435506cbe66bebdfdf9a2a94b1e8f483fdf108ab308129a6eb8dfd56a8bc77bc

Analysis

max time kernel
151s
max time network
140s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22-12-2022 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows.10.codec.pack.v2.2.0.setup.exe
Size

45.5MB
MD5

908ea32c938f24669728a7c026a6552b
SHA1

2695b6cd468636b09c1495a86a69ce4f56203a0c
SHA256

435506cbe66bebdfdf9a2a94b1e8f483fdf108ab308129a6eb8dfd56a8bc77bc
SHA512

342281df3e8823dbca8231335c17d76fbc4d0ba35a97c2d777d11c9ca33b86e689ef54c86aebbbec50a6f499b7232c4d56406f0471cce666a74203bfe95e710e
SSDEEP

786432:Zbe52lsoZacQr5el64WTdDUCpGnSlyXMs8AdIqCmF3kdPEcOKbBhscBpw4yTie6d:ZbpHZac09DtpI7XMvmIqoPppw4yees

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Processes:

SetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeTrayMenu.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exe

pid	process
1336	SetACL.exe
1424	SetACL.exe
1932	SetACL.exe
1752	SetACL.exe
1668	SetACL.exe
304	SetACL.exe
1884	SetACL.exe
1000	SetACL.exe
1936	SetACL.exe
1572	SetACL.exe
2012	SetACL.exe
1496	SetACL.exe
1148	SetACL.exe
828	SetACL.exe
572	SetACL.exe
1080	SetACL.exe
1680	SetACL.exe
1612	SetACL.exe
1840	SetACL.exe
1840	TrayMenu.exe
1716	SetACL.exe
804	SetACL.exe
1108	SetACL.exe
1424	SetACL.exe
1496	SetACL.exe
1368	SetACL.exe
2016	SetACL.exe
1444	SetACL.exe
1120	SetACL.exe
1676	SetACL.exe
1884	SetACL.exe
1616	SetACL.exe
1076	SetACL.exe
1224	SetACL.exe
1336	SetACL.exe
1572	SetACL.exe
1540	SetACL.exe
1424	SetACL.exe
1940	SetACL.exe
1704	SetACL.exe
2016	SetACL.exe
1444	SetACL.exe
304	SetACL.exe
1588	SetACL.exe
1620	SetACL.exe
552	SetACL.exe
1076	SetACL.exe
1272	SetACL.exe
1964	SetACL.exe
656	SetACL.exe
1156	SetACL.exe
1068	SetACL.exe
548	SetACL.exe
1880	SetACL.exe
2008	SetACL.exe
1092	SetACL.exe
1800	SetACL.exe
1444	SetACL.exe
604	SetACL.exe
2032	SetACL.exe
1616	SetACL.exe
1420	SetACL.exe
1636	SetACL.exe
824	SetACL.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{90C7D10E-CE9A-479B-A238-1A0F2396DE43}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0180E49C-13BF-46DB-9AFD-9F52292E1C22}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2D4D6F88-8B41-40A2-B297-3D722816648B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04FE9017-F873-410E-871E-AB91661A4EF7}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0B390488-D80F-4A68-8408-48DC199F0E97}\InprocServer32\ = "C:\\Windows\\system32\\ffdshow.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6E8FC04-8B05-48B1-9399-848229502A06}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{87271B4E-1726-4CED-AF0D-BE675621FD29}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F544E0F5-CA3C-47EA-A64D-35FCF1602396}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8E73B6B-4CB3-44A4-BE99-4F7BCB96E491}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BD72668E-6BFF-4CD1-8480-D465708B336B}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20ED4A03-6AFD-4FD9-980B-2F6143AA0892}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F40E1E5-4F79-4988-B1A9-CC98794E6B55}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A0606860-51BE-4CF6-99C0-7CE5F78AC2D8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8B25C0E-0894-4531-B668-AB1599FAF7F6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{007FC171-01AA-4B3A-B2DB-062DEE815A1E}\InprocServer32\ = "C:\\Windows\\system32\\ffdshow.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DB2B5D9-4556-4340-B189-AD20110D953F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F40E1E5-4F79-4988-B1A9-CC98794E6B55}\InprocServer32\ = "C:\\Windows\\system32\\ffdshow.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B86F6BEE-E7C0-4D03-8D52-5B4430CF6C88}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53D9DE0B-FC61-4650-9773-74D13CC7E582}\InprocServer32\ = "C:\\Windows\\system32\\mkx.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8E73B6B-4CB3-44A4-BE99-4F7BCB96E491}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{007FC171-01AA-4B3A-B2DB-062DEE815A1E}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A0606860-51BE-4CF6-99C0-7CE5F78AC2D8}\InprocServer32\ = "C:\\Windows\\system32\\ffdshow.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A36C253D-CEE4-4BCA-9CC2-E03CF6BBB054}\InprocServer32\ = "C:\\Windows\\system32\\dxr.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B841F346-4835-4de8-AA5E-2E7CD2D4C435}\InprocServer32\ = "C:\\Windows\\system32\\ts.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B3DE7EDC-0CD4-4d07-B1C5-92219CD475CC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B841F346-4835-4de8-AA5E-2E7CD2D4C435}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B841F346-4835-4de8-AA5E-2E7CD2D4C435}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE30215D-164F-4A92-A4EB-9D4C13390F9F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DB2B5D9-4556-4340-B189-AD20110D953F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F71651E-65D2-40BF-AC44-275D11927D99}\InprocServer32\ = "C:\\Windows\\system32\\ffdshow.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51A00247-40A8-4845-9F17-7DBFCC9A8783}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BD4FB4BE-809D-487b-ADD6-F7D164247E52}\InprocServer32\ = "C:\\Windows\\system32\\mkx.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{171252A0-8820-4AFE-9DF8-5C92B2D66B04}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C89FC33C-E60A-4C97-BEF4-ACC5762B6404}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}\InprocServer32\ = "C:\\Windows\\system32\\dxr.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{564FD788-86C9-4444-971E-CC4A243DA150}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE30215D-164F-4A92-A4EB-9D4C13390F9F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2D8F1801-A70D-48F4-B76B-7F5AE022AB54}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A19DE2F2-2F74-4927-8436-61129D26C141}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49590BC9-6DD5-4E44-AD4C-E8FCB7131EC4}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F71651E-65D2-40BF-AC44-275D11927D99}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D367878E-F3B8-4235-A968-F378EF1B9A44}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69CE757B-E8C0-4B0A-9EA0-CEA284096F98}\InprocServer32\ = "C:\\Windows\\system32\\VSFilter.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69CE757B-E8C0-4B0A-9EA0-CEA284096F98}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49590BC9-6DD5-4E44-AD4C-E8FCB7131EC4}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8E9922F0-B775-45B8-B650-941BEA790EEB}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64F2005C-6CF5-4652-B94F-600360B15B27}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A36C253D-CEE4-4BCA-9CC2-E03CF6BBB054}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278407C2-558C-4BED-83A0-B6FA454200BD}\InprocServer32\ = "C:\\Windows\\system32\\LAVVideo.ax"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B98D13E7-55DB-4385-A33D-09FD1BA26338}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F71651E-65D2-40BF-AC44-275D11927D99}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CA71B1E-A67D-4D54-A200-FA47605483A7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBF9000E-F08C-4858-B769-C914A0FBB1D7}\InprocServer32\ = "C:\\Windows\\system32\\ffdshow.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB43B405-43AA-4f01-82D8-D84D47E6019C}\InprocServer32\ = "C:\\Windows\\system32\\ogm.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04FE9017-F873-410E-871E-AB91661A4EF7}\InprocServer32\ = "C:\\Windows\\system32\\ffdshow.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CA71B1E-A67D-4D54-A200-FA47605483A7}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{545A00C2-FCCC-40B3-9310-2C36AE64B0DD}\InprocServer32\ = "C:\\Windows\\system32\\ffdshow.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{564FD788-86C9-4444-971E-CC4A243DA150}\InprocServer32\ = "C:\\Windows\\system32\\splitter.x64.ax"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2F64369-3A16-4692-A6C0-6EFCB6AEBAC1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0B0EFF97-C750-462C-9488-B10E7D87F1A6}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe

