bumblebee | 23c10f0ff64c3161ac221e9cd6eae744b3260f0ac346cca4cc7afa770b60c0da

Analysis

max time kernel
245s
max time network
252s
platform
windows7_x64
resource
win7-20220414-en
submitted
14/06/2022, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

document.iso
Size

3.1MB
MD5

8b76eb981cb9a08767a93f1c3bdbf3df
SHA1

4d558beaaa7af0e1232fe8d5436f7be0dd674660
SHA256

23c10f0ff64c3161ac221e9cd6eae744b3260f0ac346cca4cc7afa770b60c0da
SHA512

4ea530db2356f434bc7f879926d8ee7a0f4515fa203d576ae7141d7d18477510a7e84049f5aabb350ee10c8315bb9a4cba6e61eee578ddbb553cb37386b13955

Score

10^/10

bumblebee 1406r discovery evasion persistence trojan

Malware Config

Extracted

Family

bumblebee

Botnet

1406r

39.57.152.217:440

69.161.201.181:382

244.6.154.71:111

193.233.203.156:443

221.106.84.123:307

194.135.33.148:443

111.99.39.11:387

223.243.46.133:147

48.165.175.199:316

78.89.31.86:229

157.17.142.85:406

90.81.8.16:370

21.29.238.98:209

154.56.0.252:443

103.175.16.108:443

188.57.4.52:357

15.209.19.148:466

160.70.24.228:486

33.145.184.132:240

235.126.132.170:106

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Enumerates VirtualBox registry keys 2 TTPs 10 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	rundll32.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	rundll32.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	rundll32.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	rundll32.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\scdemu.sys	setup64.exe
File opened for modification	C:\Windows\system32\Drivers\scdemu.sys	setup64.exe

Executes dropped EXE 4 IoCs

pid	Process
2840	PowerISO8.exe
2904	setup64.exe
3024	PWRISOVM.EXE
2792	PowerISO.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files (x86)\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files (x86)\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rundll32.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Wine	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Wine	rundll32.exe

