icedid | 7354552c28ad25c6c83e84f1ef7da0a8a53dc9ba8177416c1f4be229130505b5

Analysis

max time kernel
366s
max time network
379s
platform
windows7_x64
resource
win7-20220414-en
submitted
23-06-2022 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

document 2.iso
Size

2.2MB
MD5

f00ee02812c8e68ff8e9e701c051fafe
SHA1

7d0866e47cc51a09b3441805fb21a06a349048b8
SHA256

7354552c28ad25c6c83e84f1ef7da0a8a53dc9ba8177416c1f4be229130505b5
SHA512

8856fb7ea9cdc6d36062dfbd6165b1da9ad5c70e33dab6d4bab7bf785f788d6ebbd95e1488f44d98957f369053e9e0fa5095fcf6c95d808ac04142cbf9b1608b

Score

10^/10

icedid 3433768635 banker discovery loader persistence suricata trojan

Malware Config

Extracted

Family

icedid

Campaign

3433768635

bredofenction.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

117 2112 rundll32.exe
118 2760 rundll32.exe
Downloads MZ/PE file

flow	pid	process
117	2112	rundll32.exe
118	2760	rundll32.exe

Drops file in Drivers directory 2 IoCs

Processes:

setup64.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\scdemu.sys	setup64.exe
File opened for modification	C:\Windows\system32\Drivers\scdemu.sys	setup64.exe

Executes dropped EXE 6 IoCs

Processes:

PowerISO8.exesetup64.exePWRISOVM.EXEChromeRecovery.exePowerISO.exePowerISO.exe

pid process

2352 PowerISO8.exe
1952 setup64.exe
2500 PWRISOVM.EXE
796 ChromeRecovery.exe
2676 PowerISO.exe
2328 PowerISO.exe

Registers COM server for autorun 1 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files (x86)\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files (x86)\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files (x86)\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe

Loads dropped DLL 35 IoCs

Processes:

PowerISO8.exeregsvr32.exeregsvr32.exechrome.exePowerISO.exeregsvr32.exeregsvr32.exePowerISO.exeregsvr32.exeregsvr32.exerundll32.exerundll32.exe

pid	process
2352	PowerISO8.exe
2352	PowerISO8.exe
2352	PowerISO8.exe
868
2352	PowerISO8.exe
2352	PowerISO8.exe
2352	PowerISO8.exe
2352	PowerISO8.exe
2352	PowerISO8.exe
2352	PowerISO8.exe
2352	PowerISO8.exe
2352	PowerISO8.exe
2352	PowerISO8.exe
2352	PowerISO8.exe
2544	regsvr32.exe
2540	regsvr32.exe
2420	chrome.exe
2420	chrome.exe
1204
2676	PowerISO.exe
520	regsvr32.exe
2484	regsvr32.exe
2676	PowerISO.exe
1204
2328	PowerISO.exe
3068	regsvr32.exe
2448	regsvr32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PowerISO8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PWRISOVM.EXE = "C:\\Program Files (x86)\\PowerISO\\PWRISOVM.EXE -startup"	PowerISO8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