Loads dropped DLL 64 IoCs

Processes:

windows.10.codec.pack.v2.2.0.setup.exe

pid	process
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
1392
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
1156
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
1928
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
828
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
1512
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
680
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
1620
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
1104
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
692
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
624
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
768
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
1808
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
548
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
1752
780	windows.10.codec.pack.v2.2.0.setup.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windows.10.codec.pack.v2.2.0.setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Codec Settings UAC Manager = "\"C:\\Windows\\system32\\Codecs\\CodecUACManager.exe\""	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Codec Pack Update Checker = "\"C:\\Windows\\system32\\Codecs\\UpdateChecker.exe\""	windows.10.codec.pack.v2.2.0.setup.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1063

Processes:

windows.10.codec.pack.v2.2.0.setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	windows.10.codec.pack.v2.2.0.setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	windows.10.codec.pack.v2.2.0.setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	windows.10.codec.pack.v2.2.0.setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	windows.10.codec.pack.v2.2.0.setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

Processes:

windows.10.codec.pack.v2.2.0.setup.exe

description	ioc	process
File created	C:\Windows\SysWOW64\FLWindowsVistaAPI.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\DCBassSourceMod.ax.new	windows.10.codec.pack.v2.2.0.setup.exe
File opened for modification	C:\Windows\SysWOW64\Codecs\icon.ico	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\avutil-ics-56.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.id.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.pt_BR.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Shaders\Sepia.hlsl	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Shaders\Sharpen complex.hlsl	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\xvidcore.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Formats.ini.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\IcarosThumbnailProvider.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.eu.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\VzCsDsAudioDevice.vzcs.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\dsmux.exe.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\avi.x64.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\AudioProfiler.exe.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\LAVFilters\avformat-lav-59.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Shaders\YV12 chroma upsampling.hlsl	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\ff_samplerate.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\OptimFROG.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\swresample-lav-4.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\avformat-ics-58.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Shaders\Denoise.hlsl	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.el.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.vi.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\ffdshow.ax.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\LAVAudio.ax.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\bassopus.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.be.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\IcarosConfig.exe.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.sl.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.bn.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\DivXa32.acm.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\mkx.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\cue2xml.js.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\IntelQuickSyncDecoder.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\avutil-ics-56.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.ar.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\IcarosThumbnailProvider.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\ff_liba52.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\PCMOUT_VIDEO_2496.bmp.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\swresample-lav-4.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\libbluray.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\CleanUp_x64.exe.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Shaders\Letterbox.hlsl	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.ca.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\IcarosPropertyHandler.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\ffmpeg.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\avformat-lav-59.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.tt.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Shaders\Gaussian Blur_pass1.hlsl	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\PCMOUT_VIDEO_1644.bmp.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\bass_tta.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.zh_TW.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Shaders\Sharpen.hlsl	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\LAVFilters\avfilter-lav-8.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Lagarith.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\mkzlib.x64.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.ko.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Shaders\Procamp.hlsl	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\ffmpeg.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.sv.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Shaders\Deinterlace (blend).hlsl	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\ff_wmv9.dll.new	windows.10.codec.pack.v2.2.0.setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

windows.10.codec.pack.v2.2.0.setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windows.10.codec.pack.v2.2.0.setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windows.10.codec.pack.v2.2.0.setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	windows.10.codec.pack.v2.2.0.setup.exe

Modifies registry class 64 IoCs

Processes:

windows.10.codec.pack.v2.2.0.setup.exeSetACL.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeSetACL.exeSetACL.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mk3d\InfoTip = "prop:System.ItemType;System.Size;System.Media.Duration;System.OfflineAvailability"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ac3\ShellEx	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ogg\ShellEx	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse	SetACL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.OGG\shell\open\LegacyDisable	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.tta\InfoTip = "prop:System.ItemType;System.Size;System.Media.Duration;System.OfflineAvailability"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F71651E-65D2-40BF-AC44-275D11927D99}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C69148D9-FA1B-424A-B52E-2D618A1E7158}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{0B0EFF97-C750-462C-9488-B10E7D87F1A6}\FriendlyName = "ffdshow DXVA Video Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{49952F4C-3EDC-4A9B-8906-1DE02A3D4BC2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A19DE2F2-2F74-4927-8436-61129D26C141}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D8F1801-A70D-48F4-B76B-7F5AE022AB54}\InprocServer32\ThreadingModel = "Both"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mp4\InfoTip = "prop:System.ItemType;System.Size;System.Media.Duration;System.OfflineAvailability"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.FLV\shell\play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9991"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1C773E9-6D1B-4AFA-8E2A-588DDFACBCDD}\TypeLib\ = "{30434FE5-2E32-444D-B242-7AE5AC0C5BA4}"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VzCs.VzCsMedia	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B28141B3-ACE4-4746-8C38-64035BF8A6B4}\InprocServer32\ = "C:\\Windows\\SysWOW64\\DSDVideoOutFilter.ax"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51A00247-40A8-4845-9F17-7DBFCC9A8783}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69CE757B-E8C0-4B0A-9EA0-CEA284096F98}\ = "DVSMorePPage"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E8E73B6B-4CB3-44A4-BE99-4F7BCB96E491}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.MOV\shell\open\command	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.SHN\shellex\	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources	SetACL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C54F71E-EA15-43A5-8EA5-ADB91283D3D7}\VersionIndependentProgID	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F9745F7-D3E1-4FDE-A0FD-1A01AC97C9BD}	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B28141B3-ACE4-4746-8C38-64035BF8A6B4}\InprocServer32	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}\InprocServer32\ThreadingModel = "Both"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{564FD788-86C9-4444-971E-CC4A243DA150}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C2D6D98F-09CA-4524-AF64-1049B5665C9C}\InprocServer32\ = "C:\\Windows\\SysWow64\\VSFilter.dll"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{EE30215D-164F-4A92-A4EB-9D4C13390F9F}\FilterData = 02000000030080000200000000000000307069330000000000000000e800000000000000000000003074793300000000200f0000300f00003174793300000000200f0000400f00003274793300000000200f0000500f00003374793300000000200f0000600f00003474793300000000200f0000700f00003574793300000000200f0000800f00003674793300000000200f0000900f00003774793300000000200f0000a00f00003874793300000000200f0000b00f00003974793300000000200f0000c00f00003a74793300000000200f0000d00f00003b74793300000000200f0000e00f00003c74793300000000200f0000f00f00003d74793300000000200f0000001000003e74793300000000200f0000101000003f74793300000000200f0000201000004074793300000000200f0000301000004174793300000000401000003010000042747933000000005010000030100000437479330000000060100000301000004474793300000000200f0000701000004574793300000000200f0000801000004674793300000000200f0000901000004774793300000000200f0000a01000004874793300000000200f0000b01000004974793300000000200f0000c01000004a74793300000000200f0000d01000004b74793300000000200f0000e01000004c74793300000000200f0000f01000004d74793300000000200f0000001100004e74793300000000200f0000101100004f74793300000000200f0000201100005074793300000000200f0000301100005174793300000000200f0000401100005274793300000000200f0000501100005374793300000000200f0000601100005474793300000000200f0000701100005574793300000000200f0000801100005674793300000000200f0000901100005774793300000000200f0000a01100005874793300000000200f0000b01100005974793300000000200f0000c01100005a74793300000000200f0000d01100005b74793300000000200f0000e01100005c74793300000000200f0000f01100005d74793300000000200f0000001200005e74793300000000200f0000101200005f74793300000000200f0000201200006074793300000000200f0000301200006174793300000000200f0000401200006274793300000000200f0000501200006374793300000000200f0000601200006474793300000000200f0000701200006574793300000000200f0000801200006674793300000000200f0000901200006774793300000000200f0000a01200006874793300000000200f0000b01200006974793300000000200f0000c01200006a74793300000000200f0000d01200006b74793300000000200f0000e01200006c74793300000000200f0000f01200006d74793300000000200f0000001300006e74793300000000200f0000101300006f74793300000000200f0000201300007074793300000000200f0000301300007174793300000000200f0000401300007274793300000000200f0000501300007374793300000000200f0000601300007474793300000000200f0000701300007574793300000000200f0000801300007674793300000000200f0000901300007774793300000000200f0000a01300007874793300000000200f0000b01300007974793300000000200f0000c01300007a74793300000000200f0000d01300007b74793300000000200f0000e01300007c74793300000000200f0000f01300007d74793300000000200f0000001400007e74793300000000200f0000101400007f74793300000000200f0000201400008074793300000000200f0000301400008174793300000000200f0000401400008274793300000000200f0000501400008374793300000000200f0000601400008474793300000000200f0000701400008574793300000000200f0000801400008674793300000000200f0000901400008774793300000000200f0000a01400008874793300000000200f0000b01400008974793300000000200f0000c01400008a74793300000000200f0000d01400008b74793300000000200f0000e01400008c74793300000000200f0000f01400008d74793300000000200f0000001500008e74793300000000200f0000101500008f74793300000000200f0000201500009074793300000000200f0000301500009174793300000000200f0000401500009274793300000000200f0000501500009374793300000000200f0000601500009474793300000000200f0000701500009574793300000000200f0000801500009674793300000000200f0000901500009774793300000000200f0000a01500009874793300000000200f0000b01500009974793300000000200f0000c01500009a74793300000000200f0000d01500009b74793300000000200f0000e01500009c74793300000000200f0000f01500009d74793300000000200f0000001600009e74793300000000200f0000101600009f74793300000000200f000020160000a074793300000000200f000030160000a174793300000000200f000040160000a274793300000000200f000050160000a374793300000000200f000060160000a474793300000000200f000070160000a574793300000000200f000080160000a674793300000000200f000090160000a774793300000000200f0000a0160000a874793300000000200f0000b0160000a974793300000000200f0000c0160000aa74793300000000200f0000d0160000ab74793300000000200f0000e0160000ac74793300000000200f0000f0160000ad74793300000000200f000000170000ae74793300000000200f000010170000af74793300000000200f000020170000b074793300000000200f000030170000b174793300000000200f000040170000b274793300000000200f000050170000b374793300000000200f000060170000b474793300000000200f000070170000b574793300000000200f000080170000b674793300000000200f000090170000b774793300000000200f0000a0170000b874793300000000200