Loads dropped DLL 31 IoCs

pid	Process
2840	PowerISO8.exe
2840	PowerISO8.exe
2840	PowerISO8.exe
868	Process not Found
2840	PowerISO8.exe
2840	PowerISO8.exe
2840	PowerISO8.exe
2840	PowerISO8.exe
2840	PowerISO8.exe
2840	PowerISO8.exe
2840	PowerISO8.exe
2840	PowerISO8.exe
2840	PowerISO8.exe
2840	PowerISO8.exe
3008	regsvr32.exe
2052	regsvr32.exe
2720	chrome.exe
1204	Process not Found
2792	PowerISO.exe
2736	regsvr32.exe
2828	regsvr32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
3048	chrome.exe
3048	chrome.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PWRISOVM.EXE = "C:\\Program Files (x86)\\PowerISO\\PWRISOVM.EXE -startup"	PowerISO8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 57 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PowerISO\Lang\czech.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Japanese.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\slovenian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Malay.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\TradChinese.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Russian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Vietnamese.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Romanian.lng	PowerISO8.exe
File opened for modification	C:\Program Files (x86)\PowerISO\PowerISO.exe	PowerISO8.exe
File opened for modification	C:\Program Files (x86)\PowerISO\PWRISOVM.EXE	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Dutch.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Armenian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Slovak.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Urdu(Pakistan).lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\croatian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Indonesian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\libvorbis.dll	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Portuguese(Brazil).lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\German.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Azerbaijani.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\libFLAC.dll	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\uninstall.exe	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Arabic.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Greek.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Swedish.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\License.txt	PowerISO8.exe
File opened for modification	C:\Program Files (x86)\PowerISO\PWRISOSH.DLL	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\french.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Korean.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Farsi.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Serbian(cyrl).lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\setup64.exe	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Finnish.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\lame_enc.dll	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Readme.txt	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Burmese.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\SimpChinese.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Italian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Spanish.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Hungarian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Thai.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\danish.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Bosnian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\unrar.dll	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Lithuanian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Norsk.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Belarusian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\7z.dll	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\PowerISO.chm	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Polish.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\kazakh.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\MACDll.dll	PowerISO8.exe
File opened for modification	C:\Program Files (x86)\PowerISO\devcon.exe	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Turkish.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Bulgarian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Ukrainian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\piso.exe	PowerISO8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2068a67b2880d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A03F1E71-EC1B-11EC-A5C5-C6DEEDF3EE1E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "362001369"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c000000000200000000001066000000010000200000008d81b16ffc9d36381852d1aff43ed8bd762c2794f394788f64be1c3ffe015e75000000000e80000000020000200000003127971e716c6d516de587effad699cfa1023ecba14be717ee018170a99a334e20000000b215930021449da4e593953dab9aedfad006f16629513688b7db50bc1adf678f40000000ba9f40af9e4220d6fa3275e489de6fb1f124b224fb2c5f6e7305a4d64b2598fa48dd243c2d7f8dae1187c50edbcaa075f52f321397eb55a3bc8647846dfad8c4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c00000000020000000000106600000001000020000000e8ed5e928fa7bfbf484a784c91c94ab50375a615d29ea01c6c4cad8e2c597070000000000e8000000002000020000000ff6745685245049cd6e9e75c712689f108b12a6a2d2ab10005fe62cc7f0f2fa9900000009ebe88d619c2c8f0b637c022652209875c0f11077e168056273ca73a1bbfb24d574a325283e3ef9e9fdf4434c1d92001ddb583c75cc8fb5b7f672af3fbf1bef6d5a17a5bd9960a2f1ace523039371a6f120760e4faab4d78127450e6d595761790f40b93212efc265004b5275df58bd35edd1cd77ad7d50d6e79c7c9a1a45e1fde46de083db74dba4e760eef7b90cb9840000000573ef988a94a2da02cfa1320050b2da6dbbdf7318e707a14f1baf4d832bc38ef569d9e5b03e9085ec89e4217ca320fc6ded1c6a1e8f61af39732c08f407578e8	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pxi	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vcd	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xdi	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\shell\open\command	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ashdisc	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ncd	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\DefaultIcon	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\DefaultIcon\ = "C:\\Program Files (x86)\\PowerISO\\PowerISO.exe,0"	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\ = "PowerISO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\ = "PowerISO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO	PowerISO8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.daa	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cue	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\ = "PowerISO File"	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uif	PowerISO8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EXE	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mdf	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.b5i	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cdi	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.c2d	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cif	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ima	PowerISO8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uif\ = "PowerISO"	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8658416-7CCB-4c1d-A021-AFF0A2EB8004}	PowerISO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bwi	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lcd	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bif	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\shell\open\command\ = "\"C:\\Program Files (x86)\\PowerISO\\PowerISO.exe\" \"%1\""	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz\ = "PowerISO"	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wim	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.daa\ = "PowerISO"	PowerISO8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.uif	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xdi\ = "PowerISO"	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files (x86)\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dmg	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\shell\open	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files (x86)\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fcd	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.daa	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.p01	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\shell	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.img	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdi	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso\ = "PowerISO"	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1816	chrome.exe
1672	chrome.exe
1672	chrome.exe
2696	chrome.exe
2720	chrome.exe
1672	chrome.exe
1672	chrome.exe
3048	chrome.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2584	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2584	AUDIODG.EXE
Token: 33	2584	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2584	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3024	PWRISOVM.EXE
3024	PWRISOVM.EXE
2084	iexplore.exe
2084	iexplore.exe
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2792	PowerISO.exe
2792	PowerISO.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 1824	948	cmd.exe	27
PID 948 wrote to memory of 1824	948	cmd.exe	27
PID 948 wrote to memory of 1824	948	cmd.exe	27
PID 1672 wrote to memory of 936	1672	chrome.exe	29
PID 1672 wrote to memory of 936	1672	chrome.exe	29
PID 1672 wrote to memory of 936	1672	chrome.exe	29
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1928	1672	chrome.exe	30
PID 1672 wrote to memory of 1816	1672	chrome.exe	31
PID 1672 wrote to memory of 1816	1672	chrome.exe	31
PID 1672 wrote to memory of 1816	1672	chrome.exe	31
PID 1672 wrote to memory of 1944	1672	chrome.exe	32
PID 1672 wrote to memory of 1944	1672	chrome.exe	32
PID 1672 wrote to memory of 1944	1672	chrome.exe	32
PID 1672 wrote to memory of 1944	1672	chrome.exe	32
PID 1672 wrote to memory of 1944	1672	chrome.exe	32
PID 1672 wrote to memory of 1944	1672	chrome.exe	32
PID 1672 wrote to memory of 1944	1672	chrome.exe	32
PID 1672 wrote to memory of 1944	1672	chrome.exe	32
PID 1672 wrote to memory of 1944	1672	chrome.exe	32
PID 1672 wrote to memory of 1944	1672	chrome.exe	32
PID 1672 wrote to memory of 1944	1672	chrome.exe	32
PID 1672 wrote to memory of 1944	1672	chrome.exe	32
PID 1672 wrote to memory of 1944	1672	chrome.exe	32
PID 1672 wrote to memory of 1944	1672	chrome.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\document.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\document.iso"
  2⤵
  PID:1824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefada4f50,0x7fefada4f60,0x7fefada4f70
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1124 /prefetch:2
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1832 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2028 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3308 /prefetch:2
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3540 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3556 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3884 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4088 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3896 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4564 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1448 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3736 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3816 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 /prefetch:8
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3764 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1116,9619000369050710258,2972790186294508786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:2100