PowerISO8.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\PowerISO\devcon.exe	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\SimpChinese.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Arabic.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Turkish.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Indonesian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Urdu(Pakistan).lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\uninstall.exe	PowerISO8.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2760_1389340579\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2760_1389340579\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files (x86)\PowerISO\piso.exe	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\libvorbis.dll	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\License.txt	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Bulgarian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Spanish.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Finnish.lng	PowerISO8.exe
File opened for modification	C:\Program Files (x86)\PowerISO\PWRISOSH.DLL	PowerISO8.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2760_1389340579\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files (x86)\PowerISO\setup64.exe	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Korean.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Lithuanian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Slovak.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\lame_enc.dll	PowerISO8.exe
File opened for modification	C:\Program Files (x86)\PowerISO\PWRISOVM.EXE	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\french.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Greek.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\libFLAC.dll	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\unrar.dll	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\7z.dll	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Readme.txt	PowerISO8.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2760_1389340579\manifest.json	elevation_service.exe
File created	C:\Program Files (x86)\PowerISO\Lang\TradChinese.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Italian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\slovenian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Swedish.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Dutch.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Bosnian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Norsk.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Thai.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Ukrainian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\MACDll.dll	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\czech.lng	PowerISO8.exe
File opened for modification	C:\Program Files (x86)\PowerISO\PowerISO.exe	PowerISO8.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2760_1389340579\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2760_1389340579\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files (x86)\PowerISO\Lang\kazakh.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\German.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Japanese.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Farsi.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Serbian(cyrl).lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\PowerISO.chm	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\danish.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Armenian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Malay.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Vietnamese.lng	PowerISO8.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2760_1389340579\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Polish.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Russian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\croatian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Romanian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Burmese.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Hungarian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Portuguese(Brazil).lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Belarusian.lng	PowerISO8.exe
File created	C:\Program Files (x86)\PowerISO\Lang\Azerbaijani.lng	PowerISO8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CF3954E1-F2B8-11EC-AE57-4E0428891AFE} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b000000000200000000001066000000010000200000008296462ffd7fa186ce052b11f9bc1132798348796f971cc46d47e6cca38e8d70000000000e8000000002000020000000492dd81f4b2d8997e63918eb5a4e038bba09791344bd596bf4f2ba3b1411a4f720000000ae3dc324530131cc99ea165e624c2e6942a7bdaa2cf8d19b8004a869f2f2f391400000007913760bf54b9f217ec3441ff1ffe210702ff2027a2eb638fe04b5c6f13c121f92f8290cdbf737fdacd9d01e54bc886dfaba22f2534051164d9d1c2e5460ae3a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b00000000020000000000106600000001000020000000372ef4d9717d85e145a792717dda7b708fff0f90b77ac05af8974399c2bccbbe000000000e80000000020000200000009e842d72fa7d8c298e0dacc5b55809da0be18808da05b61c8b5207a1aaa34ee19000000081f505d518183886b00a15c000934bd2c13e6a578fd5c26458edef1e09ad68dd37d87679b3b044a2a84efb1755f03974e33ba6136696557e4035cd95b4b78e9ac9005366f5a057d99a423f3514bf0092d75f26d09ed1e0c3ae57096a26dcc8ccadf7ebe3a7fc1211df1feb10cbf1c9e087b74f4fea0317080c752ff55fed5045c84ae2c144eccbc9ba8d300d830e48d6400000001a121af4e304ad3a8ebd9574b1092c823b57f22fd16913406f7a845b3d8b87327e1137c6f88673744cb60ed565ba5bbf0e4045f8cc8d55f3c28607baf872f551	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "362728586"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 607f6ea9c586d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exePowerISO8.exeregsvr32.exePowerISO.exeregsvr32.exePowerISO.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bif	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files (x86)\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bwi	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cdi	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\ = "PowerISO File"	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso\ = "PowerISO"	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\ = "PowerISO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ashdisc	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cif	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz\ = "PowerISO"	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8658416-7CCB-4c1d-A021-AFF0A2EB8004}	PowerISO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bin	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pxi	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\shell\open\command\ = "\"C:\\Program Files (x86)\\PowerISO\\PowerISO.exe\" \"%1\""	PowerISO8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.daa	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz	PowerISO8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mdf	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mds	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.c2d	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\DefaultIcon	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\DefaultIcon\ = "C:\\Program Files (x86)\\PowerISO\\PowerISO.exe,0"	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xdi	PowerISO8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xdi	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vcd	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\ = "PowerISO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\ = "PowerISO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files (x86)\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.b5i	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ima	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gi	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dmg	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files (x86)\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uif	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uif\ = "PowerISO"	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cue	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\shell\open\command	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8658416-7CCB-4c1d-A021-AFF0A2EB8004}	PowerISO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ncd	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xdi\ = "PowerISO"	PowerISO8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.img	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wim	PowerISO8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.daa	PowerISO8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.uif	PowerISO8.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exerundll32.exerundll32.exe

pid	process
1788	chrome.exe
612	chrome.exe
612	chrome.exe
2140	chrome.exe
2336	chrome.exe
612	chrome.exe
612	chrome.exe
2420	chrome.exe
2112	rundll32.exe
2112	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

chrome.exeiexplore.exePowerISO.exePowerISO.exe

pid	process
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
1564	iexplore.exe
2676	PowerISO.exe
2676	PowerISO.exe
2328	PowerISO.exe
2328	PowerISO.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

chrome.exePowerISO.exePowerISO.exe

pid	process
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
2676	PowerISO.exe
2328	PowerISO.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXEPowerISO.exePowerISO.exe

