3b634f6fcf8d34329c87c84bcdd2797716f91c1280e84eac0b1a53709555a7ed

Analysis

max time kernel
106s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2023, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ibVPN-AIO-Setup.exe
Size

10.7MB
MD5

fafdb1773e105a9e7cb07aaac954ffed
SHA1

4c7a05c314e7dc8cf36d6b156f43f867cdb10f7b
SHA256

3b634f6fcf8d34329c87c84bcdd2797716f91c1280e84eac0b1a53709555a7ed
SHA512

419e06187f669a20bea97519ebbe7e09a249ed9f80aceb2f5a042e0afb2275205ac633336e019b9aa0a159ad2c8f885dbb8b0ea7bebab0ba7709bbcef347707a
SSDEEP

196608:idwM9sF+myQlARKMIoL6RYh0tf9L6gU8BoyP7T3YYSxjYxavaMB:Z9FCQGKboO5tFjUeL33BSFfvaQ

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\SETD844.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETD844.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\tap0901.sys	DrvInst.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SstpSvc\Parameters\ServiceDll = "%SystemRoot%\\system32\\sstpsvc.dll"	ibVPN-AIO-Setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ibVPN.exe

Executes dropped EXE 9 IoCs

pid	Process
1760	tapinstall.exe
4432	ibVPNServiceUninstaller.exe
5056	ibVPNServiceInstaller.exe
1668	ibVPNLauncher.exe
2800	ibVPN.exe
932	ibVPNLauncher.exe
1592	ibVPN.exe
1708	ibVPNLauncher.exe
4112	ibVPN.exe