C:\Users\Admin\Downloads\PowerISO8.exe
"C:\Users\Admin\Downloads\PowerISO8.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
PID:2840
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s /u "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL"
  2⤵
  PID:2888
- C:\Program Files (x86)\PowerISO\setup64.exe
  "C:\Program Files (x86)\PowerISO\setup64.exe" cp C:\Users\Admin\AppData\Local\Temp\nse3C0C.tmp "C:\Windows\system32\Drivers\scdemu.sys"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:2904
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL"
  2⤵
  - Loads dropped DLL
  PID:3008
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL"
    3⤵
    - Registers COM server for autorun
    - Loads dropped DLL
    - Modifies registry class
    PID:2052
- C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
  "C:\Program Files (x86)\PowerISO\PWRISOVM.EXE" 999
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3024
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.poweriso.com/thankyou.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2084
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2084 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2220

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2888

C:\Program Files (x86)\PowerISO\PowerISO.exe
"C:\Program Files (x86)\PowerISO\PowerISO.exe" -pf C:\Users\Admin\AppData\Local\Temp\B9DE.tmp
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2792
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL"
  2⤵
  - Loads dropped DLL
  PID:2736
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL"
    3⤵
    - Registers COM server for autorun
    - Loads dropped DLL
    - Modifies registry class
    PID:2828

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" toso3l.dll,LyirJCyvGh
1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" toso3l.dll,LyirJCyvGh
1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PowerISO\Lang\Arabic.lng

Filesize
44KB

MD5
df394959eb900bc4500324b7e1a674f1

SHA1
3e5863b8e7a70f5c963342cb07bf219c3033fb96

SHA256
566220bd0badc31c82ceedce53cb17b8c009e2ae5c1df4e32690274d3511b014

SHA512
4ab2832e0e6028b3911d9f758788a0f3aa710b8bec1cc215d381e4ea0017f4ce2240bb3f38778c1d62c33c364117c3ac70091383f2deff72d4d971f10125d47d

Download Submit
C:\Program Files (x86)\PowerISO\Lang\Armenian.lng

Filesize
47KB

MD5
39a9944552e746501be30e128f511471

SHA1
007dfade843e60a58a32c8fed705e7a8b60abfe4

SHA256
75b9ed8ead6235aa0caedab794b353e3a74957f82d3c0c938a1dffcfe9f54bab

SHA512
3009dcdb35344c19ccced8ee1b523d0e17c54dabf7faa4eba988409893e7bdbb5ffdb4bc21065568c59de94e21ddd1b3e47791abdb73f8b5e3a9cbd72a262b79

Download Submit
C:\Program Files (x86)\PowerISO\Lang\Azerbaijani.lng

Filesize
48KB

MD5
78a717846a059de665e889e05313ea9a

SHA1
67737ad90520e588d7271bd42fc0c1333b442a8c

SHA256
696307e616727c3ef2b791916d4a340cac85c6ede86bed1b0322e5e37ca66043

SHA512
a08944180c73786f16dea1ca18e9819805077e8da778e989c7cd910bcca33a8a310a516d7361158f34e099594716218471a149a3c04a94a654d9b9056cfc7209

