team9 Loader payload (5 IoCs)
resource | yara_rule
behavioral2/memory/2244-129-0x0000000002A10000-0x0000000002A37000-memory.dmp | BazarLoaderVar5
behavioral2/memory/2244-127-0x0000000002A40000-0x0000000002A6F000-memory.dmp | BazarLoaderVar5
behavioral2/memory/588-139-0x00000000029D0000-0x00000000029FF000-memory.dmp | BazarLoaderVar5
behavioral2/memory/4584-217-0x0000000002660000-0x000000000268F000-memory.dmp | BazarLoaderVar5
behavioral2/memory/4628-224-0x0000000003030000-0x000000000305F000-memory.dmp | BazarLoaderVar5

Executes dropped EXE (11 IoCs)
Processes: 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp, tv.exe, ste2.exe, TeamViewer_.exe, TeamViewer.exe, tv_w32.exe, tv_x64.exe
pid | process
2988 | 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp
3692 | tv.exe
2244 | ste2.exe
588 | ste2.exe
792 | TeamViewer_.exe
396 | TeamViewer_.exe
1512 | TeamViewer.exe
848 | tv_w32.exe
1020 | tv_x64.exe
4584 | ste2.exe
4628 | ste2.exe

resource | yara_rule
\Users\Admin\AppData\Local\Temp\nscFBC8.tmp\nsArray.dll | upx

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: TeamViewer.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | TeamViewer.exe

Loads dropped DLL (62 IoCs)
Processes:
tv.exeTeamViewer_.exeTeamViewer_.exeTeamViewer.exetv_w32.exetv_x64.exepid process 3692 tv.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 792 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 396 TeamViewer_.exe 1512 TeamViewer.exe 848 tv_w32.exe 1020 tv_x64.exe -

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
100 | api.ipify.org
101 | api.ipify.org
102 | api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
Processes: ste2.exe
description | pid | process | target process
PID 588 set thread context of 4448 | 588 | ste2.exe | chrome.exe

Drops file in Program Files directory (2 IoCs)
Processes: 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp
description | ioc | process
File opened for modification | C:\Program Files (x86)\LjSsjzaijfpQGN\tv.exe | 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp
File created | C:\Program Files (x86)\LjSsjzaijfpQGN\is-J4S5S.tmp | 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp

Drops file in Windows directory (3 IoCs)
Processes: MicrosoftEdgeCP.exe, MicrosoftEdge.exe
description | ioc | process
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NSIS installer (4 IoCs)
resource | yara_rule
C:\Program Files (x86)\LjSsjzaijfpQGN\tv.exe | nsis_installer_1
C:\Program Files (x86)\LjSsjzaijfpQGN\tv.exe | nsis_installer_2
C:\Program Files (x86)\LjSsjzaijfpQGN\tv.exe | nsis_installer_1
C:\Program Files (x86)\LjSsjzaijfpQGN\tv.exe | nsis_installer_2

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TeamViewer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | TeamViewer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TeamViewer.exe

Processes: MicrosoftEdge.exe, browser_broker.exe, MicrosoftEdgeCP.exe, TeamViewer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ | TeamViewer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TeamViewer.exe = "11001" | TeamViewer.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\ | TeamViewer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\TeamViewer.exe = "0" | TeamViewer.exe

Modifies data under HKEY_USERS (64 IoCs)
Processes:
tv_w32.exetv_x64.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates 
tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 
tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs tv_w32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs tv_x64.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs tv_w32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs tv_x64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root tv_w32.exe -