Loads dropped DLL 46 IoCs

pid	Process
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
4432	ibVPNServiceUninstaller.exe
4432	ibVPNServiceUninstaller.exe
5056	ibVPNServiceInstaller.exe
5056	ibVPNServiceInstaller.exe
1668	ibVPNLauncher.exe
1668	ibVPNLauncher.exe
2800	ibVPN.exe
2800	ibVPN.exe
932	ibVPNLauncher.exe
932	ibVPNLauncher.exe
2800	ibVPN.exe
2800	ibVPN.exe
2800	ibVPN.exe
2800	ibVPN.exe
1708	ibVPNLauncher.exe
1708	ibVPNLauncher.exe
2800	ibVPN.exe
2800	ibVPN.exe
2800	ibVPN.exe
2800	ibVPN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_690431ea2d4f48b2\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\SETBE84.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\SETBE15.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\SETBE45.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\SETBE84.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_690431ea2d4f48b2\tap0901.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_690431ea2d4f48b2\oemwin2k.PNF	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\SETBE15.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\SETBE45.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\oemwin2k.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_690431ea2d4f48b2\oemwin2k.inf	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ibVPN_2.x\HtmlAgilityPack.dll	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\OpenVPN\driver\x32\tap0901.sys	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6bdd40b4-2452-4db2-a307-245f3be4e685.tmp	setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\DefaultSettings.xml	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\OpenVPN\bin\openvpn.exe	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\script\py\Crypto.Util._counter.pyd	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\script\py\_socket.pyd	ibVPN-AIO-Setup.exe
File opened for modification	C:\Program Files (x86)\ibVPN_2.x\UserSettings.xml	ibVPN.exe
File created	C:\Program Files (x86)\ibVPN_2.x\de-DE\ibVPN.resources.dll	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\enableDebug.pdb	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\ibVPN.pdb	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\script\ss\cygmbedcrypto-0.dll	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\DotRas.dll	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\ibVPNServiceUninstaller.exe.config	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\OpenVPN\driver\x32\OemWin2k.inf	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\Resources\icon-not-connected-status-red.png	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\Resources\icon-not-connected-status.png	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\script\py\obfsproxy.zip	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\debugLauncher.txt	ibVPNServiceInstaller.exe
File opened for modification	C:\Program Files (x86)\ibVPN_2.x\SmartDNSAdaptersBackup.xml	ibVPN.exe
File created	C:\Program Files (x86)\ibVPN_2.x\ibVPNServiceInstaller.pdb	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\OpenVPN\bin\libpkcs11-helper-1.dll	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\OpenVPN\driver\x64\tap0901.sys	ibVPN-AIO-Setup.exe
File opened for modification	C:\Program Files (x86)\ibVPN_2.x\OpenVPN\bin\tapinstall.exe	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\ibDAL.pdb	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\ibVPNServiceUninstaller.pdb	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\Profiles\BypassChina.xml	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\OpenVPN\bin\ssleay32.dll	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\script\ss\cygsodium-18.dll	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\Icon.ico	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\ksw.txt	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\Profiles\USStreaming.xml	ibVPN-AIO-Setup.exe
File opened for modification	C:\Program Files (x86)\ibVPN_2.x\debugLauncher.txt	ibVPNServiceInstaller.exe
File created	C:\Program Files (x86)\ibVPN_2.x\AutoUpdater.NET.dll	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\DevComponents.DotNetBar2.dll	ibVPN-AIO-Setup.exe
File opened for modification	C:\Program Files (x86)\ibVPN_2.x\Resources\RoutePrint.bat	ibVPN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230529061053.pma	setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\DevComponents.DotNetBar.SuperGrid.dll	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\Profiles\FastestConnection.xml	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\OpenVPN\bin\tapinstall.exe	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\SmartDNSAdaptersBackupInitial.xml	ibVPN.exe
File created	C:\Program Files (x86)\ibVPN_2.x\DotRas.xml	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\OpenVPN.dll	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\Settings.bin	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\OpenVPN\driver\x32\tap0901.cat	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\script\py\Crypto.Util.strxor.pyd	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\script\ss\cygev-4.dll	ibVPN-AIO-Setup.exe
File opened for modification	C:\Program Files (x86)\ibVPN_2.x\DefaultGateways.xml	ibVPN.exe
File created	C:\Program Files (x86)\ibVPN_2.x\ibVPN.exe	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\ibVPNLauncher.pdb	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\script\ss\cyggcc_s-seh-1.dll	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\script\ss\cygssp-0.dll	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\ibBLL.dll	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\OpenVPN\config\route-up.bat	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\Profiles\UKStreaming.xml	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\Resources\ibvpn.ico	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\script\ss\cygpcre-1.dll	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\UserSettings.xml	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\Resources\btn-collapse.gif	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\script\py\py.exe	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\OpenVPN\bin\addtap.bat	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\KillSwitchTable.xml	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\ibVPNLauncher.exe	ibVPN-AIO-Setup.exe
File created	C:\Program Files (x86)\ibVPN_2.x\script\py\select.pyd	ibVPN-AIO-Setup.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	ibVPN.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 62 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2120	ibVPN-AIO-Setup.exe
2800	ibVPN.exe
1592	ibVPN.exe
1592	ibVPN.exe
4112	ibVPN.exe
4112	ibVPN.exe
4348	msedge.exe
4348	msedge.exe
2688	msedge.exe
2688	msedge.exe
2528	identity_helper.exe
2528	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeAuditPrivilege	1100	svchost.exe
Token: SeSecurityPrivilege	1100	svchost.exe
Token: SeLoadDriverPrivilege	1760	tapinstall.exe
Token: SeRestorePrivilege	1428	DrvInst.exe
Token: SeBackupPrivilege	1428	DrvInst.exe
Token: SeLoadDriverPrivilege	1428	DrvInst.exe
Token: SeLoadDriverPrivilege	1428	DrvInst.exe
Token: SeLoadDriverPrivilege	1428	DrvInst.exe
Token: SeDebugPrivilege	2800	ibVPN.exe
Token: SeDebugPrivilege	1592	ibVPN.exe
Token: SeDebugPrivilege	4112	ibVPN.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2800	ibVPN.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2800	ibVPN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1760	2120	ibVPN-AIO-Setup.exe	89
PID 2120 wrote to memory of 1760	2120	ibVPN-AIO-Setup.exe	89
PID 1100 wrote to memory of 864	1100	svchost.exe	92
PID 1100 wrote to memory of 864	1100	svchost.exe	92
PID 864 wrote to memory of 2432	864	DrvInst.exe	93
PID 864 wrote to memory of 2432	864	DrvInst.exe	93
PID 1100 wrote to memory of 1428	1100	svchost.exe	96
PID 1100 wrote to memory of 1428	1100	svchost.exe	96
PID 2120 wrote to memory of 4432	2120	ibVPN-AIO-Setup.exe	99
PID 2120 wrote to memory of 4432	2120	ibVPN-AIO-Setup.exe	99
PID 2120 wrote to memory of 4432	2120	ibVPN-AIO-Setup.exe	99
PID 2120 wrote to memory of 5056	2120	ibVPN-AIO-Setup.exe	100
PID 2120 wrote to memory of 5056	2120	ibVPN-AIO-Setup.exe	100
PID 2120 wrote to memory of 5056	2120	ibVPN-AIO-Setup.exe	100
PID 2120 wrote to memory of 1668	2120	ibVPN-AIO-Setup.exe	101
PID 2120 wrote to memory of 1668	2120	ibVPN-AIO-Setup.exe	101
PID 2120 wrote to memory of 1668	2120	ibVPN-AIO-Setup.exe	101
PID 2800 wrote to memory of 3208	2800	ibVPN.exe	110
PID 2800 wrote to memory of 3208	2800	ibVPN.exe	110
PID 2800 wrote to memory of 3208	2800	ibVPN.exe	110
PID 3208 wrote to memory of 428	3208	cmd.exe	112
PID 3208 wrote to memory of 428	3208	cmd.exe	112
PID 3208 wrote to memory of 428	3208	cmd.exe	112
PID 2800 wrote to memory of 2688	2800	ibVPN.exe	114
PID 2800 wrote to memory of 2688	2800	ibVPN.exe	114
PID 2688 wrote to memory of 2936	2688	msedge.exe	115
PID 2688 wrote to memory of 2936	2688	msedge.exe	115
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116
PID 2688 wrote to memory of 3656	2688	msedge.exe	116