Download Submit
C:\Program Files (x86)\PowerISO\Lang\Belarusian.lng

Filesize
89KB

MD5
52374ebf32ba06f759a20a644dbbe838

SHA1
b7d5e06a7fe1ba3d7979e90689cc0f8312517921

SHA256
7e80b73e66232e8ca164aded1a08f63fabe65e4e38859963e6d5541f7f7ab300

SHA512
15802e6ef85bcc1f1816d5794f5d156f27f32443943c3feaff1f0d94e656396f54cfc5adf22d50e214349334126ad3135656b434c8712aeb60b1aee17e21098a

Download Submit
C:\Program Files (x86)\PowerISO\Lang\Bosnian.lng

Filesize
57KB

MD5
27e3f9caf5c2f6f56d05839db1f55dd1

SHA1
4d2b7f09246d97cf6d96cb0c1374093d197a7a8d

SHA256
7be27864827af5ffeb2b8582f52d47eee58ffe84719512cfe721720abc5383c7

SHA512
bfa56a4a410bd66f3e73555c932369a14508a390847c25b21e95e3ad4e22ba93d9251bf41e0c0454f883bed8bac57f6fe19bfb9234dafa3c6e0dc48268c2ddbe

Download Submit
C:\Program Files (x86)\PowerISO\Lang\Bulgarian.lng

Filesize
105KB

MD5
8848d676bcb0c29e64e49a6b959b9f6e

SHA1
892413583021afaa811383629a792e7751bb76ba

SHA256
13bc268e6b5b081007fc6baaeeac1ca065f0bf7f3cb03f9561926b26d2baa7c5

SHA512
c23eb54b05b3052e43f862ab9d56eb2afe4e2ba236af8e001e0b6880c2b460adfeb59931ce6a96f0318a04d927c7b6b91e60f8db30cc12c46cb315af6d2fd64f

Download Submit
C:\Program Files (x86)\PowerISO\Lang\Burmese.lng

Filesize
93KB

MD5
578604d8ea7b9721c10da9c1ac3cf4c2

SHA1
adb75be1a73fc75bf8b1e6b7b87bcabd6d57cb13

SHA256
17ef55a36ec345b1980cfc14fd05195de6908e4aa10b1a473dc9ce70d9e6a6bc

SHA512
1f016a1fe5f383d5a93fbd72f7f959a566426ee9b7145c17587e1e2f12875e32a680840f47dbd55b9f8a0893962f33ba058462533e8e2340c74d65875201fd7e

Download Submit
C:\Program Files (x86)\PowerISO\Lang\Dutch.lng

Filesize
107KB

MD5
9a8a2e8173e1c0c26346678dd7190b0f

SHA1
0df3eef6e81bc2aa7915444214de977172fba29e

SHA256
2f523f226b29ac9ad4daa1aa8ba9ebb01abc2172b354c9ef25df442360787896

SHA512
38b8c398b0a91628904cad9174627a1f94d5dfa0d3591a8ce92652fd93a508b6d91489070079c76b94320b32462ae283dda8aa87eea0ee402fdfda0caf425db0

Download Submit
C:\Program Files (x86)\PowerISO\Lang\Farsi.lng

Filesize
51KB

MD5
197bcf165a0302fd910a683d9bddc63c

SHA1
a26f754fd4011225b9c02f13564a4428f50b3d39

SHA256
d3441d10af3bb133441c1658a0622b5ca69198ad04c84e4b74a92f9f02902485

SHA512
eb0de4994b883169a114f16cbc5c1f04a5497dc69c07817802509e23fd8f99761eb6d634b35a4b77c7d70f4295f24e5e874e38c668a57d718df14254be4d4472

Download Submit
C:\Program Files (x86)\PowerISO\Lang\Finnish.lng

Filesize
64KB

MD5
2f9aa74f68d74f574c29bf7c0b964358

SHA1
5d3c6026ec57837f373b8f5f2cc05043721db73b

SHA256
a28569aaa735d3fcf9934460b283e47a8c510ea80439c57ded797d7d767c9a47

SHA512
7bc0f83ac43b8cb4294ad4bf169c583f6b5948b92ac30a2626736bec204811a4562d3274819a7828ac787e22644e9f2ed2463fe3903ceccd98aa73c11811cb8a

