Analysis
-
max time kernel
1096s -
max time network
1754s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
24-10-2022 20:28
Static task
static1
Behavioral task
behavioral1
Sample
Downloads.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Downloads.exe
Resource
win10-20220901-en
Behavioral task
behavioral3
Sample
Downloads.exe
Resource
win10v2004-20220812-en
General
-
Target
Downloads.exe
-
Size
20.4MB
-
MD5
1f8d2846109b9b9fdadb28ba1492dbff
-
SHA1
6a89d407a8cbe41392fe8771c9b4ab01e479bd2d
-
SHA256
39320dd56575ef700b43ad49fff8c5088cb8b6bd05546f376b04d44c976ae148
-
SHA512
33a5dd606f2f4c1513189560989a3c61cbd47b2a282e7d32798e548f4d53a421075d23a416ce443fb91121c24b79c6132bd652e069cdf063f9f2480e2bb5b452
-
SSDEEP
393216:NCaD/8a2qhzNvMnSVtxr6lTyuF0WOifSRrd1cFKe9CX5QqiMikP537aXmb0r:4aDkalhpZ0lVHSzevqeMvbU
Malware Config
Extracted
C:\Program Files\OpenVPN\doc\openvpn.8.html
http-equiv="Content-Type"
http://docutils.sourceforge.net/"
http://docutils.sf.net/docs/howto/html-stylesheets.html
http-proxy
http-proxy-option
Extracted
Protocol: ftp- Host:
files.000webhost.com - Port:
21 - Username:
fcb-aws-host-4
Extracted
asyncrat
0.5.7B
Default
gfhhjgh.duckdns.org:8050
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
system32.exe
-
install_folder
%AppData%
Extracted
fickerstealer
80.87.192.115:80
Extracted
oski
prepepe.ac.ug
Extracted
redline
@zhilsholi
yabynennet.xyz:81
-
auth_value
c2d0b7a2ede97b91495c99e75b4f27fb
Extracted
raccoon
1.8.3-hotfix
5781468cedb3a203003fdf1f12e72fe98d6f1c0f
-
url4cnc
http://194.180.174.53/brikitiki
http://91.219.236.18/brikitiki
http://194.180.174.41/brikitiki
http://91.219.236.148/brikitiki
https://t.me/brikitiki
Extracted
pony
http://londonpaerl.co.uk/yesup/gate.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Blackmoon payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/960-175-0x0000000000400000-0x0000000000625000-memory.dmp family_blackmoon -
Processes:
resource yara_rule behavioral1/memory/1940-193-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/1940-194-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/1576-221-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/1940-228-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/1748-242-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/1748-245-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/1748-324-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit -
Detects Smokeloader packer 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1760-157-0x0000000000220000-0x0000000000229000-memory.dmp family_smokeloader -
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Gh0st RAT payload 8 IoCs
Processes:
resource yara_rule family_gh0strat behavioral1/memory/1940-193-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/1940-194-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/1576-221-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/1940-228-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/1748-242-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/1748-245-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/1748-324-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat -
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Process spawned unexpected child process 13 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2768 2724 schtasks.exe 103 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2892 2724 schtasks.exe 103 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2968 2724 schtasks.exe 103 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1960 2724 schtasks.exe 103 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 968 2724 schtasks.exe 103 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2132 2724 schtasks.exe 103 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2228 2724 schtasks.exe 103 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2552 2724 schtasks.exe 103 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 2724 schtasks.exe 103 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2184 2724 schtasks.exe 103 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2888 2724 schtasks.exe 103 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2424 2724 schtasks.exe 103 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2952 2724 schtasks.exe 103 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1236-233-0x0000000000400000-0x00000000007C2000-memory.dmp family_redline behavioral1/memory/1236-235-0x0000000000400000-0x00000000007C2000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Processes:
3.exe3.exeOpus.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Opus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Opus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Opus.exe -
Async RAT payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1604-180-0x0000000000160000-0x0000000000172000-memory.dmp asyncrat -
Processes:
resource yara_rule behavioral1/memory/432-240-0x00000000010B0000-0x0000000001144000-memory.dmp dcrat behavioral1/memory/3016-338-0x0000000000090000-0x0000000000124000-memory.dmp dcrat -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
a.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a.exe -
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/2592-327-0x0000000000411654-mapping.dmp MailPassView behavioral1/memory/2592-331-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/1916-341-0x0000000000442628-mapping.dmp WebBrowserPassView behavioral1/memory/1916-345-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1916-348-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2592-327-0x0000000000411654-mapping.dmp Nirsoft behavioral1/memory/2592-331-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1916-341-0x0000000000442628-mapping.dmp Nirsoft behavioral1/memory/1916-345-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1916-348-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Blocklisted process makes network request 5 IoCs
Processes:
msiexec.exemsiexec.exeflow pid Process 3 2012 msiexec.exe 5 2012 msiexec.exe 7 2012 msiexec.exe 12 584 msiexec.exe 14 584 msiexec.exe -
Drops file in Drivers directory 7 IoCs
Processes:
DrvInst.exeDrvInst.exeTXPlatforn.exedescription ioc Process File opened for modification C:\Windows\system32\DRIVERS\SET3F23.tmp DrvInst.exe File created C:\Windows\system32\DRIVERS\SET3F23.tmp DrvInst.exe File opened for modification C:\Windows\system32\DRIVERS\wintun.sys DrvInst.exe File opened for modification C:\Windows\system32\DRIVERS\SET4F69.tmp DrvInst.exe File created C:\Windows\system32\DRIVERS\SET4F69.tmp DrvInst.exe File opened for modification C:\Windows\system32\DRIVERS\tap0901.sys DrvInst.exe File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe -
Executes dropped EXE 35 IoCs
Processes:
openvpnserv.exeopenvpn-gui.exeopenvpn.exeopenvpn-gui.exeb6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exeRIP_YOUR_PC_LOL.exehealastounding.exePluto Panel.exe0fd7de5367376231a788872005d7ed4f.exe22.exetest.exegay.exeOpus.exeaaa.exe8f1c8b40c7be588389a8d382040b23bb.exe4.exe___11.19.exea.exesvchost.exeFFDvbcrdfqs.exe3.exeDcvxaamev.exeDcvxaamev.exeFFDvbcrdfqs.exe8f1c8b40c7be588389a8d382040b23bb.exe0fd7de5367376231a788872005d7ed4f.exeTXPlatforn.exeTXPlatforn.exesvchos.exemediaget.exeHD____11.19.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exeaaa.exe3.exeOpus.exepid Process 1900 openvpnserv.exe 1948 openvpn-gui.exe 268 openvpn.exe 1008 openvpn-gui.exe 1760 b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe 1320 RIP_YOUR_PC_LOL.exe 1520 healastounding.exe 556 Pluto Panel.exe 1184 0fd7de5367376231a788872005d7ed4f.exe 960 22.exe 1604 test.exe 1612 gay.exe 1568 Opus.exe 1632 aaa.exe 1464 8f1c8b40c7be588389a8d382040b23bb.exe 552 4.exe 2020 ___11.19.exe 1236 a.exe 1940 svchost.exe 2016 FFDvbcrdfqs.exe 432 3.exe 1052 Dcvxaamev.exe 1716 Dcvxaamev.exe 520 FFDvbcrdfqs.exe 1892 8f1c8b40c7be588389a8d382040b23bb.exe 1712 0fd7de5367376231a788872005d7ed4f.exe 1576 TXPlatforn.exe 1748 TXPlatforn.exe 828 svchos.exe 936 mediaget.exe 2140 HD____11.19.exe 2300 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe 1796 aaa.exe 2112 3.exe 3016 Opus.exe -