pid process

1564 iexplore.exe
1564 iexplore.exe
2600 IEXPLORE.EXE
2600 IEXPLORE.EXE
2676 PowerISO.exe
2676 PowerISO.exe
2328 PowerISO.exe
2328 PowerISO.exe

pid	process
1564	iexplore.exe
1564	iexplore.exe
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2676	PowerISO.exe
2676	PowerISO.exe
2328	PowerISO.exe
2328	PowerISO.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exechrome.exe

description	pid	process	target process
PID 1552 wrote to memory of 1324	1552	cmd.exe	isoburn.exe
PID 1552 wrote to memory of 1324	1552	cmd.exe	isoburn.exe
PID 1552 wrote to memory of 1324	1552	cmd.exe	isoburn.exe
PID 612 wrote to memory of 240	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 240	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 240	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 796	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 1788	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 1788	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 1788	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 2000	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 2000	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 2000	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 2000	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 2000	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 2000	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 2000	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 2000	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 2000	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 2000	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 2000	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 2000	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 2000	612	chrome.exe	chrome.exe
PID 612 wrote to memory of 2000	612	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\document 2.iso"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\System32\isoburn.exe
"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\document 2.iso"
2⤵
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb4c4f50,0x7fefb4c4f60,0x7fefb4c4f70
2⤵
PID:240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1260 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1152 /prefetch:2
2⤵
PID:796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1712 /prefetch:8
2⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
2⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2108 /prefetch:1
2⤵
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
2⤵
PID:940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3312 /prefetch:2
2⤵
PID:1724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
2⤵
PID:1684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:8
2⤵
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3648 /prefetch:8
2⤵
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3596 /prefetch:8
2⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3564 /prefetch:8
2⤵
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3800 /prefetch:8
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3812 /prefetch:8
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3824 /prefetch:8
2⤵
PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4112 /prefetch:8
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4212 /prefetch:8
2⤵
PID:2344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4108 /prefetch:8
2⤵
PID:2356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1464 /prefetch:8
2⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=680 /prefetch:8
2⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1872 /prefetch:1
2⤵
PID:2560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:1
2⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4196 /prefetch:8
2⤵
PID:2716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1112 /prefetch:8
2⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
2⤵
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2504 /prefetch:1
2⤵
PID:2804

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2920

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13fbaa890,0x13fbaa8a0,0x13fbaa8b0
3⤵
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
2⤵
PID:2928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3944 /prefetch:8
2⤵
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3680 /prefetch:8
2⤵
PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4412 /prefetch:8
2⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4448 /prefetch:8
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2336

C:\Users\Admin\Downloads\PowerISO8.exe
"C:\Users\Admin\Downloads\PowerISO8.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
PID:2352

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /u "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL"
3⤵
PID:664

C:\Program Files (x86)\PowerISO\setup64.exe
"C:\Program Files (x86)\PowerISO\setup64.exe" cp C:\Users\Admin\AppData\Local\Temp\nszB61B.tmp "C:\Windows\system32\Drivers\scdemu.sys"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:1952

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL"
3⤵
- Loads dropped DLL
PID:2544

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:2540

C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
"C:\Program Files (x86)\PowerISO\PWRISOVM.EXE" 999
3⤵
- Executes dropped EXE
PID:2500

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.poweriso.com/thankyou.htm
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3860 /prefetch:8
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3564 /prefetch:8
2⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3728 /prefetch:8
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3780 /prefetch:8
2⤵
PID:1432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3660 /prefetch:8
2⤵
PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=824 /prefetch:1
2⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=644 /prefetch:8
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1140,7064645982991210685,234060381060007713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2404 /prefetch:8
2⤵
PID:2576

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1684

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:2760

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2760_1389340579\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2760_1389340579\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={54276309-841a-4e3a-a006-39539a078cf9} --system
2⤵
- Executes dropped EXE
PID:796

C:\Program Files (x86)\PowerISO\PowerISO.exe
"C:\Program Files (x86)\PowerISO\PowerISO.exe" "C:\Users\Admin\Desktop\document 2.iso"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL"
2⤵
- Loads dropped DLL
PID:520

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:2484

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" s3lop1n.dll, PluginInit
2⤵
PID:2216

