cc8aadd479d95364429457b2911f166f48c396bee21e5a77316101674b0ad8f1

Analysis

max time kernel
502s
max time network
402s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2023 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SystemUtilities.exe
Size

7.8MB
MD5

133af41cfec522b7f583fcf77be37b1a
SHA1

50fde70e193eeea8d15c13dfc62cdcb4cbc2bcd0
SHA256

cc8aadd479d95364429457b2911f166f48c396bee21e5a77316101674b0ad8f1
SHA512

714baab2cbc51069b1c3cd47531727916ab9405174021ae2dbe2eabebe96e6abc77fef8b4f4ceccac61eff70487f10e87208294f58f683964dee5830d504b64d
SSDEEP

196608:JCXg6nbZkgUb74kWg/KrviA3YuC1HmkNCTcOPVftbnc:SgmZkr73SvQ7gkYT7Pttrc

Score

8^/10

discovery exploit persistence

Malware Config

Signatures

Executes dropped EXE 11 IoCs

Processes:

SystemUtilities.tmpSystemUtilities.exesHelper.exePCCleaner.exeStartupManager.exeServiceManager.exeTuneUP.exePrivacyGuardian.exeSystemUtilities.exePrivacyGuardian.exePCCleaner.exe

pid	process
4748	SystemUtilities.tmp
3076	SystemUtilities.exe
2768	sHelper.exe
4664	PCCleaner.exe
2584	StartupManager.exe
4488	ServiceManager.exe
2344	TuneUP.exe
1884	PrivacyGuardian.exe
3048	SystemUtilities.exe
1368	PrivacyGuardian.exe
984	PCCleaner.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1904 takeown.exe
1176 icacls.exe

pid	process
1904	takeown.exe
1176	icacls.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exePCCleaner.exerundll32.exeSystemUtilities.tmpPCCleaner.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	PCCleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	SystemUtilities.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	PCCleaner.exe

Loads dropped DLL 8 IoCs

Processes:

SystemUtilities.exePrivacyGuardian.exeSystemUtilities.exePrivacyGuardian.exe

pid	process
3076	SystemUtilities.exe
3076	SystemUtilities.exe
1884	PrivacyGuardian.exe
1884	PrivacyGuardian.exe
3048	SystemUtilities.exe
3048	SystemUtilities.exe
1368	PrivacyGuardian.exe
1368	PrivacyGuardian.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1904 takeown.exe
1176 icacls.exe
Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery
T1063

Processes:

PCCleaner.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Avira\Antivirus PCCleaner.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1904	takeown.exe
1176	icacls.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Avira\Antivirus	PCCleaner.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\INetHistory\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\INetHistory\desktop.ini	rundll32.exe

Modifies WinLogon 2 TTPs 1 IoCs
persistence

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

TuneUP.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "1" TuneUP.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "1"	TuneUP.exe

Drops file in Program Files directory 64 IoCs

Processes:

SystemUtilities.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\es\SystemUtilities.resources.dll	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\unins000.dat	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\is-SV2DM.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\Themes\BackgroundImages\is-PF3FF.tmp	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\StartupManager.exe	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\fr\SystemUtilities.resources.dll	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-KO65U.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-VIBCG.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\scripts\is-JKSBL.tmp	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\ServiceManager.exe	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PrivacyGuardian.exe	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\nl\SystemUtilities.resources.dll	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-MQP98.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-JVC8F.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\is-P5LFI.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\flags\is-P8HOV.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\zh\is-LALJO.tmp	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\Microsoft.Win32.TaskScheduler.dll	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\fr\is-SOO9G.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-SLR8F.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-L2TFJ.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\is-LV6VI.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\fr\is-2KBLO.tmp	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\fr\PCCleaner.resources.dll	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\is-UDSIC.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\nl\is-8V6M4.tmp	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\de\SystemUtilities.resources.dll	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-7GMHD.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-9Q6OF.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\ar\is-IP0HA.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\ko\is-600BP.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\pt\is-Q6THL.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\tr\is-RPI81.tmp	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\ru\PCCleaner.resources.dll	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-7N970.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\flags\is-AOM74.tmp	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PCCleaner.exe	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-OP22R.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-6T310.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-MM4A2.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\is-CRTI2.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\ar\is-OSTEQ.tmp	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\Defragmentor.exe	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\ko\SystemUtilities.resources.dll	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\pl\SystemUtilities.resources.dll	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\is-4PJD5.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\is-BMLFC.tmp	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\it\SystemUtilities.resources.dll	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\is-59DB6.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\de\is-MMH32.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\zh\is-JI7BK.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-1RUSQ.tmp	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\System.Data.SQLite.dll	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\SpywareDefender.exe	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\is-5796D.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-LAH5C.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-HL0P5.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\ja\is-KHJ04.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\pl\is-18240.tmp	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\BackupManager.exe	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\flags\is-8NEMU.tmp	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-O979K.tmp	SystemUtilities.tmp
File opened for modification	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\lang\es\PCCleaner.resources.dll	SystemUtilities.tmp
File created	C:\Program Files (x86)\Pegasun\SystemUtilities\bin\is-VQC0U.tmp	SystemUtilities.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3504 taskkill.exe

pid	process
3504	taskkill.exe

Modifies Control Panel 5 IoCs

evasion

Processes:

TuneUP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\Desktop\MenuShowDelay = "0"	TuneUP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\Desktop\AutoEndTasks = "1"	TuneUP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\Desktop\ForegroundLockTimeout = "150000"	TuneUP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\Desktop\HungAppTimeout = "4000"	TuneUP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\Desktop\WaitToKillAppTimeout = "5000"	TuneUP.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\VersionLow = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-SubSysId = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-VersionHigh = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\VendorId = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\SubSysId = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-VendorId = "0"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared_TIMESTAMP = 6454dc1b322cd901	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomStorageState	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-DeviceId = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomStorageState\EdpCleanupState = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\VersionHigh = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomStorageState	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\DeviceId = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-VersionLow = "0"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\DXFeatureLevel = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-Revision = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-DXFeatureLevel = "0"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared_TIMESTAMP = 8c490ce8322cd901	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\DOMStorage	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\GPU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Revision = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomStorageState\EdpCleanupState = "0"	rundll32.exe

Modifies data under HKEY_USERS 13 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133186257703895696"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	rundll32.exe