Modifies Installed Components in the registry 2 TTPs 6 IoCs
Processes:
MsiExec.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\StubPath = "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v OPENVPN-GUI /t REG_SZ /d \"C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe\"" MsiExec.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73} MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\ = "OpenVPN 2.5.7-I602 amd64" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\Version = "1" MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\IsInstalled = "1" MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\DontAsk = "2" MsiExec.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes:
svchos.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\8134594.txt" svchos.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
TXPlatforn.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatforn.exe -
Processes:
resource yara_rule behavioral1/memory/1940-191-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/1940-193-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/1940-194-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/1576-221-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/1940-228-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/1748-239-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/1748-242-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/1748-245-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/1796-321-0x0000000000400000-0x000000000041D000-memory.dmp upx behavioral1/memory/1748-324-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/1796-334-0x0000000000400000-0x000000000041D000-memory.dmp upx -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
a.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a.exe -
Drops startup file 2 IoCs
Processes:
mediaget.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe mediaget.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe mediaget.exe -
Loads dropped DLL 64 IoCs
Processes:
MsiExec.exeMsiExec.exeMsiExec.exemsiexec.exeopenvpnserv.exeopenvpn-gui.exeopenvpn.exeopenvpn-gui.exeRIP_YOUR_PC_LOL.exehealastounding.exe___11.19.exe4.exe8f1c8b40c7be588389a8d382040b23bb.exe22.exeFFDvbcrdfqs.exeDcvxaamev.exeTXPlatforn.exepid Process 1684 MsiExec.exe 1684 MsiExec.exe 1652 MsiExec.exe 1652 MsiExec.exe 1652 MsiExec.exe 1368 MsiExec.exe 1368 MsiExec.exe 1368 MsiExec.exe 584 msiexec.exe 584 msiexec.exe 584 msiexec.exe 584 msiexec.exe 1368 MsiExec.exe 1360 464 1900 openvpnserv.exe 1368 MsiExec.exe 1368 MsiExec.exe 1652 MsiExec.exe 1360 1684 MsiExec.exe 1948 openvpn-gui.exe 1948 openvpn-gui.exe 1948 openvpn-gui.exe 1112 268 openvpn.exe 268 openvpn.exe 268 openvpn.exe 268 openvpn.exe 1360 1360 1008 openvpn-gui.exe 1008 openvpn-gui.exe 1320 RIP_YOUR_PC_LOL.exe 1320 RIP_YOUR_PC_LOL.exe 1320 RIP_YOUR_PC_LOL.exe 1320 RIP_YOUR_PC_LOL.exe 1320 RIP_YOUR_PC_LOL.exe 1520 healastounding.exe 1520 healastounding.exe 1520 healastounding.exe 1520 healastounding.exe 1520 healastounding.exe 1520 healastounding.exe 1520 healastounding.exe 1520 healastounding.exe 1320 RIP_YOUR_PC_LOL.exe 1520 healastounding.exe 2020 ___11.19.exe 552 4.exe 552 4.exe 552 4.exe 552 4.exe 552 4.exe 1464 8f1c8b40c7be588389a8d382040b23bb.exe 1464 8f1c8b40c7be588389a8d382040b23bb.exe 1464 8f1c8b40c7be588389a8d382040b23bb.exe 1464 8f1c8b40c7be588389a8d382040b23bb.exe 960 22.exe 960 22.exe 960 22.exe 2016 FFDvbcrdfqs.exe 1052 Dcvxaamev.exe 1576 TXPlatforn.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
Processes:
vbc.exeaaa.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts aaa.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
aaa.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook aaa.exe -
Adds Run key to start application 2 TTPs 19 IoCs
Processes:
3.exemsiexec.exe3.exeOpus.exemediaget.exePluto Panel.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0fd7de5367376231a788872005d7ed4f = "\"C:\\Users\\Admin\\AppData\\Roaming\\pid\\0fd7de5367376231a788872005d7ed4f.exe\"" 3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\jnwmon\\csrss.exe\"" 3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3 = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\3.exe\"" 3.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\wshirda\\dllhost.exe\"" 3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opus = "\"C:\\Users\\Admin\\AppData\\Roaming\\test\\Opus.exe\"" 3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files (x86)\\AGP Manager\\agpmgr.exe" Opus.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." mediaget.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a = "\"C:\\Users\\Admin\\AppData\\Roaming\\DisableDismount\\a.exe\"" 3.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Pluto Panel.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\OpenVPN-GUI = "C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." mediaget.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aaa = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opus\\aaa.exe\"" 3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\AppCompat\\Programs\\spoolsv.exe\"" 3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\openvpn-gui = "\"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\openvpn-gui.exe\"" 3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\openvpnserv = "\"C:\\Program Files\\OpenVPN\\bin\\libpkcs11-helper-1\\openvpnserv.exe\"" 3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\openvpn-gui = "\"C:\\Program Files\\OpenVPN\\bin\\openvpnserv\\openvpn-gui.exe\"" 3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ö÷¶¯·ÀÓù·þÎñÄ£¿é = "\"C:\\Windows\\SysWOW64\\extrac32\\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe\"" 3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\KBDSP\\sppsvc.exe\"" 3.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
Opus.exeOpus.exea.exe3.exe3.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Opus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Opus.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Opus.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc Process File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\F: msiexec.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 36 api.ipify.org 48 whatismyipaddress.com 50 whatismyipaddress.com 51 whatismyipaddress.com -
Drops file in System32 directory 64 IoCs
Processes:
DrvInst.exesvchost.exe3.exeMsiExec.exe3.exeDrvInst.exesvchost.exesvchos.exeDrvInst.exeDrvInst.exedescription ioc Process File created C:\Windows\System32\DriverStore\INFCACHE.0 DrvInst.exe File opened for modification C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe svchost.exe File created C:\Windows\System32\wshirda\dllhost.exe 3.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_neutral_f77725472d91b1d1\nete1e3e.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netvg62a.inf_amd64_neutral_5817ae5135655364\netvg62a.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netrtx64.inf_amd64_neutral_410e89ed86071c9b\netrtx64.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_neutral_905772087ff288af\netathrx.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_neutral_4ab014d645098f5f\net8185.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\wintun.inf_amd64_neutral_def3401515466414\wintun.PNF DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_neutral_c86d6d5c3810fc04\netr28x.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netl160a.inf_amd64_neutral_f8bdd2cbac28a8fd\netl160a.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_neutral_77b02fd738dca150\netxex64.