Analysis
max time kernel: 1201s
max time network: 1210s
platform: windows10-2004_x64
resource: win10v2004-20220331-en
submitted: 03-04-2022 16:13
Static task: static1
Behavioral task: behavioral1
  Sample: $RTWBRPB.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: $RTWBRPB.exe
  Resource: win10-20220331-en
Behavioral task: behavioral3
  Sample: $RTWBRPB.exe
  Resource: win10v2004-20220331-en
Behavioral task: behavioral4
  Sample: $RTWBRPB.exe
  Resource: win11-20220223-en
General
Target: $RTWBRPB.exe
Size: 5.0MB
MD5: b8c24a19ae1706e4baf0253b8f33abe3
SHA1: a6eb472bb97ddec488203467d10bc26e86dc8e53
SHA256: 3c855659332b10f81efb7574d83624a30db08c15fe3927cee1dbdb2c523d3554
SHA512: 2c18eea5f88c2cf0fcceacfa8df78d50d59cdcf9d21369c4cffea43a4e020f31a0ad27394ff22572585c2db7708d8c10c5b7e74000d83c1f543a3608190e5b68
Malware Config
Signatures
Downloads MZ/PE file
Executes dropped EXE 22 IoCs
pid | Process
5028 | GenericSetup.exe
4452 | Carrier.exe
2432 | BitTorrent.exe
2608 | bittorrentie.exe
1700 | bittorrentie.exe
4896 | bittorrentie.exe
4664 | bittorrentie.exe
3804 | bittorrentie.exe
2116 | bittorrentie.exe
756 | bittorrentie.exe
3400 | bittorrentie.exe
4912 | bittorrentie.exe
3416 | bittorrentie.exe
4552 | bittorrentie.exe
3432 | bittorrentie.exe
4316 | bittorrentie.exe
656 | bittorrentie.exe
1520 | bittorrentie.exe
4008 | helper.exe
3968 | bittorrentie.exe
1608 | bittorrentie.exe
4936 | bittorrentie.exe
resource | yara_rule
behavioral3/files/0x0006000000021e5f-135.dat | upx
behavioral3/files/0x0006000000021e5f-136.dat | upx
behavioral3/files/0x0006000000021e79-137.dat | upx
behavioral3/files/0x0006000000021e79-138.dat | upx
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Wine | Carrier.exe
Key opened | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Wine | Carrier.exe
Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Wine | BitTorrent.exe
Key opened | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Wine | BitTorrent.exe
Loads dropped DLL 1 IoCs
pid | Process
5028 | GenericSetup.exe
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Windows\CurrentVersion\Run | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bt = "C:\\Users\\Admin\\AppData\\Roaming\\BitTorrent\\BitTorrent.exe /MINIMIZED" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Windows\CurrentVersion\Run | BitTorrent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bt = "\"C:\\Users\\Admin\\AppData\\Roaming\\BitTorrent\\BitTorrent.exe\" /MINIMIZED" | BitTorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Checks for any installed AV software in registry 1 TTPs 8 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir | GenericSetup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV | GenericSetup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4f7e2f96-d9ef-467a-bcc1-c2d70ece7707.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220403181937.pma | setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | BitTorrent.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | BitTorrent.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | BitTorrent.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | BitTorrent.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | BitTorrent.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\bittorrentie.exe = "11000" | BitTorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION | BitTorrent.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\bittorrentie.exe = "1" | BitTorrent.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION | BitTorrent.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION\bittorrentie.exe = "0" | BitTorrent.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Magnet\DefaultIcon | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\bittorrent | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.btapp\Content Type = "application/x-bittorrent-app" | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.btkey\Content Type = "application/x-bittorrent-key" | Carrier.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-key\Extension = ".btkey" | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.btskin\Content Type = "application/x-bittorrent-skin" | Carrier.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-appinst | Carrier.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.btsearch\Content Type = "application/x-bittorrentsearchdescription+xml" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\bittorrent\DefaultIcon | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.btapp | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.btapp\ = "BitTorrent" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\BitTorrent\shell | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\BitTorrent\Content Type | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.torrent\OpenWithProgids | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.btinstall\Content Type = "application/x-bittorrent-appinst" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Magnet\shell\open\command | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\BitTorrent\URL Protocol | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\BitTorrent\Content Type = "application/x-bittorrent-protocol" | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-app\Extension = ".btapp" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.btinstall | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\BitTorrent | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\BitTorrent\shell\open\command | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Magnet\ = "Magnet URI" | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\BitTorrent\ = "bittorrent URI" | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.btinstall\ = "BitTorrent" | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\BitTorrent\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\BitTorrent\\maindoc.ico" | Carrier.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent\Extension = ".torrent" | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Magnet\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\BitTorrent\\BitTorrent.exe\" \"%1\" /SHELLASSOC" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.btkey | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Applications\BitTorrent.exe\shell\open | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\MIME\Database\Content Type\application/x-bittorrent | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\MIME\Database\Content Type\application/x-bittorrent\Extension = ".torrent" | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\BitTorrent\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\BitTorrent\\BitTorrent.exe\" \"%1\" /SHELLASSOC" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Magnet\shell | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\bittorrent\shell | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Applications\BitTorrent.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\BitTorrent\\BitTorrent.exe\" \"%1\" /SHELLASSOC" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.btsearch | Carrier.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml\Extension = ".btsearch" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Magnet\shell\open | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Magnet\shell\ = "open" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-app | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.btskin\ = "BitTorrent" | Carrier.