C:\Users\Admin\AppData\Local\Temp\ibVPN-AIO-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\ibVPN-AIO-Setup.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Program Files (x86)\ibVPN_2.x\OpenVPN\bin\tapinstall.exe
  "C:\Program Files (x86)\ibVPN_2.x\OpenVPN\bin\tapinstall.exe" install "C:\Program Files (x86)\ibVPN_2.x\OpenVPN\driver\x64\OemWin2k.inf" tap0901
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Program Files (x86)\ibVPN_2.x\ibVPNServiceUninstaller.exe
  "C:\Program Files (x86)\ibVPN_2.x\ibVPNServiceUninstaller.exe" -setup-service
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4432
- C:\Program Files (x86)\ibVPN_2.x\ibVPNServiceInstaller.exe
  "C:\Program Files (x86)\ibVPN_2.x\ibVPNServiceInstaller.exe" -setup-service
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:5056
- C:\Program Files (x86)\ibVPN_2.x\ibVPNLauncher.exe
  "C:\Program Files (x86)\ibVPN_2.x\ibVPNLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4cf8b4db-8ba9-984e-a7bc-fd94e465e4d1}\oemwin2k.inf" "9" "4d14a44ff" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\program files (x86)\ibvpn_2.x\openvpn\driver\x64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c0396134-b915-5e43-a9e3-4037571fd3c1} Global\{3550bef7-34f6-f944-8cc5-48468e2c2c9a} C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\oemwin2k.inf C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\tap0901.cat
    3⤵
    PID:2432
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000158"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1428

C:\Program Files (x86)\ibVPN_2.x\ibVPN.exe
"C:\Program Files (x86)\ibVPN_2.x\ibVPN.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ibVPN_2.x\Resources\RoutePrint.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\SysWOW64\ROUTE.EXE
    route print
    3⤵
    PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://my.ibvpn.com/cart.php?a=add&pid=10
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdaccf46f8,0x7ffdaccf4708,0x7ffdaccf4718
    3⤵
    PID:2936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16482277031061565460,8750504683380779193,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
    3⤵
    PID:3656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,16482277031061565460,8750504683380779193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,16482277031061565460,8750504683380779193,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8
    3⤵
    PID:4312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16482277031061565460,8750504683380779193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
    3⤵
    PID:1524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16482277031061565460,8750504683380779193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
    3⤵
    PID:2192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16482277031061565460,8750504683380779193,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
    3⤵
    PID:3288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16482277031061565460,8750504683380779193,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
    3⤵
    PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16482277031061565460,8750504683380779193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
    3⤵
    PID:4424
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:3184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x12c,0x128,0x234,0x120,0x7ff64c1a5460,0x7ff64c1a5470,0x7ff64c1a5480
      4⤵
      PID:1076
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16482277031061565460,8750504683380779193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16482277031061565460,8750504683380779193,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
    3⤵
    PID:2336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16482277031061565460,8750504683380779193,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:1
    3⤵
    PID:5108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16482277031061565460,8750504683380779193,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
    3⤵
    PID:5268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16482277031061565460,8750504683380779193,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
    3⤵
    PID:5280

C:\Program Files (x86)\ibVPN_2.x\ibVPNLauncher.exe
"C:\Program Files (x86)\ibVPN_2.x\ibVPNLauncher.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:932

C:\Program Files (x86)\ibVPN_2.x\ibVPN.exe
"C:\Program Files (x86)\ibVPN_2.x\ibVPN.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Program Files (x86)\ibVPN_2.x\ibVPNLauncher.exe
"C:\Program Files (x86)\ibVPN_2.x\ibVPNLauncher.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708

C:\Program Files (x86)\ibVPN_2.x\ibVPN.exe
"C:\Program Files (x86)\ibVPN_2.x\ibVPN.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ibVPN_2.x\DevComponents.DotNetBar2.dll

Filesize
5.3MB

MD5
265f0033bd4fb4c34b4c201ff6a5aac6

SHA1
8b6da4e410df38a8cbacf035c87fa409344f6463

SHA256
dc0e5b913e0665aded99878a569ceea0fd434f47a7ceb5ee9fc1b2db2bd70b93

SHA512
e126380f44b3fddde40be6ae423403c19dead19a9c79a6029a0f73ff0e917680a740883acb34a304d62d697ad8ed0eab526641ce929a5124ed828e11913b1c56

Download Submit
C:\Program Files (x86)\ibVPN_2.x\DevComponents.DotNetBar2.dll

Filesize
5.3MB

MD5
265f0033bd4fb4c34b4c201ff6a5aac6

SHA1
8b6da4e410df38a8cbacf035c87fa409344f6463

SHA256
dc0e5b913e0665aded99878a569ceea0fd434f47a7ceb5ee9fc1b2db2bd70b93

SHA512
e126380f44b3fddde40be6ae423403c19dead19a9c79a6029a0f73ff0e917680a740883acb34a304d62d697ad8ed0eab526641ce929a5124ed828e11913b1c56

Download Submit
C:\Program Files (x86)\ibVPN_2.x\DevComponents.DotNetBar2.dll

Filesize
5.3MB

MD5
265f0033bd4fb4c34b4c201ff6a5aac6

SHA1
8b6da4e410df38a8cbacf035c87fa409344f6463

SHA256
dc0e5b913e0665aded99878a569ceea0fd434f47a7ceb5ee9fc1b2db2bd70b93

SHA512
e126380f44b3fddde40be6ae423403c19dead19a9c79a6029a0f73ff0e917680a740883acb34a304d62d697ad8ed0eab526641ce929a5124ed828e11913b1c56

Download Submit
C:\Program Files (x86)\ibVPN_2.x\Microsoft.Win32.TaskScheduler.dll

Filesize
277KB

MD5
ae72d84821a4bff0a85ad524ab7dc582

SHA1
8e25728fa18210279cba6abec81b3c09460a354e

SHA256
4cd61e20dc9164806fcae50ff727bd7a49504e71c70fa5b226b9a30a37c027fc

SHA512
9adef8704caabe9b8e6e04bb5320c82fec81e196188d7ff23b3477cf937efe18258286399faaa0ddca5e10db1ff3844a8d74be6b757068d1d87c3bcc5d001c57