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\rndiscmp.inf_amd64_neutral_4ca64d28e1be8fa9\rndiscmp.PNF MsiExec.exe File created C:\Windows\System32\jnwmon\886983d96e3d3e31032c679b2d4ea91b6c05afef 3.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF DrvInst.exe File created C:\Windows\SysWOW64\TXPlatforn.exe svchost.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat MsiExec.exe File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe svchost.exe File opened for modification C:\Windows\System32\wshirda\dllhost.exe 3.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netl260a.inf_amd64_neutral_085226e1dfe76c55\netl260a.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_neutral_99bb33c9a5bedaea\netnvma.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netxfx64.inf_amd64_neutral_3336ecb2950fdc45\netxfx64.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_neutral_8b26ad5d0cc037a9\netk57a.PNF MsiExec.exe File created C:\Windows\System32\jnwmon\csrss.exe 3.exe File created C:\Windows\System32\DriverStore\INFCACHE.0 DrvInst.exe File created C:\Windows\System32\KBDSP\sppsvc.exe 3.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netbc664.inf_amd64_neutral_673d3dfb961e9b17\netbc664.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_neutral_59c2a018fe2cf0b4\netnvm64.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_neutral_c81780c5dcabd0a0\netbxnda.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676} DrvInst.exe File opened for modification C:\Windows\SysWOW64\ini.ini svchos.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\avmx64c.inf_amd64_neutral_8ebb15bf548db022\avmx64c.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676}\wintun.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\SET8854.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\SET8855.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_neutral_7f08406e40c6ede2\nete1g3e.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\SET8853.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_neutral_548addf09cb466fa\wnetvsc.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\wintun.inf_amd64_neutral_def3401515466414\wintun.PNF DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\SET8854.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\OemVista.PNF DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\OemVista.inf DrvInst.exe File created C:\Windows\System32\KBDSP\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c 3.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_neutral_856142fd87f1c21a\netloop.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\tdibth.inf_amd64_neutral_6ad685957123daf1\tdibth.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_neutral_9b64397618841a19\netimm.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netr7364.inf_amd64_neutral_68988e550e69a417\netr7364.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676}\wintun.cat DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676}\SET2205.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netb57va.inf_amd64_neutral_6264e97d4fc12211\netb57va.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_neutral_54f2470c084714e1\netr28ux.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_neutral_c239ab5d36a3b3e9\net8187se64.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_neutral_b4e8ccc6ba210e97\netg664.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netvfx64.inf_amd64_neutral_194cb6d2ea3a486e\netvfx64.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\SET8855.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF DrvInst.exe -
Suspicious use of SetThreadContext 6 IoCs
Processes:
0fd7de5367376231a788872005d7ed4f.exeDcvxaamev.exe8f1c8b40c7be588389a8d382040b23bb.exeaaa.exePluto Panel.exedescription pid Process procid_target PID 1184 set thread context of 1712 1184 0fd7de5367376231a788872005d7ed4f.exe 77 PID 1052 set thread context of 1716 1052 Dcvxaamev.exe 76 PID 1464 set thread context of 1892 1464 8f1c8b40c7be588389a8d382040b23bb.exe 74 PID 1632 set thread context of 1796 1632 aaa.exe 114 PID 556 set thread context of 2592 556 Pluto Panel.exe 120 PID 556 set thread context of 1916 556 Pluto Panel.exe 130 -
Drops file in Program Files directory 30 IoCs
Processes:
msiexec.exe___11.19.exe3.exeOpus.exe3.exedescription ioc Process File created C:\Program Files\OpenVPN\bin\openvpnserv.exe msiexec.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe ___11.19.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe ___11.19.exe File created C:\Program Files\OpenVPN\bin\openvpnserv\openvpn-gui.exe 3.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\3.exe 3.exe File created C:\Program Files\OpenVPN\bin\libpkcs11-helper-1.dll msiexec.exe File created C:\Program Files\OpenVPN\sample-config\server.ovpn msiexec.exe File opened for modification C:\Program Files (x86)\AGP Manager\agpmgr.exe Opus.exe File created C:\Program Files\OpenVPN\bin\libpkcs11-helper-1\74826328f97624628d94647a42849e43e9fa8dd7 3.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\eb163972666d451bbc4e8765b57a2701f8e51ea7 3.exe File created C:\Program Files\OpenVPN\include\tap-windows.h msiexec.exe File created C:\Program Files\OpenVPN\bin\tapctl.exe msiexec.exe File created C:\Program Files\OpenVPN\bin\openvpnserv\3f62022937ae2cf6c95cdcf7833ad00a7ff59189 3.exe File created C:\Program Files\OpenVPN\bin\openvpn.exe msiexec.exe File created C:\Program Files\OpenVPN\config\README.txt msiexec.exe File created C:\Program Files\OpenVPN\doc\INSTALL-win32.txt msiexec.exe File created C:\Program Files\OpenVPN\bin\libcrypto-1_1-x64.dll msiexec.exe File created C:\Program Files\OpenVPN\license.txt msiexec.exe File created C:\Program Files (x86)\OpenVPN\bin\openvpn-gui.exe ___11.19.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe ___11.19.exe File created C:\Program Files\OpenVPN\log\README.txt msiexec.exe File created C:\Program Files (x86)\AGP Manager\agpmgr.exe Opus.exe File created C:\Program Files\OpenVPN\doc\openvpn.8.html msiexec.exe File created C:\Program Files\OpenVPN\bin\vcruntime140.dll msiexec.exe File created C:\Program Files\OpenVPN\bin\libssl-1_1-x64.dll msiexec.exe File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe ___11.19.exe File created C:\Program Files\OpenVPN\bin\openvpn-gui.exe msiexec.exe File created C:\Program Files\OpenVPN\sample-config\client.ovpn msiexec.exe File created C:\Program Files\OpenVPN\res\ovpn.ico msiexec.exe File created C:\Program Files\OpenVPN\bin\libpkcs11-helper-1\openvpnserv.exe 3.exe -
Drops file in Windows directory 47 IoCs
Processes:
msiexec.exe22.exeDrvInst.exeDrvInst.exeMsiExec.exeDrvInst.exeDrvInst.exeDrvInst.exe3.exedescription ioc Process File created C:\Windows\Installer\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\openvpn.ico msiexec.exe File created C:\Windows\Installer\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\tapctl_create.ico msiexec.exe File created C:\Windows\Cursors\WUDFhosts.exe 22.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File created C:\Windows\Installer\6d0780.msi msiexec.exe File created C:\Windows\INF\oem3.PNF MsiExec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File created C:\Windows\INF\oem3.inf DrvInst.exe File opened for modification C:\Windows\Installer\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\tapctl_create.ico msiexec.exe File opened for modification C:\Windows\Installer\MSI37A1.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\Installer\MSIDAD.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.app.log MsiExec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File created C:\Windows\AppCompat\Programs\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4 3.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSI7465.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI74F3.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log MsiExec.exe File opened for modification C:\Windows\INF\oem3.