Modifies registry class (64 IoCs)
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\teamviewer.com\Total = "10" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "10" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.teamviewer.com\ = "41" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.teamviewer.com\ = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000f05dc22df244a331f25b669805b31b7bb0d96f03a6e1c638cf55b7ce5d553548b9423d5299b64f17fca6890aa2c1dc51af8d3eeeae0d7e2365f7 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000061511d58a16e8fb567d3ba441a72a34a7130d9e06621d99f96caa531b05acad4b205dd525ef1700eb86af7b5674bc4826ec5a4a0e8023a0788468f67ab8636d406a35ec356b9e17a7233b11c6c9193956813f6acc5b8cec4d64305754c2f730adbc9dc66bde582959acc73323264f7be2dba7d1e3c64b5280f625e9d9674491d01190a04c097abed83d74f5f3ae4fbef155a8c3d842482055e414b667977ae7668311959c6ee353a50f348707431e7a8ce92c0f68919a1506c81b1c2e256fccee6b28c9a7d0adddfe4bf2a662c6b64a0a40498e152646c0baac23d4d1f33c972083d67825a0b19c539ddcf9817b2413c8c4f5fd95c235d81afa49793b62c366ba17080ece010ec7623ec6bfc2e2649dbc513de1f9e7755d5f8c71d6e4963f76927edd907c13b6a9bac8bc40101e786eaf0f02b179f80bddc9ecbed6ea5f61b8a4e52d8124dab18b9005cb04f0b15fcd2e6860286605f544c555115563d07bce5ff40f8aa7780e24b56fef67f09d0e0aa08754471193245343df738a4a4b490ee3258deaa75da3424a0105ff3073835c5575df57cd41a10ce052c30637b2dead4cd7d84c8affd0546 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\teamviewer.com MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Set value 
(int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Disallowed\Certific MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. 
See aka.ms/browserpolicy\Extensions MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\teamviewer.com\Total = "117" MicrosoftEdgeCP.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\teamviewer.com\Total = "193" MicrosoftEdgeCP.exe -
Processes:
TeamViewer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 TeamViewer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 TeamViewer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 TeamViewer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6
331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 TeamViewer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 
5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001
a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 TeamViewer.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid process
2988 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp
2988 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
588 ste2.exe
588 ste2.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid process
1576 MicrosoftEdgeCP.exe
1576 MicrosoftEdgeCP.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
Processes:
pid process
2244 ste2.exe
4584 ste2.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 3164 MicrosoftEdge.exe
Token: SeDebugPrivilege 3164 MicrosoftEdge.exe
Token: SeDebugPrivilege 3164 MicrosoftEdge.exe
Token: SeDebugPrivilege 3164 MicrosoftEdge.exe
Token: SeDebugPrivilege 3012 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 3012 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 3012 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 3012 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 3164 MicrosoftEdge.exe
-
Suspicious use of FindShellTrayWindow 9 IoCs
Processes:
pid process
2988 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
-
Suspicious use of SendNotifyMessage 8 IoCs
Processes:
pid process
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
-
Suspicious use of SetWindowsHookEx 18 IoCs
Processes:
pid process
2244 ste2.exe
2244 ste2.exe
588 ste2.exe
588 ste2.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
3164 MicrosoftEdge.exe
1576 MicrosoftEdgeCP.exe
1576 MicrosoftEdgeCP.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
1512 TeamViewer.exe
4584 ste2.exe
4584 ste2.exe
4628 ste2.exe
4628 ste2.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 1828 wrote to memory of 2988 1828 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.exe 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp
PID 1828 wrote to memory of 2988 1828 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.exe 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp
PID 1828 wrote to memory of 2988 1828 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.exe 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp
PID 2988 wrote to memory of 3692 2988 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp tv.exe
PID 2988 wrote to memory of 3692 2988 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp tv.exe
PID 2988 wrote to memory of 3692 2988 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp tv.exe
PID 2988 wrote to memory of 2244 2988 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp ste2.exe
PID 2988 wrote to memory of 2244 2988 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp ste2.exe
PID 2244 wrote to memory of 588 2244 ste2.exe ste2.exe
PID 2244 wrote to memory of 588 2244 ste2.exe ste2.exe
PID 2244 wrote to memory of 588 2244 ste2.exe ste2.exe
PID 3692 wrote to memory of 792 3692 tv.exe TeamViewer_.exe
PID 3692 wrote to memory of 792 3692 tv.exe TeamViewer_.exe
PID 3692 wrote to memory of 792 3692 tv.exe TeamViewer_.exe
PID 792 wrote to memory of 396 792 TeamViewer_.exe TeamViewer_.exe
PID 792 wrote to memory of 396 792 TeamViewer_.exe TeamViewer_.exe
PID 792 wrote to memory of 396 792 TeamViewer_.exe TeamViewer_.exe
PID 396 wrote to memory of 1512 396 TeamViewer_.exe TeamViewer.exe
PID 396 wrote to memory of 1512 396 TeamViewer_.exe TeamViewer.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1576 wrote to memory of 3012 1576 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
PID 588 wrote to memory of 4448 588 ste2.exe chrome.exe
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-RPN9I.tmp\5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-RPN9I.tmp\5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp" /SL5="$30112,35974500,1061376,C:\Users\Admin\AppData\Local\Temp\5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.exe"
      Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\LjSsjzaijfpQGN\tv.exe
        Command line: "C:\Program Files (x86)\LjSsjzaijfpQGN\tv.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
          Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe /RUN
            Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe" --noInstallation
              Signatures: Executes dropped EXE; Checks computer location settings; Loads dropped DLL; Checks processor information in registry; Modifies Internet Explorer settings; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
              - C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_w32.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_w32.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer15_Logfile.log
                Signatures: Executes dropped EXE; Loads dropped DLL; Modifies data under HKEY_USERS
              - C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_x64.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_x64.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer15_Logfile.log
                Signatures: Executes dropped EXE; Loads dropped DLL; Modifies data under HKEY_USERS
      - C:\LjSsjzaijfpQGNLjSsjzaijfpQGN\ste2.exe
        Command line: "C:\LjSsjzaijfpQGNLjSsjzaijfpQGN\ste2.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\LjSsjzaijfpQGNLjSsjzaijfpQGN\ste2.exe
          Command line: "C:\LjSsjzaijfpQGNLjSsjzaijfpQGN\ste2.exe"
          Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  Signatures: Drops file in Windows directory; Modifies Internet Explorer settings; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\browser_broker.exe
  Command line: C:\Windows\system32\browser_broker.exe -Embedding
  Signatures: Modifies Internet Explorer settings
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Modifies registry class; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Drops file in Windows directory; Modifies Internet Explorer settings; Modifies registry class; Suspicious use of AdjustPrivilegeToken
- C:\LjSsjzaijfpQGNLjSsjzaijfpQGN\ste2.exe
  Command line: "C:\LjSsjzaijfpQGNLjSsjzaijfpQGN\ste2.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of SetWindowsHookEx
  - C:\LjSsjzaijfpQGNLjSsjzaijfpQGN\ste2.exe
    Command line: "C:\LjSsjzaijfpQGNLjSsjzaijfpQGN\ste2.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\LjSsjzaijfpQGNLjSsjzaijfpQGN\ste2.exe
MD5 47933f87a08b2dc9c415433ac4ab4f04
SHA1 d6ff3d8b0a0729c651c8318d3fa470d90cc0c8ab
SHA256 807c8c2c02fd1c0f567bbbe14e24484ff0871d83130464c8376e8382e563d1cb
SHA512 189d7b35194f11a7c60cd1b40cd58fcec99b15d17aebf208697f3a45af53e45f133e189751707e292fcc2a76bbfb4e3cd32d3cac258891abe99386f4640971b0