C:\Program Files (x86)\PowerISO\PowerISO.exe
"C:\Program Files (x86)\PowerISO\PowerISO.exe" -pf C:\Users\Admin\AppData\Local\Temp\429D.tmp
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL"
2⤵
- Loads dropped DLL
PID:3068

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:2448

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" s3lop1n.dll, PluginInit
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" s3lop1n.dll, PluginInit
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PowerISO\PWRISOSH.DLL

Filesize
325KB

MD5
751457ed43b489beb89b86fa01d0edf6

SHA1
e5c8c98de0e3e13f3102a89546ee811cbd4c9bf6

SHA256
dce4c19e87fa27dcbd82750edba77a95ef8e40845fbc8eb9f928bce0ea22179e

SHA512
5a9eb89f6fc27d2200db12cc01a670fe3382a9d5993cd9fcb7670b9ccbc2278a02a1aab92ec0cfa820f3f161dbcfa035e930cb9585d9e3bd3109fb5a2dac9590

Download Submit
C:\Program Files (x86)\PowerISO\PWRISOVM.EXE

Filesize
405KB

MD5
85c4d16dc4ec55dd88a44711d70145cc

SHA1
9a2a94240f650378ecbb9a641c0f5ffc5050fc08

SHA256
3b14c925346f69633d3f73f19841ced630c9dec00ff20c5b6cb0c5a85e1e31c1

SHA512
1a44629400226779cb3e6b41df0c3ee6fc14cf160a167b4d8c056fd84f215c4ade96faf7f0ef8c51d5fb5612d50b75812f1c10b0ab419c4e11765dd6f37347fd

Download Submit
C:\Program Files (x86)\PowerISO\setup64.exe

Filesize
18KB

MD5
edda92af8f1a180c165f92951ed55a42

SHA1
1eb86ca757395527fd5d32bc3f8dbd482e3f6b51

SHA256
4d23f626854a739b5805199e710f9d4c55c4e89aa9dc00491cfbb0b990707738

SHA512
26a6f72544c8f4ea89af3b16a60e2a9f0d1e5f9575a14a43f0c96b78a6e8f29595b38c109688bd21418955b57d45805980dd2d1ea76504e08c94e09bb506f873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.dat

Filesize
9KB

MD5
5eb788b9763a117f56c886a60a15798e

SHA1
57ccfa20a82f696f8e848b1ad57e536e9809db5e

SHA256
e47b533cba7a69de9655cf0154170d995c0bb4576342facbbe2341e204a56a5f

SHA512
b4db1995a7b342709b8bfd1247ff3bdea5261bd04a372c44683d1ebd7061d645d7b71f44a576938ad91f1da89e6e1748732442ede9f002e6b9e9eb73b63f6f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB61B.tmp

Filesize
135KB

MD5
92eae8dec1f992db12aa23d9d55f264a

SHA1
add6697b8c1c71980e391619e81e0bada05e38ee

SHA256
d01a58e0a222e4d301b75ae80150d8cbc17f56b3f6458352d2c7c449be302eee

SHA512
443a12a1a49e388725ee347e650297ba5268d655acd08e623ea988cde07ae08ae861620b600fb223358339eeab926fee1c8377386501310c68a3eb9515649441

Download Submit
C:\Users\Admin\Downloads\PowerISO8.exe

Filesize
4.2MB

MD5
8144c52493e8e561fcd5b567daf193d2

SHA1
71f936cab2bcdfb42d215be4b296d0cb39581079

SHA256
4b12a3a8175a0066bf49b16ea05a76061a05e48e28652af48b664eadec62f377

SHA512
296c2272156b942d8cea42f5c3267726f2a0b2b4a347cdb794ab04ffa520c6e5cb8ffb901d38fc245e0667171c8d7394d4839c58fae5e2657b6a82fdbc092b9e

Download Submit
C:\Users\Admin\Downloads\PowerISO8.exe

Filesize
4.2MB

MD5
8144c52493e8e561fcd5b567daf193d2

SHA1
71f936cab2bcdfb42d215be4b296d0cb39581079

SHA256
4b12a3a8175a0066bf49b16ea05a76061a05e48e28652af48b664eadec62f377

SHA512
296c2272156b942d8cea42f5c3267726f2a0b2b4a347cdb794ab04ffa520c6e5cb8ffb901d38fc245e0667171c8d7394d4839c58fae5e2657b6a82fdbc092b9e