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\Installer\6d0781.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\6d0781.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIFDF.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1C81.tmp msiexec.exe File created C:\Windows\Help\Winlogon.exe 22.exe File created C:\Windows\Help\active_desktop_render.dll 22.exe File created C:\Windows\INF\oem2.inf DrvInst.exe File opened for modification C:\Windows\Installer\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\openvpn.ico msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev2 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev2 DrvInst.exe File opened for modification C:\Windows\Installer\MSI7425.tmp msiexec.exe File created C:\Windows\AppCompat\Programs\spoolsv.exe 3.exe File opened for modification C:\Windows\Installer\6d0780.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI154D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1781.tmp msiexec.exe File created C:\Windows\INF\oem2.PNF MsiExec.exe File opened for modification C:\Windows\Installer\MSI15AB.tmp msiexec.exe File opened for modification C:\Windows\INF\oem2.inf DrvInst.exe File opened for modification C:\Windows\Installer\MSI81BA.tmp msiexec.exe File created C:\Windows\Installer\6d0783.msi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target Process procid_target 3000 2140 WerFault.exe 93 2856 1716 WerFault.exe 76 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe -
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid Process 2688 schtasks.exe 2892 schtasks.exe 968 schtasks.exe 2132 schtasks.exe 2184 schtasks.exe 2424 schtasks.exe 548 schtasks.exe 2968 schtasks.exe 1960 schtasks.exe 2112 schtasks.exe 2888 schtasks.exe 2952 schtasks.exe 2768 schtasks.exe 2228 schtasks.exe 2552 schtasks.exe -
Processes:
Downloads.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main Downloads.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
DrvInst.exenetsh.exerundll32.exeDrvInst.exeDrvInst.exerundll32.exeDrvInst.exeDrvInst.exeMsiExec.exemsiexec.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tcpipcfg.dll,-50002 = "TCP/IP version 6. The latest version of the internet protocol that provides communication across diverse interconnected networks." DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network." DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000070c11366e7e7d801 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000f0461d66e7e7d801 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000050a81f66e7e7d801 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MsiExec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" netsh.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" netsh.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe -
Modifies registry class 55 IoCs
Processes:
msiexec.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\ = "import" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\command\ = "\"C:\\Program Files\\OpenVPN\\bin\\openvpn.exe\" --pause-exit --config \"%1\"" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\OpenVPN.GUI.OnLogon = "OpenVPN.GUI" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\Drivers msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\SourceList\Media\1 = ";" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\DefaultIcon msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open\command\ = "\"notepad.exe\" \"%1\"" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\Drivers.Wintun = "Drivers" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\OpenVPN.Documentation = "OpenVPN" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\OpenVPN.Service = "\x06OpenVPN" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\import\command\ = "\"C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe\" --command import \"%1\"" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\EasyRSA = "\x06OpenSSL" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\SourceList\PackageName = "OpenVPN-2.5.7-I602-amd64 (1).msi" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\import msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\SourceList msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\run msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\68FDB164983D1744FB639908B6461C72\B752B75C29D30CA4F88ED7F68FA1FE37 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\Drivers.TAPWindows6 = "Drivers" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\ProductName = "OpenVPN 2.5.7-I602 amd64" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\SourceList\Net\1 = "C:\\Users\\Admin\\Desktop\\" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\run\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\ProductIcon = "C:\\Windows\\Installer\\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\\openvpn.ico" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\import\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\OpenVPN msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\PackageCode = "5E0DAF39EF8374D4AB3A9261238AF38B" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\ = "Start OpenVPN on this config file" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\import\ = "Import into OpenVPN-GUI" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\Version = "33882148" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Desktop\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ovpn\ = "OpenVPNFile" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\ = "OpenVPN Config File" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\OpenVPN.GUI = "OpenVPN" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\68FDB164983D1744FB639908B6461C72 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\SourceList\Net msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\.ovpn msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\DefaultIcon\ = "C:\\Program Files\\OpenVPN\\res\\ovpn.ico,0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\OpenSSL = "\x06" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\OpenVPN.SampleCfg = "OpenVPN" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37 msiexec.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msiexec.exeb6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe___11.19.exeOpus.exe3.exemediaget.exepid Process 584 msiexec.exe 584 msiexec.exe 1760 b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe 1760 b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe 1360 1360 1360 1360 1360 1360 1360 1360 1360 1360 1360 1360 1360 1360 1360 1360 1360 1360 1360 2020 ___11.19.exe 1360 1360 1360 1568 Opus.exe 1568 Opus.exe 1568 Opus.exe 1360 1360 1360 1360 1360 1360 432 3.exe 1360 1360 1360 1360 936 mediaget.exe 936 mediaget.exe 936 mediaget.exe 1360 1360 936 mediaget.exe 936 mediaget.exe 936 mediaget.exe 1360 936 mediaget.exe 936 mediaget.exe 936 mediaget.exe 1360 936 mediaget.exe 936 mediaget.exe 936 mediaget.exe 1360 936 mediaget.exe 936 mediaget.exe 936 mediaget.exe 1360 936 mediaget.exe 936 mediaget.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
