Analysis
max time kernel: 1201s
max time network: 1094s
platform: windows10_x64
resource: win10-20220331-en
submitted: 03-04-2022 16:13

Static task: static1

Behavioral task: behavioral1
Sample: $RTWBRPB.exe
Resource: win7-20220311-en

Behavioral task: behavioral2
Sample: $RTWBRPB.exe
Resource: win10-20220331-en

Behavioral task: behavioral3
Sample: $RTWBRPB.exe
Resource: win10v2004-20220331-en

Behavioral task: behavioral4
Sample: $RTWBRPB.exe
Resource: win11-20220223-en

General
Target: $RTWBRPB.exe
Size: 5.0MB
MD5: b8c24a19ae1706e4baf0253b8f33abe3
SHA1: a6eb472bb97ddec488203467d10bc26e86dc8e53
SHA256: 3c855659332b10f81efb7574d83624a30db08c15fe3927cee1dbdb2c523d3554
SHA512: 2c18eea5f88c2cf0fcceacfa8df78d50d59cdcf9d21369c4cffea43a4e020f31a0ad27394ff22572585c2db7708d8c10c5b7e74000d83c1f543a3608190e5b68
Malware Config
Signatures
Downloads MZ/PE file
Executes dropped EXE 22 IoCs
pid | Process
2480 | GenericSetup.exe
3644 | Carrier.exe
4600 | BitTorrent.exe
3896 | bittorrentie.exe
4296 | bittorrentie.exe
416 | bittorrentie.exe
812 | bittorrentie.exe
476 | bittorrentie.exe
2824 | bittorrentie.exe
4352 | bittorrentie.exe
4764 | bittorrentie.exe
3912 | bittorrentie.exe
60 | bittorrentie.exe
4316 | bittorrentie.exe
500 | bittorrentie.exe
3960 | bittorrentie.exe
2432 | bittorrentie.exe
4828 | bittorrentie.exe
4072 | helper.exe
4344 | bittorrentie.exe
1556 | bittorrentie.exe
4380 | bittorrentie.exe

resource | yara_rule
behavioral2/files/0x0008000000019dbe-132.dat | upx
behavioral2/files/0x0008000000019dbe-133.dat | upx
behavioral2/files/0x0006000000019ded-134.dat | upx
behavioral2/files/0x0006000000019ded-136.dat | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Control Panel\International\Geo\Nation | BitTorrent.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Wine | Carrier.exe
Key opened | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Wine | Carrier.exe
Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Wine | BitTorrent.exe
Key opened | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Wine | BitTorrent.exe
Loads dropped DLL 1 IoCs
pid | Process
2480 | GenericSetup.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Windows\CurrentVersion\Run\bt = "C:\\Users\\Admin\\AppData\\Roaming\\BitTorrent\\BitTorrent.exe /MINIMIZED" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Windows\CurrentVersion\Run | BitTorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Windows\CurrentVersion\Run\bt = "\"C:\\Users\\Admin\\AppData\\Roaming\\BitTorrent\\BitTorrent.exe\" /MINIMIZED" | BitTorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Windows\CurrentVersion\Run | Carrier.exe
Checks for any installed AV software in registry 1 TTPs 8 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | GenericSetup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | BitTorrent.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | BitTorrent.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | BitTorrent.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | BitTorrent.exe

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | BitTorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION | BitTorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION | BitTorrent.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION\bittorrentie.exe = "0" | BitTorrent.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\bittorrentie.exe = "11000" | BitTorrent.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\bittorrentie.exe = "1" | BitTorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid | Process
2480 | GenericSetup.exe
2480 | GenericSetup.exe
2480 | GenericSetup.exe
2480 | GenericSetup.exe
2480 | GenericSetup.exe
2480 | GenericSetup.exe
2480 | GenericSetup.exe
2480 | GenericSetup.exe