Modifies registry class 44 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\Main\OperationalData = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\EdpDomStorage	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\EdpDomStorage	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DomStorageState	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\Main	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DOMStorage	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DOMStorage	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\MuiCache	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\Main	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DomStorageState	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies	rundll32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

SystemUtilities.tmppowershell.exe

pid process

4748 SystemUtilities.tmp
4748 SystemUtilities.tmp
1892 powershell.exe
1892 powershell.exe
1892 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SystemUtilities.exe

pid process

3076 SystemUtilities.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

sHelper.exerundll32.exerundll32.exepowershell.exetaskkill.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	2768	sHelper.exe
Token: SeDebugPrivilege	2644	rundll32.exe
Token: SeDebugPrivilege	2644	rundll32.exe
Token: SeDebugPrivilege	2644	rundll32.exe
Token: SeDebugPrivilege	2644	rundll32.exe
Token: SeDebugPrivilege	2644	rundll32.exe
Token: SeDebugPrivilege	2644	rundll32.exe
Token: SeDebugPrivilege	2644	rundll32.exe
Token: SeDebugPrivilege	2644	rundll32.exe
Token: SeDebugPrivilege	2732	rundll32.exe
Token: SeDebugPrivilege	2732	rundll32.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	3504	taskkill.exe
Token: SeDebugPrivilege	5104	rundll32.exe
Token: SeDebugPrivilege	5104	rundll32.exe
Token: SeDebugPrivilege	5104	rundll32.exe
Token: SeDebugPrivilege	5104	rundll32.exe
Token: SeDebugPrivilege	5104	rundll32.exe
Token: SeDebugPrivilege	5104	rundll32.exe
Token: SeDebugPrivilege	5104	rundll32.exe
Token: SeDebugPrivilege	5104	rundll32.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

SystemUtilities.tmpSystemUtilities.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
4748	SystemUtilities.tmp
3076	SystemUtilities.exe
2692	rundll32.exe
1172	rundll32.exe
3508	rundll32.exe
3076	SystemUtilities.exe
3076	SystemUtilities.exe
1120	rundll32.exe
332	rundll32.exe
552	rundll32.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

SystemUtilities.exe

pid process

3076 SystemUtilities.exe
3076 SystemUtilities.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SystemUtilities.exeSystemUtilities.tmpSystemUtilities.exePCCleaner.exerundll32.exerundll32.exerundll32.exePrivacyGuardian.execmd.execmd.execmd.exePCCleaner.exeSearchIndexer.exerundll32.exerundll32.exe

description	pid	process	target process
PID 2248 wrote to memory of 4748	2248	SystemUtilities.exe	SystemUtilities.tmp
PID 2248 wrote to memory of 4748	2248	SystemUtilities.exe	SystemUtilities.tmp
PID 2248 wrote to memory of 4748	2248	SystemUtilities.exe	SystemUtilities.tmp
PID 4748 wrote to memory of 3076	4748	SystemUtilities.tmp	SystemUtilities.exe
PID 4748 wrote to memory of 3076	4748	SystemUtilities.tmp	SystemUtilities.exe
PID 4748 wrote to memory of 3076	4748	SystemUtilities.tmp	SystemUtilities.exe
PID 3076 wrote to memory of 2768	3076	SystemUtilities.exe	sHelper.exe
PID 3076 wrote to memory of 2768	3076	SystemUtilities.exe	sHelper.exe
PID 3076 wrote to memory of 4664	3076	SystemUtilities.exe	PCCleaner.exe
PID 3076 wrote to memory of 4664	3076	SystemUtilities.exe	PCCleaner.exe
PID 4664 wrote to memory of 2692	4664	PCCleaner.exe	rundll32.exe
PID 4664 wrote to memory of 2692	4664	PCCleaner.exe	rundll32.exe
PID 4664 wrote to memory of 1172	4664	PCCleaner.exe	rundll32.exe
PID 4664 wrote to memory of 1172	4664	PCCleaner.exe	rundll32.exe
PID 4664 wrote to memory of 3508	4664	PCCleaner.exe	rundll32.exe
PID 4664 wrote to memory of 3508	4664	PCCleaner.exe	rundll32.exe
PID 1172 wrote to memory of 3932	1172	rundll32.exe	iexplore.exe
PID 1172 wrote to memory of 3932	1172	rundll32.exe	iexplore.exe
PID 3508 wrote to memory of 1540	3508	rundll32.exe	rundll32.exe
PID 3508 wrote to memory of 1540	3508	rundll32.exe	rundll32.exe
PID 2692 wrote to memory of 2732	2692	rundll32.exe	rundll32.exe
PID 2692 wrote to memory of 2732	2692	rundll32.exe	rundll32.exe
PID 1172 wrote to memory of 2644	1172	rundll32.exe	rundll32.exe
PID 1172 wrote to memory of 2644	1172	rundll32.exe	rundll32.exe
PID 3076 wrote to memory of 2584	3076	SystemUtilities.exe	StartupManager.exe
PID 3076 wrote to memory of 2584	3076	SystemUtilities.exe	StartupManager.exe
PID 3076 wrote to memory of 4488	3076	SystemUtilities.exe	ServiceManager.exe
PID 3076 wrote to memory of 4488	3076	SystemUtilities.exe	ServiceManager.exe
PID 3076 wrote to memory of 2344	3076	SystemUtilities.exe	TuneUP.exe
PID 3076 wrote to memory of 2344	3076	SystemUtilities.exe	TuneUP.exe
PID 3076 wrote to memory of 1884	3076	SystemUtilities.exe	PrivacyGuardian.exe
PID 3076 wrote to memory of 1884	3076	SystemUtilities.exe	PrivacyGuardian.exe
PID 3076 wrote to memory of 1884	3076	SystemUtilities.exe	PrivacyGuardian.exe
PID 1884 wrote to memory of 1892	1884	PrivacyGuardian.exe	powershell.exe
PID 1884 wrote to memory of 1892	1884	PrivacyGuardian.exe	powershell.exe
PID 1884 wrote to memory of 1892	1884	PrivacyGuardian.exe	powershell.exe
PID 1884 wrote to memory of 1920	1884	PrivacyGuardian.exe	cmd.exe
PID 1884 wrote to memory of 1920	1884	PrivacyGuardian.exe	cmd.exe
PID 1920 wrote to memory of 3504	1920	cmd.exe	taskkill.exe
PID 1920 wrote to memory of 3504	1920	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 3136	1884	PrivacyGuardian.exe	cmd.exe
PID 1884 wrote to memory of 3136	1884	PrivacyGuardian.exe	cmd.exe
PID 3136 wrote to memory of 1904	3136	cmd.exe	takeown.exe
PID 3136 wrote to memory of 1904	3136	cmd.exe	takeown.exe
PID 1884 wrote to memory of 1300	1884	PrivacyGuardian.exe	cmd.exe
PID 1884 wrote to memory of 1300	1884	PrivacyGuardian.exe	cmd.exe
PID 1300 wrote to memory of 1176	1300	cmd.exe	icacls.exe
PID 1300 wrote to memory of 1176	1300	cmd.exe	icacls.exe
PID 3076 wrote to memory of 1368	3076	SystemUtilities.exe	PrivacyGuardian.exe
PID 3076 wrote to memory of 1368	3076	SystemUtilities.exe	PrivacyGuardian.exe
PID 3076 wrote to memory of 1368	3076	SystemUtilities.exe	PrivacyGuardian.exe
PID 3076 wrote to memory of 984	3076	SystemUtilities.exe	PCCleaner.exe
PID 3076 wrote to memory of 984	3076	SystemUtilities.exe	PCCleaner.exe
PID 984 wrote to memory of 1120	984	PCCleaner.exe	rundll32.exe
PID 984 wrote to memory of 1120	984	PCCleaner.exe	rundll32.exe
PID 984 wrote to memory of 332	984	PCCleaner.exe	rundll32.exe
PID 984 wrote to memory of 332	984	PCCleaner.exe	rundll32.exe
PID 984 wrote to memory of 552	984	PCCleaner.exe	rundll32.exe
PID 984 wrote to memory of 552	984	PCCleaner.exe	rundll32.exe
PID 5032 wrote to memory of 4248	5032	SearchIndexer.exe	wermgr.exe
PID 5032 wrote to memory of 4248	5032	SearchIndexer.exe	wermgr.exe
PID 552 wrote to memory of 4908	552	rundll32.exe	rundll32.exe
PID 552 wrote to memory of 4908	552	rundll32.exe	rundll32.exe
PID 1120 wrote to memory of 760	1120	rundll32.exe	rundll32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