f0000b0170000b974793300000000200f0000c0170000ba74793300000000200f0000d0170000bb74793300000000200f0000e0170000bc74793300000000200f0000f0170000bd74793300000000200f000000180000be74793300000000200f000010180000bf74793300000000200f000010180000c074793300000000200f000020180000c174793300000000200f000030180000c274793300000000200f000040180000c374793300000000200f000050180000c474793300000000200f000060180000c574793300000000200f000070180000c674793300000000200f000080180000c774793300000000200f000090180000c874793300000000200f0000a0180000c974793300000000200f0000b0180000ca74793300000000200f0000c0180000cb74793300000000200f0000d0180000cc74793300000000200f0000e0180000cd74793300000000200f0000f0180000ce74793300000000200f000000190000cf74793300000000200f000010190000d074793300000000200f000020190000d174793300000000200f000030190000d274793300000000200f000040190000d374793300000000200f000050190000d474793300000000200f000060190000d574793300000000200f000070190000d674793300000000200f000080190000d774793300000000200f000090190000d874793300000000200f0000a0190000d974793300000000200f0000b0190000da74793300000000200f0000c0190000db74793300000000200f0000d0190000dc74793300000000200f0000e0190000dd74793300000000200f0000f0190000de74793300000000200f0000001a0000df74793300000000200f0000101a0000e074793300000000200f0000201a0000e174793300000000200f0000301a0000e274793300000000200f0000401a0000e374793300000000200f0000501a0000e474793300000000200f0000601a0000e574793300000000200f0000701a0000e674793300000000200f0000801a0000e774793300000000200f0000901a0000e874793300000000200f0000a01a0000e974793300000000200f0000b01a0000ea74793300000000200f0000c01a0000eb74793300000000200f0000d01a0000ec74793300000000200f0000e01a0000ed74793300000000200f0000f01a0000ee74793300000000200f0000001b0000ef74793300000000200f0000101b0000f074793300000000200f0000201b0000f174793300000000200f0000301b0000f274793300000000200f0000401b0000f374793300000000200f0000501b0000f474793300000000200f0000601b0000f574793300000000200f0000701b0000f674793300000000200f0000801b0000f774793300000000200f0000901b0000f874793300000000200f0000a01b0000f974793300000000200f0000b01b0000fa74793300000000200f0000c01b0000fb74793300000000200f0000d01b0000fc74793300000000200f0000e01b0000fd74793300000000200f0000f01b0000fe74793300000000200f0000001c0000ff74793300000000200f0000101c00000074793300000000200f0000201c00000174793300000000200f0000301c00000274793300000000200f0000401c00000374793300000000200f0000501c00000474793300000000200f0000601c00000574793300000000200f0000701c00000674793300000000200f0000801c00000774793300000000200f0000901c00000874793300000000200f0000a01c00000974793300000000200f0000b01c00000a74793300000000200f0000c01c00000b74793300000000200f0000d01c00000c74793300000000200f0000e01c00000d74793300000000200f0000f01c00000e74793300000000200f0000001d00000f74793300000000200f0000101d00001074793300000000200f0000201d00001174793300000000200f0000301d00001274793300000000200f0000401d00001374793300000000200f0000501d00001474793300000000200f0000601d00001574793300000000200f0000701d00001674793300000000200f0000801d00001774793300000000200f0000901d00003170693308000000000000000600000000000000000000003074793300000000200f0000a01d00003174793300000000200f0000b01d00003274793300000000200f0000c01d00003374793300000000200f0000d01d00003474793300000000200f0000e01d00003574793300000000200f0000f01d00007669647300001000800000aa00389b714832363400001000800000aa00389b716832363400001000800000aa00389b715832363400001000800000aa00389b717832363400001000800000aa00389b714156433100001000800000aa00389b716176633100001000800000aa00389b714343563100001000800000aa00389b71cb712d8d3f24e345b2d85fd7967ec09b414d564300001000800000aa00389b714d56433100001000800000aa00389b714845564300001000800000aa00389b714856433100001000800000aa00389b71484d313000001000800000aa00389b714832363500001000800000aa00389b7181eb36e44f52ce119f530020af0ba77086eb36e44f52ce119f530020af0ba77026806de046dbcf11b4d100805f6cbbea6a910bed4d04d111aa7800c04fc31d60133b5236e58ed1118ca30060b057664a20806de046dbcf11b4d100805f6cbbea4d4a504700001000800000aa00389b716a70656700001000800000aa00389b716d6a706200001000800000aa00389b715756433100001000800000aa00389b717776633100001000800000aa00389b71574d564100001000800000aa00389b71776d766100001000800000aa00389b715756503200001000800000aa00389b717776703200001000800000aa00389b71574d563100001000800000aa00389b71776d763100001000800000aa00389b71574d563200001000800000aa00389b71776d763200001000800000aa00389b71574d563300001000800000aa00389b71776d763300001000800000aa00389b71574d565000001000800000aa00389b71776d767000001000800000aa00389b715650373000001000800000aa00389b715650383000001000800000aa00389b715650393000001000800000aa00389b714156303100001000800000aa00389b715856494400001000800000aa00389b717876696400001000800000aa00389b714449565800001000800000aa00389b716469767800001000800000aa00389b714469767800001000800000aa00389b714458353000001000800000aa00389b716478353000001000800000aa00389b714d50345600001000800000aa00389b716d70347600001000800000aa00389b714d34533200001000800000aa00389b716d34733200001000800000aa00389b714d50345300001000800000aa00389b716d70347300001000800000aa00389b71464d503400001000800000aa00389b713349565800001000800000aa00389b713369767800001000800000aa00389b713349563100001000800000aa00389b713369763100001000800000aa00389b713349563200001000800000aa00389b713369763200001000800000aa00389b71424c5a3000001000800000aa00389b7147454f5600001000800000aa00389b714d50473400001000800000aa00389b716d70673400001000800000aa00389b714d50343100001000800000aa00389b716d70343100001000800000aa00389b714449563100001000800000aa00389b716469763100001000800000aa00389b714d50343200001000800000aa00389b716d70343200001000800000aa00389b714449563200001000800000aa00389b716469763200001000800000aa00389b714d50343300001000800000aa00389b716d70343300001000800000aa00389b714449563300001000800000aa00389b716469763300001000800000aa00389b714d50473300001000800000aa00389b716d70673300001000800000aa00389b714449563400001000800000aa00389b716469763400001000800000aa00389b714449563500001000800000aa00389b716469763500001000800000aa00389b714449563600001000800000aa00389b716469763600001000800000aa00389b714456583300001000800000aa00389b716476783300001000800000aa00389b713349564400001000800000aa00389b71464c563100001000800000aa00389b71666c763100001000800000aa00389b715650363000001000800000aa00389b717670363000001000800000aa00389b715650363100001000800000aa00389b717670363100001000800000aa00389b715650363200001000800000aa00389b717670363200001000800000aa00389b715650364100001000800000aa00389b717670366100001000800000aa00389b715650364600001000800000aa00389b717670366600001000800000aa00389b71464c563400001000800000aa00389b71666c763400001000800000aa00389b714653563100001000800000aa00389b715256313000001000800000aa00389b715256323000001000800000aa00389b715256333000001000800000aa00389b715256343000001000800000aa00389b716476736400001000800000aa00389b714456534400001000800000aa00389b714344564800001000800000aa00389b714344564300001000800000aa00389b714344563500001000800000aa00389b716476323500001000800000aa00389b714456323500001000800000aa00389b716476353000001000800000aa00389b714456353000001000800000aa00389b716476637000001000800000aa00389b716476357000001000800000aa00389b716476356e00001000800000aa00389b716476707000001000800000aa00389b716476632000001000800000aa00389b716476683100001000800000aa00389b716476683200001000800000aa00389b716476683300001000800000aa00389b716476683400001000800000aa00389b716476683500001000800000aa00389b716476683600001000800000aa00389b716476687100001000800000aa00389b716476687000001000800000aa00389b714156647600001000800000aa00389b714156643100001000800000aa00389b716d6a703200001000800000aa00389b714d4a324300001000800000aa00389b714c4a324300001000800000aa00389b714c4a324b00001000800000