2480 | GenericSetup.exe
2480 | GenericSetup.exe
2480 | GenericSetup.exe
4600 | BitTorrent.exe
4600 | BitTorrent.exe
2480 | GenericSetup.exe
2480 | GenericSetup.exe
2480 | GenericSetup.exe
2480 | GenericSetup.exe
4600 | BitTorrent.exe
4600 | BitTorrent.exe
4600 | BitTorrent.exe
4600 | BitTorrent.exe
4600 | BitTorrent.exe
4600 | BitTorrent.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4600 | BitTorrent.exe
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
4060 | MicrosoftEdgeCP.exe
4060 | MicrosoftEdgeCP.exe
Suspicious use of AdjustPrivilegeToken 13 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2480 | GenericSetup.exe
Token: SeManageVolumePrivilege | 3644 | Carrier.exe
Token: SeManageVolumePrivilege | 4600 | BitTorrent.exe
Token: SeDebugPrivilege | 2212 | MicrosoftEdge.exe
Token: SeDebugPrivilege | 2212 | MicrosoftEdge.exe
Token: SeDebugPrivilege | 2212 | MicrosoftEdge.exe
Token: SeDebugPrivilege | 2212 | MicrosoftEdge.exe
Token: SeDebugPrivilege | 1564 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 1564 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 1564 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 1564 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 2480 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 2480 | MicrosoftEdgeCP.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
4600 | BitTorrent.exe
4600 | BitTorrent.exe
4600 | BitTorrent.exe
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
4600 | BitTorrent.exe
4600 | BitTorrent.exe
4600 | BitTorrent.exe
Suspicious use of SetWindowsHookEx 38 IoCs
pid | Process
2480 | GenericSetup.exe
3896 | bittorrentie.exe
3896 | bittorrentie.exe
416 | bittorrentie.exe
416 | bittorrentie.exe
812 | bittorrentie.exe
812 | bittorrentie.exe
476 | bittorrentie.exe
476 | bittorrentie.exe
2212 | MicrosoftEdge.exe
2824 | bittorrentie.exe
2824 | bittorrentie.exe
4060 | MicrosoftEdgeCP.exe
4060 | MicrosoftEdgeCP.exe
4352 | bittorrentie.exe
4352 | bittorrentie.exe
4764 | bittorrentie.exe
4764 | bittorrentie.exe
3912 | bittorrentie.exe
3912 | bittorrentie.exe
60 | bittorrentie.exe
60 | bittorrentie.exe
4316 | bittorrentie.exe
4316 | bittorrentie.exe
500 | bittorrentie.exe
500 | bittorrentie.exe
3960 | bittorrentie.exe
3960 | bittorrentie.exe
2432 | bittorrentie.exe
2432 | bittorrentie.exe
4828 | bittorrentie.exe
4828 | bittorrentie.exe
4344 | bittorrentie.exe
4344 | bittorrentie.exe
1556 | bittorrentie.exe
1556 | bittorrentie.exe
4380 | bittorrentie.exe
4380 | bittorrentie.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2400 wrote to memory of 2480 | 2400 | $RTWBRPB.exe | 66
PID 2400 wrote to memory of 2480 | 2400 | $RTWBRPB.exe | 66
PID 2400 wrote to memory of 2480 | 2400 | $RTWBRPB.exe | 66
PID 2480 wrote to memory of 2284 | 2480 | GenericSetup.exe | 69
PID 2480 wrote to memory of 2284 | 2480 | GenericSetup.exe | 69
PID 2480 wrote to memory of 2284 | 2480 | GenericSetup.exe | 69
PID 2284 wrote to memory of 3644 | 2284 | cmd.exe | 71
PID 2284 wrote to memory of 3644 | 2284 | cmd.exe | 71
PID 2284 wrote to memory of 3644 | 2284 | cmd.exe | 71
PID 4600 wrote to memory of 3896 | 4600 | BitTorrent.exe | 78
PID 4600 wrote to memory of 3896 | 4600 | BitTorrent.exe | 78
PID 4600 wrote to memory of 3896 | 4600 | BitTorrent.exe | 78
PID 4600 wrote to memory of 4296 | 4600 | BitTorrent.exe | 79
PID 4600 wrote to memory of 4296 | 4600 | BitTorrent.exe | 79
PID 4600 wrote to memory of 4296 | 4600 | BitTorrent.exe | 79
PID 4600 wrote to memory of 416 | 4600 | BitTorrent.exe | 80
PID 4600 wrote to memory of 416 | 4600 | BitTorrent.exe | 80
PID 4600 wrote to memory of 416 | 4600 | BitTorrent.exe | 80
PID 4600 wrote to memory of 812 | 4600 | BitTorrent.exe | 81
PID 4600 wrote to memory of 812 | 4600 | BitTorrent.exe | 81