Download Submit
\??\pipe\crashpad_612_ICITQNJSDAQPOEBV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\PowerISO\PWRISOSH.DLL

Filesize
325KB

MD5
751457ed43b489beb89b86fa01d0edf6

SHA1
e5c8c98de0e3e13f3102a89546ee811cbd4c9bf6

SHA256
dce4c19e87fa27dcbd82750edba77a95ef8e40845fbc8eb9f928bce0ea22179e

SHA512
5a9eb89f6fc27d2200db12cc01a670fe3382a9d5993cd9fcb7670b9ccbc2278a02a1aab92ec0cfa820f3f161dbcfa035e930cb9585d9e3bd3109fb5a2dac9590

Download Submit
\Program Files (x86)\PowerISO\PWRISOSH.DLL

Filesize
325KB

MD5
751457ed43b489beb89b86fa01d0edf6

SHA1
e5c8c98de0e3e13f3102a89546ee811cbd4c9bf6

SHA256
dce4c19e87fa27dcbd82750edba77a95ef8e40845fbc8eb9f928bce0ea22179e

SHA512
5a9eb89f6fc27d2200db12cc01a670fe3382a9d5993cd9fcb7670b9ccbc2278a02a1aab92ec0cfa820f3f161dbcfa035e930cb9585d9e3bd3109fb5a2dac9590

Download Submit
\Program Files (x86)\PowerISO\PWRISOSH.DLL

Filesize
325KB

MD5
751457ed43b489beb89b86fa01d0edf6

SHA1
e5c8c98de0e3e13f3102a89546ee811cbd4c9bf6

SHA256
dce4c19e87fa27dcbd82750edba77a95ef8e40845fbc8eb9f928bce0ea22179e

SHA512
5a9eb89f6fc27d2200db12cc01a670fe3382a9d5993cd9fcb7670b9ccbc2278a02a1aab92ec0cfa820f3f161dbcfa035e930cb9585d9e3bd3109fb5a2dac9590

Download Submit
\Program Files (x86)\PowerISO\PWRISOSH.DLL

Filesize
325KB

MD5
751457ed43b489beb89b86fa01d0edf6

SHA1
e5c8c98de0e3e13f3102a89546ee811cbd4c9bf6

SHA256
dce4c19e87fa27dcbd82750edba77a95ef8e40845fbc8eb9f928bce0ea22179e

SHA512
5a9eb89f6fc27d2200db12cc01a670fe3382a9d5993cd9fcb7670b9ccbc2278a02a1aab92ec0cfa820f3f161dbcfa035e930cb9585d9e3bd3109fb5a2dac9590

Download Submit
\Program Files (x86)\PowerISO\PWRISOSH.DLL

Filesize
325KB

MD5
751457ed43b489beb89b86fa01d0edf6

SHA1
e5c8c98de0e3e13f3102a89546ee811cbd4c9bf6

SHA256
dce4c19e87fa27dcbd82750edba77a95ef8e40845fbc8eb9f928bce0ea22179e

SHA512
5a9eb89f6fc27d2200db12cc01a670fe3382a9d5993cd9fcb7670b9ccbc2278a02a1aab92ec0cfa820f3f161dbcfa035e930cb9585d9e3bd3109fb5a2dac9590

Download Submit
\Program Files (x86)\PowerISO\PWRISOVM.EXE

Filesize
405KB

MD5
85c4d16dc4ec55dd88a44711d70145cc

SHA1
9a2a94240f650378ecbb9a641c0f5ffc5050fc08

SHA256
3b14c925346f69633d3f73f19841ced630c9dec00ff20c5b6cb0c5a85e1e31c1

SHA512
1a44629400226779cb3e6b41df0c3ee6fc14cf160a167b4d8c056fd84f215c4ade96faf7f0ef8c51d5fb5612d50b75812f1c10b0ab419c4e11765dd6f37347fd

Download Submit
\Program Files (x86)\PowerISO\PWRISOVM.EXE

Filesize
405KB

MD5
85c4d16dc4ec55dd88a44711d70145cc

SHA1
9a2a94240f650378ecbb9a641c0f5ffc5050fc08

SHA256
3b14c925346f69633d3f73f19841ced630c9dec00ff20c5b6cb0c5a85e1e31c1

SHA512
1a44629400226779cb3e6b41df0c3ee6fc14cf160a167b4d8c056fd84f215c4ade96faf7f0ef8c51d5fb5612d50b75812f1c10b0ab419c4e11765dd6f37347fd