TXPlatforn.exepid Process 1748 TXPlatforn.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exeDcvxaamev.exe8f1c8b40c7be588389a8d382040b23bb.exepid Process 1760 b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe 1052 Dcvxaamev.exe 1464 8f1c8b40c7be588389a8d382040b23bb.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exedescription pid Process Token: SeShutdownPrivilege 2012 msiexec.exe Token: SeIncreaseQuotaPrivilege 2012 msiexec.exe Token: SeRestorePrivilege 584 msiexec.exe Token: SeTakeOwnershipPrivilege 584 msiexec.exe Token: SeSecurityPrivilege 584 msiexec.exe Token: SeCreateTokenPrivilege 2012 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2012 msiexec.exe Token: SeLockMemoryPrivilege 2012 msiexec.exe Token: SeIncreaseQuotaPrivilege 2012 msiexec.exe Token: SeMachineAccountPrivilege 2012 msiexec.exe Token: SeTcbPrivilege 2012 msiexec.exe Token: SeSecurityPrivilege 2012 msiexec.exe Token: SeTakeOwnershipPrivilege 2012 msiexec.exe Token: SeLoadDriverPrivilege 2012 msiexec.exe Token: SeSystemProfilePrivilege 2012 msiexec.exe Token: SeSystemtimePrivilege 2012 msiexec.exe Token: SeProfSingleProcessPrivilege 2012 msiexec.exe Token: SeIncBasePriorityPrivilege 2012 msiexec.exe Token: SeCreatePagefilePrivilege 2012 msiexec.exe Token: SeCreatePermanentPrivilege 2012 msiexec.exe Token: SeBackupPrivilege 2012 msiexec.exe Token: SeRestorePrivilege 2012 msiexec.exe Token: SeShutdownPrivilege 2012 msiexec.exe Token: SeDebugPrivilege 2012 msiexec.exe Token: SeAuditPrivilege 2012 msiexec.exe Token: SeSystemEnvironmentPrivilege 2012 msiexec.exe Token: SeChangeNotifyPrivilege 2012 msiexec.exe Token: SeRemoteShutdownPrivilege 2012 msiexec.exe Token: SeUndockPrivilege 2012 msiexec.exe Token: SeSyncAgentPrivilege 2012 msiexec.exe Token: SeEnableDelegationPrivilege 2012 msiexec.exe Token: SeManageVolumePrivilege 2012 msiexec.exe Token: SeImpersonatePrivilege 2012 msiexec.exe Token: SeCreateGlobalPrivilege 2012 msiexec.exe Token: SeCreateTokenPrivilege 2012 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2012 msiexec.exe Token: SeLockMemoryPrivilege 2012 msiexec.exe Token: SeIncreaseQuotaPrivilege 2012 msiexec.exe Token: SeMachineAccountPrivilege 2012 msiexec.exe Token: SeTcbPrivilege 2012 msiexec.exe Token: SeSecurityPrivilege 2012 msiexec.exe Token: SeTakeOwnershipPrivilege 2012 msiexec.exe Token: SeLoadDriverPrivilege 2012 msiexec.exe Token: SeSystemProfilePrivilege 2012 msiexec.exe Token: SeSystemtimePrivilege 2012 msiexec.exe Token: SeProfSingleProcessPrivilege 2012 msiexec.exe Token: SeIncBasePriorityPrivilege 2012 msiexec.exe Token: SeCreatePagefilePrivilege 2012 msiexec.exe Token: SeCreatePermanentPrivilege 2012 msiexec.exe Token: SeBackupPrivilege 2012 msiexec.exe Token: SeRestorePrivilege 2012 msiexec.exe Token: SeShutdownPrivilege 2012 msiexec.exe Token: SeDebugPrivilege 2012 msiexec.exe Token: SeAuditPrivilege 2012 msiexec.exe Token: SeSystemEnvironmentPrivilege 2012 msiexec.exe Token: SeChangeNotifyPrivilege 2012 msiexec.exe Token: SeRemoteShutdownPrivilege 2012 msiexec.exe Token: SeUndockPrivilege 2012 msiexec.exe Token: SeSyncAgentPrivilege 2012 msiexec.exe Token: SeEnableDelegationPrivilege 2012 msiexec.exe Token: SeManageVolumePrivilege 2012 msiexec.exe Token: SeImpersonatePrivilege 2012 msiexec.exe Token: SeCreateGlobalPrivilege 2012 msiexec.exe Token: SeCreateTokenPrivilege 2012 msiexec.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
msiexec.exeopenvpn-gui.exepid Process 2012 msiexec.exe 2012 msiexec.exe 1948 openvpn-gui.exe 1948 openvpn-gui.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
openvpn-gui.exepid Process 1948 openvpn-gui.exe 1948 openvpn-gui.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
Downloads.exe___11.19.exe8f1c8b40c7be588389a8d382040b23bb.exeDcvxaamev.exe22.exepid Process 1104 Downloads.exe 1104 Downloads.exe 2020 ___11.19.exe 2020 ___11.19.exe 1464 8f1c8b40c7be588389a8d382040b23bb.exe 1052 Dcvxaamev.exe 960 22.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msiexec.exeDrvInst.exeDrvInst.exeMsiExec.exeMsiExec.exeopenvpn-gui.exeRIP_YOUR_PC_LOL.exehealastounding.exedescription pid Process procid_target PID 584 wrote to memory of 1684 584 msiexec.exe 31 PID 584 wrote to memory of 1684 584 msiexec.exe 31 PID 584 wrote to memory of 1684 584 msiexec.exe 31 PID 584 wrote to memory of 1684 584 msiexec.exe 31 PID 584 wrote to memory of 1684 584 msiexec.exe 31 PID 584 wrote to memory of 1652 584 msiexec.exe 35 PID 584 wrote to memory of 1652 584 msiexec.exe 35 PID 584 wrote to memory of 1652 584 msiexec.exe 35 PID 584 wrote to memory of 1652 584 msiexec.exe 35 PID 584 wrote to memory of 1652 584 msiexec.exe 35 PID 584 wrote to memory of 1368 584 msiexec.exe 36 PID 584 wrote to memory of 1368 584 msiexec.exe 36 PID 584 wrote to memory of 1368 584 msiexec.exe 36 PID 584 wrote to memory of 1368 584 msiexec.exe 36 PID 584 wrote to memory of 1368 584 msiexec.exe 36 PID 1072 wrote to memory of 1540 1072 DrvInst.exe 38 PID 1072 wrote to memory of 1540 1072 DrvInst.exe 38 PID 1072 wrote to memory of 1540 1072 DrvInst.exe 38 PID 2024 wrote to memory of 1608 2024 DrvInst.exe 40 PID 2024 wrote to memory of 1608 2024 DrvInst.exe 40 PID 2024 wrote to memory of 1608 2024 DrvInst.exe 40 PID 1368 wrote to memory of 1900 1368 MsiExec.exe 43 PID 1368 wrote to memory of 1900 1368 MsiExec.exe 43 PID 1368 wrote to memory of 1900 1368 MsiExec.exe 43 PID 1368 wrote to memory of 516 1368 MsiExec.exe 46 PID 1368 wrote to memory of 516 1368 MsiExec.exe 46 PID 1368 wrote to memory of 516 1368 MsiExec.exe 46 PID 1684 wrote to memory of 1948 1684 MsiExec.exe 50 PID 1684 wrote to memory of 1948 1684 MsiExec.exe 50 PID 1684 wrote to memory of 1948 1684 MsiExec.exe 50 PID 1948 wrote to memory of 268 1948 openvpn-gui.exe 51 PID 1948 wrote to memory of 268 1948 openvpn-gui.exe 51 PID 1948 wrote to memory of 268 1948 openvpn-gui.exe 51 PID 1360 wrote to memory of 1320 1360 57 PID 1360 wrote to memory of 1320 1360 57 PID 1360 wrote to memory of 1320 1360 57 PID 1360 wrote to memory of 1320 1360 57 PID 1320 wrote to memory of 1520 1320 RIP_YOUR_PC_LOL.exe 58 PID 1320 wrote to memory of 1520 1320 RIP_YOUR_PC_LOL.exe 58 PID 1320 wrote to memory of 1520 1320 RIP_YOUR_PC_LOL.exe 58 PID 1320 wrote to memory of 1520 1320 RIP_YOUR_PC_LOL.exe 58 PID 1320 wrote to memory of 556 1320 RIP_YOUR_PC_LOL.exe 59 PID 1320 wrote to memory of 556 1320 RIP_YOUR_PC_LOL.exe 59 PID 1320 wrote to memory of 556 1320 RIP_YOUR_PC_LOL.exe 59 PID 1320 wrote to memory of 556 1320 RIP_YOUR_PC_LOL.exe 59 PID 1320 wrote to memory of 1184 1320 RIP_YOUR_PC_LOL.exe 60 PID 1320 wrote to memory of 1184 1320 RIP_YOUR_PC_LOL.exe 60 PID 1320 wrote to memory of 1184 1320 RIP_YOUR_PC_LOL.exe 60 PID 1320 wrote to memory of 1184 1320 RIP_YOUR_PC_LOL.exe 60 PID 1320 wrote to memory of 960 1320 RIP_YOUR_PC_LOL.exe 61 PID 1320 wrote to memory of 960 1320 RIP_YOUR_PC_LOL.exe 61 PID 1320 wrote to memory of 960 1320 RIP_YOUR_PC_LOL.exe 61 PID 1320 wrote to memory of 960 1320 RIP_YOUR_PC_LOL.exe 61 PID 1320 wrote to memory of 960 1320 RIP_YOUR_PC_LOL.exe 61 PID 1320 wrote to memory of 960 1320 RIP_YOUR_PC_LOL.exe 61 PID 1320 wrote to memory of 960 1320 RIP_YOUR_PC_LOL.exe 61 PID 1520 wrote to memory of 1604 1520 healastounding.exe 62 PID 1520 wrote to memory of 1604 1520 healastounding.exe 62 PID 1520 wrote to memory of 1604 1520 healastounding.exe 62 PID 1520 wrote to memory of 1604 1520 healastounding.exe 62 PID 1520 wrote to memory of 1612 1520 healastounding.exe 63 PID 1520 wrote to memory of 1612 1520 healastounding.exe 63 PID 1520 wrote to memory of 1612 1520 healastounding.exe 63 PID 1520 wrote to memory of 1612 1520 healastounding.exe 63 -
System policy modification 1 TTPs 9 IoCs
Processes:
3.exe3.exeOpus.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Opus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Opus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Opus.exe -
outlook_win_path 1 IoCs
Processes:
aaa.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook aaa.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Downloads.exe"C:\Users\Admin\AppData\Local\Temp\Downloads.exe"1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1104
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\OpenVPN-2.5.7-I602-amd64 (1).msi"1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2012
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 05B67D18F5DC745F86479FBA27536E1C C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Program Files\OpenVPN\bin\openvpn-gui.exe"C:\Program Files\OpenVPN\bin\openvpn-gui.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Program Files\OpenVPN\bin\openvpn.exeopenvpn --version4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268