PID 4600 wrote to memory of 812 | 4600 | BitTorrent.exe | 81
PID 4600 wrote to memory of 476 | 4600 | BitTorrent.exe | 83
PID 4600 wrote to memory of 476 | 4600 | BitTorrent.exe | 83
PID 4600 wrote to memory of 476 | 4600 | BitTorrent.exe | 83
PID 4600 wrote to memory of 2824 | 4600 | BitTorrent.exe | 86
PID 4600 wrote to memory of 2824 | 4600 | BitTorrent.exe | 86
PID 4600 wrote to memory of 2824 | 4600 | BitTorrent.exe | 86
PID 4600 wrote to memory of 4352 | 4600 | BitTorrent.exe | 89
PID 4600 wrote to memory of 4352 | 4600 | BitTorrent.exe | 89
PID 4600 wrote to memory of 4352 | 4600 | BitTorrent.exe | 89
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4600 wrote to memory of 4764 | 4600 | BitTorrent.exe | 93
PID 4600 wrote to memory of 4764 | 4600 | BitTorrent.exe | 93
PID 4600 wrote to memory of 4764 | 4600 | BitTorrent.exe | 93
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4060 wrote to memory of 2352 | 4060 | MicrosoftEdgeCP.exe | 91
PID 4600 wrote to memory of 3912 | 4600 | BitTorrent.exe | 94
PID 4600 wrote to memory of 3912 | 4600 | BitTorrent.exe | 94
PID 4600 wrote to memory of 3912 | 4600 | BitTorrent.exe | 94
PID 4600 wrote to memory of 60 | 4600 | BitTorrent.exe | 95
PID 4600 wrote to memory of 60 | 4600 | BitTorrent.exe | 95
PID 4600 wrote to memory of 60 | 4600 | BitTorrent.exe | 95
PID 4600 wrote to memory of 4316 | 4600 | BitTorrent.exe | 96
PID 4600 wrote to memory of 4316 | 4600 | BitTorrent.exe | 96
PID 4600 wrote to memory of 4316 | 4600 | BitTorrent.exe | 96
PID 4600 wrote to memory of 500 | 4600 | BitTorrent.exe | 98
PID 4600 wrote to memory of 500 | 4600 | BitTorrent.exe | 98
PID 4600 wrote to memory of 500 | 4600 | BitTorrent.exe | 98
PID 4600 wrote to memory of 3960 | 4600 | BitTorrent.exe | 99
PID 4600 wrote to memory of 3960 | 4600 | BitTorrent.exe | 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\$RTWBRPB.exe
"C:\Users\Admin\AppData\Local\Temp\$RTWBRPB.exe"
- Suspicious use of WriteProcessMemory
PID:2400
    C:\Users\Admin\AppData\Local\Temp\7zS069EAB46\GenericSetup.exe
    .\GenericSetup.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2480
        C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1649009727\Carrier.exe" /S /FORCEINSTALL 1110010101111110"
        - Suspicious use of WriteProcessMemory
        PID:2284
            C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1649009727\Carrier.exe
            "C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1649009727\Carrier.exe" /S /FORCEINSTALL 1110010101111110
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Adds Run key to start application
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            PID:3644
-
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
PID:4992
-
C:\Users\Admin\AppData\Roaming\BitTorrent\BitTorrent.exe
"C:\Users\Admin\AppData\Roaming\BitTorrent\BitTorrent.exe" /RUNONSTARTUP
- Executes dropped EXE
- Checks computer location settings
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4600
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0498_429641409 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3896
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0400_652006866 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    PID:4296
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0400_1599015810 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:416
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0400_1496335264 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:812
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0498_812523544 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:476
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0498_566740109 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2824