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-appinst\Extension = ".btinstall" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-appinst | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\BitTorrent\DefaultIcon | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\BitTorrent\shell\open | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\BitTorrent\shell\ = "open" | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Magnet\Content Type = "application/x-magnet" | Carrier.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-app\Extension = ".btapp" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-key | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-key\Extension = ".btkey" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Applications\BitTorrent.exe\shell\open\command | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.torrent\ = "BitTorrent" | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.torrent\Content Type = "application/x-bittorrent" | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\BitTorrent\Content Type\ = "application/x-bittorrent" | Carrier.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-skin | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-skin | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-skin\Extension = ".btskin" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Applications\BitTorrent.exe\shell | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\.btsearch\ = "BitTorrent" | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml | Carrier.exe
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Magnet | Carrier.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Magnet\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\BitTorrent\\maindoc.ico" | Carrier.exe
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 GenericSetup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 GenericSetup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a028
2010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 GenericSetup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431 BitTorrent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 
0f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b060105050703076200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1770b000000010000001e00000045006e00740072007500730074002000280032003000340038002900000014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c7e000000010000000800000000c001b39667d601030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d343120000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb1
81a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551 BitTorrent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 GenericSetup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 GenericSetup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4 GenericSetup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 
0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa5
27d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6 GenericSetup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 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 GenericSetup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 
19000000010000001000000091fad483f14848a8a69b18b805cdbb3a030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d34317e000000010000000800000000c001b39667d6011d0000000100000010000000e871723e266f38af5d49cda2a502669c14000000010000001400000055e481d11180bed889b908a331f9a1240916b9700b000000010000001e00000045006e0074007200750073007400200028003200300034003800290000006200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1777f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d820000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868
c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551 BitTorrent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 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 BitTorrent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 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 BitTorrent.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid | Process
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
2432 | BitTorrent.exe
2432 | BitTorrent.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
5028 | GenericSetup.exe
1796 | msedge.exe
1796 | msedge.exe
2432 | BitTorrent.exe
2432 | BitTorrent.exe
3920 | msedge.exe
3920 | msedge.exe
1084 | identity_helper.exe
1084 | identity_helper.exe
2432 | BitTorrent.exe
2432 | BitTorrent.exe
3916 | msedge.exe
3916 | msedge.exe
3916 | msedge.exe
3916 | msedge.exe
2432 | BitTorrent.exe
2432 | BitTorrent.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2432 | BitTorrent.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid | Process
3920 | msedge.exe
3920 | msedge.exe
3920 | msedge.exe
3920 | msedge.exe
3920 | msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5028 | GenericSetup.exe
Token: SeManageVolumePrivilege | 4452 | Carrier.exe
Token: SeManageVolumePrivilege | 2432 | BitTorrent.exe
Suspicious use of FindShellTrayWindow 6 IoCs
pid | Process
2432 | BitTorrent.exe
2432 | BitTorrent.exe
2432 | BitTorrent.exe
3920 | msedge.exe
3920 | msedge.exe
3920 | msedge.exe
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
2432 | BitTorrent.exe
2432 | BitTorrent.exe
2432 | BitTorrent.exe
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
5028 | GenericSetup.exe
2608 | bittorrentie.exe
2608 | bittorrentie.exe
1700 | bittorrentie.exe
1700 | bittorrentie.exe
4896 | bittorrentie.exe
4896 | bittorrentie.exe
4664 | bittorrentie.exe
4664 | bittorrentie.exe
3804 | bittorrentie.exe
3804 | bittorrentie.exe
3400 | bittorrentie.exe
3400 | bittorrentie.exe
4912 | bittorrentie.exe
4912 | bittorrentie.exe
4552 | bittorrentie.exe
4552 | bittorrentie.exe
3432 | bittorrentie.exe
3432 | bittorrentie.exe
4316 | bittorrentie.exe
4316 | bittorrentie.exe
656 | bittorrentie.exe
656 | bittorrentie.exe
1520 | bittorrentie.exe
1520 | bittorrentie.exe
3968 | bittorrentie.exe
3968 | bittorrentie.exe
1608 | bittorrentie.exe
1608 | bittorrentie.exe
4936 | bittorrentie.exe
4936 | bittorrentie.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4304 wrote to memory of 5028 4304 $RTWBRPB.exe 79
PID 4304 wrote to memory of 5028 4304 $RTWBRPB.exe 79
PID 4304 wrote to memory of 5028 4304 $RTWBRPB.exe 79
PID 5028 wrote to memory of 4804 5028 GenericSetup.exe 82
PID 5028 wrote to memory of 4804 5028 GenericSetup.exe 82
PID 5028 wrote to memory of 4804 5028 GenericSetup.exe 82
PID 4804 wrote to memory of 4452 4804 cmd.exe 84
PID 4804 wrote to memory of 4452 4804 cmd.exe 84
PID 4804 wrote to memory of 4452 4804 cmd.exe 84
PID 2432 wrote to memory of 2608 2432 BitTorrent.exe 93
PID 2432 wrote to memory of 2608 2432 BitTorrent.exe 93
PID 2432 wrote to memory of 2608 2432 BitTorrent.exe 93
PID 2432 wrote to memory of 1700 2432 BitTorrent.exe 94
PID 2432 wrote to memory of 1700 2432 BitTorrent.exe 94
PID 2432 wrote to memory of 1700 2432 BitTorrent.exe 94
PID 2432 wrote to memory of 4896 2432 BitTorrent.exe 95
PID 2432 wrote to memory of 4896 2432 BitTorrent.exe 95
PID 2432 wrote to memory of 4896 2432 BitTorrent.exe 95
PID 2432 wrote to memory of 4664 2432 BitTorrent.exe 96
PID 2432 wrote to memory of 4664 2432 BitTorrent.exe 96
PID 2432 wrote to memory of 4664 2432 BitTorrent.exe 96
PID 2432 wrote to memory of 3804 2432 BitTorrent.exe 97
PID 2432 wrote to memory of 3804 2432 BitTorrent.exe 97
PID 2432 wrote to memory of 3804 2432 BitTorrent.exe 97
PID 2432 wrote to memory of 3920 2432 BitTorrent.exe 98
PID 2432 wrote to memory of 3920 2432 BitTorrent.exe 98
PID 3920 wrote to memory of 3992 3920 msedge.exe 99
PID 3920 wrote to memory of 3992 3920 msedge.exe 99
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
PID 3920 wrote to memory of 2668 3920 msedge.exe 100
Processes