aa00389b7149504a3200001000800000aa00389b715356513100001000800000aa00389b715356513300001000800000aa00389b714832363100001000800000aa00389b716832363100001000800000aa00389b714832363300001000800000aa00389b716832363300001000800000aa00389b717332363300001000800000aa00389b714932363300001000800000aa00389b716932363300001000800000aa00389b715448454f00001000800000aa00389b717468656f00001000800000aa00389b717473636300001000800000aa00389b717473633200001000800000aa00389b714956353000001000800000aa00389b714956343100001000800000aa00389b714956333100001000800000aa00389b714956333200001000800000aa00389b714650533100001000800000aa00389b714846595500001000800000aa00389b714c41475300001000800000aa00389b716376696400001000800000aa00389b71726c652000001000800000aa00389b715650333000001000800000aa00389b715650333100001000800000aa00389b714353434400001000800000aa00389b715150454700001000800000aa00389b7151312e3000001000800000aa00389b7151312e3100001000800000aa00389b714d535a4800001000800000aa00389b715a4c494200001000800000aa00389b7172707a6100001000800000aa00389b710100000000001000800000aa00389b716170636800001000800000aa00389b716170636e00001000800000aa00389b716170637300001000800000aa00389b716170636f00001000800000aa00389b716170346800001000800000aa00389b716170347800001000800000aa00389b71554c524100001000800000aa00389b71554c524700001000800000aa00389b71554c593000001000800000aa00389b71554c593200001000800000aa00389b71554c593400001000800000aa00389b715551593200001000800000aa00389b715551524700001000800000aa00389b715551524100001000800000aa00389b71554c483000001000800000aa00389b71554c483200001000800000aa00389b71554c483400001000800000aa00389b71554d593200001000800000aa00389b71554d483200001000800000aa00389b71554d593400001000800000aa00389b71554d483400001000800000aa00389b71554d524700001000800000aa00389b71554d524100001000800000aa00389b71414d565600001000800000aa00389b71414d564600001000800000aa00389b717663726400001000800000aa00389b716472616300001000800000aa00389b714156646e00001000800000aa00389b714156646800001000800000aa00389b714352414d00001000800000aa00389b714d53564300001000800000aa00389b715748414d00001000800000aa00389b713842505300001000800000aa00389b714c4f434f00001000800000aa00389b715a4d425600001000800000aa00389b715643523100001000800000aa00389b714141534300001000800000aa00389b71534e4f5700001000800000aa00389b714646563100001000800000aa00389b714646564800001000800000aa00389b71564d6e6300001000800000aa00389b7141464c4300001000800000aa00389b7147324d3400001000800000aa00389b7169636f6400001000800000aa00389b714455434b00001000800000aa00389b71544d323000001000800000aa00389b714346484400001000800000aa00389b714d41475900001000800000aa00389b714649435600001000800000aa00389b7142494b6900001000800000aa00389b7142494b6200001000800000aa00389b71534d4b3200001000800000aa00389b71534d4b3400001000800000aa00389b715448505600001000800000aa00389b71526f515600001000800000aa00389b71706e672000001000800000aa00389b715449464600001000800000aa00389b71424d502000001000800000aa00389b714749462000001000800000aa00389b715447412000001000800000aa00389b717632313000001000800000aa00389b717634313000001000800000aa00389b713ca00fd8c135a14f8c8e375c8667166e5956313200001000800000aa00389b714e56313200001000800000aa00389b715955593200001000800000aa00389b715559565900001000800000aa00389b717eeb36e44f52ce119f530020af0ba7707deb36e44f52ce119f530020af0ba770	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.webm	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{007FC171-01AA-4B3A-B2DB-062DEE815A1E}\InprocServer32	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPC.AssocFile.HEVC\shell\open\command	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.HDMOV\FriendlyTypeName = "@%SystemRoot%\\system32\\unregmp2.exe,-9905"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.flv\OpenWithProgIds\WMP11.AssocFile.FLV	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mtm\ShellEx\	windows.10.codec.pack.v2.2.0.setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.flac\OpenWithProgIds\WMP11.AssocFile.FLAC	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.TAK\DefaultIcon	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE9F21C5-0118-45D6-A9B6-DE27B878E2A5}\TypeLib\ = "{28BEA0AB-AAE0-4A7E-B5CC-17D5D7AEE552}"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E8B4A31-408B-4929-86A4-A9FA9F01BA43}\InprocServer32	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53D9DE0B-FC61-4650-9773-74D13CC7E582}\InprocServer32	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}\InprocServer32\ThreadingModel = "Both"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPC.AssocFile.M2TS\FriendlyTypeName = "@%SystemRoot%\\system32\\unregmp2.exe,-9905"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.AC3\shell\play\command\ = "\"%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\" /prefetch:6 /Play \"%L\""	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.OFR\shell\open	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.xm\InfoTip = "prop:System.ItemType;System.Size;System.Media.Duration;System.OfflineAvailability"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mtm\OpenWithProgIds	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse	SetACL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53D9DE0B-FC61-4650-9773-74D13CC7E582}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mkx.dll"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.mka	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mk3d\FullDetails = "prop:System.PropGroup.Description;System.Title;System.Media.SubTitle;System.Rating;System.Keywords;System.Comment;System.PropGroup.Video;System.Media.Duration;System.Video.FrameWidth;System.Video.FrameHeight;System.Video.EncodingBitrate;System.Video.TotalBitrate;System.Video.FrameRate;System.PropGroup.Audio;System.Audio.EncodingBitrate;System.Audio.ChannelCount;System.Audio.SampleRate;System.PropGroup.Media;System.Music.Artist;System.Media.Year;System.Music.Genre;System.PropGroup.Origin;System.Video.Director;System.Media.Producer;System.Media.Writer;System.Media.Publisher;System.Media.ContentDistributor;System.Media.DateEncoded;System.Media.EncodedBy;System.Media.AuthorUrl;System.Media.PromotionUrl;System.Copyright;System.PropGroup.Content;System.ParentalRating;System.ParentalRatingReason;System.Music.Composer;System.Music.Conductor;System.Music.Period;System.Music.Mood;System.Music.PartOfSet;System.Music.InitialKey;System.Music.BeatsPerMinute;System.DRM.IsProtected;System.PropGroup.FileSystem;System.ItemNam"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPC.AssocFile.M2TS	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{171252A0-8820-4AFE-9DF8-5C92B2D66B04}\CLSID = "{171252A0-8820-4AFE-9DF8-5C92B2D66B04}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE30215D-164F-4A92-A4EB-9D4C13390F9F}\ = "LAV Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dff\ExtendedTileInfo = "prop:System.ItemType;System.Size;System.Media.Duration;System.OfflineAvailability"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dts\ShellEx\	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\Instance\ffdshow video encoder	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DB2B5D9-4556-4340-B189-AD20110D953F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE9F21C5-0118-45D6-A9B6-DE27B878E2A5}\InprocServer32	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VzCs.VzCsManager\CLSID	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.SHN\shell\Enqueue	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.OPUS	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.ALAC\shell\Enqueue\ = "&Add to Windows Media Player list"	windows.10.codec.pack.v2.2.0.setup.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