-
-
-
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 8E9812B685C46ACE038115CAD0A4C00E2⤵
- Loads dropped DLL
PID:1652
-
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 22B734F1894817DF29C1DBFAA1C2E831 M Global\MSI00002⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\system32\netsh.exenetsh interface set interface name="Local Area Connection 2" newname="OpenVPN Wintun"3⤵
- Modifies data under HKEY_USERS
PID:1900
-
-
C:\Windows\system32\netsh.exenetsh interface set interface name="Local Area Connection 2" newname="OpenVPN TAP-Windows6"3⤵PID:516
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:1348
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000568" "000000000000032C"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1596
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6b22850e-7c35-7017-357c-17709bdc2a6f}\wintun.inf" "9" "65109ab53" "000000000000032C" "WinSta0\Default" "0000000000000568" "208" "C:\Windows\Temp\de46534946d5613aa598c892a26a4182e94cd8b2dd3a6b923b7dde9c2b4b5c22"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{2bec2ae7-e0b1-26f9-d6c8-9c2f82a6f34a} Global\{2f2d8b98-d59b-6a85-20e8-477fcc11540e} C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676}\wintun.inf C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676}\wintun.cat2⤵
- Modifies data under HKEY_USERS
PID:1540
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7104eb05-f44a-12d6-05eb-0471b794c41e}\OemVista.inf" "9" "68a913dff" "0000000000000568" "WinSta0\Default" "00000000000004A4" "208" "C:\Windows\Temp\1571a9adb2f64dcfff8b210f1870edb801825b3a54267cb0b9bd88abba8f1a60"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{2bc51c5d-22f9-4e08-e2af-570ffb6a4c78} Global\{41fae03e-d645-7b76-dd27-bb6458cf5a18} C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\OemVista.inf C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\tap0901.cat2⤵
- Modifies data under HKEY_USERS
PID:1608
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "wintun.inf:Wintun.NTamd64:Wintun.Install:0.8.0.0:wintun" "62b53aaff" "0000000000000330" "000000000000058C" "000000000000054C"1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1960
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0001" "C:\Windows\INF\oem3.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.24.6.601:root\tap0901" "633338203" "00000000000002A8" "0000000000000330" "00000000000004C0"1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1896
-
C:\Program Files\OpenVPN\bin\openvpnserv.exe"C:\Program Files\OpenVPN\bin\openvpnserv.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1900
-
C:\Program Files\OpenVPN\bin\openvpn-gui.exe"C:\Program Files\OpenVPN\bin\openvpn-gui.exe" --command import "C:\Users\Admin\Desktop\Russia-udp.ovpn"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1008
-
C:\Users\Admin\Desktop\b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe"C:\Users\Admin\Desktop\b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe"1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1760
-
C:\Users\Admin\Desktop\RIP_YOUR_PC_LOL.exe"C:\Users\Admin\Desktop\RIP_YOUR_PC_LOL.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Users\Admin\AppData\Roaming\healastounding.exe"C:\Users\Admin\AppData\Roaming\healastounding.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Users\Admin\AppData\Roaming\test.exe"C:\Users\Admin\AppData\Roaming\test.exe"3⤵
- Executes dropped EXE
PID:1604
-
-
C:\Users\Admin\AppData\Roaming\gay.exe"C:\Users\Admin\AppData\Roaming\gay.exe"3⤵
- Executes dropped EXE
PID:1612 -
C:\Users\Admin\AppData\Roaming\mediaget.exe"C:\Users\Admin\AppData\Roaming\mediaget.exe"4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:936 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE5⤵
- Modifies Windows Firewall
PID:2500
-
-
-
-
C:\Users\Admin\AppData\Roaming\Opus.exe"C:\Users\Admin\AppData\Roaming\Opus.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1568 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1872.tmp"4⤵
- Creates scheduled task(s)
PID:548
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2E91.tmp"4⤵
- Creates scheduled task(s)
PID:2112
-
-
-
C:\Users\Admin\AppData\Roaming\aaa.exe"C:\Users\Admin\AppData\Roaming\aaa.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1632 -
C:\Users\Admin\AppData\Roaming\aaa.exe"C:\Users\Admin\AppData\Roaming\aaa.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:1796 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8162955.bat" "C:\Users\Admin\AppData\Roaming\aaa.exe" "5⤵PID:2808
-
-
-
-
C:\Users\Admin\AppData\Roaming\4.exe"C:\Users\Admin\AppData\Roaming\4.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:552 -
C:\Users\Admin\AppData\Roaming\3.exe"C:\Users\Admin\AppData\Roaming\3.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:432 -
C:\Users\Admin\AppData\Roaming\3.exe"C:\Users\Admin\AppData\Roaming\3.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- System policy modification
PID:2112 -
C:\Users\Admin\AppData\Roaming\test\Opus.exe"C:\Users\Admin\AppData\Roaming\test\Opus.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
PID:3016
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1464 -
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1052 -
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"5⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 8486⤵
- Program crash
PID:2856
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"5⤵
- Executes dropped EXE
PID:520
-
-
-
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"4⤵
- Executes dropped EXE
PID:1892
-
-
-
C:\Users\Admin\AppData\Roaming\a.exe"C:\Users\Admin\AppData\Roaming\a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1236
-
-
-
C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:556 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
PID:2592
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵PID:1916
-
-
-
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1184 -
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"3⤵
- Executes dropped EXE
PID:1712
-
-
-
C:\Users\Admin\AppData\Roaming\22.exe"C:\Users\Admin\AppData\Roaming\22.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:960 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Block3⤵PID:1760
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=Filter13⤵PID:2488
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP3⤵PID:2640
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP3⤵PID:2784
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP3⤵PID:2844
-
-
-
C:\Users\Admin\AppData\Roaming\___11.19.exe"C:\Users\Admin\AppData\Roaming\___11.19.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul4⤵PID:2008
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.15⤵
- Runs ping.exe
PID:1100
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe3⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Drops file in System32 directory
PID:828
-
-
C:\Users\Admin\AppData\Roaming\HD____11.19.exeC:\Users\Admin\AppData\Roaming\HD____11.19.exe3⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 3244⤵
- Program crash
PID:3000
-
-
-
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
PID:1748
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeC:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\8134594.txt",MainThread2⤵
- Executes dropped EXE
PID:2300