Download Submit
C:\Program Files (x86)\ibVPN_2.x\Microsoft.Win32.TaskScheduler.dll

Filesize
277KB

MD5
ae72d84821a4bff0a85ad524ab7dc582

SHA1
8e25728fa18210279cba6abec81b3c09460a354e

SHA256
4cd61e20dc9164806fcae50ff727bd7a49504e71c70fa5b226b9a30a37c027fc

SHA512
9adef8704caabe9b8e6e04bb5320c82fec81e196188d7ff23b3477cf937efe18258286399faaa0ddca5e10db1ff3844a8d74be6b757068d1d87c3bcc5d001c57

Download Submit
C:\Program Files (x86)\ibVPN_2.x\Microsoft.Win32.TaskScheduler.dll

Filesize
277KB

MD5
ae72d84821a4bff0a85ad524ab7dc582

SHA1
8e25728fa18210279cba6abec81b3c09460a354e

SHA256
4cd61e20dc9164806fcae50ff727bd7a49504e71c70fa5b226b9a30a37c027fc

SHA512
9adef8704caabe9b8e6e04bb5320c82fec81e196188d7ff23b3477cf937efe18258286399faaa0ddca5e10db1ff3844a8d74be6b757068d1d87c3bcc5d001c57

Download Submit
C:\Program Files (x86)\ibVPN_2.x\Microsoft.Win32.TaskScheduler.dll

Filesize
277KB

MD5
ae72d84821a4bff0a85ad524ab7dc582

SHA1
8e25728fa18210279cba6abec81b3c09460a354e

SHA256
4cd61e20dc9164806fcae50ff727bd7a49504e71c70fa5b226b9a30a37c027fc

SHA512
9adef8704caabe9b8e6e04bb5320c82fec81e196188d7ff23b3477cf937efe18258286399faaa0ddca5e10db1ff3844a8d74be6b757068d1d87c3bcc5d001c57

Download Submit
C:\Program Files (x86)\ibVPN_2.x\Microsoft.Win32.TaskScheduler.dll

Filesize
277KB

MD5
ae72d84821a4bff0a85ad524ab7dc582

SHA1
8e25728fa18210279cba6abec81b3c09460a354e

SHA256
4cd61e20dc9164806fcae50ff727bd7a49504e71c70fa5b226b9a30a37c027fc

SHA512
9adef8704caabe9b8e6e04bb5320c82fec81e196188d7ff23b3477cf937efe18258286399faaa0ddca5e10db1ff3844a8d74be6b757068d1d87c3bcc5d001c57

Download Submit
C:\Program Files (x86)\ibVPN_2.x\Microsoft.Win32.TaskScheduler.dll

Filesize
277KB

MD5
ae72d84821a4bff0a85ad524ab7dc582

SHA1
8e25728fa18210279cba6abec81b3c09460a354e

SHA256
4cd61e20dc9164806fcae50ff727bd7a49504e71c70fa5b226b9a30a37c027fc

SHA512
9adef8704caabe9b8e6e04bb5320c82fec81e196188d7ff23b3477cf937efe18258286399faaa0ddca5e10db1ff3844a8d74be6b757068d1d87c3bcc5d001c57

Download Submit
C:\Program Files (x86)\ibVPN_2.x\Microsoft.Win32.TaskScheduler.dll

Filesize
277KB

MD5
ae72d84821a4bff0a85ad524ab7dc582

SHA1
8e25728fa18210279cba6abec81b3c09460a354e

SHA256
4cd61e20dc9164806fcae50ff727bd7a49504e71c70fa5b226b9a30a37c027fc

SHA512
9adef8704caabe9b8e6e04bb5320c82fec81e196188d7ff23b3477cf937efe18258286399faaa0ddca5e10db1ff3844a8d74be6b757068d1d87c3bcc5d001c57

Download Submit
C:\Program Files (x86)\ibVPN_2.x\Microsoft.Win32.TaskScheduler.dll

Filesize
277KB

MD5
ae72d84821a4bff0a85ad524ab7dc582

SHA1
8e25728fa18210279cba6abec81b3c09460a354e

SHA256
4cd61e20dc9164806fcae50ff727bd7a49504e71c70fa5b226b9a30a37c027fc

SHA512
9adef8704caabe9b8e6e04bb5320c82fec81e196188d7ff23b3477cf937efe18258286399faaa0ddca5e10db1ff3844a8d74be6b757068d1d87c3bcc5d001c57

Download Submit
C:\Program Files (x86)\ibVPN_2.x\OpenVPN\bin\tapinstall.exe

Filesize
81KB

MD5
9c60df77fff30ed27d955da6f06174d5

SHA1
3fe1413d10ac0824c8acac531fd7382f6f098b43

SHA256
6cc6f4bc8d06ada3cbd90cb65b6ebb0ff3b3924f22e9acb53713c3ab0da1de79

SHA512
06cbad2f29ecbce0942018553c501d0fce9bc4bcfe89a70646d50ac97527a21cf91037ed22fce16a9ea097e96233fac69cac06aa5589c3b23f1c2decac18d965

