Analysis
max time kernel
288s
max time network
1186s
platform
windows7_x64
resource
win7-20220311-en
submitted
03-04-2022 16:13
Static task
static1
Behavioral task
behavioral1
Sample
$RTWBRPB.exe
Resource
win7-20220311-en
Behavioral task
behavioral2
Sample
$RTWBRPB.exe
Resource
win10-20220331-en
Behavioral task
behavioral3
Sample
$RTWBRPB.exe
Resource
win10v2004-20220331-en
Behavioral task
behavioral4
Sample
$RTWBRPB.exe
Resource
win11-20220223-en
General
-
Target
$RTWBRPB.exe
-
Size
5.0MB
-
MD5
b8c24a19ae1706e4baf0253b8f33abe3
-
SHA1
a6eb472bb97ddec488203467d10bc26e86dc8e53
-
SHA256
3c855659332b10f81efb7574d83624a30db08c15fe3927cee1dbdb2c523d3554
-
SHA512
2c18eea5f88c2cf0fcceacfa8df78d50d59cdcf9d21369c4cffea43a4e020f31a0ad27394ff22572585c2db7708d8c10c5b7e74000d83c1f543a3608190e5b68
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x0005000000019396-109.dat | acprotect
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\DRIVERS\SET30A2.tmp | DrvInst.exe
File created | C:\Windows\system32\DRIVERS\SET30A2.tmp | DrvInst.exe
File opened for modification | C:\Windows\system32\DRIVERS\tap0901.sys | DrvInst.exe
-
Executes dropped EXE 17 IoCs
pid | Process
1804 | GenericSetup.exe
1592 | Carrier.exe
1504 | saBSI.exe
1756 | xrvoe1jq.331.exe
1744 | xrvoe1jq.331.tmp
2036 | tapinstall.exe
1544 | tapinstall.exe
1828 | mask_svc.exe
1656 | mask_svc.exe
1080 | mask_svc.exe
1756 | BITTOR~1.EXE
2068 | bittorrentie.exe
2164 | MaskVPNUpdate.exe
2220 | bittorrentie.exe
2292 | bittorrentie.exe
2348 | bittorrentie.exe
2424 | bittorrentie.exe
-
resource | yara_rule
behavioral1/files/0x0006000000015f1d-71.dat | upx
behavioral1/files/0x0006000000015f1d-72.dat | upx
behavioral1/files/0x0006000000015f1d-74.dat | upx
behavioral1/files/0x0005000000019396-109.dat | upx
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\Wine | Carrier.exe
Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Wine | Carrier.exe
Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\Wine | BITTOR~1.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Wine | BITTOR~1.EXE
-
Loads dropped DLL 51 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\bt = "\"C:\\Users\\Admin\\AppData\\Roaming\\BITTOR~1\\BITTOR~1.EXE\" /MINIMIZED" | BITTOR~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\bt = "C:\\Users\\Admin\\AppData\\Roaming\\BitTorrent\\BitTorrent.exe /MINIMIZED" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run | BITTOR~1.EXE
-
Checks for any installed AV software in registry 1 TTPs 8 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir | GenericSetup.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 21 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid | Process
1828 | mask_svc.exe
1656 | mask_svc.exe
1080 | mask_svc.exe
-
Drops file in Program Files directory 62 IoCs
-
Drops file in Windows directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.app.log | tapinstall.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | tapinstall.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\INF\oem2.inf | DrvInst.exe
File opened for modification | C:\Windows\INF\oem2.inf | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\INF\oem2.PNF | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev2 | DrvInst.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\BitTorrent\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\BitTorrent\\BitTorrent.exe\" \"%1\" /SHELLASSOC" Carrier.exe Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\BitTorrent\shell\ = "open" Carrier.exe Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\BitTorrent\Content Type\ = "application/x-bittorrent" Carrier.exe Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Magnet\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\BitTorrent\\maindoc.ico" Carrier.exe Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\BitTorrent\Content Type = "application/x-bittorrent-protocol" Carrier.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\.btinstall Carrier.exe Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\.torrent\OpenWithProgids\BitTorrent Carrier.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\bittorrent\DefaultIcon Carrier.exe Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\.torrent\ = "BitTorrent" Carrier.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\MIME Carrier.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-appinst Carrier.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-appinst\Extension = ".btinstall" Carrier.exe Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Applications\BitTorrent.exe\shell\ = "open" Carrier.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Applications\BitTorrent.exe\shell\open Carrier.exe Key created 
\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Applications\BitTorrent.exe Carrier.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent Carrier.exe Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\MIME\Database\Content Type\application/x-bittorrent\Extension = ".torrent" Carrier.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml Carrier.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\bittorrent\shell\open\command Carrier.exe Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\.btinstall\ = "BitTorrent" Carrier.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 GenericSetup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 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 xrvoe1jq.331.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\801D62D07B449D5C5C035C98EA61FA443C2A58FE\Blob = 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 BITTOR~1.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b446
9676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 GenericSetup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 
19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa1
7900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd GenericSetup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 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 GenericSetup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 saBSI.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 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 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\801D62D07B449D5C5C035C98EA61FA443C2A58FE\Blob = 0f0000000100000014000000f53631b5177626eb6541df5563c8187d9dca421a09000000010000005e000000305c06082b0601050507030306082b0601050507030106082b0601050507030206082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b06010505070308060a2b0601040182370a030453000000010000002400000030223020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c0b000000010000001000000045006e00740072007500730074000000030000000100000014000000801d62d07b449d5c5c035c98ea61fa443c2a58fe2000000001000000600400003082045c30820344a00302010202043863b966300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669
636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3139313232343138323035315a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3743072301106096086480186f8420101040403020007301f0603551d2304183016801455e481d11180bed889b908a331f9a1240916b970301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970301d06092a864886f67d0741000410300e1b0856352e303a342e3003020490300d06092a864886f70d010105050003820101005947ac21848a17c99c89531eba80851ac63c4e3eb19cb67cc6925d186402e3d3060811617c63e32b9d31037076d2a328a0f4bb9a6373ed6de52adbed14a92bc63611d02beb078ba5da9e5c199d5612f55429c805edb2122a8df4031bffe7921087b03ab5c39d053712a3c7f415b9d5a439169b533a2391f1a882a26a8868c1790222bcaaa6d6aedfb0145fb887d0dd7c7f7bffaf1ccfe6db07ad5edb859dd02b0d33db04d1e64940132b76fb3ee99c890f15ce18b08578214f6b4f0efa3667cd07f2ff08d0e2ded9bf2aafb88786213c04cab794687fcf3ce998d738ffecc0d950f02e4b58ae466fd02ec360da725572bd4c459e61babf84819203d1d2697cc5 BITTOR~1.EXE Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\801D62D07B449D5C5C035C98EA61FA443C2A58FE BITTOR~1.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 GenericSetup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 GenericSetup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b30090603550
4061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 GenericSetup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA xrvoe1jq.331.tmp Set value (data) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 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 xrvoe1jq.331.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 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 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\801D62D07B449D5C5C035C98EA61FA443C2A58FE\Blob = 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 BITTOR~1.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 GenericSetup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 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 GenericSetup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A GenericSetup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 saBSI.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC xrvoe1jq.331.tmp -
Suspicious behavior: EnumeratesProcesses 45 IoCs
pid Process 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1504 saBSI.exe 1504 saBSI.exe 1504 saBSI.exe 1504 saBSI.exe 1504 saBSI.exe 1504 saBSI.exe 1504 saBSI.exe 1504 saBSI.exe 1504 saBSI.exe 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1828 mask_svc.exe 1656 mask_svc.exe 1080 mask_svc.exe 1080 mask_svc.exe 1080 mask_svc.exe 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1756 BITTOR~1.EXE 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1804 GenericSetup.exe 1080 mask_svc.exe 1080 mask_svc.exe 2164 MaskVPNUpdate.exe 2164 MaskVPNUpdate.exe 1756 BITTOR~1.EXE -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1804 GenericSetup.exe 1756 BITTOR~1.EXE -
Suspicious use of AdjustPrivilegeToken 62 IoCs
description pid Process
Token: SeDebugPrivilege 1804 GenericSetup.exe
Token: SeManageVolumePrivilege 1592 Carrier.exe
Token: SeDebugPrivilege 1744 xrvoe1jq.331.tmp
Token: SeDebugPrivilege 1744 xrvoe1jq.331.tmp
Token: SeRestorePrivilege 1504 saBSI.exe
Token: SeBackupPrivilege 1504 saBSI.exe
Token: SeRestorePrivilege 1544 tapinstall.exe
Token: SeRestorePrivilege 1544 tapinstall.exe
Token: SeRestorePrivilege 1544 tapinstall.exe
Token: SeRestorePrivilege 1544 tapinstall.exe
Token: SeRestorePrivilege 1544 tapinstall.exe
Token: SeRestorePrivilege 1544 tapinstall.exe
Token: SeRestorePrivilege 1544 tapinstall.exe
Token: SeRestorePrivilege 1544 tapinstall.exe
Token: SeRestorePrivilege 1544 tapinstall.exe
Token: SeRestorePrivilege 1544 tapinstall.exe
Token: SeRestorePrivilege 1544 tapinstall.exe
Token: SeRestorePrivilege 1544 tapinstall.exe
Token: SeRestorePrivilege 1544 tapinstall.exe
Token: SeRestorePrivilege 1544 tapinstall.exe
Token: SeRestorePrivilege 784 DrvInst.exe
Token: SeRestorePrivilege 784 DrvInst.exe
Token: SeRestorePrivilege 784 DrvInst.exe
Token: SeRestorePrivilege 784 DrvInst.exe
Token: SeRestorePrivilege 784 DrvInst.exe
Token: SeRestorePrivilege 784 DrvInst.exe
Token: SeRestorePrivilege 784 DrvInst.exe
Token: SeRestorePrivilege 784 DrvInst.exe
Token: SeRestorePrivilege 784 DrvInst.exe
Token: SeRestorePrivilege 784 DrvInst.exe
Token: SeRestorePrivilege 784 DrvInst.exe
Token: SeRestorePrivilege 784 DrvInst.exe
Token: SeRestorePrivilege 784 DrvInst.exe
Token: SeRestorePrivilege 784 DrvInst.exe
Token: SeBackupPrivilege 1328 vssvc.exe
Token: SeRestorePrivilege 1328 vssvc.exe
Token: SeAuditPrivilege 1328 vssvc.exe
Token: SeBackupPrivilege 784 DrvInst.exe
Token: SeRestorePrivilege 784 DrvInst.exe
Token: SeRestorePrivilege 2016 DrvInst.exe
Token: SeRestorePrivilege 2016 DrvInst.exe
Token: SeRestorePrivilege 2016 DrvInst.exe
Token: SeRestorePrivilege 2016 DrvInst.exe
Token: SeRestorePrivilege 2016 DrvInst.exe
Token: SeRestorePrivilege 2016 DrvInst.exe
Token: SeRestorePrivilege 2016 DrvInst.exe
Token: SeLoadDriverPrivilege 2016 DrvInst.exe
Token: SeLoadDriverPrivilege 2016 DrvInst.exe
Token: SeLoadDriverPrivilege 2016 DrvInst.exe
Token: SeRestorePrivilege 1544 tapinstall.exe
Token: SeLoadDriverPrivilege 1544 tapinstall.exe
Token: SeRestorePrivilege 1360 DrvInst.exe
Token: SeRestorePrivilege 1360 DrvInst.exe
Token: SeRestorePrivilege 1360 DrvInst.exe
Token: SeRestorePrivilege 1360 DrvInst.exe
Token: SeRestorePrivilege 1360 DrvInst.exe
Token: SeRestorePrivilege 1360 DrvInst.exe
Token: SeRestorePrivilege 1360 DrvInst.exe
Token: SeRestorePrivilege 1360 DrvInst.exe
Token: SeLoadDriverPrivilege 1360 DrvInst.exe
Token: SeManageVolumePrivilege 1756 BITTOR~1.EXE
Token: SeDebugPrivilege 2164 MaskVPNUpdate.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp 1744 xrvoe1jq.331.tmp -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 1756 BITTOR~1.EXE 1756 BITTOR~1.EXE 1756 BITTOR~1.EXE -
Suspicious use of SetWindowsHookEx 18 IoCs
pid Process 1804 GenericSetup.exe 2068 bittorrentie.exe 2068 bittorrentie.exe 2164 MaskVPNUpdate.exe 2220 bittorrentie.exe 2220 bittorrentie.exe 2292 bittorrentie.exe 2292 bittorrentie.exe 2348 bittorrentie.exe 2348 bittorrentie.exe 2424 bittorrentie.exe 2424 bittorrentie.exe 2412 iexplore.exe 2412 iexplore.exe 2524 IEXPLORE.EXE 2524 IEXPLORE.EXE 2524 IEXPLORE.EXE 2524 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1800 wrote to memory of 1804 1800 $RTWBRPB.exe 27
PID 1800 wrote to memory of 1804 1800 $RTWBRPB.exe 27
PID 1800 wrote to memory of 1804 1800 $RTWBRPB.exe 27
PID 1800 wrote to memory of 1804 1800 $RTWBRPB.exe 27
PID 1800 wrote to memory of 1804 1800 $RTWBRPB.exe 27
PID 1800 wrote to memory of 1804 1800 $RTWBRPB.exe 27
PID 1800 wrote to memory of 1804 1800 $RTWBRPB.exe 27
PID 1804 wrote to memory of 1712 1804 GenericSetup.exe 31
PID 1804 wrote to memory of 1712 1804 GenericSetup.exe 31
PID 1804 wrote to memory of 1712 1804 GenericSetup.exe 31
PID 1804 wrote to memory of 1712 1804 GenericSetup.exe 31
PID 1712 wrote to memory of 1592 1712 cmd.exe 33
PID 1712 wrote to memory of 1592 1712 cmd.exe 33
PID 1712 wrote to memory of 1592 1712 cmd.exe 33
PID 1712 wrote to memory of 1592 1712 cmd.exe 33
PID 1804 wrote to memory of 796 1804 GenericSetup.exe 36
PID 1804 wrote to memory of 796 1804 GenericSetup.exe 36
PID 1804 wrote to memory of 796 1804 GenericSetup.exe 36
PID 1804 wrote to memory of 796 1804 GenericSetup.exe 36
PID 796 wrote to memory of 1504 796 cmd.exe 38
PID 796 wrote to memory of 1504 796 cmd.exe 38
PID 796 wrote to memory of 1504 796 cmd.exe 38
PID 796 wrote to memory of 1504 796 cmd.exe 38
PID 796 wrote to memory of 1504 796 cmd.exe 38
PID 796 wrote to memory of 1504 796 cmd.exe 38
PID 796 wrote to memory of 1504 796 cmd.exe 38
PID 1804 wrote to memory of 1020 1804 GenericSetup.exe 41
PID 1804 wrote to memory of 1020 1804 GenericSetup.exe 41
PID 1804 wrote to memory of 1020 1804 GenericSetup.exe 41
PID 1804 wrote to memory of 1020 1804 GenericSetup.exe 41
PID 1020 wrote to memory of 1756 1020 cmd.exe 43
PID 1020 wrote to memory of 1756 1020 cmd.exe 43
PID 1020 wrote to memory of 1756 1020 cmd.exe 43
PID 1020 wrote to memory of 1756 1020 cmd.exe 43
PID 1020 wrote to memory of 1756 1020 cmd.exe 43
PID 1020 wrote to memory of 1756 1020 cmd.exe 43
PID 1020 wrote to memory of 1756 1020 cmd.exe 43
PID 1756 wrote to memory of 1744 1756 xrvoe1jq.331.exe 44
PID 1756 wrote to memory of 1744 1756 xrvoe1jq.331.exe 44
PID 1756 wrote to memory of 1744 1756 xrvoe1jq.331.exe 44
PID 1756 wrote to memory of 1744 1756 xrvoe1jq.331.exe 44
PID 1756 wrote to memory of 1744 1756 xrvoe1jq.331.exe 44
PID 1756 wrote to memory of 1744 1756 xrvoe1jq.331.exe 44
PID 1756 wrote to memory of 1744 1756 xrvoe1jq.331.exe 44
PID 1744 wrote to memory of 1596 1744 xrvoe1jq.331.tmp 46
PID 1744 wrote to memory of 1596 1744 xrvoe1jq.331.tmp 46
PID 1744 wrote to memory of 1596 1744 xrvoe1jq.331.tmp 46
PID 1744 wrote to memory of 1596 1744 xrvoe1jq.331.tmp 46
PID 1744 wrote to memory of 1596 1744 xrvoe1jq.331.tmp 46
PID 1744 wrote to memory of 1596 1744 xrvoe1jq.331.tmp 46
PID 1744 wrote to memory of 1596 1744 xrvoe1jq.331.tmp 46
PID 1596 wrote to memory of 2036 1596 cmd.exe 48
PID 1596 wrote to memory of 2036 1596 cmd.exe 48
PID 1596 wrote to memory of 2036 1596 cmd.exe 48
PID 1596 wrote to memory of 2036 1596 cmd.exe 48
PID 1744 wrote to memory of 1080 1744 xrvoe1jq.331.tmp 49
PID 1744 wrote to memory of 1080 1744 xrvoe1jq.331.tmp 49
PID 1744 wrote to memory of 1080 1744 xrvoe1jq.331.tmp 49
PID 1744 wrote to memory of 1080 1744 xrvoe1jq.331.tmp 49
PID 1744 wrote to memory of 1080 1744 xrvoe1jq.331.tmp 49
PID 1744 wrote to memory of 1080 1744 xrvoe1jq.331.tmp 49
PID 1744 wrote to memory of 1080 1744 xrvoe1jq.331.tmp 49
PID 1080 wrote to memory of 1544 1080 cmd.exe 51
PID 1080 wrote to memory of 1544 1080 cmd.exe 51
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\$RTWBRPB.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$RTWBRPB.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1800
  [depth 2] C:\Users\Admin\AppData\Local\Temp\7zS807A3126\GenericSetup.exe
    Command line: .\GenericSetup.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1804
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1649002479\Carrier.exe" /S /FORCEINSTALL 1110010101110000"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:1712
      [depth 4] C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1649002479\Carrier.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1649002479\Carrier.exe" /S /FORCEINSTALL 1110010101110000
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Adds Run key to start application
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        PID:1592
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C ""saBSI.exe" /affid 91213 PaidDistribution=true InstallID=33e2f051-94da-49b5-a539-d6705c8b8bbe subID=CS"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:796
      [depth 4] C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1649002479\saBSI.exe
        Command line: "saBSI.exe" /affid 91213 PaidDistribution=true InstallID=33e2f051-94da-49b5-a539-d6705c8b8bbe subID=CS
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:1504
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\xrvoe1jq.331.exe" /silent /shortcut /startmenu /subid=663"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:1020
      [depth 4] C:\Users\Admin\AppData\Local\Temp\xrvoe1jq.331.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\xrvoe1jq.331.exe" /silent /shortcut /startmenu /subid=663
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID:1756
        [depth 5] C:\Users\Admin\AppData\Local\Temp\is-A0SRS.tmp\xrvoe1jq.331.tmp
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-A0SRS.tmp\xrvoe1jq.331.tmp" /SL5="$7014E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\xrvoe1jq.331.exe" /silent /shortcut /startmenu /subid=663
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - Modifies registry class
          - Modifies system certificate store
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          PID:1744
          [depth 6] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            PID:1596
            [depth 7] C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
              Command line: tapinstall.exe remove tap0901
              - Executes dropped EXE
              PID:2036
          [depth 6] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            PID:1080
            [depth 7] C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
              Command line: tapinstall.exe install OemVista.inf tap0901
              - Executes dropped EXE
              - Drops file in System32 directory
              - Drops file in Windows directory
              - Modifies system certificate store
              - Suspicious use of AdjustPrivilegeToken
              PID:1544
          [depth 6] C:\Program Files (x86)\MaskVPN\mask_svc.exe
            Command line: "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
            PID:1828
          [depth 6] C:\Program Files (x86)\MaskVPN\mask_svc.exe
            Command line: "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
            PID:1656
[depth 1] C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
  PID:1012
[depth 1] C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{595e231f-c548-64fd-e47a-f2232b39e348}\oemvista.inf" "9" "6d14a44ff" "00000000000002D4" "WinSta0\Default" "00000000000003D0" "208" "c:\program files (x86)\maskvpn\driver\win764"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:784
[depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
[depth 1] C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C4" "00000000000005C0"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
[depth 1] C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.0.0.21:tap0901" "6d14a44ff" "00000000000002D4" "00000000000005AC" "00000000000005CC"
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
[depth 1] C:\Program Files (x86)\MaskVPN\mask_svc.exe
  Command line: "C:\Program Files (x86)\MaskVPN\mask_svc.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
  [depth 2] C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
    Command line: MaskVPNUpdate.exe /silent
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2164
[depth 1] C:\Users\Admin\AppData\Roaming\BITTOR~1\BITTOR~1.EXE
  Command line: "C:\Users\Admin\AppData\Roaming\BITTOR~1\BITTOR~1.EXE" /RUNONSTARTUP
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  PID:1756
  [depth 2] C:\Users\Admin\AppData\Roaming\BITTOR~1\updates\7.10.5_46211\bittorrentie.exe
    Command line: "C:\Users\Admin\AppData\Roaming\BITTOR~1\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_1756_00B5A110_1923151456 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2068
  [depth 2] C:\Users\Admin\AppData\Roaming\BITTOR~1\updates\7.10.5_46211\bittorrentie.exe
    Command line: "C:\Users\Admin\AppData\Roaming\BITTOR~1\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_1756_00B5A1A8_111527206 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2220
  [depth 2] C:\Users\Admin\AppData\Roaming\BITTOR~1\updates\7.10.5_46211\bittorrentie.exe
    Command line: "C:\Users\Admin\AppData\Roaming\BITTOR~1\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_1756_00B5A1A8_1728984640 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2292
  [depth 2] C:\Users\Admin\AppData\Roaming\BITTOR~1\updates\7.10.5_46211\bittorrentie.exe
    Command line: "C:\Users\Admin\AppData\Roaming\BITTOR~1\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_1756_00B5A1A8_997694796 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2348
  [depth 2] C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://bittorrent.com/prodnews?v=7%2e10%2e5%2e1%2e46211
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2412
    [depth 3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID:2524
  [depth 2] C:\Users\Admin\AppData\Roaming\BITTOR~1\updates\7.10.5_46211\bittorrentie.exe
    Command line: "C:\Users\Admin\AppData\Roaming\BITTOR~1\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_1756_00B5A110_974869348 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2424
[depth 1] C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
  PID:1232
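Added example (not part of the sandbox report, and not the sandbox's own signature logic): a small Python triage pass over the command lines recorded in the process tree above. The records below are copied from the tree together with the nesting depth the report prints; the rule names and regular expressions are this editor's assumptions about what an analyst would flag in a bundler chain like this one (silent-install switches, affiliate and install-ID parameters, cmd.exe wrappers, TAP driver installation via tapinstall.exe/DrvInst.exe, service installation, and the /RUNONSTARTUP autorun). Parent links are recovered from depth rather than from PID, because the sandbox OS reused PIDs 1756 and 1080 during this run and a PID-keyed map would silently merge unrelated processes.

```python
"""Command-line triage over a sandbox process tree (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcRecord:
    depth: int      # nesting level as printed in the report (1 = root)
    pid: int
    cmdline: str


@dataclass(frozen=True)
class Finding:
    index: int      # position in the record list; stable even when PIDs repeat
    pid: int
    rules: List[str]
    chain: str      # image names from the root of this branch down to the process


# Constructed sample: command lines copied from the process tree above, with the
# report's nesting depth. PIDs 1756 and 1080 are reused by the sandbox OS, so the
# tree is linked by depth, not by PID.
SAMPLE_TREE = [
    ProcRecord(1, 1800, r'"C:\Users\Admin\AppData\Local\Temp\$RTWBRPB.exe"'),
    ProcRecord(2, 1804, r'.\GenericSetup.exe'),
    ProcRecord(3, 1712, r'"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1649002479\Carrier.exe" /S /FORCEINSTALL 1110010101110000"'),
    ProcRecord(4, 1592, r'"C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1649002479\Carrier.exe" /S /FORCEINSTALL 1110010101110000'),
    ProcRecord(3, 796, r'"C:\Windows\system32\cmd.exe" /C ""saBSI.exe" /affid 91213 PaidDistribution=true InstallID=33e2f051-94da-49b5-a539-d6705c8b8bbe subID=CS"'),
    ProcRecord(4, 1504, r'"saBSI.exe" /affid 91213 PaidDistribution=true InstallID=33e2f051-94da-49b5-a539-d6705c8b8bbe subID=CS'),
    ProcRecord(3, 1020, r'"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\xrvoe1jq.331.exe" /silent /shortcut /startmenu /subid=663"'),
    ProcRecord(4, 1756, r'"C:\Users\Admin\AppData\Local\Temp\xrvoe1jq.331.exe" /silent /shortcut /startmenu /subid=663'),
    ProcRecord(5, 1744, r'"C:\Users\Admin\AppData\Local\Temp\is-A0SRS.tmp\xrvoe1jq.331.tmp" /SL5="$7014E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\xrvoe1jq.331.exe" /silent /shortcut /startmenu /subid=663'),
    ProcRecord(6, 1596, r'cmd /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "'),
    ProcRecord(7, 2036, r'tapinstall.exe remove tap0901'),
    ProcRecord(6, 1080, r'cmd /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "'),
    ProcRecord(7, 1544, r'tapinstall.exe install OemVista.inf tap0901'),
    ProcRecord(6, 1828, r'"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall'),
    ProcRecord(6, 1656, r'"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install'),
    ProcRecord(1, 1360, r'DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.0.0.21:tap0901" "6d14a44ff" "00000000000002D4" "00000000000005AC" "00000000000005CC"'),
    ProcRecord(1, 1080, r'"C:\Program Files (x86)\MaskVPN\mask_svc.exe"'),
    ProcRecord(2, 2164, r'MaskVPNUpdate.exe /silent'),
    ProcRecord(1, 1756, r'"C:\Users\Admin\AppData\Roaming\BITTOR~1\BITTOR~1.EXE" /RUNONSTARTUP'),
]

# Heuristics are this editor's assumptions about what to flag, not the
# sandbox's own signatures. All patterns are matched case-insensitively.
RULES = {
    "silent_install": re.compile(r"/silent\b|/S\b|/FORCEINSTALL\b", re.I),
    "affiliate_tracking": re.compile(r"/affid\b|\bInstallID=|\bsubID=", re.I),
    "shell_wrapper": re.compile(r'\bcmd(\.exe)?"?\s+/c\b', re.I),
    "driver_install": re.compile(r"tapinstall\.exe\s+install\b|\bDrvInst\.exe\b", re.I),
    "service_install": re.compile(r'mask_svc\.exe"?\s+install\b', re.I),
    "autorun": re.compile(r"/RUNONSTARTUP\b", re.I),
}


def image_name(cmdline: str) -> str:
    """First token of the command line (quoted or bare), reduced to its file name."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    token = (m.group(1) or m.group(2)) if m else ""
    return token.rsplit("\\", 1)[-1]


def ancestry(records: List[ProcRecord], index: int) -> List[ProcRecord]:
    """Parent of a record at depth d is the nearest earlier record at depth d-1."""
    chain = [records[index]]
    want = records[index].depth - 1
    for rec in reversed(records[:index]):
        if want == 0:
            break
        if rec.depth == want:
            chain.append(rec)
            want -= 1
    chain.reverse()
    return chain


def triage(records: List[ProcRecord]) -> List[Finding]:
    """Apply every rule to every command line; keep processes with at least one hit."""
    findings = []
    for i, rec in enumerate(records):
        hits = [name for name, rx in RULES.items() if rx.search(rec.cmdline)]
        if hits:
            chain = " -> ".join(image_name(r.cmdline) for r in ancestry(records, i))
            findings.append(Finding(i, rec.pid, hits, chain))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[int]]:
    """Rule name -> PIDs that triggered it, in tree order."""
    out: Dict[str, List[int]] = {}
    for f in findings:
        for rule in f.rules:
            out.setdefault(rule, []).append(f.pid)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_TREE):
        print(f"pid {f.pid:<5} {', '.join(f.rules):<40} {f.chain}")
```

Running it on the embedded records prints one line per flagged process with the full branch it sits on, so the driver install (tapinstall.exe install OemVista.inf tap0901, PID 1544) shows up as the leaf of the $RTWBRPB.exe -> GenericSetup.exe -> cmd.exe -> xrvoe1jq.331.exe -> xrvoe1jq.331.tmp -> cmd chain rather than as an isolated event.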
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 7KB
MD5 87868193626dc756d10885f46d76f42e
SHA1 94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f
SHA256 b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41
SHA512 79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277
-
Filesize 91B
MD5 3a05ce392d84463b43858e26c48f9cbf
SHA1 78f624e2c81c3d745a45477d61749b8452c129f1
SHA256 5b56d8b121fc9a7f2d4e90edb1b29373cd2d06bac1c54ada8f6cb559b411180b
SHA512 8a31fda09f0fa7779c4fb0c0629d4d446957c8aaae0595759dd2b434e84a17ecb6ffe4beff973a245caf0452a0c04a488d2ae7b232d8559f3bd1bfd68fed7cf1
-
Filesize 90KB
MD5 d10f74d86cd350732657f542df533f82
SHA1 c54074f8f162a780819175e7169c43f6706ad46c
SHA256 c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67
SHA512 0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e
-
Filesize 90KB
MD5 d10f74d86cd350732657f542df533f82
SHA1 c54074f8f162a780819175e7169c43f6706ad46c
SHA256 c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67
SHA512 0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e
-
Filesize 90KB
MD5 d10f74d86cd350732657f542df533f82
SHA1 c54074f8f162a780819175e7169c43f6706ad46c
SHA256 c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67
SHA512 0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e
-
Filesize 31B
MD5 9133a44bfd841b8849bddead9957c2c3
SHA1 3c1d92aa3f6247a2e7ceeaf0b811cf584ae87591
SHA256 b8109f63a788470925ea267f1b6032bba281b1ac3afdf0c56412cb753df58392
SHA512 d7f5f99325b9c77939735df3a61097a24613f85e7acc2d84875f78f60b0b70e3504f34d9fff222c593e1daadd9db71080a23b588fe7009ce93b5a4cbe9785545
-
Filesize 7.1MB
MD5 c6b1934d3e588271f27a38bfeed42abb
SHA1 08072ecb9042e6f7383d118c78d45b42a418864f
SHA256 35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8
SHA512 1db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692
-
Filesize 7.1MB
MD5 c6b1934d3e588271f27a38bfeed42abb
SHA1 08072ecb9042e6f7383d118c78d45b42a418864f
SHA256 35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8
SHA512 1db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 9734a25fbd51c71f54d2974de9cd5cc9
SHA1 127482bb6fbd446c4396111bcfb422a14fde64d5
SHA256 eb6a441102b980f81791d830480d4285c3e0453db3e34aa10321d70cda0ec03c
SHA512 9905b12f1d1a258420a9b7b685cba590da7bf97a3251611fbada059be72a58bbb415b4397d18833a29f5508f6b89a7383b06826446ebf96f910b9134a5b721a4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 f082fe1cfe94015c51d0a50e26f26787
SHA1 d36e346a1a2838c2acc1ed4deebd943670c9aa4d
SHA256 ba1596cd1417d155e3d7ee79aefa8339b39e5bc27029d415e0780ef14b1b115c
SHA512 f69ee43eb6b6ae2fed48334e9291777ff24711a9a9a2d758a5a95a426b869d1fd4fa9e9999c7388b92660df001b4f649b943ebe3b08e39d3e9af213f9f808f38
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 15fd7a605561dff53893a883ff91640f
SHA1 a4f7f8c82350aec4a94d6e3901e3237ebdf2921c
SHA256 7483843cfdcefed8793b8e6acf5973a4bbd4007ccfb84504080bbfcf4d65401c
SHA512 381ba20a79562dbe93528ac56b8d93e89320501ce85156aeb5bcc8c27bd35eac432852ee616aaa1a6f2c3549fa91d5f6455978f6785974d3c3da953366d21269
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 cf683220c44f4ae02f11c23e1388efd5
SHA1 85dee2e84fc18cafe7a316782ec145cef159cba2
SHA256 c3673d8561de9e529f8569aa54aeb26051f291f62ed80c782770c4f0239a89b9
SHA512 8735c3393ec0005480c4b283143d733410dbe521b4d67e825c8e8296f6341c652ee0f3297a58e49eefb21bf7b9041f808732b8d8719635abb985e9fa8318c623
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 2b9014133aaa77f5f27864dff13d7940
SHA1 f155541b56011e388e8905adea27d6fbc260c289
SHA256 b5039465de26a9d53d3cf6525d1b360d1586ec4484576ec364d3636c71a7e182
SHA512 cb266622d426c2abd59a3adba5a213c680edf37fc14bf96e671d620568283a28f16a2a1d9f4b0acb9a2be2cbdae40996f6e43b27dea4d326c599fbbff54ac709
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 d7cf60c67c912afae0468d95791ab487
SHA1 7098de87e09b155689f76d94f05be113aabf6ab3
SHA256 19af4fd80044dc31a933936a1239bffdef14befbb509acef5139e1d59a7b72dd
SHA512 27087cd9e51309b909714b43bc16ea3f7661d1d340a93415222e8547f1334ec722e5a41f6bb6dabbf8cda1ed250408feefeed381d6e99eee68c9a0c1a4e7f7e3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 fe2da1ddcc788b21c0ad786709f9a48c
SHA1 27e263d704b87b666343951be1f35b2f4bd05c11
SHA256 6c32f4711e463715aa01c89a56c555435507004aa4eed63aca7944da5785cf78
SHA512 54e3d2826bd607aed5d61c845ca8f39e8889842be811b3b38e91b71172dcf8a48c9bb74a03bcdc3beae02d213d45a27206e3b85b838259788422a4aa447797b5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 9a34d585f5ddec005b8a595a2b7a7a3b
SHA1 1ce6e473de298bff3bdd2ddf39aec38fe27fca00
SHA256 c8824e8a6b5de37d9adaa49d8802c3df7a0d4001c7239e66da0dc5fe202ca668
SHA512 9a53d172aed7d42e7d47f0621d89cf6b11096921bbaca0c0ab43c85fbb4aa22b7c0b3ca14328e0a1ba0d7322a69bfe8b772f2659011c9fccc74cd77c17ac3175
Filesize
10.0MB
MD5305b424f87d4b6f08eacdf47f8eefcd1
SHA19622b76a56443fddead8f4996d5f1b4e05fa0b93
SHA25648a61875fe1ef52b1f375b1e95f38193da7bccfa0a54cd283687b4ccce59fced
SHA512b5d53d066693b02ae39d3c2e0095a53aa311e2cf0a239a43ebd2d8bc7e481cdb26d0819c577f60433f0a23b7141b8a9ed94d1fd8dce6e9e3fffa441eef4bd7a3
-
Filesize
10.0MB
MD5305b424f87d4b6f08eacdf47f8eefcd1
SHA19622b76a56443fddead8f4996d5f1b4e05fa0b93
SHA25648a61875fe1ef52b1f375b1e95f38193da7bccfa0a54cd283687b4ccce59fced
SHA512b5d53d066693b02ae39d3c2e0095a53aa311e2cf0a239a43ebd2d8bc7e481cdb26d0819c577f60433f0a23b7141b8a9ed94d1fd8dce6e9e3fffa441eef4bd7a3
-
Filesize
814B
MD5fd63ee3928edd99afc5bdf17e4f1e7b6
SHA11b40433b064215ea6c001332c2ffa093b1177875
SHA2562a2ddbdc4600e829ad756fd5e84a79c0401fa846ad4f2f2fb235b410e82434a9
SHA5121925cde90ee84db1e5c15fa774ee5f10fa368948df7643259b03599ad58cfce9d409fd2cd752ff4cbca60b4bbe92b184ff92a0c6e8b78849c4497d38266bd3b4
-
Filesize
2.0MB
MD53a72aae846afdd8c7f070f390a2151b0
SHA1dadb6c535731cf4445ee8ce2c216585ccc80760b
SHA25663a52c497a4a0f8c62d7686486fd3be8c3297024e336c0953ab2dcad9dceed3c
SHA512cc1e2c1d45f133f50ca80e0699122976ff9f141530ad0d45863da0df94399812853f1f21b31b17fb1a7e8a7461ebf5cd6c591eb56df2dbdc448ba3bdfbcf06e9
-
Filesize
2.0MB
MD53a72aae846afdd8c7f070f390a2151b0
SHA1dadb6c535731cf4445ee8ce2c216585ccc80760b
SHA25663a52c497a4a0f8c62d7686486fd3be8c3297024e336c0953ab2dcad9dceed3c
SHA512cc1e2c1d45f133f50ca80e0699122976ff9f141530ad0d45863da0df94399812853f1f21b31b17fb1a7e8a7461ebf5cd6c591eb56df2dbdc448ba3bdfbcf06e9
-
Filesize
1.2MB
MD52c5cc4fed6ef0d07e8a855ea52b7c108
SHA16db652c54c0e712f1db740fc8535791bf7845dcc
SHA25660410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474
SHA512cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc
-
Filesize
1.2MB
MD52c5cc4fed6ef0d07e8a855ea52b7c108
SHA16db652c54c0e712f1db740fc8535791bf7845dcc
SHA25660410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474
SHA512cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc
-
Filesize
1.7MB
MD501227301983ff36cb4a2e883e7df03ad
SHA13bce75ce687cfbe2ab05d8b3099b18983785327a
SHA256cebb53236803ce766583f57b18025ef6a0b49224720cd1753c6a26a5b3a7c8a6
SHA5124d39c8adb6d5b179846e4a3ccc8b5fcd5a38a551cff535930a11a4ebb2ebb1b4fd81bb81a39b9aa74d0b1ae5600dbca679aa910a71376a4ed2bced61b5003fe0
-
Filesize
1.7MB
MD501227301983ff36cb4a2e883e7df03ad
SHA13bce75ce687cfbe2ab05d8b3099b18983785327a
SHA256cebb53236803ce766583f57b18025ef6a0b49224720cd1753c6a26a5b3a7c8a6
SHA5124d39c8adb6d5b179846e4a3ccc8b5fcd5a38a551cff535930a11a4ebb2ebb1b4fd81bb81a39b9aa74d0b1ae5600dbca679aa910a71376a4ed2bced61b5003fe0
-
Filesize
15.0MB
MD58484f06a0fe7ed5aa67533afa9ffdaed
SHA163939a50d6c543557af2e0ae79e1d4ab36909e6d
SHA256e8e727a4fcd9ac2337af227fe26a6202e703f0fc4fb5e9262222eab83fa37e32
SHA51204bc3551f03fca0b07a9737afeed311571fef43a854286ee9fea5f21adfc5fa8b87ee0914a95f887ebbe35c18e3086ee15a5a0606cf8f5e2a679b433576aa462
-
Filesize
15.0MB
MD58484f06a0fe7ed5aa67533afa9ffdaed
SHA163939a50d6c543557af2e0ae79e1d4ab36909e6d
SHA256e8e727a4fcd9ac2337af227fe26a6202e703f0fc4fb5e9262222eab83fa37e32
SHA51204bc3551f03fca0b07a9737afeed311571fef43a854286ee9fea5f21adfc5fa8b87ee0914a95f887ebbe35c18e3086ee15a5a0606cf8f5e2a679b433576aa462
-
Filesize
26KB
MD5d765f43cbea72d14c04af3d2b9c8e54b
SHA1daebe266073616e5fc931c319470fcf42a06867a
SHA25689c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0
SHA512ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2
-
Filesize
7KB
MD587868193626dc756d10885f46d76f42e
SHA194a5ce8ed7633ed77531b6cb14ceb1927c5cae1f
SHA256b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41
SHA51279751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277
-
Filesize
19KB
MD5c757503bc0c5a6679e07fe15b93324d6
SHA16a81aa87e4b07c7fea176c8adf1b27ddcdd44573
SHA25691ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e
SHA512efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99
-
Filesize
7KB
MD587868193626dc756d10885f46d76f42e
SHA194a5ce8ed7633ed77531b6cb14ceb1927c5cae1f
SHA256b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41
SHA51279751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277
-
Filesize
26KB
MD5d765f43cbea72d14c04af3d2b9c8e54b
SHA1daebe266073616e5fc931c319470fcf42a06867a
SHA25689c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0
SHA512ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2
-
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.PNF
Filesize 8KB
MD5 2c61c1506e7727e7545c88e150e70827
SHA1 32b763eb77ed6aaa855c4549df299176b9d73216
SHA256 0bccc9e1a7e5bc3c955253b8aed652b8dae053c96120b3347e84462689a9981e
SHA512 ee6d7df7dd4029670d3122d2b15e6e6ef2bf3900bd6f2af6d5647051975ced5aebcacb6bf8d77b058b9d08f6cdc83ea1af4d4856cd9ed0df2b29965e5f4483a5
-
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.inf
Filesize 7KB
MD5 87868193626dc756d10885f46d76f42e
SHA1 94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f
SHA256 b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41
SHA512 79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277
-
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\tap0901.cat
Filesize 19KB
MD5 c757503bc0c5a6679e07fe15b93324d6
SHA1 6a81aa87e4b07c7fea176c8adf1b27ddcdd44573
SHA256 91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e
SHA512 efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99
Filesize
1.4MB
MD5a5d13a5fa9bf8c7467e9b541dc85657b
SHA198cbf61891a221b9ba722d9dc3a8f8912cac168d
SHA256cdbc5e3d6628f257b76accff08742866b919ee697f967369595136cc4cc8bbaa
SHA512aafbc62d681c318f782346660538335a08100f1d06758cbefe6ea6c8f18969b618de21d99e2e5630d26a3ee24c8ed261c3842ff3627132d45596ef55606f4bb8
-
Filesize
26KB
MD5d765f43cbea72d14c04af3d2b9c8e54b
SHA1daebe266073616e5fc931c319470fcf42a06867a
SHA25689c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0
SHA512ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2
-
Filesize
19KB
MD5c757503bc0c5a6679e07fe15b93324d6
SHA16a81aa87e4b07c7fea176c8adf1b27ddcdd44573
SHA25691ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e
SHA512efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99
-
Filesize
8.7MB
MD5a220528f31dceddc955b791b13ac4989
SHA157a83b83a11b6e27c9e88a7835d8a84744d79bdd
SHA256e801fa187027537337d8b4e4bde3a7da95499172f6b1477830a216d0a385518b
SHA5129ef563fd0b960cf121093c6191fec6c03fcb8fe380065d9ba7a22f5be97f551294941bab2de9982ae563d858f17ca6df45f24353cf56cb77b052442410a54931
-
Filesize
8.7MB
MD5a220528f31dceddc955b791b13ac4989
SHA157a83b83a11b6e27c9e88a7835d8a84744d79bdd
SHA256e801fa187027537337d8b4e4bde3a7da95499172f6b1477830a216d0a385518b
SHA5129ef563fd0b960cf121093c6191fec6c03fcb8fe380065d9ba7a22f5be97f551294941bab2de9982ae563d858f17ca6df45f24353cf56cb77b052442410a54931
-
Filesize
90KB
MD5d10f74d86cd350732657f542df533f82
SHA1c54074f8f162a780819175e7169c43f6706ad46c
SHA256c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67
SHA5120d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e
-
Filesize
90KB
MD5d10f74d86cd350732657f542df533f82
SHA1c54074f8f162a780819175e7169c43f6706ad46c
SHA256c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67
SHA5120d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e
-
Filesize
90KB
MD5d10f74d86cd350732657f542df533f82
SHA1c54074f8f162a780819175e7169c43f6706ad46c
SHA256c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67
SHA5120d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e
-
Filesize
7.1MB
MD5c6b1934d3e588271f27a38bfeed42abb
SHA108072ecb9042e6f7383d118c78d45b42a418864f
SHA25635ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8
SHA5121db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692
-
Filesize
7.1MB
MD5c6b1934d3e588271f27a38bfeed42abb
SHA108072ecb9042e6f7383d118c78d45b42a418864f
SHA25635ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8
SHA5121db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692
-
Filesize
7.1MB
MD5c6b1934d3e588271f27a38bfeed42abb
SHA108072ecb9042e6f7383d118c78d45b42a418864f
SHA25635ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8
SHA5121db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692
-
Filesize
7.1MB
MD5c6b1934d3e588271f27a38bfeed42abb
SHA108072ecb9042e6f7383d118c78d45b42a418864f
SHA25635ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8
SHA5121db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692
-
Filesize
7.1MB
MD5c6b1934d3e588271f27a38bfeed42abb
SHA108072ecb9042e6f7383d118c78d45b42a418864f
SHA25635ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8
SHA5121db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692
-
Filesize
7.1MB
MD5c6b1934d3e588271f27a38bfeed42abb
SHA108072ecb9042e6f7383d118c78d45b42a418864f
SHA25635ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8
SHA5121db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692
-
Filesize
10.0MB
MD5305b424f87d4b6f08eacdf47f8eefcd1
SHA19622b76a56443fddead8f4996d5f1b4e05fa0b93
SHA25648a61875fe1ef52b1f375b1e95f38193da7bccfa0a54cd283687b4ccce59fced
SHA512b5d53d066693b02ae39d3c2e0095a53aa311e2cf0a239a43ebd2d8bc7e481cdb26d0819c577f60433f0a23b7141b8a9ed94d1fd8dce6e9e3fffa441eef4bd7a3
-
Filesize
2.0MB
MD53a72aae846afdd8c7f070f390a2151b0
SHA1dadb6c535731cf4445ee8ce2c216585ccc80760b
SHA25663a52c497a4a0f8c62d7686486fd3be8c3297024e336c0953ab2dcad9dceed3c
SHA512cc1e2c1d45f133f50ca80e0699122976ff9f141530ad0d45863da0df94399812853f1f21b31b17fb1a7e8a7461ebf5cd6c591eb56df2dbdc448ba3bdfbcf06e9
-
Filesize
1.2MB
MD52c5cc4fed6ef0d07e8a855ea52b7c108
SHA16db652c54c0e712f1db740fc8535791bf7845dcc
SHA25660410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474
SHA512cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc
-
Filesize
1.2MB
MD52c5cc4fed6ef0d07e8a855ea52b7c108
SHA16db652c54c0e712f1db740fc8535791bf7845dcc
SHA25660410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474
SHA512cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc
-
Filesize
1.2MB
MD52c5cc4fed6ef0d07e8a855ea52b7c108
SHA16db652c54c0e712f1db740fc8535791bf7845dcc
SHA25660410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474
SHA512cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc
-
Filesize
1.2MB
MD52c5cc4fed6ef0d07e8a855ea52b7c108
SHA16db652c54c0e712f1db740fc8535791bf7845dcc
SHA25660410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474
SHA512cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc
-
Filesize
5.6MB
MD5b431083586e39d018e19880ad1a5ce8f
SHA13bbf957ab534d845d485a8698accc0a40b63cedd
SHA256b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b
SHA5127805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b
-
Filesize
959KB
MD5b5e330f90e1bab5e5ee8ccb04e679687
SHA13360a68276a528e4b651c9019b6159315c3acca8
SHA2562900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441
SHA51241ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c
-
Filesize
63KB
MD51c55ae5ef9980e3b1028447da6105c75
SHA1f85218e10e6aa23b2f5a3ed512895b437e41b45c
SHA2566afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
SHA5121ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
41KB
MD5ef899fa243c07b7b82b3a45f6ec36771
SHA14a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe
SHA256da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77
SHA5123f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8
-
Filesize
2.3MB
MD53d88c579199498b224033b6b66638fb8
SHA16f6303288e2206efbf18e4716095059fada96fc4
SHA2565bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3
SHA5129740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9
-
Filesize
1.7MB
MD501227301983ff36cb4a2e883e7df03ad
SHA13bce75ce687cfbe2ab05d8b3099b18983785327a
SHA256cebb53236803ce766583f57b18025ef6a0b49224720cd1753c6a26a5b3a7c8a6
SHA5124d39c8adb6d5b179846e4a3ccc8b5fcd5a38a551cff535930a11a4ebb2ebb1b4fd81bb81a39b9aa74d0b1ae5600dbca679aa910a71376a4ed2bced61b5003fe0
-
Filesize
15.0MB
MD58484f06a0fe7ed5aa67533afa9ffdaed
SHA163939a50d6c543557af2e0ae79e1d4ab36909e6d
SHA256e8e727a4fcd9ac2337af227fe26a6202e703f0fc4fb5e9262222eab83fa37e32
SHA51204bc3551f03fca0b07a9737afeed311571fef43a854286ee9fea5f21adfc5fa8b87ee0914a95f887ebbe35c18e3086ee15a5a0606cf8f5e2a679b433576aa462