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵PID:1960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\wshirda\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "aaa" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Opus\aaa.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "openvpn-gui" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\openvpn-gui.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\DisableDismount\a.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "openvpnserv" /sc ONLOGON /tr "'C:\Program Files\OpenVPN\bin\libpkcs11-helper-1\openvpnserv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "0fd7de5367376231a788872005d7ed4f" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\pid\0fd7de5367376231a788872005d7ed4f.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Opus" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\test\Opus.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "openvpn-gui" /sc ONLOGON /tr "'C:\Program Files\OpenVPN\bin\openvpnserv\openvpn-gui.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\jnwmon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "160340192818797396851470131155-7780651571704574106-19396846661932494448-430395747"1⤵PID:2784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" /sc ONLOGON /tr "'C:\Windows\SysWOW64\extrac32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\KBDSP\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\3.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
4Scheduled Task
1Defense Evasion
Bypass User Account Control
1Disabling Security Tools
1Modify Registry
7Scripting
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94KB
MD55797d2a762227f35cdd581ec648693a8
SHA1e587b804db5e95833cbd2229af54c755ee0393b9
SHA256c51c64dfb7c445ecf0001f69c27e13299ddcfba0780efa72b866a7487b7491c7
SHA5125c4de4f65c0338f9a63b853db356175cae15c2ddc6b727f473726d69ee0d07545ac64b313c380548211216ea667caf32c5a0fd86f7abe75fc60086822bc4c92e
-
Filesize
63KB
MD593397fefb9c81d442c7fd21a49fa0905
SHA161d82acb60fc1d6229c23867fe9987297bc5eb26
SHA2561125f49d5c67ba6553be30519e32fa29f23fdf9c0f68c7198b0074dfdc01996f
SHA512a1d95a40fdc5d26b21fe210cb3e7ae5537bb7877fd9fc6b7d13413078ec73eba75ff92077c446bd230696e87fd7447060fd24f05c99f34f3ce65fe6c5cc43c75
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize471B
MD5ac8f4e239adac1f3be16390b3aeb03e7
SHA1c99bc579ecee71e61405a8c8a11f44e562c6edf5
SHA2567c2b69381484f8d56c2eb0e467452108714ea6a734666114f740b51ee6d00cfd
SHA512d33831ffec5c3acd06e59e744807246de796123b0b75cf3105ae837f219720d488978540fe667b342d712c2aa6027ae63baa9cd30fcff13284ee18f213fb0d18
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_9E87DAFD2E5867FC65A4BDC474DCD371
Filesize471B
MD51e7ee3d68387aa7c32f5d4b3f13f8d07
SHA134188c73861d1f7121ecf5af197014215dafeed7
SHA256b24094179932e9d5e77e51c46117a65a5bba08bf0daec7d5efdcccbd66a86552
SHA512724ae3e0d44f324a2604791873f7fa6e1296e1e83516d4f943a1d43dcbc1f17851d01b11868ceea406d824451667d16989fdbf28f86f4a9b24e754d1a491c482
-
Filesize
60KB
MD5d15aaa7c9be910a9898260767e2490e1
SHA12090c53f8d9fc3fbdbafd3a1e4dc25520eb74388
SHA256f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e
SHA5127e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94
-
Filesize
1KB
MD578f2fcaa601f2fb4ebc937ba532e7549
SHA1ddfb16cd4931c973a2037d3fc83a4d7d775d05e4
SHA256552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988
SHA512bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize434B
MD578e0d9d11e2f5b7ab7aadc48bf24e8cf
SHA11e9ac8d2268c5878aa57283a7e30f33fe15a1acc
SHA2560f2d9c8663155315a9ae515e3e583185c81026ec15b207e5b01ade30a149907b
SHA512af0b5406d41980170f40de36094c6fe03abf7e12544e45395bf1e744640f4987ec2f5059462b7d0ccf0cdc737e3ed174911500431c48442aeb8f64304f226846
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_9E87DAFD2E5867FC65A4BDC474DCD371
Filesize430B
MD5a33fde2e7ca9e0d87fc49da280687a0b
SHA198b48723912f4169058fa8217680c1fea6879721
SHA2567752fb7cfabe36ad1071d648fdd8ca751c05d53820a9460eb5a0ab12945a2cd7
SHA51235376ed7a3e797446609b2e7d5ddcae6938f50b86c2970bfcd64c1160e88a9c8376e7b42aaf398bc937f1d277b31f21c2db29be6de31174fa0f6116df306b02b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5109001627f441b45389817c7d69881cb
SHA17f33d4ebf2e44bfa8ee0309850d66f213e4b40f5
SHA256091a918f9e890173cbbfc8886a825f3a5cca08e59e2848b2c1dafae058a8eb5d
SHA5129a0b3a204f2f58825292a9bf6f6276dc2267f69fd6af2e2cea2f7634a975ceb4b489fc746c26e5f9616b76db978be07a2013730d3dbf5dea24570cd115ff4f3e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Filesize254B
MD5314388392b77ad41b030b74b91c13472
SHA11fce99a58853a673e1576f11593003e5c15e2a8f
SHA2565fc9ffa6b17bb6ff09d12d3fa61b21d3e3caeb5422731a6c01fc2a6d322e633f
SHA512294898ba47cc0940c26367bdfa64a40507d0fac90bfa3cee7485d54a29dd04490af41a68203c59e07134968d4c522f0847ff2294918ba473f8f223a6a4072f9e
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
Filesize
28KB
MD5af026609b5026ff10cab8608cfd116a9
SHA1b40b69c44ce8ed40f0bc8da74d7b643c3d8dec36
SHA256f09bd250428169811b958593b5b142a4a2916f49f6d1946b7b0caacba2330b43
SHA5123b3329a2349a4f542a96846a5f05a56ac88e355766a057d3162673ae6327ab8eb41a25f19556f9e8830539a643a544b7852333c5cb24ed774e6737a10fd27a2f
-
Filesize
9KB
MD5f3d7fa89f9bfb4d43d80f83b488ba9ce
SHA10f4479c0dcbb9a63babc8962948ab7e5d13afbaf
SHA2563c429b0c37b7b1aaf56c6631ccf1f0416cfa1dd60aa4ee32d0d981ef5318234e
SHA512beaf413f7ad49a08c09d976b5d4e8c45457b42ba858dccd9ca8a4c7ccfb2a95a11a382e5b22c8a25340a0e836f3408d332cae87e97e057bf4859ab42b1c0362c
-
Filesize
1KB
MD58480579050970b0812cc3d9a1bce1340
SHA1edebebd090602f4eee375ad754c8566d4fda23cb
SHA25644098408ab9611dd99a38e140c7fb1ca5dce6eb2d5f0d5e500547ac1ba5d235b
SHA51246de9202c3cf0ddbf19f9e0e02ec17530f2722abfa08669fd30a6095ce2342fa89a2cc59c1d47afd82b48c915bb95f4c6d16e7c21129a9c8f09c2bf239566933
-
Filesize
30KB
MD5b1c405ed0434695d6fc893c0ae94770c
SHA179ecacd11a5f2b7e2d3f0461eef97b7b91181c46
SHA2564c474ea37a98899e2997591a5e963f10f7d89d620c74c8ee099d3490f5213246
SHA512635421879cd4c7c069489033afaf7db1641615bfd84e237264acfe3f2d67668ecfe8a9b9edd0e9d35b44dec7d6ba0197ed7048dfb8ec3dba87ccdc88be9acfb7
-
Filesize
7KB
MD526009f092ba352c1a64322268b47e0e3
SHA1e1b2220cd8dcaef6f7411a527705bd90a5922099
SHA256150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9
SHA512c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363
-
Filesize
9KB
MD54fee2548578cd9f1719f84d2cb456dbf
SHA13070ed53d0e9c965bf1ffea82c259567a51f5d5f
SHA256baecd78253fb6fbcfb521131e3570bf655aa9a05bb5610ce8bb4bddccf599b24
SHA5126bc0c8c3757d1e226218a9485a4f9cdbae7ca40b56c35b9ff28c373be9bd6fbd7b1846ddf5680edb2e910d31912791afe2f9f2207b3880b56adb55426fc3fd49
-
Filesize
4.2MB
MD55eb35ebcf9e8c2f742ada2b58b539755
SHA1b0dd289cb1945cab4667e79ff0f053905c3f5ab0
SHA2565212a707c137cf8b133a21cab458a03d81592a4b713cfb7bc668a661e604313f
SHA512475889b8a718ed736b0b08ac80714d38a5feb501242fcac5382e1ef6fb34e669571720d0491e9954cd741ba314ff8f312b6636d681579110c72d305f952b7159
-
Filesize
7KB
MD5be073de16088676381ee1d0e13d6ac4e
SHA13c1d230134033b9fe248d5d020b72f1d889dfa64
SHA256e1a702ed3ff2dc9610bd8fb25addcfcb99455f71926037fc1ac65ad10e7ab9de
SHA5124355e2145bc39d3acd9e55d86c9947330d3787c6bea53314b7b94e9b7b0af1197e26af0e4c222bb2c479bf2f9cfa23cc70d2295274cfd503796797d5f6a24c05
-
Filesize
1KB
MD58480579050970b0812cc3d9a1bce1340
SHA1edebebd090602f4eee375ad754c8566d4fda23cb
SHA25644098408ab9611dd99a38e140c7fb1ca5dce6eb2d5f0d5e500547ac1ba5d235b
SHA51246de9202c3cf0ddbf19f9e0e02ec17530f2722abfa08669fd30a6095ce2342fa89a2cc59c1d47afd82b48c915bb95f4c6d16e7c21129a9c8f09c2bf239566933
-
Filesize
8KB
MD5062e9c11f9fb9c0e1ab96e07f40c69f2
SHA12c497a52b9e9e545835ed7f20bde159d2dd6aead
SHA256b60238bd3ab8392de0804cc13feb8c47dd861e8d889fc5b38023288a05abf93e
SHA512f469b57307747bc829bd770e0f95e6ac82d0b131169a8e255a687f3e07b90a63b63b71678b5f85e4f83d18872d4af186a97fdd2395358e19a25c53e6c301691a
-
Filesize
7KB
MD526009f092ba352c1a64322268b47e0e3
SHA1e1b2220cd8dcaef6f7411a527705bd90a5922099
SHA256150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9
SHA512c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363
-
Filesize
275KB
MD52232c07e354364e0eb1dc80024593826
SHA165bb4232c0416cfb2c158bfc32a7732ad72cee72
SHA256fb1cd5e7c3ea30dfafd3cc1862e311388361d896610db28c63716da9d71e8f3f
SHA512f0d295565b209f4dedd2a79123fa54ff9b8cbb173f14463ab3d3707b8d87aad84b05c2898478ecc148e29d02fa07ddda9499795e0ceafc2982c0adbd570a3572
-
Filesize
262KB
MD5525a2895051f5cf8e068abe360ea2b1b
SHA1925bd576b2b93b1a3a6ebf22e0a00c3510a0a589