Download Submit
C:\Program Files (x86)\ibVPN_2.x\OpenVPN\bin\tapinstall.exe

Filesize
81KB

MD5
9c60df77fff30ed27d955da6f06174d5

SHA1
3fe1413d10ac0824c8acac531fd7382f6f098b43

SHA256
6cc6f4bc8d06ada3cbd90cb65b6ebb0ff3b3924f22e9acb53713c3ab0da1de79

SHA512
06cbad2f29ecbce0942018553c501d0fce9bc4bcfe89a70646d50ac97527a21cf91037ed22fce16a9ea097e96233fac69cac06aa5589c3b23f1c2decac18d965

Download Submit
C:\Program Files (x86)\ibVPN_2.x\OpenVPN\driver\x64\OemWin2k.inf

Filesize
7KB

MD5
ddad0e498f5e36a013bc9a004451125e

SHA1
b5935ed307061ddb4d9e72605d45c2552b54ec4f

SHA256
27480e50875acecb90d80cbdde91b4948521f9d809a0d72e07a00ffcfaab9167

SHA512
66981744d209e39e7e1c52861d03ace799677b288f7e3e4788b5253d13b0c58d48a0ee0637de1a16860a111569586570a878e43700294a461a1aa53de21bfac0

Download Submit
C:\Program Files (x86)\ibVPN_2.x\UserSettings.xml

Filesize
1KB

MD5
3fa157e5409b1200a95d6c42f97c2cd7

SHA1
c5cf52ed3ff49416adacae794ec3fe6a3cb3711d

SHA256
8766c8aa16132a74f26db7617acf2504990ef1310e236d344617b577e6b975a0

SHA512
9f3561c9eb8d2b7022b933f603c0e442c27efa63314f0e48a051d9423a1528cb8fd38ac91c0266a1f24aea93c6a00b2ede3fce507da5ce389ee94ac0fe13b246

Download Submit
C:\Program Files (x86)\ibVPN_2.x\UserSettings.xml

Filesize
1KB

MD5
8d0c99f83cf4f21a9e8d527aee2125ee

SHA1
6467c3eee1a1a7e3eceea47728ca0cc0bec18d30

SHA256
edf27ea4b3301e9905da5ff17778132ab45fedebbf351f7dcfd3bd1569f8d9a5

SHA512
117fdceab338b0c810a63f84238fae057be36b7df1def1efccf1b5942dcb591d81a011ffec0290ddd44bf452de633ca023a314c4d3be173c01c72a86d2a00637

Download Submit
C:\Program Files (x86)\ibVPN_2.x\debugLauncher.txt

Filesize
2KB

MD5
f98ec704597f619077efe3d0de8c8a7c

SHA1
d5e55a51c1c05878db821bae1d7b711e7c133325

SHA256
849abbed318cfde3ce9b4a2ccab48b9d862ba459046210cf4e3d280905224a22

SHA512
ebcbccb72e69612d3219b2fc6452a3b47c5e7d3e6a0650920973c78ae987791f1f8cbc822fe267597537fabcc7a7f88cf7b8b5bc743fd9db6786a119b15715e7

Download Submit
C:\Program Files (x86)\ibVPN_2.x\ibVPN.exe

Filesize
2.5MB

MD5
df5dd6c43e2010f449a90b36fa339b22

SHA1
f232b9b70d336268f5fe020ee229e70d4508cc78

SHA256
472f68a73f8c9e774e925dea885e922518d8d12deb1c875c21f87d260564e334

SHA512
ea62913de543a26fb2cf5ec110aed6d2e79775fb6726b52fd715974fda73c8348ac64fc6f935d0d832b419badc5335206fccf9de964e87312fd840c64dcb68f2

Download Submit
C:\Program Files (x86)\ibVPN_2.x\ibVPN.exe

Filesize
2.5MB

MD5
df5dd6c43e2010f449a90b36fa339b22

SHA1
f232b9b70d336268f5fe020ee229e70d4508cc78

SHA256
472f68a73f8c9e774e925dea885e922518d8d12deb1c875c21f87d260564e334

SHA512
ea62913de543a26fb2cf5ec110aed6d2e79775fb6726b52fd715974fda73c8348ac64fc6f935d0d832b419badc5335206fccf9de964e87312fd840c64dcb68f2

Download Submit
C:\Program Files (x86)\ibVPN_2.x\ibVPN.exe.config

Filesize
1KB

MD5
0d8fe729764f7e614672a6a1dc1c0649

SHA1
7fec2552fb2e91b98c23426b7f6c42c994a72d05

SHA256
cc2d7e65f9a0b6b108a9b0703f8d52c5aad9094289783c77cd8f0dc3ae4e4a51

SHA512
1f653653408f76a6201ed372816206024fc96e674e9e7d7ffbd027cdf11b89a850b7c959d0552f1f436722f925af5dc47a7ddca5a8136bccfc39e8910df5a0cd

Download Submit
C:\Program Files (x86)\ibVPN_2.x\ibVPNLauncher.exe

Filesize
60KB

MD5
80d27cd09a963f5d0409ab914c9dde21

SHA1
14dc44a4501adf33e3ada4c9f503d85ae438a050

SHA256
aeaf05b12422755bbf75dc10ad4e8d5bf921e0773f6434157005e45087253b40

SHA512
47ea1739e4c2544f57269c578c9272daeaffa355eecb49554d33c7890476e0bc91a7a487f0db84a1865a790107f868537003e92fc68707eac186b3ab216ea02f