windows.10.codec.pack.v2.2.0.setup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	windows.10.codec.pack.v2.2.0.setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	windows.10.codec.pack.v2.2.0.setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	windows.10.codec.pack.v2.2.0.setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	windows.10.codec.pack.v2.2.0.setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	windows.10.codec.pack.v2.2.0.setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	windows.10.codec.pack.v2.2.0.setup.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

windows.10.codec.pack.v2.2.0.setup.exe

pid	process
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe
780	windows.10.codec.pack.v2.2.0.setup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

windows.10.codec.pack.v2.2.0.setup.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exe

description	pid	process
Token: SeDebugPrivilege	780	windows.10.codec.pack.v2.2.0.setup.exe
Token: SeShutdownPrivilege	780	windows.10.codec.pack.v2.2.0.setup.exe
Token: SeIncBasePriorityPrivilege	780	windows.10.codec.pack.v2.2.0.setup.exe
Token: SeBackupPrivilege	1716	SetACL.exe
Token: SeRestorePrivilege	1716	SetACL.exe
Token: SeTakeOwnershipPrivilege	1716	SetACL.exe
Token: SeBackupPrivilege	804	SetACL.exe
Token: SeRestorePrivilege	804	SetACL.exe
Token: SeTakeOwnershipPrivilege	804	SetACL.exe
Token: SeBackupPrivilege	1108	SetACL.exe
Token: SeRestorePrivilege	1108	SetACL.exe
Token: SeTakeOwnershipPrivilege	1108	SetACL.exe
Token: SeBackupPrivilege	1424	SetACL.exe
Token: SeRestorePrivilege	1424	SetACL.exe
Token: SeTakeOwnershipPrivilege	1424	SetACL.exe
Token: SeBackupPrivilege	1496	SetACL.exe
Token: SeRestorePrivilege	1496	SetACL.exe
Token: SeTakeOwnershipPrivilege	1496	SetACL.exe
Token: SeBackupPrivilege	1368	SetACL.exe
Token: SeRestorePrivilege	1368	SetACL.exe
Token: SeTakeOwnershipPrivilege	1368	SetACL.exe
Token: SeBackupPrivilege	2016	SetACL.exe
Token: SeRestorePrivilege	2016	SetACL.exe
Token: SeTakeOwnershipPrivilege	2016	SetACL.exe
Token: SeBackupPrivilege	1444	SetACL.exe
Token: SeRestorePrivilege	1444	SetACL.exe
Token: SeTakeOwnershipPrivilege	1444	SetACL.exe
Token: SeBackupPrivilege	1120	SetACL.exe
Token: SeRestorePrivilege	1120	SetACL.exe
Token: SeTakeOwnershipPrivilege	1120	SetACL.exe
Token: SeBackupPrivilege	1676	SetACL.exe
Token: SeRestorePrivilege	1676	SetACL.exe
Token: SeTakeOwnershipPrivilege	1676	SetACL.exe
Token: SeBackupPrivilege	1884	SetACL.exe
Token: SeRestorePrivilege	1884	SetACL.exe
Token: SeTakeOwnershipPrivilege	1884	SetACL.exe
Token: SeBackupPrivilege	1616	SetACL.exe
Token: SeRestorePrivilege	1616	SetACL.exe
Token: SeTakeOwnershipPrivilege	1616	SetACL.exe
Token: SeBackupPrivilege	1076	SetACL.exe
Token: SeRestorePrivilege	1076	SetACL.exe
Token: SeTakeOwnershipPrivilege	1076	SetACL.exe
Token: SeBackupPrivilege	1224	SetACL.exe
Token: SeRestorePrivilege	1224	SetACL.exe
Token: SeTakeOwnershipPrivilege	1224	SetACL.exe
Token: SeBackupPrivilege	1336	SetACL.exe
Token: SeRestorePrivilege	1336	SetACL.exe
Token: SeTakeOwnershipPrivilege	1336	SetACL.exe
Token: SeBackupPrivilege	1572	SetACL.exe
Token: SeRestorePrivilege	1572	SetACL.exe
Token: SeTakeOwnershipPrivilege	1572	SetACL.exe
Token: SeBackupPrivilege	1540	SetACL.exe
Token: SeRestorePrivilege	1540	SetACL.exe
Token: SeTakeOwnershipPrivilege	1540	SetACL.exe
Token: SeBackupPrivilege	1424	SetACL.exe
Token: SeRestorePrivilege	1424	SetACL.exe
Token: SeTakeOwnershipPrivilege	1424	SetACL.exe
Token: SeBackupPrivilege	1940	SetACL.exe
Token: SeRestorePrivilege	1940	SetACL.exe
Token: SeTakeOwnershipPrivilege	1940	SetACL.exe
Token: SeBackupPrivilege	1704	SetACL.exe
Token: SeRestorePrivilege	1704	SetACL.exe
Token: SeTakeOwnershipPrivilege	1704	SetACL.exe
Token: SeBackupPrivilege	2016	SetACL.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