TuneUP.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\LinkResolveIgnoreLinkInfo = "0"	TuneUP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoResolveSearch = "1"	TuneUP.exe

C:\Users\Admin\AppData\Local\Temp\SystemUtilities.exe
"C:\Users\Admin\AppData\Local\Temp\SystemUtilities.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\is-F4HMG.tmp\SystemUtilities.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F4HMG.tmp\SystemUtilities.tmp" /SL5="$601F8,7279327,811008,C:\Users\Admin\AppData\Local\Temp\SystemUtilities.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4748

C:\Program Files (x86)\Pegasun\SystemUtilities\SystemUtilities.exe
"C:\Program Files (x86)\Pegasun\SystemUtilities\SystemUtilities.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3076

C:\Program Files (x86)\Pegasun\SystemUtilities\bin\sHelper.exe
"bin/sHelper.exe" -update -check
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PCCleaner.exe
"bin/PCCleaner.exe" -cleannow -autoclose -hide -normal
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" InetCpl.cpl,ClearMyTracksByProcess 2
5⤵
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:2 WinX:0 WinY:0 IEFrame:0000000000000000
6⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" InetCpl.cpl,ClearMyTracksByProcess 1
5⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1172

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -ResetDestinationList
6⤵
PID:3932

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:1 WinX:0 WinY:0 IEFrame:0000000000000000
6⤵
- Drops desktop.ini file(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" InetCpl.cpl,ClearMyTracksByProcess 8
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:0000000000000000
6⤵
- Modifies registry class
PID:1540

C:\Program Files (x86)\Pegasun\SystemUtilities\bin\StartupManager.exe
"bin/StartupManager.exe" -optimizenow -autoclose -hide -ucDisable -nn -df
4⤵
- Executes dropped EXE
PID:2584

C:\Program Files (x86)\Pegasun\SystemUtilities\bin\ServiceManager.exe
"bin/ServiceManager.exe" -optimizenow -autoclose -hide -nb
4⤵
- Executes dropped EXE
PID:4488

C:\Program Files (x86)\Pegasun\SystemUtilities\bin\TuneUP.exe
"bin/TuneUP.exe" -optimizenow -autoclose -hide
4⤵
- Executes dropped EXE
- Modifies WinLogon
- Modifies Control Panel
- System policy modification
PID:2344

C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PrivacyGuardian.exe
"bin/PrivacyGuardian.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -ExecutionPolicy UnRestricted -File scripts/w10_disable_onedrive.ps1
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c TASKKILL /F /IM msosync.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM msosync.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c takeown /f "C:\Program Files\Microsoft Office\root\Office16\msosync.exe" /d y
5⤵
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\Microsoft Office\root\Office16\msosync.exe" /d y
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1904

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c icacls "C:\Program Files\Microsoft Office\root\Office16\msosync.exe" /grant Admin:F /q
5⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Microsoft Office\root\Office16\msosync.exe" /grant Admin:F /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1176

C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PrivacyGuardian.exe
"bin/PrivacyGuardian.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368

C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PCCleaner.exe
"bin\PCCleaner.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Checks for any installed AV software in registry
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" InetCpl.cpl,ClearMyTracksByProcess 2
5⤵
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:2 WinX:0 WinY:0 IEFrame:0000000000000000
6⤵
- Modifies data under HKEY_USERS
- Modifies registry class
PID:760

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" InetCpl.cpl,ClearMyTracksByProcess 1
5⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -ResetDestinationList
6⤵
PID:1428

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:1 WinX:0 WinY:0 IEFrame:0000000000000000
6⤵
- Drops desktop.ini file(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" InetCpl.cpl,ClearMyTracksByProcess 8
5⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:0000000000000000
6⤵
- Modifies registry class
PID:4908

C:\Program Files (x86)\Pegasun\SystemUtilities\SystemUtilities.exe
"C:\Program Files (x86)\Pegasun\SystemUtilities\SystemUtilities.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5032" "1368" "1264" "1372" "0" "0" "1376" "0" "0" "0" "0" "0"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4248

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:3408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Pegasun\SystemUtilities\SystemUtilities.exe
Filesize
961KB