Download Submit
C:\Program Files (x86)\ibVPN_2.x\ibVPNLauncher.exe

Filesize
60KB

MD5
80d27cd09a963f5d0409ab914c9dde21

SHA1
14dc44a4501adf33e3ada4c9f503d85ae438a050

SHA256
aeaf05b12422755bbf75dc10ad4e8d5bf921e0773f6434157005e45087253b40

SHA512
47ea1739e4c2544f57269c578c9272daeaffa355eecb49554d33c7890476e0bc91a7a487f0db84a1865a790107f868537003e92fc68707eac186b3ab216ea02f

Download Submit
C:\Program Files (x86)\ibVPN_2.x\ibVPNLauncher.exe

Filesize
60KB

MD5
80d27cd09a963f5d0409ab914c9dde21

SHA1
14dc44a4501adf33e3ada4c9f503d85ae438a050

SHA256
aeaf05b12422755bbf75dc10ad4e8d5bf921e0773f6434157005e45087253b40

SHA512
47ea1739e4c2544f57269c578c9272daeaffa355eecb49554d33c7890476e0bc91a7a487f0db84a1865a790107f868537003e92fc68707eac186b3ab216ea02f

Download Submit
C:\Program Files (x86)\ibVPN_2.x\ibVPNLauncher.exe

Filesize
60KB

MD5
80d27cd09a963f5d0409ab914c9dde21

SHA1
14dc44a4501adf33e3ada4c9f503d85ae438a050

SHA256
aeaf05b12422755bbf75dc10ad4e8d5bf921e0773f6434157005e45087253b40

SHA512
47ea1739e4c2544f57269c578c9272daeaffa355eecb49554d33c7890476e0bc91a7a487f0db84a1865a790107f868537003e92fc68707eac186b3ab216ea02f

Download Submit
C:\Program Files (x86)\ibVPN_2.x\ibVPNLauncher.exe.config

Filesize
184B

MD5
c64632957c9a46b320e412d857e176c0

SHA1
823615cc1ffa2033818aea94781da440662902bf

SHA256
16a5b2d1d7cc9914bce73914d4d956d3ba7a2ec34e3d41e876f2e265c15d8096

SHA512
2b89c7953194a7adf7ef77c98558c27f7cc968f89edb04a7e13ab84df7cad1f4e23588016f01afa2c0a4ad2768b6814e24a6342376b92dcad48d35b8d4725c6b

Download Submit
C:\Program Files (x86)\ibVPN_2.x\ibVPNServiceInstaller.exe

Filesize
25KB

MD5
fe372ea2a1f494a01de22f91084d859c

SHA1
979a208b485966b23693143f3f2115367d59b5fc

SHA256
c4e3588d9fcbfec1098fcade1f4621fdb6e953cade918baf374230d7215cdaba

SHA512
ea23579d6ff1420a60cf26ecc436d2936b4fa0ea39beced3c804d8ecbd180df8e6278d0d17105ddb47f8f15844c10a0ed7714d8d22fc6689b0413115a8bc9e23

Download Submit
C:\Program Files (x86)\ibVPN_2.x\ibVPNServiceInstaller.exe

Filesize
25KB

MD5
fe372ea2a1f494a01de22f91084d859c

SHA1
979a208b485966b23693143f3f2115367d59b5fc

SHA256
c4e3588d9fcbfec1098fcade1f4621fdb6e953cade918baf374230d7215cdaba

SHA512
ea23579d6ff1420a60cf26ecc436d2936b4fa0ea39beced3c804d8ecbd180df8e6278d0d17105ddb47f8f15844c10a0ed7714d8d22fc6689b0413115a8bc9e23

Download Submit
C:\Program Files (x86)\ibVPN_2.x\ibVPNServiceInstaller.exe.config

Filesize
184B

MD5
c64632957c9a46b320e412d857e176c0

SHA1
823615cc1ffa2033818aea94781da440662902bf

SHA256
16a5b2d1d7cc9914bce73914d4d956d3ba7a2ec34e3d41e876f2e265c15d8096

SHA512
2b89c7953194a7adf7ef77c98558c27f7cc968f89edb04a7e13ab84df7cad1f4e23588016f01afa2c0a4ad2768b6814e24a6342376b92dcad48d35b8d4725c6b

Download Submit
C:\Program Files (x86)\ibVPN_2.x\ibVPNServiceUninstaller.exe

Filesize
16KB

MD5
5dd8b7a44f1fcb286c6591f1a59c02e5

SHA1
7da87ace72b72dae3026a741e2570b00b3a72bbf

SHA256
68bb1344b068e66004a90500d0b0b47b1006ef63a40cb11074f30d1063054fb7

SHA512
6fa8c8bf79ee921f5aa8b33669e4586528e82ee246cead40a2e0ffd6a5c56462ea0b5e20e1fc7ac80a9f269097a4fb10e659b519dd63fb3ca8739279b5be9f01

Download Submit
C:\Program Files (x86)\ibVPN_2.x\ibVPNServiceUninstaller.exe

Filesize
16KB

MD5
5dd8b7a44f1fcb286c6591f1a59c02e5

SHA1
7da87ace72b72dae3026a741e2570b00b3a72bbf

SHA256
68bb1344b068e66004a90500d0b0b47b1006ef63a40cb11074f30d1063054fb7

SHA512
6fa8c8bf79ee921f5aa8b33669e4586528e82ee246cead40a2e0ffd6a5c56462ea0b5e20e1fc7ac80a9f269097a4fb10e659b519dd63fb3ca8739279b5be9f01