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0498_71487676 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4352
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0498_2048865201 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4764
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0498_1678509909 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3912
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0498_1246065501 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:60
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0498_1828483554 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4316
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0498_1440718746 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:500
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0498_2144240512 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3960
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0498_1569068339 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2432
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0498_1431860158 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4828
    C:\Users\Admin\AppData\Roaming\BitTorrent\helper\helper.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\helper\helper.exe" 58498 --hval g31dxG4GKAu7d3IE -- -pid 4600 -version 46211
    - Executes dropped EXE
    PID:4072
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0498_2114567315 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4344
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0498_1774367813 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1556
    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe
    "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_4600_03AD0498_1096148264 BT4823DF041B09 BitTorrent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4380
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2212
-
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
- Modifies Internet Explorer settings
PID:3144
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4060
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
PID:4672
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies registry class
PID:2352
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2480
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 92B
MD5 a721c745490a6240166b2671cd6d4d9a
SHA1 834a37829b9824a0e73927f363a8441c599f3ac6
SHA256 7ba8e0943b54e717b19c8653870a48e2d94c6171ac06a4b1fd49481a1b548a0c
SHA512 6c85ed4f583ec256ea94031e4b30b8882a47bf9975f1207efc2e7369d8f63036bcec227fdb05d857ffd872fc316bd96bd821ef3564edc255403a240eaf9b3d61
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
Filesize 1KB
MD5 fbe6540c9b8f9c5e4037c78b75cfc85a
SHA1 7cec860e3fa1da38f487106d7d74bfd195cb59cf
SHA256 b12d609bd17c544f5f67e51b1428f5911d319ff5cdf62d209202c5107a9204c7
SHA512 c30126e9d4ebc1a8147fa0ee2e217efc2de5a29563e567bcd920b0b69f6ba85107e10bf706fb7757feaed7cf6aaa181c5d117b92024252c396c8837eb636fef3
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize 1KB
MD5 a45cdb16b1a10e95d57af30bc8a04573
SHA1 5716763f252564722c1567e89cac1aae10047928
SHA256 e4353be7cb2bc22e53b043f160dc276c08a8477e0fc6f1c8c15eac6422690369
SHA512 e39d89843c66f60bab021d3510ff27293a60651645f6d2bd7a389d632fa00b6665a97fe6b26d9accb918d78e1ad0fb231efe4443a7a9f7cd30a89710c34a682f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize 1KB
MD5 3ced30683f1d0f830e70a0bb94b90c3b
SHA1 a4df26688abbf4c2fac59fcf7ab403b47ea352d8
SHA256 a71a13e0f94ab2eb71a4b85bd542811558213ab1023e9a1486f458e04799e283
SHA512 d5e7ab314e0fabacff3c49e38b812e37bb02969d5a8643326c3b586bbce01738b5d6419d06082ad1bc672f194169738efca798cb50e13e80a383c1696b5ef589