MD5
0d821417868bea9b82fb8f32f61b785b

SHA1
d42316045e8dfbe19905aa8b3ca6e870307108a8

SHA256
a24a3c0e5495e52ac86caafbb78c0736ecd260e61e8f108cf16208f03084c9af

SHA512
9e2c3e878a2d7b929f40ff1600ee20bd8937278c7b85e792b506307308b081a6a97b350f414f9daf6f1550dbd2a045f0bc580022c1529925008c939e2fea3796

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\SystemUtilities.exe
Filesize
961KB

MD5
0d821417868bea9b82fb8f32f61b785b

SHA1
d42316045e8dfbe19905aa8b3ca6e870307108a8

SHA256
a24a3c0e5495e52ac86caafbb78c0736ecd260e61e8f108cf16208f03084c9af

SHA512
9e2c3e878a2d7b929f40ff1600ee20bd8937278c7b85e792b506307308b081a6a97b350f414f9daf6f1550dbd2a045f0bc580022c1529925008c939e2fea3796

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\SystemUtilities.exe
Filesize
961KB

MD5
0d821417868bea9b82fb8f32f61b785b

SHA1
d42316045e8dfbe19905aa8b3ca6e870307108a8

SHA256
a24a3c0e5495e52ac86caafbb78c0736ecd260e61e8f108cf16208f03084c9af

SHA512
9e2c3e878a2d7b929f40ff1600ee20bd8937278c7b85e792b506307308b081a6a97b350f414f9daf6f1550dbd2a045f0bc580022c1529925008c939e2fea3796

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\SystemUtilities.exe.config
Filesize
332B

MD5
e61a71a9a53bb67492cbcfe554a7dd5a

SHA1
1731658bcb9cbfb6b5d61bed8cf6191154ec71f3

SHA256
f5b283c1d922ea650bca7e733d241a7fcadfb12e2cf9a2d33a0a0b2f40e14c0f

SHA512
a6528ece1328002c0bbe794411ae2ebc17659b77fd34bcc5faf14e25ecebe1deed04c83623721b61d25c9f18f1d16742e3b167fa2a3a20b47748d65681f4b8d5

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\BackupManager.exe
Filesize
1.0MB

MD5
614f7db446d9f9136e79eca22f7af2f3

SHA1
afcc37281bb6aa811e147c72ce0e186131bdcbfe

SHA256
8098201433c0925a01bbb678a21cb51fd90dc794d96ed97a880337e71e4f18ab

SHA512
c3dd68275abc74859fd9a4e8f0a9de6ee7090d7661e040aab99016a7e1d6fa4174912f58cee11600dd884ff07b07df78762d8ffdf9817600ab32872814b76cdc

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PCCleaner.exe
Filesize
716KB

MD5
9c952342548e3390a94298ce1bf9016e

SHA1
4f09f927677d26f2e29cf64dfc60ebf97e4019cf

SHA256
c20dbe14b36ab49d4e44609bda6a3ef687e1ede0fdd5c36fbd9bf7d892e2e3fb

SHA512
4388ff1b56edbd3b94d6154a83fa020f0680938da807beb3510b81edd3a733793697b95cddfb42a3faca87cda55285d6a680358aa2255d39650f9cdbae847e61

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PCCleaner.exe
Filesize
716KB

MD5
9c952342548e3390a94298ce1bf9016e

SHA1
4f09f927677d26f2e29cf64dfc60ebf97e4019cf

SHA256
c20dbe14b36ab49d4e44609bda6a3ef687e1ede0fdd5c36fbd9bf7d892e2e3fb

SHA512
4388ff1b56edbd3b94d6154a83fa020f0680938da807beb3510b81edd3a733793697b95cddfb42a3faca87cda55285d6a680358aa2255d39650f9cdbae847e61

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PCCleaner.exe
Filesize
716KB

MD5
9c952342548e3390a94298ce1bf9016e

SHA1
4f09f927677d26f2e29cf64dfc60ebf97e4019cf

SHA256
c20dbe14b36ab49d4e44609bda6a3ef687e1ede0fdd5c36fbd9bf7d892e2e3fb

SHA512
4388ff1b56edbd3b94d6154a83fa020f0680938da807beb3510b81edd3a733793697b95cddfb42a3faca87cda55285d6a680358aa2255d39650f9cdbae847e61

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PCCleaner.exe.config
Filesize
231B

MD5
2577e4b144efcb577e51c1439155079a

SHA1
8ac376d232d195179755bbfd1b20555e28fffddd

SHA256
bb7acfd577ed69baff19c245537c289b340d559f2b4152f9f3c1db9cc97ecde9

SHA512
321506f74ca86e344bac3a79520de995501d18d634471f980fb314d1ee32ee2dd2705a2a608625f3d6b109eb444fc50ab83754d9a88f40ca86ebb0b8f5468578

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PegasunHelper.dll
Filesize
102KB

MD5
180215aa45b45000ef645322e960d9cc

SHA1
6ed5e3a0fd2784eb85e76c81450930503f699d30

SHA256
8f02d7ca06d1a3a1e13e90fdc2c5fa405eba9b384e7aec1617b71a3aeabaa215

SHA512
b35ce208cc00a35589fe2771c4dfa2feaf205c461c25469d9fa0233b9e9407406bf4886068ba13e949026475cb06f9e0c78ca2436aa75f3a8115b6d63f48d4e3

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PegasunHelper.dll
Filesize
102KB

MD5
180215aa45b45000ef645322e960d9cc

SHA1
6ed5e3a0fd2784eb85e76c81450930503f699d30

SHA256
8f02d7ca06d1a3a1e13e90fdc2c5fa405eba9b384e7aec1617b71a3aeabaa215

SHA512
b35ce208cc00a35589fe2771c4dfa2feaf205c461c25469d9fa0233b9e9407406bf4886068ba13e949026475cb06f9e0c78ca2436aa75f3a8115b6d63f48d4e3

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PegasunHelper.dll
Filesize
102KB

MD5
180215aa45b45000ef645322e960d9cc

SHA1
6ed5e3a0fd2784eb85e76c81450930503f699d30

SHA256
8f02d7ca06d1a3a1e13e90fdc2c5fa405eba9b384e7aec1617b71a3aeabaa215

SHA512
b35ce208cc00a35589fe2771c4dfa2feaf205c461c25469d9fa0233b9e9407406bf4886068ba13e949026475cb06f9e0c78ca2436aa75f3a8115b6d63f48d4e3