C:\Users\Admin\AppData\Local\Temp\$RTWBRPB.exe  (PID 4304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\$RTWBRPB.exe"
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zS0D0D60C6\GenericSetup.exe  (PID 5028)
      Command line: .\GenericSetup.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks for any installed AV software in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 4804)
          Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1649009743\Carrier.exe" /S /FORCEINSTALL 1110010101111110"
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1649009743\Carrier.exe  (PID 4452)
              Command line: "C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1649009743\Carrier.exe" /S /FORCEINSTALL 1110010101111110
              - Executes dropped EXE
              - Identifies Wine through registry keys
              - Adds Run key to start application
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\DllHost.exe  (PID 3608)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}

C:\Users\Admin\AppData\Roaming\BitTorrent\BitTorrent.exe  (PID 2432)
  Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\BitTorrent.exe" /RUNONSTARTUP
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Checks SCSI registry key(s)
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 2608)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5EBE8_681306787 BT4823DF041B09 BitTorrent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 1700)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5E268_1124220432 BT4823DF041B09 BitTorrent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 4896)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5E268_1418262395 BT4823DF041B09 BitTorrent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 4664)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5E268_1052641434 BT4823DF041B09 BitTorrent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 3804)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5EBE8_277427226 BT4823DF041B09 BitTorrent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3920)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bittorrent.com/prodnews?v=7%2e10%2e5%2e1%2e46211
      - Adds Run key to start application
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3992)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd6a4546f8,0x7ffd6a454708,0x7ffd6a454718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2668)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1796)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4608)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4108)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1456)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2260)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1464)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3716)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1752)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5252 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 2440)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe  (PID 640)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          - Drops file in Program Files directory