Download Submit
C:\Program Files (x86)\PowerISO\Lang\croatian.lng

Filesize
61KB

MD5
b94e0fe2974e41da7639cb9691fc8c96

SHA1
28f490c0582088bb4790fd3c1430fc37662c6ed1

SHA256
b20d52aeaf8a51049ac2e9bfcdf5047b37e17acefc1b98ab982e9cabf7d2b8e7

SHA512
54df0156aa833eb661b8083e6415d9cee7928521d13329174680de34af263d87e8fc7291533acb52f1f23372681c2f6adda6b56f4bff97ade20fec807434ae37

Download Submit
C:\Program Files (x86)\PowerISO\Lang\czech.lng

Filesize
89KB

MD5
20287671128cac1d457c558ab24992c7

SHA1
4a7103df27eb64d593473b8cb1e634c979153664

SHA256
9936ab1f02b4f38ac618c010235546cca30547540fbdfd8e4513147865006247

SHA512
0dca6a4859a0a785a9444aed32fd30f5309134c45906043976c97c8e26989abbb67c3c879b51681ebce3e2e8b59b1a4bd1fcc609775d2907f97d5887fb3ce607

Download Submit
C:\Program Files (x86)\PowerISO\Lang\danish.lng

Filesize
57KB

MD5
16f6aa7bd28bede15f749c173ba26649

SHA1
a6a6773d1f97439890cbe73fb332e12e250d121f

SHA256
1b3ab2dd6dafb98f01855432efbe46da0b6043fa036b9de127b0f997281bd469

SHA512
e6046bd3191e75a41b46fac85e4e3decec76ce68d524ecbe879887b01dfc21c9ce7ec3d58579bf16ebc693d780bb8b075b3bd136a568f7662e984b91e0f473e2

Download Submit
C:\Program Files (x86)\PowerISO\Lang\french.lng

Filesize
116KB

MD5
3e9744e2ea71a34e92654afbecaa9bd2

SHA1
2165bb586c957c6bf54c060689d4de470e5167ce

SHA256
5fa2532fcfbde8e858fced08d88968bf4188c3351db96ba424320a2a4ac05713

SHA512
96600ad4efae152ac01230745c7be5338cb9f1be785065e526d52c1f15cb816b86613f88e6a312ce86c9aa5bbddabec8010247dc487a3e0bb44e92753b4e2ca3

Download Submit
C:\Program Files (x86)\PowerISO\PWRISOSH.DLL

Filesize
325KB

MD5
751457ed43b489beb89b86fa01d0edf6

SHA1
e5c8c98de0e3e13f3102a89546ee811cbd4c9bf6

SHA256
dce4c19e87fa27dcbd82750edba77a95ef8e40845fbc8eb9f928bce0ea22179e

SHA512
5a9eb89f6fc27d2200db12cc01a670fe3382a9d5993cd9fcb7670b9ccbc2278a02a1aab92ec0cfa820f3f161dbcfa035e930cb9585d9e3bd3109fb5a2dac9590

Download Submit
C:\Program Files (x86)\PowerISO\PWRISOVM.EXE

Filesize
405KB

MD5
85c4d16dc4ec55dd88a44711d70145cc

SHA1
9a2a94240f650378ecbb9a641c0f5ffc5050fc08

SHA256
3b14c925346f69633d3f73f19841ced630c9dec00ff20c5b6cb0c5a85e1e31c1

SHA512
1a44629400226779cb3e6b41df0c3ee6fc14cf160a167b4d8c056fd84f215c4ade96faf7f0ef8c51d5fb5612d50b75812f1c10b0ab419c4e11765dd6f37347fd

Download Submit
C:\Program Files (x86)\PowerISO\setup64.exe

Filesize
18KB

MD5
edda92af8f1a180c165f92951ed55a42

SHA1
1eb86ca757395527fd5d32bc3f8dbd482e3f6b51

SHA256
4d23f626854a739b5805199e710f9d4c55c4e89aa9dc00491cfbb0b990707738

SHA512
26a6f72544c8f4ea89af3b16a60e2a9f0d1e5f9575a14a43f0c96b78a6e8f29595b38c109688bd21418955b57d45805980dd2d1ea76504e08c94e09bb506f873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1b4wh1e\imagestore.dat