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PegasunHelper.dll
Filesize
102KB

MD5
180215aa45b45000ef645322e960d9cc

SHA1
6ed5e3a0fd2784eb85e76c81450930503f699d30

SHA256
8f02d7ca06d1a3a1e13e90fdc2c5fa405eba9b384e7aec1617b71a3aeabaa215

SHA512
b35ce208cc00a35589fe2771c4dfa2feaf205c461c25469d9fa0233b9e9407406bf4886068ba13e949026475cb06f9e0c78ca2436aa75f3a8115b6d63f48d4e3

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PegasunHelper.dll
Filesize
102KB

MD5
180215aa45b45000ef645322e960d9cc

SHA1
6ed5e3a0fd2784eb85e76c81450930503f699d30

SHA256
8f02d7ca06d1a3a1e13e90fdc2c5fa405eba9b384e7aec1617b71a3aeabaa215

SHA512
b35ce208cc00a35589fe2771c4dfa2feaf205c461c25469d9fa0233b9e9407406bf4886068ba13e949026475cb06f9e0c78ca2436aa75f3a8115b6d63f48d4e3

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PegasunHelper.dll
Filesize
102KB

MD5
180215aa45b45000ef645322e960d9cc

SHA1
6ed5e3a0fd2784eb85e76c81450930503f699d30

SHA256
8f02d7ca06d1a3a1e13e90fdc2c5fa405eba9b384e7aec1617b71a3aeabaa215

SHA512
b35ce208cc00a35589fe2771c4dfa2feaf205c461c25469d9fa0233b9e9407406bf4886068ba13e949026475cb06f9e0c78ca2436aa75f3a8115b6d63f48d4e3

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PegasunHelper.dll
Filesize
102KB

MD5
180215aa45b45000ef645322e960d9cc

SHA1
6ed5e3a0fd2784eb85e76c81450930503f699d30

SHA256
8f02d7ca06d1a3a1e13e90fdc2c5fa405eba9b384e7aec1617b71a3aeabaa215

SHA512
b35ce208cc00a35589fe2771c4dfa2feaf205c461c25469d9fa0233b9e9407406bf4886068ba13e949026475cb06f9e0c78ca2436aa75f3a8115b6d63f48d4e3

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PegasunHelper.dll
Filesize
102KB

MD5
180215aa45b45000ef645322e960d9cc

SHA1
6ed5e3a0fd2784eb85e76c81450930503f699d30

SHA256
8f02d7ca06d1a3a1e13e90fdc2c5fa405eba9b384e7aec1617b71a3aeabaa215

SHA512
b35ce208cc00a35589fe2771c4dfa2feaf205c461c25469d9fa0233b9e9407406bf4886068ba13e949026475cb06f9e0c78ca2436aa75f3a8115b6d63f48d4e3

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PegasunHelper.dll
Filesize
102KB

MD5
180215aa45b45000ef645322e960d9cc

SHA1
6ed5e3a0fd2784eb85e76c81450930503f699d30

SHA256
8f02d7ca06d1a3a1e13e90fdc2c5fa405eba9b384e7aec1617b71a3aeabaa215

SHA512
b35ce208cc00a35589fe2771c4dfa2feaf205c461c25469d9fa0233b9e9407406bf4886068ba13e949026475cb06f9e0c78ca2436aa75f3a8115b6d63f48d4e3

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PrivacyGuardian.exe
Filesize
250KB

MD5
ef27d1136ab31b8c9a865511f731cfb2

SHA1
88bf2884b2e758b83c33a3ae6ae5a0caee4d81f7

SHA256
2f5a607f4fa9cd9e548b5ba8598ddf42fbae0b9031b3d9d1af63ee33af50416e

SHA512
6e94303fd52f28418c24bf0c2dc7133a178069dceb52bc14adb5f897bef5988567b942ab9822c76f29c7efaf78ce441607e298e851951c9a97e916bfe6d50a11

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PrivacyGuardian.exe
Filesize
250KB

MD5
ef27d1136ab31b8c9a865511f731cfb2

SHA1
88bf2884b2e758b83c33a3ae6ae5a0caee4d81f7

SHA256
2f5a607f4fa9cd9e548b5ba8598ddf42fbae0b9031b3d9d1af63ee33af50416e

SHA512
6e94303fd52f28418c24bf0c2dc7133a178069dceb52bc14adb5f897bef5988567b942ab9822c76f29c7efaf78ce441607e298e851951c9a97e916bfe6d50a11

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PrivacyGuardian.exe
Filesize
250KB

MD5
ef27d1136ab31b8c9a865511f731cfb2

SHA1
88bf2884b2e758b83c33a3ae6ae5a0caee4d81f7

SHA256
2f5a607f4fa9cd9e548b5ba8598ddf42fbae0b9031b3d9d1af63ee33af50416e

SHA512
6e94303fd52f28418c24bf0c2dc7133a178069dceb52bc14adb5f897bef5988567b942ab9822c76f29c7efaf78ce441607e298e851951c9a97e916bfe6d50a11

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\PrivacyGuardian.exe.config
Filesize
231B

MD5
2577e4b144efcb577e51c1439155079a

SHA1
8ac376d232d195179755bbfd1b20555e28fffddd

SHA256
bb7acfd577ed69baff19c245537c289b340d559f2b4152f9f3c1db9cc97ecde9

SHA512
321506f74ca86e344bac3a79520de995501d18d634471f980fb314d1ee32ee2dd2705a2a608625f3d6b109eb444fc50ab83754d9a88f40ca86ebb0b8f5468578

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\SDC-AdvSig.dat
Filesize
631KB

MD5
787b21478ccd817856c04664bf819495

SHA1
27bca852a2146401f82095a1239d7d394521d637

SHA256
3c835ec4122693ac4ba79998827b49517a6083e79401fbdf87593a43979acb74

SHA512
50de25926ab1a0e780333b71e069b5860310d9ed495e4f16b7f9c2974b576c73cfdde5c69485b672ee237bb557e91939580ee7595e64ebf93bf76278ffa6f6ba

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\SSM-Services.dat
Filesize
56KB

MD5
31f37b6d0729a57517e6f56a6e1121e7

SHA1
9711607232670245e75e2a7f804ab5e166ec0959

SHA256
3d6c814b84fc7b2209f1496c52a6d7525b7951d1008af7a563b8acb6035cc2fc

SHA512
c7e754c7a3638297484b3404ffd462e8bc80795d2f8f575cff53d72c9624c52b840016aa12884ff562557085357ddd8acd15f9021b3b16f9e5f5e6856496c198