-
C:\Program Files (x86)\LjSsjzaijfpQGN\tv.exe
MD5 4a8e5e6ca45331d7e08c2c44364231fe
SHA1 c3c908aaa09783b9b638dfbb1770efd9e77ae5bb
SHA256 187ed0e2c02f10ee82731490d0cd9928590d428c80d7c7382ba471df2cb8b9b8
SHA512 e33a8406ed003bef4a341b757390f57e753ebd2d73d36b6970de2dafecc9d0092760156bf6bd42b21cd9a78a7abd7cb1b2a5c593d5172b337999800246a2ca1f
-
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
MD5 986d59d14852ea73b31f748e9b5ca95f
SHA1 f137bcd2f8674ea4ac95c899b67815d7caab13fb
SHA256 64e6442cfe7d87d0144e617b1d0fbccc40a73b50d58e57fa8845abdac287adf6
SHA512 ff44a48af8334c66ef651bfbdad5131e72ea724463e962a1b226d77e402e80a81cd834e069b6c95dbbfbcd1394cb99834c81fa68bb42bd741a378f4d5513f4a5
-
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini
MD5 8dc7b09b9fbcd5fd96c3a8bdf3bad902
SHA1 5ac23bc1570874becc04e78ecdd855461e42e10d
SHA256 8732d50f90c1abdd2a044951870a16ce3f906e933cf8c8cf5ecd76bfc38590dc
SHA512 affeb53a0c0dfaf59a757718009151099ea8914ead3f1fd028d7b72e22c39c5393161ad1e7cd76a0505b5dc6ba4608d60ec1679334d15dcac1b36bb0062eb863
-
C:\Users\Admin\AppData\Local\Temp\is-RPN9I.tmp\5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832.tmp
MD5 2823ea83dd9de61289ff0e7647af1aae
SHA1 8c1018e31ee200fb1b22128d37ff6ede205186dc
SHA256 cac76e1ac26c4c2523816ce831c9f9f404345971a173b13d234bd05c87e6ed13
SHA512 69efa3446becdc26e0d90e35c64e4acfc3f1b5e96155695e8ebf811360cf4b3a9cb0d0c52d1385256dc48bc0af6c79f381700d83e7c70ae98f2bd5a55a75cbe0
-
\Users\Admin\AppData\Local\Temp\nscFBC8.tmp\System.dll
MD5 0ff2d70cfdc8095ea99ca2dabbec3cd7
SHA1 10c51496d37cecd0e8a503a5a9bb2329d9b38116
SHA256 982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
SHA512 cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e
-
\Users\Admin\AppData\Local\Temp\nscFBC8.tmp\TvGetVersion.dll
MD5 de5041a1efd290a8bfc405f4a46168ff
SHA1 4add2640ae5cc100769e604932ed1dd1e71f6608
SHA256 e721edb07e9a58dd696691d2492f1b3238974b35ae5401798b00c5a382d9ffbb
SHA512 dfa8f382ab2f922d9c01e5ef0dc7f0fc0e2fbd11ee131d03157d469bfbbda87b10c2d1cf0ad590e880a82ea7988354ffc19f6bd4ffa34254af502805a66f1190
-
\Users\Admin\AppData\Local\Temp\nscFBC8.tmp\UAC.dll
MD5 113c5f02686d865bc9e8332350274fd1
SHA1 4fa4414666f8091e327adb4d81a98a0d6e2e254a
SHA256 0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d
SHA512 e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284
-
\Users\Admin\AppData\Local\Temp\nscFBC8.tmp\UserInfo.dll
MD5 9b0db6a6056e8e51ac35e602aeab769f
SHA1 b541c6d2635141cdc3a74f59d55db8df4a92e7ac
SHA256 925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c
SHA512 83fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6
-
\Users\Admin\AppData\Local\Temp\nscFBC8.tmp\nsArray.dll
MD5 82d49c227928741f6f09c5cea3bde9f1
SHA1 b0904368a5e94026d0ca5760d4577236f796051d
SHA256 8bc5e75bbfa5a8f10526aec2af441153b2883d6d288726ed8f7c9af12a1ee02b
SHA512 d4f588e3613886e3dab58330cd69ce7f24c39be2c4854cc8edfcef98e1324926fcde0d79df1a8fdf5e2bf9327b17f22a9fa1396568c0ace4e46d4f548fdc7530
-
\Users\Admin\AppData\Local\Temp\nscFBC8.tmp\nsis7z.dll
MD5 87853c0f20f065793bdc707ece66190b
SHA1 738e11a9a565923ec75400a0cd4bce4db257b21d
SHA256 66b2f36274ddfeef35b1d6ae6e5755f834446e5d78a719063347543793987161
SHA512 febfcd11795f4ef0ff3d25cbf1856be01e7f6423a9f16028c927988c04ab21de5f0b076d7f4ce9294aa7603c0db61ea5ffb888af2e9f7c6a6a11bcabfe9795a2
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\InstallOptions.dllMD5
033ee34c40e8fa85bf2739bcb2f3e186
SHA12ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA5122204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\InstallOptions.dllMD5
033ee34c40e8fa85bf2739bcb2f3e186
SHA12ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA5122204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\InstallOptions.dllMD5
033ee34c40e8fa85bf2739bcb2f3e186
SHA12ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA5122204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\InstallOptions.dllMD5
033ee34c40e8fa85bf2739bcb2f3e186
SHA12ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA5122204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\InstallOptions.dllMD5
033ee34c40e8fa85bf2739bcb2f3e186
SHA12ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA5122204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\InstallOptions.dllMD5
033ee34c40e8fa85bf2739bcb2f3e186
SHA12ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA5122204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\InstallOptions.dllMD5