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe  (PID 1556)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2a0,0x2a4,0x2a8,0x16c,0x2ac,0x7ff76a2b5460,0x7ff76a2b5470,0x7ff76a2b5480

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1084)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3916)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3420 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3264)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6260 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5080)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4732 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4536)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3380 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5100)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5884 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2612)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4740 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 432)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4676 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4628)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1960 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3724)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2220,9710850320848614617,7039894478057080224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2004 /prefetch:8

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 2116)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5EBE8_1082506744 BT4823DF041B09 BitTorrent
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 756)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5EBE8_1016538606 BT4823DF041B09 BitTorrent
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 3400)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5EBE8_23257262 BT4823DF041B09 BitTorrent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 4912)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5EBE8_1384614792 BT4823DF041B09 BitTorrent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 3416)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5EBE8_1422486671 BT4823DF041B09 BitTorrent
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 4552)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5EBE8_513228575 BT4823DF041B09 BitTorrent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 3432)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5EBE8_933681125 BT4823DF041B09 BitTorrent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 4316)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5EBE8_666423454 BT4823DF041B09 BitTorrent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 656)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5EBE8_37580366 BT4823DF041B09 BitTorrent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 1520)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5EBE8_1679972507 BT4823DF041B09 BitTorrent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\BitTorrent\helper\helper.exe  (PID 4008)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\helper\helper.exe" 47815 --hval AS45DTWqgK35_-wf -- -pid 2432 -version 46211
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 3968)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5EBE8_862945101 BT4823DF041B09 BitTorrent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 1608)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5EBE8_2142430672 BT4823DF041B09 BitTorrent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe  (PID 4936)
      Command line: "C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.10.5_46211\bittorrentie.exe" BitTorrent_2432_03B5EBE8_578293119 BT4823DF041B09 BitTorrent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