TrayMenu.exe

pid process

1840 TrayMenu.exe
1840 TrayMenu.exe
1840 TrayMenu.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

TrayMenu.exe

pid process

1840 TrayMenu.exe
1840 TrayMenu.exe
1840 TrayMenu.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

windows.10.codec.pack.v2.2.0.setup.exeregsvr32.exeTrayMenu.exe

pid process

780 windows.10.codec.pack.v2.2.0.setup.exe
952 regsvr32.exe
1840 TrayMenu.exe

pid	process
1840	TrayMenu.exe
1840	TrayMenu.exe
1840	TrayMenu.exe

pid	process
1840	TrayMenu.exe
1840	TrayMenu.exe
1840	TrayMenu.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

windows.10.codec.pack.v2.2.0.setup.exe

description	pid	process	target process
PID 780 wrote to memory of 1336	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1336	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1336	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1336	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1424	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1424	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1424	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1424	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1932	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1932	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1932	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1932	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1752	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1752	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1752	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1752	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1668	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1668	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1668	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1668	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 304	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 304	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 304	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 304	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1884	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1884	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1884	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1884	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1000	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1000	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1000	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1000	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1936	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1936	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1936	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1936	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1572	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1572	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1572	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1572	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 2012	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 2012	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 2012	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 2012	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1496	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1496	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1496	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1496	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1148	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1148	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1148	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1148	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 828	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 828	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 828	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 828	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 572	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 572	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 572	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 572	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1080	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1080	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1080	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 780 wrote to memory of 1080	780	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe

C:\Users\Admin\AppData\Local\Temp\windows.10.codec.pack.v2.2.0.setup.exe
"C:\Users\Admin\AppData\Local\Temp\windows.10.codec.pack.v2.2.0.setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1336

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1424

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1932

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1752

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1668

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:304

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.avi" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1884

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4a" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1000

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4v" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1936

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1572

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4v" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:2012

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1496

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1148

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:828

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.avi" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:572

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4a" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1080

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4v" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1680

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1612

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4v" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1840

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\ffdshow.ax
2⤵
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:952

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\avi.x64.dll
2⤵
- Registers COM server for autorun
- Modifies registry class
PID:1648

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\dxr.x64.dll
2⤵
- Registers COM server for autorun
PID:1368

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\mkx.x64.dll
2⤵
- Registers COM server for autorun
PID:768

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\mp4.x64.dll
2⤵
- Registers COM server for autorun
PID:1980

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\ogm.x64.dll
2⤵
- Registers COM server for autorun
PID:1068

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\ts.x64.dll
2⤵
- Registers COM server for autorun
PID:1808

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\splitter.x64.ax
2⤵
- Registers COM server for autorun
- Modifies registry class
PID:1940

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\VSFilter.dll
2⤵
- Registers COM server for autorun
PID:1444

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\cdxareader.ax
2⤵
- Registers COM server for autorun
PID:1752

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\LAVSplitter.ax
2⤵
- Registers COM server for autorun
- Modifies registry class
PID:1344

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\LAVVideo.ax
2⤵
- Registers COM server for autorun
- Modifies registry class
PID:1500

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\LAVAudio.ax
2⤵
- Registers COM server for autorun
- Modifies registry class
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\\Regasm.exe" "C:\Windows\SysWOW64\IcarosPropertyHandler.dll" /silent /codebase
2⤵
PID:1116

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Regasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\Regasm.exe" "C:\Windows\system32\IcarosPropertyHandler.dll" /silent /codebase
2⤵
PID:1792

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\IcarosThumbnailProvider.dll
2⤵
PID:2004

C:\Windows\SysWOW64\Codecs\TrayMenu.exe
C:\Windows\SysWOW64\Codecs\TrayMenu.exe
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
PID:1444

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
PID:304

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Modifies registry class
PID:1588

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
PID:552

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:1076

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
PID:1272

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
PID:1964

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:656

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
PID:1156

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
PID:1068

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:548

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
PID:1880

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
PID:2008

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:1092

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
PID:1800

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
PID:1444

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:604

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
PID:2032

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
PID:1616

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:1420

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
PID:1636

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:824

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
PID:1272

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
PID:1964

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
PID:904

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
PID:768

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
PID:752

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
PID:1980

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
PID:1268

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
PID:1148

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
PID:2016

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
PID:1712

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
PID:1640

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
PID:304

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:1088

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:1804

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:1660

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:1780

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Modifies registry class
PID:804

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Modifies registry class
PID:1072

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:1932

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:1488

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:1760

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:1748

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:548

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:976

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:1512

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:1120

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:1116

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:1740

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:1416

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:1508

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:1716

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:1076

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:1392

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:852

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:800

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:1964

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:1928

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:1872

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:1808

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:1652

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:1592

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:1092

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:1484

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:1712

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:1444

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.avi" -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:604

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.avi" -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:1000

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.avi" -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:1976

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4a" -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\InstallOptions.dll

Filesize
14KB

MD5
2a03c4a7ac5ee5e0e0a683949f70971b

SHA1
3bd9877caaea4804c0400420494ad1143179dcec

SHA256
d4f0042d8e7622b7e14395e926dd02edab3cdc77e82d88108b67a4d2cee9229b

SHA512
1942cdb522859f8dba46824786e361794a62e6201279201e1e0e2e07499fb6252933c5661782fccd77291c3650cafb2a7a08eee5431c8238f0da44840ee4c476

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\UserInfo.dll

Filesize
4KB

MD5
8ef0e4eb7c89cdd2b552de746f5e2a53

SHA1
820f681e7cec409a02b194a487d1c8af1038acf0

SHA256
41293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc

SHA512
a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\UserInfo.dll

Filesize
4KB

MD5
8ef0e4eb7c89cdd2b552de746f5e2a53

SHA1
820f681e7cec409a02b194a487d1c8af1038acf0

SHA256
41293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc

SHA512
a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nst4B6.tmp

Filesize
30KB

MD5
1bc3c1608ac94cf3fb4575dc96610fe0

SHA1
02a953629b0e272d8a9bbf5dacbb03402853bc8a

SHA256
64f426601f824c9ec361755cb157d5f80499b8bbf4a29455bfca1fb65f2aae5c

SHA512
63881bcdf359f22de1a7582d943ec241ab2fe32fd68e202befd940c4e2ee86092797bc2de4514685d122235465fcc992cb0b5c1b9899869f9ca5840bcd8bec05

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nst4B6.tmp

Filesize
30KB

MD5
1bc3c1608ac94cf3fb4575dc96610fe0

SHA1
02a953629b0e272d8a9bbf5dacbb03402853bc8a

SHA256
64f426601f824c9ec361755cb157d5f80499b8bbf4a29455bfca1fb65f2aae5c

SHA512
63881bcdf359f22de1a7582d943ec241ab2fe32fd68e202befd940c4e2ee86092797bc2de4514685d122235465fcc992cb0b5c1b9899869f9ca5840bcd8bec05

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF20F.tmp\nst4B6.tmp

Filesize
30KB

MD5
1bc3c1608ac94cf3fb4575dc96610fe0

SHA1
02a953629b0e272d8a9bbf5dacbb03402853bc8a

SHA256
64f426601f824c9ec361755cb157d5f80499b8bbf4a29455bfca1fb65f2aae5c

SHA512
63881bcdf359f22de1a7582d943ec241ab2fe32fd68e202befd940c4e2ee86092797bc2de4514685d122235465fcc992cb0b5c1b9899869f9ca5840bcd8bec05