Download Submit
C:\Program Files (x86)\ibVPN_2.x\ibVPNServiceUninstaller.exe.config

Filesize
184B

MD5
c64632957c9a46b320e412d857e176c0

SHA1
823615cc1ffa2033818aea94781da440662902bf

SHA256
16a5b2d1d7cc9914bce73914d4d956d3ba7a2ec34e3d41e876f2e265c15d8096

SHA512
2b89c7953194a7adf7ef77c98558c27f7cc968f89edb04a7e13ab84df7cad1f4e23588016f01afa2c0a4ad2768b6814e24a6342376b92dcad48d35b8d4725c6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ibVPNLauncher.exe.log

Filesize
608B

MD5
6df4da023bcee38b14ea6856d0533144

SHA1
5ff890ea4ded02fc9bc35c76feea840b41dde72e

SHA256
a7148b21b03951a7d18ddb02193db257f3380a44592e213d24490afbca69393c

SHA512
9b5f325ef01c6b37b423a1097ae298ac5763961f9e9ef757a503cfc69000ad928ba533bdab6e0b6db660e15f8a96cfc67e7818682dcf17ece2caf8afdc2796be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
7fdc4dac22e7b6e17b7d2fb922972516

SHA1
74457072b0e353b227ac5bc92dc4fe8912173c34

SHA256
092ff9d5278afa492733263c8bb6283380671854848b439e21ab63e544cb77c8

SHA512
2fcba678dfde2b2a8f9cecda831a175679deb83a8a43c4bcab3b3e4ecf6aa9df4d01b2de3d74df4781ea76924523ad96133d8b021f2b37e5af13b09c851463b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
634e29e87ae3bd1df8400565ccd3d786

SHA1
73e12d49a49bb731d3f666a5fbfc21723a15b9d7

SHA256
79a6198a3e377997d1433357684a3c2186d0bccb34828a1979472816fcab1911

SHA512
d95afb804b1fa838e766d487e6d80741c7f15603527cc59133e3a2b823d3644db631b3924aa7179bf0ec61debafbebcdbf2fdab722ef36a5948551b9ef27d3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
706aa7d7cb40e8132630fb2ac1a3dc7a

SHA1
cf4304070e9ba547cdb951405cfbce19516dec26

SHA256
a02ae0d56b599439d5645688ddc807cb2854082a9220794b8993086338eb63d9

SHA512
9beb313c84de4f2c35739c7d061db309d68bb7c95277568d6ed134e3efb248e6779016fa688990797d1e2b13e4d65b45cc331ce3875073d262ec88411ab21c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
52a0a679300c83887448151d0c3b9ef4

SHA1
173f17fe346189440669a8c6858814a379ce41da

SHA256
62413c3ebc7679865322d908e13e5e619878d71176ed328e48e2763116f850ec

SHA512
aad4ca3ff28755039e3f58152a22e5796bc178e43aaf6df57f03274665ab565f958b73c62dc68491a336ee97d69cfee9acf618c88b562511209ab2ef4c649a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
85526c5793aa368cad1fb451b5387d22

SHA1
a63b1ed43b952d21d28925f8f1eeb22ae67bfaf3

SHA256
fd3ea103b35101b70d11daeceee75aaa6a559e3da4ba51ab0258fb3f636b44bc

SHA512
cf3fc7d13b69accd8a15ed023c6ee6e7a0b8ac166dfbdd9149dba2b3e2525c40b746f2dd6553e58880d138d152eee7e157ab00eb6679e11fae25de2daf04d1e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
8cd8519ec94c64689d02d74e3d730287

SHA1
b0b709342c3ab5f10101b983170900cbef941ef0

SHA256
e501514909400f1f36064788c7c5b65d2223db9c95834e8aae855040fed10df6

SHA512
9a76566fc0843cb98a3e793c82fc65350006b7c8af6751f62d449c650b433f7c8d0d0ec6142bb6c2d6a677c0a1708a1290a77bdd10c6f9de0345dd03935a39eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\InstallOptions.dll

Filesize
14KB

MD5
79327201915b7cf3ba0c5d1a143aa925

SHA1
185b6f5520b1c39d3e7d9d91ed099698fac46d92

SHA256
1edf8dc7b6ef67e7cf68f6b07f38be5b336b5e6b2d1d5500cdb3e121b8381394

SHA512
c51086b7e039c83abb727a33b7f1ccac4fa999373b0423ac4b253e87195a5515d29e98ea2ed64f30406a14db4bf94422d34e6c9db8fc80be5c4e3fc77fd0207e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\InstallOptions.dll

Filesize
14KB

MD5
79327201915b7cf3ba0c5d1a143aa925

SHA1
185b6f5520b1c39d3e7d9d91ed099698fac46d92

SHA256
1edf8dc7b6ef67e7cf68f6b07f38be5b336b5e6b2d1d5500cdb3e121b8381394

SHA512
c51086b7e039c83abb727a33b7f1ccac4fa999373b0423ac4b253e87195a5515d29e98ea2ed64f30406a14db4bf94422d34e6c9db8fc80be5c4e3fc77fd0207e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\InstallOptions.dll