C:\Windows\System32\CompPkgSrv.exe  (PID 484)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\svchost.exe  (PID 4032)
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Advertising
  Filesize: 24KB
  MD5: 4e9962558e74db5038d8073a5b3431aa
  SHA1: 3cd097d9dd4b16a69efbb0fd1efe862867822146
  SHA256: 6f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279
  SHA512: fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e

  Filesize: 4KB
  MD5: fad197d6ffd32d1268b9e7e8d13ab32a
  SHA1: b0129887a75965bb2ef56a2c39d3231e5b87265d
  SHA256: 4e446af739e1a06b48a73607e9441bc4aa34ceafd808ff845864408179a4d2c3
  SHA512: 01d9f588bfa315e316ff0ff4a15a0a49144fd77ee89960882cd528d7f7a277b086667cea2357c3ca2bd16a2b3f4aeb7fcaf473501b499101be68acbe1e0126cb

  Filesize: 6KB
  MD5: 94c183b842784d0ae69f8aa57c8ac015
  SHA1: c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd
  SHA256: aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25
  SHA512: 5808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Cryptomining
  Filesize: 1KB
  MD5: 8c31feb9c3faaa9794aa22ce9f48bfbd
  SHA1: f5411608a15e803afc97961b310bb21a6a8bd5b6
  SHA256: 6016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d
  SHA512: ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Fingerprinting
  Filesize: 1KB
  MD5: b51076d21461e00fcbf3dbd2c9e96b2b
  SHA1: 31311536cf570f2f9c88d21f03a935ac6e233231
  SHA256: 21a8d3e85d76761a1aab9dca765efef5dfa08d49db037befd91833e4639dd993
  SHA512: 3e193220ddddc47ecea32a2f777e55faa12c7a8052323455c8d7a89c01048155c77ae009fd0f5bebea89f1fae4a88b6b3ceca4e808064f474ea5b3a9497598cb

  Filesize: 34B
  MD5: cd0395742b85e2b669eaec1d5f15b65b
  SHA1: 43c81d1c62fc7ff94f9364639c9a46a0747d122e
  SHA256: 2b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707
  SHA512: 4df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0

  Filesize: 999B
  MD5: 152b745da17397ed5a2f3059bb157600
  SHA1: 47bf4e575ba1acf47dcc99f1800f753b4cc65ef6
  SHA256: ef994058a637f7b1b47c31c8670977084d1f86cc21a196920aa87f8ed31e98e8
  SHA512: 4984a8a46eb452b3c62f2c2ca8c9d999de37c39895ad9a9ed91d12a7731b1cd227f335829f7a6927f19cd8bf4dd7d6749fc853461a46fc97853d5b9e23171d31

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Advertising
  Filesize: 459B
  MD5: d024831cae8599f0edee70275d99e843
  SHA1: 69e08b543802b130da5305cbb0140bda5601079c
  SHA256: 0b75817b9ce2164f52e537c66bbff0fe53024bf9a00fb193efd63fe48f34a978
  SHA512: ee1096446f6a17bc3fde9aadb418ca4b2db5132cdde1e429300487aaf4d8b9865a3bbc95d3a3198cde137a6395f69c035b74a72f74edc22a490bccc3320b0b03

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Analytics
  Filesize: 50B
  MD5: 4cefbb980962973a354915a49d1b0f4d
  SHA1: 1d20148cab5cdadb85fad6041262584a12c2745d
  SHA256: 66de8db363de02974a1471153112e51f014bb05936ce870c433fd9a85b34455a
  SHA512: 6a088bbc6c40454165ddee3183667d2997dca5fcc8312f69e3c2397e61255e49b5146b24c2c64cd3c8867289e3abfdf1155e47722fdd8276f96d51e8f311d4b0