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
Filesize 442B
MD5 71bb2f0c83553081f082c06b4320a68f
SHA1 707a4f39d9c027b6439f67f9635fc4c589142fbc
SHA256 a13f5a2c503170680f92cf713c85213b299ae4df1941816c368f5351a0250ecc
SHA512 12f3a544ddc5389a71aa841725db563bfbbaf0d4c1d0a8eb5673d818b19ca299ba6b53e6e5fea9278095ed4e2687019a9e30709d4908441a9ef204b56a7f3f7b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize 458B
MD5 456af7bd0e6b26b936054cf5ca2cd565
SHA1 a4a29f0582e1105bc5eb75a974ff50435d4900f8
SHA256 7f2544b48ada87ff0915e67cb44a3e15ab81485e80aff13521201c491f384e7f
SHA512 3592ae292b5939d09785daf726d93a7100943c54b3a8aa716f7b31a55ecb3e1c276f045e1d30d44d936527508ccaa9ba025d59cc0a1802a59bf1b609148955d1
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize 432B
MD5 dcf5ee73e0f7cac042650a9aa4cc6af2
SHA1 8968f13c1515248f86d8ab771634dbff3ebe639d
SHA256 212128584a2989724f6ab65cf84d8e87be6b95a4750e5d919df96db5fe295d09
SHA512 2736244926b95a0ba0cf21780801078121f7a90dfce2ea4a00bf9db4a7d04e1c84fd665abb234743d6c74426fe437952a520a952cb86d36bd582ae38e3bb8e22
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri
Filesize 207KB
MD5 e2b88765ee31470114e866d939a8f2c6
SHA1 e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256 523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512 462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
Filesize 10.0MB
MD5 305b424f87d4b6f08eacdf47f8eefcd1
SHA1 9622b76a56443fddead8f4996d5f1b4e05fa0b93
SHA256 48a61875fe1ef52b1f375b1e95f38193da7bccfa0a54cd283687b4ccce59fced
SHA512 b5d53d066693b02ae39d3c2e0095a53aa311e2cf0a239a43ebd2d8bc7e481cdb26d0819c577f60433f0a23b7141b8a9ed94d1fd8dce6e9e3fffa441eef4bd7a3
-
Filesize 814B
MD5 fd63ee3928edd99afc5bdf17e4f1e7b6
SHA1 1b40433b064215ea6c001332c2ffa093b1177875
SHA256 2a2ddbdc4600e829ad756fd5e84a79c0401fa846ad4f2f2fb235b410e82434a9
SHA512 1925cde90ee84db1e5c15fa774ee5f10fa368948df7643259b03599ad58cfce9d409fd2cd752ff4cbca60b4bbe92b184ff92a0c6e8b78849c4497d38266bd3b4
-
Filesize 2.0MB
MD5 3a72aae846afdd8c7f070f390a2151b0
SHA1 dadb6c535731cf4445ee8ce2c216585ccc80760b
SHA256 63a52c497a4a0f8c62d7686486fd3be8c3297024e336c0953ab2dcad9dceed3c
SHA512 cc1e2c1d45f133f50ca80e0699122976ff9f141530ad0d45863da0df94399812853f1f21b31b17fb1a7e8a7461ebf5cd6c591eb56df2dbdc448ba3bdfbcf06e9
-
Filesize 4.9MB
MD5 b13c3cbf6ac3fee83ea38fa1164376ba
SHA1 440956cf95926e7d7cb2dba57a5de4bba87ed06c
SHA256 9baee772391167e729cbf149a29a4eed8f1c99b74034361ca95df54b1308893a
SHA512 43f877b34343ed68b4797ded8dd1bef3446a29b31b5ca42ac80da8fb8183c8b8af865469a23ebe87728cd2102dd97fadbdc16d5b53ccd23ba93cfeb8c92d3789
-
Filesize 8KB
MD5 3e18386cb3c53e0470aab9c832d01c85
SHA1 654f75e928cc1614ce9a5b78f22c47d3072280f6
SHA256 1d6be57b629aef70dacfef49cd2d7535adf7d7f69bcae76f13ccd572163813e7
SHA512 07531485f34b56516ce06d2cc04352f86210562e8bcaf6767807dabf69611d4978eaf5193fe81b17fb5597e6b121adaa3f2cf418806cb305274ed10eedca9b2c
-
Filesize 537KB
MD5 0eb34002d91ec0e59b90e6eb922895cb
SHA1 1fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
SHA256 65f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
SHA512 8bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3729659790-1998850411-3319863756-1000\9d1627c087e30ee6fe8c9cce3c77e841_d3041c85-2b75-40fa-bc85-00cb01f9567b
Filesize 1KB
MD5 a282f2a032655c8e7e7a03577675c5b7
SHA1 e8e4b149e7d35c92ba3b8e98a31f66b9da25bfbc
SHA256 e13951f065159bb01d85eea703006e5c965c7f028586c2eb54f109624c5bdb26
SHA512 094ebec386146b5b4b48e6d55e7164d34922c49566906fa1ffb09254edac963bab487606299aa76b375a45db04c55ecdb3ad302cb43e27b5fa6d147442bb72be
-
Filesize 5.6MB
MD5 b431083586e39d018e19880ad1a5ce8f
SHA1 3bbf957ab534d845d485a8698accc0a40b63cedd
SHA256 b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b
SHA512 7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b