SHA256ced917f052a2d81424b51c2d690cb57635bf313a8cd9bc9b33cb6c43fb2cc422
SHA51272cf54c9357dae09730e95b2e149e72ca319588956946de7bd5f0bb2046569c38c7853720f586df17ef9987fc12b44b869410587126c4ec0973f27708fb4da41
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
Filesize
275KB
MD52232c07e354364e0eb1dc80024593826
SHA165bb4232c0416cfb2c158bfc32a7732ad72cee72
SHA256fb1cd5e7c3ea30dfafd3cc1862e311388361d896610db28c63716da9d71e8f3f
SHA512f0d295565b209f4dedd2a79123fa54ff9b8cbb173f14463ab3d3707b8d87aad84b05c2898478ecc148e29d02fa07ddda9499795e0ceafc2982c0adbd570a3572
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
Filesize
262KB
MD5525a2895051f5cf8e068abe360ea2b1b
SHA1925bd576b2b93b1a3a6ebf22e0a00c3510a0a589
SHA256ced917f052a2d81424b51c2d690cb57635bf313a8cd9bc9b33cb6c43fb2cc422
SHA51272cf54c9357dae09730e95b2e149e72ca319588956946de7bd5f0bb2046569c38c7853720f586df17ef9987fc12b44b869410587126c4ec0973f27708fb4da41
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
Filesize
30KB
MD5b1c405ed0434695d6fc893c0ae94770c
SHA179ecacd11a5f2b7e2d3f0461eef97b7b91181c46
SHA2564c474ea37a98899e2997591a5e963f10f7d89d620c74c8ee099d3490f5213246
SHA512635421879cd4c7c069489033afaf7db1641615bfd84e237264acfe3f2d67668ecfe8a9b9edd0e9d35b44dec7d6ba0197ed7048dfb8ec3dba87ccdc88be9acfb7
-
Filesize
28KB
MD5af026609b5026ff10cab8608cfd116a9
SHA1b40b69c44ce8ed40f0bc8da74d7b643c3d8dec36
SHA256f09bd250428169811b958593b5b142a4a2916f49f6d1946b7b0caacba2330b43
SHA5123b3329a2349a4f542a96846a5f05a56ac88e355766a057d3162673ae6327ab8eb41a25f19556f9e8830539a643a544b7852333c5cb24ed774e6737a10fd27a2f
-
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF
Filesize8KB
MD531c2314ce0fdab5742cc08c9ee83458a
SHA1e313e040df2b04838e0d95f704cfb954ee889e10
SHA2560cce5520e3787b68136626b688bf9a49bcf0e41253a6036b00ae8e905d2d87b4
SHA512f428411409c1fcad57dce51160b4078034cebec181a6c10dc830536102cd38c96b49c141cf2101515cce8a34b09c5e6d4036c8ddac1e11439b84136ad6fece2d
-
Filesize
7KB
MD51bd48dd18a2257f714e5f3b6640b7bab
SHA150392da0a812e43a2b9d81797e7a3cc7ad8efb7e
SHA256ecdbc859186272dce6271b9d5470c4ede7673a8e99b57bd93c8c77fd842f1c31
SHA5128437a0af212676fffd353bad7057c4a7b60dc100afe545560eead2808a460b53cbb3e54cff955f2fb8b06dec9a6070cfc032229ec8551b6be806368f7ffe12e6
-
Filesize
1.4MB
MD5cbd8f8093104b7359fafaccb7222f959
SHA1ae51db1d6f471216251438cf1612a0839baa8f68
SHA2564469586652ce5b71493216a5fd2608dd387dfeaf55cd8e43124d1d4264b0b56d
SHA51292d6ac9d947460f11b8d5a2f04eb75f472a085817fd21638a2fc4f6d14d19c53ed5401d10bd3b551e55025b1b0765eec32aafc8dba1aea21c724a76d55c81b37
-
Filesize
1.4MB
MD520748bcff75ee1fb82f09e5d996ccf09
SHA1d9a96de21ea56a3715425f452d5cc64f920a442d
SHA2567215d2d63526ab743dd61aea989509605cb388388990d9fe53b00a9f7efb3465
SHA5127a5aeab8b1843149aee743a9cd5698c67536066174e21d6cf9671fdf15b9edbd6d580623835401ef8abb0f8125482c0e752029eebe23ab127093670f4850599d
-
Filesize
7KB
MD526009f092ba352c1a64322268b47e0e3
SHA1e1b2220cd8dcaef6f7411a527705bd90a5922099
SHA256150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9
SHA512c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363
-
Filesize
9KB
MD54fee2548578cd9f1719f84d2cb456dbf
SHA13070ed53d0e9c965bf1ffea82c259567a51f5d5f
SHA256baecd78253fb6fbcfb521131e3570bf655aa9a05bb5610ce8bb4bddccf599b24
SHA5126bc0c8c3757d1e226218a9485a4f9cdbae7ca40b56c35b9ff28c373be9bd6fbd7b1846ddf5680edb2e910d31912791afe2f9f2207b3880b56adb55426fc3fd49
-
Filesize
9KB
MD5f3d7fa89f9bfb4d43d80f83b488ba9ce
SHA10f4479c0dcbb9a63babc8962948ab7e5d13afbaf
SHA2563c429b0c37b7b1aaf56c6631ccf1f0416cfa1dd60aa4ee32d0d981ef5318234e
SHA512beaf413f7ad49a08c09d976b5d4e8c45457b42ba858dccd9ca8a4c7ccfb2a95a11a382e5b22c8a25340a0e836f3408d332cae87e97e057bf4859ab42b1c0362c
-
Filesize
1KB
MD58480579050970b0812cc3d9a1bce1340
SHA1edebebd090602f4eee375ad754c8566d4fda23cb
SHA25644098408ab9611dd99a38e140c7fb1ca5dce6eb2d5f0d5e500547ac1ba5d235b
SHA51246de9202c3cf0ddbf19f9e0e02ec17530f2722abfa08669fd30a6095ce2342fa89a2cc59c1d47afd82b48c915bb95f4c6d16e7c21129a9c8f09c2bf239566933
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
801KB
MD541dcc29d7eaba7b84fd54323394712af
SHA1ddc0100723cc2dc9ae8b02a0cb7fe4a86c02d54b
SHA256a909bef708a47ae428fedbc566132c56f15ae7511dc460cf22055ec1a72d485a
SHA5125a3e8c1eda558e0b90470d752490bc4d04610f93e453cbfd9013a363cfdf5e607974d526c49efe2ef0440e241d775b66bd7c48c74ee9e8677a37cdedc30c42ee
-
Filesize
801KB
MD541dcc29d7eaba7b84fd54323394712af
SHA1ddc0100723cc2dc9ae8b02a0cb7fe4a86c02d54b
SHA256a909bef708a47ae428fedbc566132c56f15ae7511dc460cf22055ec1a72d485a
SHA5125a3e8c1eda558e0b90470d752490bc4d04610f93e453cbfd9013a363cfdf5e607974d526c49efe2ef0440e241d775b66bd7c48c74ee9e8677a37cdedc30c42ee
-
Filesize
801KB
MD541dcc29d7eaba7b84fd54323394712af
SHA1ddc0100723cc2dc9ae8b02a0cb7fe4a86c02d54b
SHA256a909bef708a47ae428fedbc566132c56f15ae7511dc460cf22055ec1a72d485a
SHA5125a3e8c1eda558e0b90470d752490bc4d04610f93e453cbfd9013a363cfdf5e607974d526c49efe2ef0440e241d775b66bd7c48c74ee9e8677a37cdedc30c42ee
-
Filesize
801KB
MD541dcc29d7eaba7b84fd54323394712af
SHA1ddc0100723cc2dc9ae8b02a0cb7fe4a86c02d54b
SHA256a909bef708a47ae428fedbc566132c56f15ae7511dc460cf22055ec1a72d485a
SHA5125a3e8c1eda558e0b90470d752490bc4d04610f93e453cbfd9013a363cfdf5e607974d526c49efe2ef0440e241d775b66bd7c48c74ee9e8677a37cdedc30c42ee
-
Filesize
63KB
MD593397fefb9c81d442c7fd21a49fa0905
SHA161d82acb60fc1d6229c23867fe9987297bc5eb26
SHA2561125f49d5c67ba6553be30519e32fa29f23fdf9c0f68c7198b0074dfdc01996f
SHA512a1d95a40fdc5d26b21fe210cb3e7ae5537bb7877fd9fc6b7d13413078ec73eba75ff92077c446bd230696e87fd7447060fd24f05c99f34f3ce65fe6c5cc43c75
-
Filesize
37KB
MD5cab1b54a817fbcedcef2c09e3ac60b77
SHA1c0f78271670af581037429fe688cfd277ebbfd43
SHA25643b19f2d9726b32edfbdbe10a4b4e59b7ba7d27bc4a940467f77a44977e2e41a
SHA512812555b6be6de6ccc6bce6b67b8daafb72cba4645d4730b7b11e165cac1099cda1fb653590ca6628839aaa3cc7a22f5a3b2edb0fe583c79b04a5a5f7c6dd2b73
-
Filesize
37KB
MD5cab1b54a817fbcedcef2c09e3ac60b77
SHA1c0f78271670af581037429fe688cfd277ebbfd43
SHA25643b19f2d9726b32edfbdbe10a4b4e59b7ba7d27bc4a940467f77a44977e2e41a
SHA512812555b6be6de6ccc6bce6b67b8daafb72cba4645d4730b7b11e165cac1099cda1fb653590ca6628839aaa3cc7a22f5a3b2edb0fe583c79b04a5a5f7c6dd2b73
-
Filesize
94KB
MD55797d2a762227f35cdd581ec648693a8
SHA1e587b804db5e95833cbd2229af54c755ee0393b9
SHA256c51c64dfb7c445ecf0001f69c27e13299ddcfba0780efa72b866a7487b7491c7
SHA5125c4de4f65c0338f9a63b853db356175cae15c2ddc6b727f473726d69ee0d07545ac64b313c380548211216ea667caf32c5a0fd86f7abe75fc60086822bc4c92e
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
Filesize
275KB
MD52232c07e354364e0eb1dc80024593826
SHA165bb4232c0416cfb2c158bfc32a7732ad72cee72
SHA256fb1cd5e7c3ea30dfafd3cc1862e311388361d896610db28c63716da9d71e8f3f
SHA512f0d295565b209f4dedd2a79123fa54ff9b8cbb173f14463ab3d3707b8d87aad84b05c2898478ecc148e29d02fa07ddda9499795e0ceafc2982c0adbd570a3572
-
Filesize
262KB
MD5525a2895051f5cf8e068abe360ea2b1b
SHA1925bd576b2b93b1a3a6ebf22e0a00c3510a0a589
SHA256ced917f052a2d81424b51c2d690cb57635bf313a8cd9bc9b33cb6c43fb2cc422
SHA51272cf54c9357dae09730e95b2e149e72ca319588956946de7bd5f0bb2046569c38c7853720f586df17ef9987fc12b44b869410587126c4ec0973f27708fb4da41
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
Filesize
275KB
MD52232c07e354364e0eb1dc80024593826
SHA165bb4232c0416cfb2c158bfc32a7732ad72cee72
SHA256fb1cd5e7c3ea30dfafd3cc1862e311388361d896610db28c63716da9d71e8f3f
SHA512f0d295565b209f4dedd2a79123fa54ff9b8cbb173f14463ab3d3707b8d87aad84b05c2898478ecc148e29d02fa07ddda9499795e0ceafc2982c0adbd570a3572
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
Filesize
262KB
MD5525a2895051f5cf8e068abe360ea2b1b
SHA1925bd576b2b93b1a3a6ebf22e0a00c3510a0a589
SHA256ced917f052a2d81424b51c2d690cb57635bf313a8cd9bc9b33cb6c43fb2cc422
SHA51272cf54c9357dae09730e95b2e149e72ca319588956946de7bd5f0bb2046569c38c7853720f586df17ef9987fc12b44b869410587126c4ec0973f27708fb4da41
-
Filesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550