  Filesize: 36B
  MD5: 7f077f40c2d1ce8e95faa8fdb23ed8b4
  SHA1: 2c329e3e20ea559974ddcaabc2c7c22de81e7ad2
  SHA256: bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf
  SHA512: c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Cryptomining
  Filesize: 32B
  MD5: 4ec1eda0e8a06238ff5bf88569964d59
  SHA1: a2e78944fcac34d89385487ccbbfa4d8f078d612
  SHA256: 696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5
  SHA512: c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Fingerprinting
  Filesize: 110B
  MD5: a004023825237dadc8f934758ff9eaf2
  SHA1: c981a900b5ce63884635cedfe5ba722416021cb2
  SHA256: 3c4e82aae615a7bed985b4544afecb774b728df1cc9f7561ea25b97482119ef7
  SHA512: e49667fca51a6497ccae9b881d679b857c025f2945ab93c9a6769b1c0a632329993daefab6eda9ed70a32a75630d7b3d93dda5acda8ff87ffe5f090ca7b35e4f

  Filesize: 75B
  MD5: c6c7f3ee1e17acbff6ac22aa89b02e4e
  SHA1: bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b
  SHA256: a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4
  SHA512: 86ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4

  Filesize: 35B
  MD5: 976b1cf7e3442f88cd8ba26d3f0965bb
  SHA1: b75438dc71de4ac761d94a215ddbffadcd1225b0
  SHA256: decde67630f29fc003cb1f2ccbd7371a05079985a9cce93ec93c4fadd8dc5541
  SHA512: d0472fed72e1eb0a7747a693a0e654fbe92dd028db3cc42377810d90474dd4099ac981cca333eb52c18e75ed04a1f1f79f3bf5957fe8b16086f1252b3454b8d5

  Filesize: 10.0MB
  MD5: 305b424f87d4b6f08eacdf47f8eefcd1
  SHA1: 9622b76a56443fddead8f4996d5f1b4e05fa0b93
  SHA256: 48a61875fe1ef52b1f375b1e95f38193da7bccfa0a54cd283687b4ccce59fced
  SHA512: b5d53d066693b02ae39d3c2e0095a53aa311e2cf0a239a43ebd2d8bc7e481cdb26d0819c577f60433f0a23b7141b8a9ed94d1fd8dce6e9e3fffa441eef4bd7a3

  Filesize: 10.0MB
  MD5: 305b424f87d4b6f08eacdf47f8eefcd1
  SHA1: 9622b76a56443fddead8f4996d5f1b4e05fa0b93
  SHA256: 48a61875fe1ef52b1f375b1e95f38193da7bccfa0a54cd283687b4ccce59fced
  SHA512: b5d53d066693b02ae39d3c2e0095a53aa311e2cf0a239a43ebd2d8bc7e481cdb26d0819c577f60433f0a23b7141b8a9ed94d1fd8dce6e9e3fffa441eef4bd7a3

  Filesize: 814B
  MD5: fd63ee3928edd99afc5bdf17e4f1e7b6
  SHA1: 1b40433b064215ea6c001332c2ffa093b1177875
  SHA256: 2a2ddbdc4600e829ad756fd5e84a79c0401fa846ad4f2f2fb235b410e82434a9
  SHA512: 1925cde90ee84db1e5c15fa774ee5f10fa368948df7643259b03599ad58cfce9d409fd2cd752ff4cbca60b4bbe92b184ff92a0c6e8b78849c4497d38266bd3b4

  Filesize: 2.0MB
  MD5: 3a72aae846afdd8c7f070f390a2151b0
  SHA1: dadb6c535731cf4445ee8ce2c216585ccc80760b
  SHA256: 63a52c497a4a0f8c62d7686486fd3be8c3297024e336c0953ab2dcad9dceed3c
  SHA512: cc1e2c1d45f133f50ca80e0699122976ff9f141530ad0d45863da0df94399812853f1f21b31b17fb1a7e8a7461ebf5cd6c591eb56df2dbdc448ba3bdfbcf06e9