Download Submit
\Program Files (x86)\PowerISO\PWRISOVM.EXE

Filesize
405KB

MD5
85c4d16dc4ec55dd88a44711d70145cc

SHA1
9a2a94240f650378ecbb9a641c0f5ffc5050fc08

SHA256
3b14c925346f69633d3f73f19841ced630c9dec00ff20c5b6cb0c5a85e1e31c1

SHA512
1a44629400226779cb3e6b41df0c3ee6fc14cf160a167b4d8c056fd84f215c4ade96faf7f0ef8c51d5fb5612d50b75812f1c10b0ab419c4e11765dd6f37347fd

Download Submit
\Program Files (x86)\PowerISO\PWRISOVM.EXE

Filesize
405KB

MD5
85c4d16dc4ec55dd88a44711d70145cc

SHA1
9a2a94240f650378ecbb9a641c0f5ffc5050fc08

SHA256
3b14c925346f69633d3f73f19841ced630c9dec00ff20c5b6cb0c5a85e1e31c1

SHA512
1a44629400226779cb3e6b41df0c3ee6fc14cf160a167b4d8c056fd84f215c4ade96faf7f0ef8c51d5fb5612d50b75812f1c10b0ab419c4e11765dd6f37347fd

Download Submit
\Program Files (x86)\PowerISO\PWRISOVM.EXE

Filesize
405KB

MD5
85c4d16dc4ec55dd88a44711d70145cc

SHA1
9a2a94240f650378ecbb9a641c0f5ffc5050fc08

SHA256
3b14c925346f69633d3f73f19841ced630c9dec00ff20c5b6cb0c5a85e1e31c1

SHA512
1a44629400226779cb3e6b41df0c3ee6fc14cf160a167b4d8c056fd84f215c4ade96faf7f0ef8c51d5fb5612d50b75812f1c10b0ab419c4e11765dd6f37347fd

Download Submit
\Program Files (x86)\PowerISO\PWRISOVM.EXE

Filesize
405KB

MD5
85c4d16dc4ec55dd88a44711d70145cc

SHA1
9a2a94240f650378ecbb9a641c0f5ffc5050fc08

SHA256
3b14c925346f69633d3f73f19841ced630c9dec00ff20c5b6cb0c5a85e1e31c1

SHA512
1a44629400226779cb3e6b41df0c3ee6fc14cf160a167b4d8c056fd84f215c4ade96faf7f0ef8c51d5fb5612d50b75812f1c10b0ab419c4e11765dd6f37347fd

Download Submit
\Program Files (x86)\PowerISO\PowerISO.exe

Filesize
4.8MB

MD5
08db2e9311300f8060b9f0cffdc866f2

SHA1
a867aca87012e53ce41a0b3a6c0241f6a19e6c19

SHA256
8bee553cc75f3ff0160b588c46205d9441513a657a451dce377e9df6ab13fb95

SHA512
cfb875decb15a1e046d6146358dfd30c7ad0d6abe706da3a4fdf2931e8b9cb7ac7f46fcf349abdf623f30e557804dfddba44e5ad22eee37a58a322e3049813c6

Download Submit
\Program Files (x86)\PowerISO\PowerISO.exe

Filesize
4.8MB

MD5
08db2e9311300f8060b9f0cffdc866f2

SHA1
a867aca87012e53ce41a0b3a6c0241f6a19e6c19

SHA256
8bee553cc75f3ff0160b588c46205d9441513a657a451dce377e9df6ab13fb95

SHA512
cfb875decb15a1e046d6146358dfd30c7ad0d6abe706da3a4fdf2931e8b9cb7ac7f46fcf349abdf623f30e557804dfddba44e5ad22eee37a58a322e3049813c6

Download Submit
\Program Files (x86)\PowerISO\setup64.exe

Filesize
18KB

MD5
edda92af8f1a180c165f92951ed55a42

SHA1
1eb86ca757395527fd5d32bc3f8dbd482e3f6b51

SHA256
4d23f626854a739b5805199e710f9d4c55c4e89aa9dc00491cfbb0b990707738

SHA512
26a6f72544c8f4ea89af3b16a60e2a9f0d1e5f9575a14a43f0c96b78a6e8f29595b38c109688bd21418955b57d45805980dd2d1ea76504e08c94e09bb506f873