Filesize
9KB

MD5
47d8457d2fd802bb67bc63db26b67828

SHA1
133a47bf0e04ee6883c16288a64c4f08eb907429

SHA256
96b4c5d01b735e5c82a26bfcd8c96f8dea7b5540d937cea290dc6cf7ebe09821

SHA512
252b4208bdfc66e6784e08d4abb7a1ab13233f2c54da992fe576c66eba38341c6552028a0e8abed975ac9c45e0fc79ca7c7b1f47c29604f1ee16cd77f1239bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse3C0C.tmp

Filesize
135KB

MD5
92eae8dec1f992db12aa23d9d55f264a

SHA1
add6697b8c1c71980e391619e81e0bada05e38ee

SHA256
d01a58e0a222e4d301b75ae80150d8cbc17f56b3f6458352d2c7c449be302eee

SHA512
443a12a1a49e388725ee347e650297ba5268d655acd08e623ea988cde07ae08ae861620b600fb223358339eeab926fee1c8377386501310c68a3eb9515649441

Download Submit
C:\Users\Admin\Downloads\PowerISO8.exe

Filesize
4.2MB

MD5
8144c52493e8e561fcd5b567daf193d2

SHA1
71f936cab2bcdfb42d215be4b296d0cb39581079

SHA256
4b12a3a8175a0066bf49b16ea05a76061a05e48e28652af48b664eadec62f377

SHA512
296c2272156b942d8cea42f5c3267726f2a0b2b4a347cdb794ab04ffa520c6e5cb8ffb901d38fc245e0667171c8d7394d4839c58fae5e2657b6a82fdbc092b9e

Download Submit
C:\Users\Admin\Downloads\PowerISO8.exe

Filesize
4.2MB

MD5
8144c52493e8e561fcd5b567daf193d2

SHA1
71f936cab2bcdfb42d215be4b296d0cb39581079

SHA256
4b12a3a8175a0066bf49b16ea05a76061a05e48e28652af48b664eadec62f377

SHA512
296c2272156b942d8cea42f5c3267726f2a0b2b4a347cdb794ab04ffa520c6e5cb8ffb901d38fc245e0667171c8d7394d4839c58fae5e2657b6a82fdbc092b9e

Download Submit
\Program Files (x86)\PowerISO\PWRISOSH.DLL

Filesize
325KB

MD5
751457ed43b489beb89b86fa01d0edf6

SHA1
e5c8c98de0e3e13f3102a89546ee811cbd4c9bf6

SHA256
dce4c19e87fa27dcbd82750edba77a95ef8e40845fbc8eb9f928bce0ea22179e

SHA512
5a9eb89f6fc27d2200db12cc01a670fe3382a9d5993cd9fcb7670b9ccbc2278a02a1aab92ec0cfa820f3f161dbcfa035e930cb9585d9e3bd3109fb5a2dac9590

Download Submit
\Program Files (x86)\PowerISO\PWRISOSH.DLL

Filesize
325KB

MD5
751457ed43b489beb89b86fa01d0edf6

SHA1
e5c8c98de0e3e13f3102a89546ee811cbd4c9bf6

SHA256
dce4c19e87fa27dcbd82750edba77a95ef8e40845fbc8eb9f928bce0ea22179e

SHA512
5a9eb89f6fc27d2200db12cc01a670fe3382a9d5993cd9fcb7670b9ccbc2278a02a1aab92ec0cfa820f3f161dbcfa035e930cb9585d9e3bd3109fb5a2dac9590

Download Submit
\Program Files (x86)\PowerISO\PWRISOSH.DLL

Filesize
325KB

MD5
751457ed43b489beb89b86fa01d0edf6

SHA1
e5c8c98de0e3e13f3102a89546ee811cbd4c9bf6

SHA256
dce4c19e87fa27dcbd82750edba77a95ef8e40845fbc8eb9f928bce0ea22179e

SHA512
5a9eb89f6fc27d2200db12cc01a670fe3382a9d5993cd9fcb7670b9ccbc2278a02a1aab92ec0cfa820f3f161dbcfa035e930cb9585d9e3bd3109fb5a2dac9590