  Filesize: 2.0MB
  MD5: 3a72aae846afdd8c7f070f390a2151b0
  SHA1: dadb6c535731cf4445ee8ce2c216585ccc80760b
  SHA256: 63a52c497a4a0f8c62d7686486fd3be8c3297024e336c0953ab2dcad9dceed3c
  SHA512: cc1e2c1d45f133f50ca80e0699122976ff9f141530ad0d45863da0df94399812853f1f21b31b17fb1a7e8a7461ebf5cd6c591eb56df2dbdc448ba3bdfbcf06e9

  Filesize: 5.6MB
  MD5: b431083586e39d018e19880ad1a5ce8f
  SHA1: 3bbf957ab534d845d485a8698accc0a40b63cedd
  SHA256: b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b
  SHA512: 7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

  Filesize: 2.0MB
  MD5: 3a72aae846afdd8c7f070f390a2151b0
  SHA1: dadb6c535731cf4445ee8ce2c216585ccc80760b
  SHA256: 63a52c497a4a0f8c62d7686486fd3be8c3297024e336c0953ab2dcad9dceed3c
  SHA512: cc1e2c1d45f133f50ca80e0699122976ff9f141530ad0d45863da0df94399812853f1f21b31b17fb1a7e8a7461ebf5cd6c591eb56df2dbdc448ba3bdfbcf06e9

  Filesize: 2.0MB
  MD5: 3a72aae846afdd8c7f070f390a2151b0
  SHA1: dadb6c535731cf4445ee8ce2c216585ccc80760b
  SHA256: 63a52c497a4a0f8c62d7686486fd3be8c3297024e336c0953ab2dcad9dceed3c
  SHA512: cc1e2c1d45f133f50ca80e0699122976ff9f141530ad0d45863da0df94399812853f1f21b31b17fb1a7e8a7461ebf5cd6c591eb56df2dbdc448ba3bdfbcf06e9

  Filesize: 4.9MB
  MD5: b13c3cbf6ac3fee83ea38fa1164376ba
  SHA1: 440956cf95926e7d7cb2dba57a5de4bba87ed06c
  SHA256: 9baee772391167e729cbf149a29a4eed8f1c99b74034361ca95df54b1308893a
  SHA512: 43f877b34343ed68b4797ded8dd1bef3446a29b31b5ca42ac80da8fb8183c8b8af865469a23ebe87728cd2102dd97fadbdc16d5b53ccd23ba93cfeb8c92d3789

  Filesize: 4.9MB
  MD5: b13c3cbf6ac3fee83ea38fa1164376ba
  SHA1: 440956cf95926e7d7cb2dba57a5de4bba87ed06c
  SHA256: 9baee772391167e729cbf149a29a4eed8f1c99b74034361ca95df54b1308893a
  SHA512: 43f877b34343ed68b4797ded8dd1bef3446a29b31b5ca42ac80da8fb8183c8b8af865469a23ebe87728cd2102dd97fadbdc16d5b53ccd23ba93cfeb8c92d3789

  Filesize: 8KB
  MD5: 9ec0d9e1626c2dffc86c4a47ef762c11
  SHA1: d10408dc0813d17371ac680ca6866228eff2d561
  SHA256: 8f2160c67615f9fc455bcf5fa92766b7455306bfa1b8aa0cc8d3bf27c1a55c91
  SHA512: 497c9f1bce388b15d5790f6fb0977f1c4cda764d077fd5954c0bddb419c49f2d767db801aefc44bd5ea1df1b2483dac2030b9b5ba6f712ea78ae70de851940a1

  Filesize: 537KB
  MD5: 0eb34002d91ec0e59b90e6eb922895cb
  SHA1: 1fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
  SHA256: 65f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
  SHA512: 8bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb

  Filesize: 537KB
  MD5: 0eb34002d91ec0e59b90e6eb922895cb
  SHA1: 1fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
  SHA256: 65f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
  SHA512: 8bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb

  Filesize: 537KB
  MD5: 0eb34002d91ec0e59b90e6eb922895cb
  SHA1: 1fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
  SHA256: 65f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
  SHA512: 8bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb

  Filesize: 537KB
  MD5: 0eb34002d91ec0e59b90e6eb922895cb
  SHA1: 1fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
  SHA256: 65f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
  SHA512: 8bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb

  Filesize: 537KB
  MD5: 0eb34002d91ec0e59b90e6eb922895cb
  SHA1: 1fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
  SHA256: 65f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
  SHA512: 8bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb

  Filesize: 537KB
  MD5: 0eb34002d91ec0e59b90e6eb922895cb
  SHA1: 1fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
  SHA256: 65f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
  SHA512: 8bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb

  Filesize: 537KB
  MD5: 0eb34002d91ec0e59b90e6eb922895cb
  SHA1: 1fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
  SHA256: 65f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
  SHA512: 8bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb

  Filesize: 537KB
  MD5: 0eb34002d91ec0e59b90e6eb922895cb
  SHA1: 1fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
  SHA256: 65f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
  SHA512: 8bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb

  Filesize: 537KB
  MD5: 0eb34002d91ec0e59b90e6eb922895cb
  SHA1: 1fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
  SHA256: 65f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
  SHA512: 8bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb

  Filesize: 537KB
  MD5: 0eb34002d91ec0e59b90e6eb922895cb
  SHA1: 1fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
  SHA256: 65f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
  SHA512: 8bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb

  Filesize: 537KB
  MD5: 0eb34002d91ec0e59b90e6eb922895cb
  SHA1: 1fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
  SHA256: 65f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
  SHA512: 8bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb

  Filesize: 537KB
  MD5: 0eb34002d91ec0e59b90e6eb922895cb
  SHA1: 1fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
  SHA256: 65f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
  SHA512: 8bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb

  Filesize: 537KB
  MD5: 0eb34002d91ec0e59b90e6eb922895cb
  SHA1: 1fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
  SHA256: 65f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
  SHA512: 8bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb
-
Filesize
537KB
MD50eb34002d91ec0e59b90e6eb922895cb
SHA11fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
SHA25665f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
SHA5128bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb
-
Filesize
537KB
MD50eb34002d91ec0e59b90e6eb922895cb
SHA11fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
SHA25665f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
SHA5128bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb
-
Filesize
537KB
MD50eb34002d91ec0e59b90e6eb922895cb
SHA11fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
SHA25665f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
SHA5128bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb
-
Filesize
537KB
MD50eb34002d91ec0e59b90e6eb922895cb
SHA11fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
SHA25665f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
SHA5128bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb
-
Filesize
537KB
MD50eb34002d91ec0e59b90e6eb922895cb
SHA11fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
SHA25665f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
SHA5128bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb
-
Filesize
537KB
MD50eb34002d91ec0e59b90e6eb922895cb
SHA11fc53d114fbe6c2d8d56e5b375304e3986cfdf2e
SHA25665f32777d56a9bc778800492a9b1db40b6dbfde54628405808c276556e7c3ab8
SHA5128bc3107e4ef6671ae85c9e8a77d92c0837e619c81c655404c0aa82b606a5395cfa2a51f46afdb84f3266984bf63650606eb26f07b219482a6b98ab8f550c2ccb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1082102374-1487407228-1886994731-1000\9d1627c087e30ee6fe8c9cce3c77e841_7555e4b8-c39f-4554-b880-c598c7a310a4
Filesize 1KB
MD5 24f76fe3cfce5970ce5c1f527efd94de
SHA1 e7d830c64f087f403b1fa2c064b1940fbfd9fcca
SHA256 78f2c06cbb69093b2128af43a4457c7210c3820c2008792e237c65a6353a067d
SHA512 6e242b92f276f835b4a4442caa19810ab775c980502ee5d55c98f8bc67eb7898d97875799e81ee3282f71bc8b2bf932c7a5eef594e7c570d128931dab9b9782e