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
memory/304-240-0x0000000000000000-mapping.dmp

Download
memory/304-97-0x0000000000000000-mapping.dmp

Download
memory/552-243-0x0000000000000000-mapping.dmp

Download
memory/572-135-0x0000000000000000-mapping.dmp

Download
memory/768-188-0x0000000000130000-0x0000000000149000-memory.dmp

Filesize
100KB

Download
memory/768-178-0x0000000000000000-mapping.dmp

Download
memory/780-154-0x00000000061B0000-0x00000000061F1000-memory.dmp

Filesize
260KB

Download
memory/780-171-0x0000000006130000-0x00000000061AE000-memory.dmp

Filesize
504KB

Download
memory/780-221-0x0000000006130000-0x00000000061D9000-memory.dmp

Filesize
676KB

Download
memory/780-215-0x0000000006140000-0x0000000006143000-memory.dmp

Filesize
12KB

Download
memory/780-173-0x00000000061F0000-0x0000000006207000-memory.dmp

Filesize
92KB

Download
memory/780-214-0x0000000006140000-0x0000000006143000-memory.dmp

Filesize
12KB

Download
memory/780-61-0x0000000006B80000-0x0000000006BC4000-memory.dmp

Filesize
272KB

Download
memory/780-140-0x0000000006C30000-0x0000000006C33000-memory.dmp

Filesize
12KB

Download
memory/780-60-0x0000000003710000-0x0000000003720000-memory.dmp

Filesize
64KB

Download
memory/780-149-0x0000000006CAA000-0x0000000006D16000-memory.dmp

Filesize
432KB

Download
memory/780-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/780-211-0x0000000006140000-0x0000000006143000-memory.dmp

Filesize
12KB

Download
memory/780-190-0x0000000006130000-0x00000000061D9000-memory.dmp

Filesize
676KB

Download
memory/780-153-0x0000000006130000-0x00000000061AE000-memory.dmp

Filesize
504KB

Download
memory/804-218-0x0000000000000000-mapping.dmp

Download
memory/828-134-0x0000000000000000-mapping.dmp

Download
memory/952-142-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download
memory/952-141-0x0000000000000000-mapping.dmp

Download
memory/1000-109-0x0000000000000000-mapping.dmp

Download
memory/1028-199-0x0000000000000000-mapping.dmp

Download
memory/1068-182-0x0000000000000000-mapping.dmp

Download
memory/1076-244-0x0000000000000000-mapping.dmp

Download
memory/1076-230-0x0000000000000000-mapping.dmp

Download
memory/1080-136-0x0000000000000000-mapping.dmp

Download
memory/1108-219-0x0000000000000000-mapping.dmp

Download
memory/1116-205-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/1116-203-0x0000000000000000-mapping.dmp

Download
memory/1120-226-0x0000000000000000-mapping.dmp

Download
memory/1148-133-0x0000000000000000-mapping.dmp

Download
memory/1224-231-0x0000000000000000-mapping.dmp

Download
memory/1272-245-0x0000000000000000-mapping.dmp

Download
memory/1336-67-0x0000000000000000-mapping.dmp

Download
memory/1336-232-0x0000000000000000-mapping.dmp

Download
memory/1344-197-0x0000000000000000-mapping.dmp

Download
memory/1368-223-0x0000000000000000-mapping.dmp

Download
memory/1368-176-0x0000000000000000-mapping.dmp

Download
memory/1424-220-0x0000000000000000-mapping.dmp

Download
memory/1424-73-0x0000000000000000-mapping.dmp

Download
memory/1424-235-0x0000000000000000-mapping.dmp

Download
memory/1444-192-0x0000000000000000-mapping.dmp

Download
memory/1444-239-0x0000000000000000-mapping.dmp

Download
memory/1444-225-0x0000000000000000-mapping.dmp

Download
memory/1496-222-0x0000000000000000-mapping.dmp

Download
memory/1496-132-0x0000000000000000-mapping.dmp

Download
memory/1500-198-0x0000000000000000-mapping.dmp

Download
memory/1540-234-0x0000000000000000-mapping.dmp

Download
memory/1572-121-0x0000000000000000-mapping.dmp

Download
memory/1572-233-0x0000000000000000-mapping.dmp

Download
memory/1588-241-0x0000000000000000-mapping.dmp

Download
memory/1612-138-0x0000000000000000-mapping.dmp

Download
memory/1616-229-0x0000000000000000-mapping.dmp

Download
memory/1620-242-0x0000000000000000-mapping.dmp

Download
memory/1648-175-0x0000000000000000-mapping.dmp

Download
memory/1668-91-0x0000000000000000-mapping.dmp

Download
memory/1676-227-0x0000000000000000-mapping.dmp

Download
memory/1680-137-0x0000000000000000-mapping.dmp

Download
memory/1704-237-0x0000000000000000-mapping.dmp

Download
memory/1716-217-0x0000000000000000-mapping.dmp

Download
memory/1752-195-0x0000000000000000-mapping.dmp

Download
memory/1752-85-0x0000000000000000-mapping.dmp

Download
memory/1792-207-0x000000013F910000-0x000000013F920000-memory.dmp

Filesize
64KB

Download
memory/1792-206-0x0000000000000000-mapping.dmp

Download
memory/1808-183-0x0000000000000000-mapping.dmp

Download
memory/1840-210-0x0000000000000000-mapping.dmp

Download
memory/1840-139-0x0000000000000000-mapping.dmp

Download
memory/1884-228-0x0000000000000000-mapping.dmp

Download
memory/1884-103-0x0000000000000000-mapping.dmp

Download
memory/1932-79-0x0000000000000000-mapping.dmp

Download
memory/1936-115-0x0000000000000000-mapping.dmp

Download
memory/1940-236-0x0000000000000000-mapping.dmp

Download
memory/1940-186-0x0000000000000000-mapping.dmp

Download
memory/1940-191-0x00000000002A0000-0x00000000002B9000-memory.dmp

Filesize
100KB

Download
memory/1980-179-0x0000000000000000-mapping.dmp

Download
memory/2004-208-0x0000000000000000-mapping.dmp

Download
memory/2012-127-0x0000000000000000-mapping.dmp

Download
memory/2016-238-0x0000000000000000-mapping.dmp

Download
memory/2016-224-0x0000000000000000-mapping.dmp

Download