Download Submit
\Program Files (x86)\PowerISO\PWRISOVM.EXE

Filesize
405KB

MD5
85c4d16dc4ec55dd88a44711d70145cc

SHA1
9a2a94240f650378ecbb9a641c0f5ffc5050fc08

SHA256
3b14c925346f69633d3f73f19841ced630c9dec00ff20c5b6cb0c5a85e1e31c1

SHA512
1a44629400226779cb3e6b41df0c3ee6fc14cf160a167b4d8c056fd84f215c4ade96faf7f0ef8c51d5fb5612d50b75812f1c10b0ab419c4e11765dd6f37347fd

Download Submit
\Program Files (x86)\PowerISO\PWRISOVM.EXE

Filesize
405KB

MD5
85c4d16dc4ec55dd88a44711d70145cc

SHA1
9a2a94240f650378ecbb9a641c0f5ffc5050fc08

SHA256
3b14c925346f69633d3f73f19841ced630c9dec00ff20c5b6cb0c5a85e1e31c1

SHA512
1a44629400226779cb3e6b41df0c3ee6fc14cf160a167b4d8c056fd84f215c4ade96faf7f0ef8c51d5fb5612d50b75812f1c10b0ab419c4e11765dd6f37347fd

Download Submit
\Program Files (x86)\PowerISO\PWRISOVM.EXE

Filesize
405KB

MD5
85c4d16dc4ec55dd88a44711d70145cc

SHA1
9a2a94240f650378ecbb9a641c0f5ffc5050fc08

SHA256
3b14c925346f69633d3f73f19841ced630c9dec00ff20c5b6cb0c5a85e1e31c1

SHA512
1a44629400226779cb3e6b41df0c3ee6fc14cf160a167b4d8c056fd84f215c4ade96faf7f0ef8c51d5fb5612d50b75812f1c10b0ab419c4e11765dd6f37347fd

Download Submit
\Program Files (x86)\PowerISO\PWRISOVM.EXE

Filesize
405KB

MD5
85c4d16dc4ec55dd88a44711d70145cc

SHA1
9a2a94240f650378ecbb9a641c0f5ffc5050fc08

SHA256
3b14c925346f69633d3f73f19841ced630c9dec00ff20c5b6cb0c5a85e1e31c1

SHA512
1a44629400226779cb3e6b41df0c3ee6fc14cf160a167b4d8c056fd84f215c4ade96faf7f0ef8c51d5fb5612d50b75812f1c10b0ab419c4e11765dd6f37347fd

Download Submit
\Program Files (x86)\PowerISO\PWRISOVM.EXE

Filesize
405KB

MD5
85c4d16dc4ec55dd88a44711d70145cc

SHA1
9a2a94240f650378ecbb9a641c0f5ffc5050fc08

SHA256
3b14c925346f69633d3f73f19841ced630c9dec00ff20c5b6cb0c5a85e1e31c1

SHA512
1a44629400226779cb3e6b41df0c3ee6fc14cf160a167b4d8c056fd84f215c4ade96faf7f0ef8c51d5fb5612d50b75812f1c10b0ab419c4e11765dd6f37347fd

Download Submit
\Program Files (x86)\PowerISO\PWRISOVM.EXE

Filesize
405KB

MD5
85c4d16dc4ec55dd88a44711d70145cc

SHA1
9a2a94240f650378ecbb9a641c0f5ffc5050fc08

SHA256
3b14c925346f69633d3f73f19841ced630c9dec00ff20c5b6cb0c5a85e1e31c1

SHA512
1a44629400226779cb3e6b41df0c3ee6fc14cf160a167b4d8c056fd84f215c4ade96faf7f0ef8c51d5fb5612d50b75812f1c10b0ab419c4e11765dd6f37347fd

Download Submit
\Program Files (x86)\PowerISO\PowerISO.exe

Filesize
4.8MB

MD5
08db2e9311300f8060b9f0cffdc866f2

SHA1
a867aca87012e53ce41a0b3a6c0241f6a19e6c19

SHA256
8bee553cc75f3ff0160b588c46205d9441513a657a451dce377e9df6ab13fb95

SHA512
cfb875decb15a1e046d6146358dfd30c7ad0d6abe706da3a4fdf2931e8b9cb7ac7f46fcf349abdf623f30e557804dfddba44e5ad22eee37a58a322e3049813c6