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\SSM-Signature.dat
Filesize
473KB

MD5
2901f7365b0d53c2e498ba4e23e83705

SHA1
15922765d2487a000679f078cec343170202e037

SHA256
35469193c5fc936f24b280023062421e23b983c716d198cf05e4436ee472b9c8

SHA512
e4257c96f810b9f21b93a25ee1c3896a3799f5a7ecc896d77e5401e4580928d2535772dbd355ef118fd2def11d7edc4b557adca38883587f1b4e1ac2ed1a26d4

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\ServiceManager.exe
Filesize
488KB

MD5
2e5aeb9e78fa89d8542751f3fbd6b4ea

SHA1
b810e61b96393fbd3e332f18d9a4717a22af4d72

SHA256
ce3976f010c8981d9e016c8c9ad92fb2973ef290befbc4233f124ba5debbc6de

SHA512
a9ac65bc2b8e3c1a96aa073d0f5ea6371f4dd2dd33ea5dea1c932ae59811f9d95c054777a4b8a41dca03da95b084d81e94652eb43c19acda1c7e5d7b8a771d1b

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\ServiceManager.exe
Filesize
488KB

MD5
2e5aeb9e78fa89d8542751f3fbd6b4ea

SHA1
b810e61b96393fbd3e332f18d9a4717a22af4d72

SHA256
ce3976f010c8981d9e016c8c9ad92fb2973ef290befbc4233f124ba5debbc6de

SHA512
a9ac65bc2b8e3c1a96aa073d0f5ea6371f4dd2dd33ea5dea1c932ae59811f9d95c054777a4b8a41dca03da95b084d81e94652eb43c19acda1c7e5d7b8a771d1b

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\ServiceManager.exe.config
Filesize
214B

MD5
4194fa999171a240c821cc4a7b765439

SHA1
d88eb7d47ac4ef13b1468baed9a74ff7bf912523

SHA256
4665799ac4d842fa2b2ab354144d6ebcc7529f429d972048d778a06a05d29583

SHA512
60785ed9a2fb2bdfec4e13ccbece50e7e81c408727084317b60a1be88ae2b2d6a3b0008da82f507a7a2bdac1a22584759c3fbacaf0bc602fd53f19a7043bb8b7

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\StartupManager.exe
Filesize
596KB

MD5
ed2a656dfd2c4a29d708082a4fb67a05

SHA1
2fad348c549668e930c9f60389bed774fd172d0e

SHA256
d349a8dd399a8940ba2a3ef1237e4779a61dbd74e6adfb444566f26f1977ee03

SHA512
96e921506e45dd39bf9e8d10c6fb9d56437671e6ef03c7a9c011f49d5f90bada713c8ee9a50f1c60445122561fd8bfcaddbbb9f08be591a13ce32bc2c3d5b506

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\StartupManager.exe
Filesize
596KB

MD5
ed2a656dfd2c4a29d708082a4fb67a05

SHA1
2fad348c549668e930c9f60389bed774fd172d0e

SHA256
d349a8dd399a8940ba2a3ef1237e4779a61dbd74e6adfb444566f26f1977ee03

SHA512
96e921506e45dd39bf9e8d10c6fb9d56437671e6ef03c7a9c011f49d5f90bada713c8ee9a50f1c60445122561fd8bfcaddbbb9f08be591a13ce32bc2c3d5b506

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\StartupManager.exe.config
Filesize
214B

MD5
4194fa999171a240c821cc4a7b765439

SHA1
d88eb7d47ac4ef13b1468baed9a74ff7bf912523

SHA256
4665799ac4d842fa2b2ab354144d6ebcc7529f429d972048d778a06a05d29583

SHA512
60785ed9a2fb2bdfec4e13ccbece50e7e81c408727084317b60a1be88ae2b2d6a3b0008da82f507a7a2bdac1a22584759c3fbacaf0bc602fd53f19a7043bb8b7

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\TuneUP.exe
Filesize
158KB

MD5
05e70c660c36924d93a68e794078b416

SHA1
20231dd5654ed962a40146a8dfeaa1c8e3ad9407

SHA256
a7e91b0372ca4e28773311fcfbee440aaa405f6f784036d712e739cefc575a53

SHA512
ad59f4911651a4119c860e1ec9020cdaea108362883e932c60726b5a89bad72dc85c8b17872f45e108d6e4f420cc64ae8c7994c941d6a3ff8fa17860872a7376

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\TuneUP.exe
Filesize
158KB

MD5
05e70c660c36924d93a68e794078b416

SHA1
20231dd5654ed962a40146a8dfeaa1c8e3ad9407

SHA256
a7e91b0372ca4e28773311fcfbee440aaa405f6f784036d712e739cefc575a53

SHA512
ad59f4911651a4119c860e1ec9020cdaea108362883e932c60726b5a89bad72dc85c8b17872f45e108d6e4f420cc64ae8c7994c941d6a3ff8fa17860872a7376

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\TuneUP.exe.config
Filesize
214B

MD5
4194fa999171a240c821cc4a7b765439

SHA1
d88eb7d47ac4ef13b1468baed9a74ff7bf912523

SHA256
4665799ac4d842fa2b2ab354144d6ebcc7529f429d972048d778a06a05d29583

SHA512
60785ed9a2fb2bdfec4e13ccbece50e7e81c408727084317b60a1be88ae2b2d6a3b0008da82f507a7a2bdac1a22584759c3fbacaf0bc602fd53f19a7043bb8b7

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\sHelper.exe
Filesize
771KB

MD5
6d8aa359827a62c7aeafc114392680f5

SHA1
c7579e39f54b0d050eed389504dbc672f70af809

SHA256
3dac51c135d48579822474e0b8e297177a0bb5876028be03ee6ca8661320a609

SHA512
c61a8d5e9a4b4ed55ba774acaea32fee3a3583d3dd4d2b98f0f56a8cd8370be75299f76d7c9a74778bada7d87a9ef7bd9945753b28dd094738c566889c99669a