033ee34c40e8fa85bf2739bcb2f3e186
SHA12ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA5122204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\InstallOptions.dllMD5
033ee34c40e8fa85bf2739bcb2f3e186
SHA12ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA5122204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\InstallOptions.dllMD5
033ee34c40e8fa85bf2739bcb2f3e186
SHA12ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA5122204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\InstallOptions.dllMD5
033ee34c40e8fa85bf2739bcb2f3e186
SHA12ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA5122204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\System.dllMD5
0ff2d70cfdc8095ea99ca2dabbec3cd7
SHA110c51496d37cecd0e8a503a5a9bb2329d9b38116
SHA256982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
SHA512cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\TvGetVersion.dllMD5
de5041a1efd290a8bfc405f4a46168ff
SHA14add2640ae5cc100769e604932ed1dd1e71f6608
SHA256e721edb07e9a58dd696691d2492f1b3238974b35ae5401798b00c5a382d9ffbb
SHA512dfa8f382ab2f922d9c01e5ef0dc7f0fc0e2fbd11ee131d03157d469bfbbda87b10c2d1cf0ad590e880a82ea7988354ffc19f6bd4ffa34254af502805a66f1190
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\TvGetVersion.dllMD5
de5041a1efd290a8bfc405f4a46168ff
SHA14add2640ae5cc100769e604932ed1dd1e71f6608
SHA256e721edb07e9a58dd696691d2492f1b3238974b35ae5401798b00c5a382d9ffbb
SHA512dfa8f382ab2f922d9c01e5ef0dc7f0fc0e2fbd11ee131d03157d469bfbbda87b10c2d1cf0ad590e880a82ea7988354ffc19f6bd4ffa34254af502805a66f1190
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\TvGetVersion.dllMD5
de5041a1efd290a8bfc405f4a46168ff
SHA14add2640ae5cc100769e604932ed1dd1e71f6608
SHA256e721edb07e9a58dd696691d2492f1b3238974b35ae5401798b00c5a382d9ffbb
SHA512dfa8f382ab2f922d9c01e5ef0dc7f0fc0e2fbd11ee131d03157d469bfbbda87b10c2d1cf0ad590e880a82ea7988354ffc19f6bd4ffa34254af502805a66f1190
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\TvGetVersion.dllMD5
de5041a1efd290a8bfc405f4a46168ff
SHA14add2640ae5cc100769e604932ed1dd1e71f6608
SHA256e721edb07e9a58dd696691d2492f1b3238974b35ae5401798b00c5a382d9ffbb
SHA512dfa8f382ab2f922d9c01e5ef0dc7f0fc0e2fbd11ee131d03157d469bfbbda87b10c2d1cf0ad590e880a82ea7988354ffc19f6bd4ffa34254af502805a66f1190
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\TvGetVersion.dllMD5
de5041a1efd290a8bfc405f4a46168ff
SHA14add2640ae5cc100769e604932ed1dd1e71f6608
SHA256e721edb07e9a58dd696691d2492f1b3238974b35ae5401798b00c5a382d9ffbb
SHA512dfa8f382ab2f922d9c01e5ef0dc7f0fc0e2fbd11ee131d03157d469bfbbda87b10c2d1cf0ad590e880a82ea7988354ffc19f6bd4ffa34254af502805a66f1190
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\UserInfo.dllMD5
9b0db6a6056e8e51ac35e602aeab769f
SHA1b541c6d2635141cdc3a74f59d55db8df4a92e7ac
SHA256925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c
SHA51283fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\UserInfo.dllMD5
9b0db6a6056e8e51ac35e602aeab769f
SHA1b541c6d2635141cdc3a74f59d55db8df4a92e7ac
SHA256925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c
SHA51283fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\UserInfo.dllMD5
9b0db6a6056e8e51ac35e602aeab769f
SHA1b541c6d2635141cdc3a74f59d55db8df4a92e7ac
SHA256925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c
SHA51283fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\UserInfo.dllMD5
9b0db6a6056e8e51ac35e602aeab769f
SHA1b541c6d2635141cdc3a74f59d55db8df4a92e7ac
SHA256925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c
SHA51283fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\linker.dllMD5
4ac3f0ab2e423515ed9c575333342054
SHA1a3e4f2b2135157f964d471564044b023a64f2532
SHA256f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9
SHA5128fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5
-
\Users\Admin\AppData\Local\Temp\nskC2D6.tmp\linker.dllMD5
4ac3f0ab2e423515ed9c575333342054
SHA1a3e4f2b2135157f964d471564044b023a64f2532
SHA256f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9
SHA5128fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5
-
\Users\Admin\AppData\Local\Temp\nsrBBC0.tmp\TvGetVersion.dllMD5
a48b275ce1643d55e04817b00632c802
SHA1b827f2d42ab36be638b49fbe4520039c26b2985a
SHA256efc361e5a2cbb903a8eeb68406c68b63ea7e3e82830ea9058cfbdaef1a72272c
SHA512b18ee82f23dd381e2eebc938ff3888a1346f4046da3cfcdb00557aab7d47a6adef566cff0080defcd4fd7b541504eda13eb2ad3d2da85b23357e5efd0b92b5a2
-