Download Submit
\Program Files (x86)\PowerISO\setup64.exe

Filesize
18KB

MD5
edda92af8f1a180c165f92951ed55a42

SHA1
1eb86ca757395527fd5d32bc3f8dbd482e3f6b51

SHA256
4d23f626854a739b5805199e710f9d4c55c4e89aa9dc00491cfbb0b990707738

SHA512
26a6f72544c8f4ea89af3b16a60e2a9f0d1e5f9575a14a43f0c96b78a6e8f29595b38c109688bd21418955b57d45805980dd2d1ea76504e08c94e09bb506f873

Download Submit
\Program Files (x86)\PowerISO\setup64.exe

Filesize
18KB

MD5
edda92af8f1a180c165f92951ed55a42

SHA1
1eb86ca757395527fd5d32bc3f8dbd482e3f6b51

SHA256
4d23f626854a739b5805199e710f9d4c55c4e89aa9dc00491cfbb0b990707738

SHA512
26a6f72544c8f4ea89af3b16a60e2a9f0d1e5f9575a14a43f0c96b78a6e8f29595b38c109688bd21418955b57d45805980dd2d1ea76504e08c94e09bb506f873

Download Submit
\Program Files (x86)\PowerISO\uninstall.exe

Filesize
146KB

MD5
73fd046a512a175a488669dac239a771

SHA1
d9ae2878b73e4c86581aacd9b2172816c8e6ed60

SHA256
5e404b2adb25dc1b413bbe2abb31bf2a0dfed817dafa2ef30c151f131f1eae82

SHA512
23f15bbeaabd37c6e6dc14ba2f95fac178fb04b8a053d6863e413ab8aa875744fa2a44a76d49b365c641e1eb46fb04267f2c4338cfa6ddddc1cab27c09624db1

Download Submit
\Users\Admin\AppData\Local\Temp\nse9022.tmp\InstOpt.dll

Filesize
25KB

MD5
6a45ec125830c244261b28fe97fb9f9d

SHA1
f30e65fa3a84c9078bf29af4b4d08ec618a8e44f

SHA256
fa8b56b52dc7130d924d0060633b5763c032408385a47ec7438d5e1d481d2fe5

SHA512
5387439a2a1f235a2ffe934570db8ab200e2688496d2be39d8f6a47dc7fb55e6e30e957b5b2f6d79799581278bd57c03dc81908afa5e9707375a14ec8a34e4e2

Download Submit
\Users\Admin\AppData\Local\Temp\nse9022.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
memory/520-186-0x0000000000000000-mapping.dmp

Download
memory/664-89-0x0000000000000000-mapping.dmp

Download
memory/796-183-0x0000000000000000-mapping.dmp

Download
memory/1324-76-0x0000000000000000-mapping.dmp

Download
memory/1552-54-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp

Filesize
8KB

Download
memory/1952-93-0x0000000000000000-mapping.dmp

Download
memory/2112-199-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/2216-191-0x0000000000000000-mapping.dmp

Download
memory/2328-198-0x0000000071721000-0x0000000071723000-memory.dmp

Filesize
8KB

Download
memory/2352-86-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/2352-84-0x0000000000000000-mapping.dmp

Download
memory/2360-83-0x0000000000000000-mapping.dmp

Download
memory/2448-196-0x0000000000000000-mapping.dmp

Download
memory/2484-188-0x0000000000000000-mapping.dmp

Download
memory/2500-109-0x0000000000000000-mapping.dmp

Download
memory/2540-113-0x0000000000000000-mapping.dmp

Download
memory/2544-102-0x0000000000000000-mapping.dmp

Download
memory/2676-190-0x0000000071551000-0x0000000071553000-memory.dmp

Filesize
8KB

Download
memory/2920-82-0x0000000000000000-mapping.dmp

Download
memory/3068-194-0x0000000000000000-mapping.dmp

Download

pid	process
2352	PowerISO8.exe
1952	setup64.exe
2500	PWRISOVM.EXE
796	ChromeRecovery.exe
2676	PowerISO.exe
2328	PowerISO.exe