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\sHelper.exe
Filesize
771KB

MD5
6d8aa359827a62c7aeafc114392680f5

SHA1
c7579e39f54b0d050eed389504dbc672f70af809

SHA256
3dac51c135d48579822474e0b8e297177a0bb5876028be03ee6ca8661320a609

SHA512
c61a8d5e9a4b4ed55ba774acaea32fee3a3583d3dd4d2b98f0f56a8cd8370be75299f76d7c9a74778bada7d87a9ef7bd9945753b28dd094738c566889c99669a

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\sHelper.exe.config
Filesize
214B

MD5
4194fa999171a240c821cc4a7b765439

SHA1
d88eb7d47ac4ef13b1468baed9a74ff7bf912523

SHA256
4665799ac4d842fa2b2ab354144d6ebcc7529f429d972048d778a06a05d29583

SHA512
60785ed9a2fb2bdfec4e13ccbece50e7e81c408727084317b60a1be88ae2b2d6a3b0008da82f507a7a2bdac1a22584759c3fbacaf0bc602fd53f19a7043bb8b7

Download Submit
C:\Program Files (x86)\Pegasun\SystemUtilities\bin\scripts\w10_disable_onedrive.ps1
Filesize
5KB

MD5
60c83103a37abe692d1f81419cbe60b3

SHA1
3287e9336ea944ea8ee8858d0c167a8dc22b7db6

SHA256
7c792388af5d7abb727cce1b1a6fc7234b301f4538d641fe0d9f99ede948e732

SHA512
e779e76d2d1c551f4be71f4494967d8f4bd44875a0b01ef43aa4fc4ad98437244ccd86c974f4b93aa20539ef3f25ddef6bb869ec7de63defc81ab1e906958f73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PCCleaner.exe.log
Filesize
1KB

MD5
4e4c88f65ddfc7e4ed96042cb5da5b76

SHA1
086fcef3233df3ab47b63a174c8889a5540a2418

SHA256
b4135b7f9a2111e0478dff935711b7362150b72b6b4f9e4f17011b503322078b

SHA512
f817e9161abd0aa946678c324eeb61ffd7a573a3b64a8b05102be4250402be760119bc21715dcf7ab54e3992857e975802829a0003dc2d10fac8ec9f042ccb7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ServiceManager.exe.log
Filesize
1KB

MD5
4e1b541b4a1ef81dc10ea18ef45372b2

SHA1
a77bffdaa5f555ddf22909f2af6775c2c100de5b

SHA256
c9e9bd82b9987b496bf6ca7644e3a9033f01d6d42aebeed381a94286c32fc32f

SHA512
6a200528b4f5526e6778371ab2c39c700bc38172d77ecd456b54b75571a99b4812239b884941dfef3bcf082f7709a2b2a18a386f6ec742c6325f8aea56d305f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartupManager.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TuneUP.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sHelper.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PrivacyGuardian.exe.log
Filesize
1KB

MD5
34cbd6cacd9dcbb5ef57700495a1e5b5

SHA1
7c958355321473509463b48891460d1917b26561

SHA256
677dca42e75918a30ad70846e4821da40669da2895ebbffb09c828f1249fb93d

SHA512
ba998eb0f43db18e90f82cc904eee5e4b8d8fb0a2a32a79436a339ac49f0b1ccc46aec74b05804d5b37f65e49c904409bd42f9b9db4ef31e2bf6998dc90de396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SystemUtilities.exe.log
Filesize
705B

MD5
f6f2f226b2dc55eb7754ca6e302960dc

SHA1
480ae974bb16d5a03cdf75996eedcbc7e747e248

SHA256
28fc3cea76cf8474c5b93a4b02dfab238a2ecb62ab49d1ee3d1b784f7da40345

SHA512
1beb82eaa28e95c0fada571a4c4334d4bfd047ccfcc5e97bcad9d102079054b5467796c62508f6aedb0072792d3f91c1eee32c765fb85221aeddaa09c464deb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F4HMG.tmp\SystemUtilities.tmp
Filesize
3.0MB

MD5
09607ade6083062f0efa283023d306fd

SHA1
0fbca0d80403d6d8c8f71e9ee0c55e7dc0a0c3d7

SHA256
8cea37f87c4d0089ec0d829c944ba93598af3a3eb9430dd076b33abd99f0b6ac

SHA512
d4b8ba680db352652902ef5d9e7feaf11e8036e1b2e9bc16b7132d889b190eed2ee386bd228927dd201f4ac6569f83c918f23217e643b6d816ec2851236ece49

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F4HMG.tmp\SystemUtilities.tmp
Filesize
3.0MB

MD5
09607ade6083062f0efa283023d306fd

SHA1
0fbca0d80403d6d8c8f71e9ee0c55e7dc0a0c3d7

SHA256
8cea37f87c4d0089ec0d829c944ba93598af3a3eb9430dd076b33abd99f0b6ac

SHA512
d4b8ba680db352652902ef5d9e7feaf11e8036e1b2e9bc16b7132d889b190eed2ee386bd228927dd201f4ac6569f83c918f23217e643b6d816ec2851236ece49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms
Filesize
3KB

MD5
a160f67c986a3055fda6c7e1dfd54d9a

SHA1
0732e2f410a650054d2a7607a0481eb3708a50b6

SHA256
09277383af125e6011b7568f2d3b15d6d6ebaf5bbff47a6bd13e4d7455ec3ba8

SHA512
297093dd58ff222fdd196ea2b45e0758aab6c56a98da8ae04a5c398ca78e9be6dcae3597298b8a7a5f102c94149e0795be848080db8bfb168f461d8775f8cc7b

Download Submit
C:\Users\Admin\AppData\Roaming\Pegasun\SystemUtilities\Update-Data.ini
Filesize
242B

MD5
b82cee1bd03f016171aeb57bdd1518c9

SHA1
708f63927ba475dbc57e64e1ba11336f6f0e367f

SHA256
8782c75a19f7e26e50a4d86d81c68590273479967945803bd68b20460d937bcb

SHA512
079f6d625d7f9e1c5cc9dc424cd79a15149a52abc46f33be67452594bd90fd1e49c7c508b13adfce79194b4d0c61d808db820f655605c957cc06879edae66046