Download Submit
\Program Files (x86)\PowerISO\PowerISO.exe

Filesize
4.8MB

MD5
08db2e9311300f8060b9f0cffdc866f2

SHA1
a867aca87012e53ce41a0b3a6c0241f6a19e6c19

SHA256
8bee553cc75f3ff0160b588c46205d9441513a657a451dce377e9df6ab13fb95

SHA512
cfb875decb15a1e046d6146358dfd30c7ad0d6abe706da3a4fdf2931e8b9cb7ac7f46fcf349abdf623f30e557804dfddba44e5ad22eee37a58a322e3049813c6

Download Submit
\Program Files (x86)\PowerISO\setup64.exe

Filesize
18KB

MD5
edda92af8f1a180c165f92951ed55a42

SHA1
1eb86ca757395527fd5d32bc3f8dbd482e3f6b51

SHA256
4d23f626854a739b5805199e710f9d4c55c4e89aa9dc00491cfbb0b990707738

SHA512
26a6f72544c8f4ea89af3b16a60e2a9f0d1e5f9575a14a43f0c96b78a6e8f29595b38c109688bd21418955b57d45805980dd2d1ea76504e08c94e09bb506f873

Download Submit
\Program Files (x86)\PowerISO\setup64.exe

Filesize
18KB

MD5
edda92af8f1a180c165f92951ed55a42

SHA1
1eb86ca757395527fd5d32bc3f8dbd482e3f6b51

SHA256
4d23f626854a739b5805199e710f9d4c55c4e89aa9dc00491cfbb0b990707738

SHA512
26a6f72544c8f4ea89af3b16a60e2a9f0d1e5f9575a14a43f0c96b78a6e8f29595b38c109688bd21418955b57d45805980dd2d1ea76504e08c94e09bb506f873

Download Submit
\Program Files (x86)\PowerISO\setup64.exe

Filesize
18KB

MD5
edda92af8f1a180c165f92951ed55a42

SHA1
1eb86ca757395527fd5d32bc3f8dbd482e3f6b51

SHA256
4d23f626854a739b5805199e710f9d4c55c4e89aa9dc00491cfbb0b990707738

SHA512
26a6f72544c8f4ea89af3b16a60e2a9f0d1e5f9575a14a43f0c96b78a6e8f29595b38c109688bd21418955b57d45805980dd2d1ea76504e08c94e09bb506f873

Download Submit
\Program Files (x86)\PowerISO\uninstall.exe

Filesize
146KB

MD5
73fd046a512a175a488669dac239a771

SHA1
d9ae2878b73e4c86581aacd9b2172816c8e6ed60

SHA256
5e404b2adb25dc1b413bbe2abb31bf2a0dfed817dafa2ef30c151f131f1eae82

SHA512
23f15bbeaabd37c6e6dc14ba2f95fac178fb04b8a053d6863e413ab8aa875744fa2a44a76d49b365c641e1eb46fb04267f2c4338cfa6ddddc1cab27c09624db1

Download Submit
\Users\Admin\AppData\Local\Temp\nst2713.tmp\InstOpt.dll

Filesize
25KB

MD5
6a45ec125830c244261b28fe97fb9f9d

SHA1
f30e65fa3a84c9078bf29af4b4d08ec618a8e44f

SHA256
fa8b56b52dc7130d924d0060633b5763c032408385a47ec7438d5e1d481d2fe5

SHA512
5387439a2a1f235a2ffe934570db8ab200e2688496d2be39d8f6a47dc7fb55e6e30e957b5b2f6d79799581278bd57c03dc81908afa5e9707375a14ec8a34e4e2

Download Submit
\Users\Admin\AppData\Local\Temp\nst2713.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
memory/948-54-0x000007FEFB971000-0x000007FEFB973000-memory.dmp

Filesize
8KB

Download
memory/1312-198-0x0000000002500000-0x0000000002617000-memory.dmp

Filesize
1.1MB

Download
memory/2112-199-0x0000000002450000-0x0000000002567000-memory.dmp

Filesize
1.1MB

Download
memory/2792-197-0x000000006FEA1000-0x000000006FEA3000-memory.dmp

Filesize
8KB

Download
memory/2840-83-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download