Download Submit
memory/332-242-0x0000000000000000-mapping.dmp

Download
memory/552-243-0x0000000000000000-mapping.dmp

Download
memory/760-253-0x0000000000000000-mapping.dmp

Download
memory/984-256-0x00007FF86EB90000-0x00007FF86F651000-memory.dmp

Filesize
10.8MB

Download
memory/984-239-0x00007FF86EB90000-0x00007FF86F651000-memory.dmp

Filesize
10.8MB

Download
memory/984-240-0x00007FF86EB90000-0x00007FF86F651000-memory.dmp

Filesize
10.8MB

Download
memory/984-235-0x0000000000000000-mapping.dmp

Download
memory/1120-241-0x0000000000000000-mapping.dmp

Download
memory/1172-179-0x0000000000000000-mapping.dmp

Download
memory/1176-226-0x0000000000000000-mapping.dmp

Download
memory/1300-225-0x0000000000000000-mapping.dmp

Download
memory/1368-230-0x0000000000000000-mapping.dmp

Download
memory/1540-181-0x0000000000000000-mapping.dmp

Download
memory/1884-205-0x0000000000000000-mapping.dmp

Download
memory/1884-208-0x0000000000840000-0x0000000000882000-memory.dmp

Filesize
264KB

Download
memory/1892-220-0x00000000078A0000-0x0000000007936000-memory.dmp

Filesize
600KB

Download
memory/1892-219-0x0000000006B10000-0x0000000006B2A000-memory.dmp

Filesize
104KB

Download
memory/1892-218-0x0000000007F20000-0x000000000859A000-memory.dmp

Filesize
6.5MB

Download
memory/1892-216-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/1892-215-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/1892-214-0x0000000005700000-0x0000000005722000-memory.dmp

Filesize
136KB

Download
memory/1892-213-0x00000000057F0000-0x0000000005E18000-memory.dmp

Filesize
6.2MB

Download
memory/1892-212-0x0000000005010000-0x0000000005046000-memory.dmp

Filesize
216KB

Download
memory/1892-211-0x0000000000000000-mapping.dmp

Download
memory/1904-224-0x0000000000000000-mapping.dmp

Download
memory/1920-221-0x0000000000000000-mapping.dmp

Download
memory/2248-136-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2248-132-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2248-137-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2248-151-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2344-202-0x0000000000E30000-0x0000000000E5A000-memory.dmp

Filesize
168KB

Download
memory/2344-204-0x00007FF86E8A0000-0x00007FF86F361000-memory.dmp

Filesize
10.8MB

Download
memory/2344-203-0x00007FF86E8A0000-0x00007FF86F361000-memory.dmp

Filesize
10.8MB

Download
memory/2344-199-0x0000000000000000-mapping.dmp

Download
memory/2584-191-0x00007FF86E8A0000-0x00007FF86F361000-memory.dmp

Filesize
10.8MB

Download
memory/2584-186-0x0000000000000000-mapping.dmp

Download
memory/2584-189-0x0000000000D00000-0x0000000000D98000-memory.dmp

Filesize
608KB

Download
memory/2644-185-0x0000000000000000-mapping.dmp

Download
memory/2692-178-0x0000000000000000-mapping.dmp

Download
memory/2732-184-0x0000000000000000-mapping.dmp

Download
memory/2768-163-0x00000000209F0000-0x0000000020AA6000-memory.dmp

Filesize
728KB

Download
memory/2768-172-0x00007FF86E780000-0x00007FF86F241000-memory.dmp

Filesize
10.8MB

Download
memory/2768-154-0x0000000000000000-mapping.dmp

Download
memory/2768-158-0x0000000000F30000-0x0000000000FF4000-memory.dmp

Filesize
784KB

Download
memory/2768-159-0x0000000003000000-0x000000000301E000-memory.dmp

Filesize
120KB

Download
memory/2768-160-0x00007FF86E780000-0x00007FF86F241000-memory.dmp

Filesize
10.8MB

Download
memory/2768-166-0x0000000020930000-0x00000000209AE000-memory.dmp

Filesize
504KB

Download
memory/2768-168-0x00000000209D0000-0x0000000020A68000-memory.dmp

Filesize
608KB

Download
memory/2768-170-0x00000000207A0000-0x00000000207CA000-memory.dmp

Filesize
168KB

Download
memory/3076-144-0x0000000005C40000-0x00000000061E4000-memory.dmp

Filesize
5.6MB

Download
memory/3076-153-0x00000000067B0000-0x0000000006816000-memory.dmp

Filesize
408KB

Download
memory/3076-139-0x0000000000000000-mapping.dmp

Download
memory/3076-143-0x0000000000C20000-0x0000000000D14000-memory.dmp

Filesize
976KB

Download
memory/3076-145-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/3076-146-0x0000000005590000-0x00000000055B2000-memory.dmp

Filesize
136KB

Download
memory/3076-150-0x0000000005560000-0x000000000557E000-memory.dmp

Filesize
120KB

Download
memory/3076-152-0x0000000005B80000-0x0000000005B8A000-memory.dmp

Filesize
40KB

Download
memory/3136-223-0x0000000000000000-mapping.dmp

Download
memory/3504-222-0x0000000000000000-mapping.dmp

Download
memory/3508-180-0x0000000000000000-mapping.dmp

Download
memory/4248-251-0x0000000000000000-mapping.dmp

Download
memory/4488-198-0x00007FF86E8A0000-0x00007FF86F361000-memory.dmp

Filesize
10.8MB

Download
memory/4488-196-0x00007FF86E8A0000-0x00007FF86F361000-memory.dmp

Filesize
10.8MB

Download
memory/4488-195-0x0000000000200000-0x000000000027E000-memory.dmp

Filesize
504KB

Download
memory/4488-192-0x0000000000000000-mapping.dmp

Download
memory/4664-177-0x00007FF86E8A0000-0x00007FF86F361000-memory.dmp

Filesize
10.8MB

Download
memory/4664-176-0x0000000000580000-0x0000000000636000-memory.dmp

Filesize
728KB

Download
memory/4664-183-0x00007FF86E8A0000-0x00007FF86F361000-memory.dmp

Filesize
10.8MB

Download
memory/4664-173-0x0000000000000000-mapping.dmp

Download
memory/4748-134-0x0000000000000000-mapping.dmp

Download
memory/4908-252-0x0000000000000000-mapping.dmp

Download
memory/5032-250-0x000001E9B1240000-0x000001E9B1250000-memory.dmp

Filesize
64KB

Download
memory/5032-249-0x000001E9B1140000-0x000001E9B1150000-memory.dmp

Filesize
64KB

Download
memory/5104-255-0x0000000000000000-mapping.dmp

Download