Filesize
14KB

MD5
79327201915b7cf3ba0c5d1a143aa925

SHA1
185b6f5520b1c39d3e7d9d91ed099698fac46d92

SHA256
1edf8dc7b6ef67e7cf68f6b07f38be5b336b5e6b2d1d5500cdb3e121b8381394

SHA512
c51086b7e039c83abb727a33b7f1ccac4fa999373b0423ac4b253e87195a5515d29e98ea2ed64f30406a14db4bf94422d34e6c9db8fc80be5c4e3fc77fd0207e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\SkinnedControls.dll

Filesize
68KB

MD5
c3e5d1a39e1f4dc8317a9e71ce93d141

SHA1
7f1e4bcfb2a6b58b5e337d58713eb27dfb2afef4

SHA256
512d67d40f6c73a8c7ce63060962b7632c47b528f340f152fbbda6ab12883579

SHA512
32b5c5439a1d58f4fcc9348d0a91ed6c4ecf5bec3abc646a345a2256060a962978a7fc9a5ce155ad1498a1d6f77dac29d433e9398252bd66b1d89875447e4603

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\SkinnedControls.dll

Filesize
68KB

MD5
c3e5d1a39e1f4dc8317a9e71ce93d141

SHA1
7f1e4bcfb2a6b58b5e337d58713eb27dfb2afef4

SHA256
512d67d40f6c73a8c7ce63060962b7632c47b528f340f152fbbda6ab12883579

SHA512
32b5c5439a1d58f4fcc9348d0a91ed6c4ecf5bec3abc646a345a2256060a962978a7fc9a5ce155ad1498a1d6f77dac29d433e9398252bd66b1d89875447e4603

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\SkinnedControls.dll

Filesize
68KB

MD5
c3e5d1a39e1f4dc8317a9e71ce93d141

SHA1
7f1e4bcfb2a6b58b5e337d58713eb27dfb2afef4

SHA256
512d67d40f6c73a8c7ce63060962b7632c47b528f340f152fbbda6ab12883579

SHA512
32b5c5439a1d58f4fcc9348d0a91ed6c4ecf5bec3abc646a345a2256060a962978a7fc9a5ce155ad1498a1d6f77dac29d433e9398252bd66b1d89875447e4603

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\System.dll

Filesize
10KB

MD5
5c22bbf6730572e50eed4108af6081df

SHA1
8a13196f4d47ee7de2e35509058db954db10c72a

SHA256
3198d832c222a9907d3d5822116c944fd1c6670a263b775212104a9ecf88beec

SHA512
264b194a50cb523f5758569d918b5f60cb2959c4d091ae6712efc95644700a7bc2bb440a22acdf2285b754691a9cc04633fcc7c5b354dae75c7260d6b27ebb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\System.dll

Filesize
10KB

MD5
5c22bbf6730572e50eed4108af6081df

SHA1
8a13196f4d47ee7de2e35509058db954db10c72a

SHA256
3198d832c222a9907d3d5822116c944fd1c6670a263b775212104a9ecf88beec

SHA512
264b194a50cb523f5758569d918b5f60cb2959c4d091ae6712efc95644700a7bc2bb440a22acdf2285b754691a9cc04633fcc7c5b354dae75c7260d6b27ebb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\System.dll

Filesize
10KB

MD5
5c22bbf6730572e50eed4108af6081df

SHA1
8a13196f4d47ee7de2e35509058db954db10c72a

SHA256
3198d832c222a9907d3d5822116c944fd1c6670a263b775212104a9ecf88beec

SHA512
264b194a50cb523f5758569d918b5f60cb2959c4d091ae6712efc95644700a7bc2bb440a22acdf2285b754691a9cc04633fcc7c5b354dae75c7260d6b27ebb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\UserInfo.dll

Filesize
4KB

MD5
c67eca29f64117d142dd34dbb1b079b0

SHA1
c0636b4553be523dad534b3683f8d2d58e741e49

SHA256
df0213583653c6c49e572aadbefdcac2ace7d3ed76717dc4f779c15f8bd49f69

SHA512
edc8aa9284bd5cb98c3f7163ea6e9720fee428912e120feef83d11005e731772aa42277be8c3da5ef65b5c7db62f775ea8a87273c3b7748bae6b51cb308b2d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\UserInfo.dll

Filesize
4KB

MD5
c67eca29f64117d142dd34dbb1b079b0

SHA1
c0636b4553be523dad534b3683f8d2d58e741e49

SHA256
df0213583653c6c49e572aadbefdcac2ace7d3ed76717dc4f779c15f8bd49f69

SHA512
edc8aa9284bd5cb98c3f7163ea6e9720fee428912e120feef83d11005e731772aa42277be8c3da5ef65b5c7db62f775ea8a87273c3b7748bae6b51cb308b2d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\UserInfo.dll

Filesize
4KB

MD5
c67eca29f64117d142dd34dbb1b079b0

SHA1
c0636b4553be523dad534b3683f8d2d58e741e49

SHA256
df0213583653c6c49e572aadbefdcac2ace7d3ed76717dc4f779c15f8bd49f69

SHA512
edc8aa9284bd5cb98c3f7163ea6e9720fee428912e120feef83d11005e731772aa42277be8c3da5ef65b5c7db62f775ea8a87273c3b7748bae6b51cb308b2d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\UserInfo.dll

Filesize
4KB

MD5
c67eca29f64117d142dd34dbb1b079b0

SHA1
c0636b4553be523dad534b3683f8d2d58e741e49

SHA256
df0213583653c6c49e572aadbefdcac2ace7d3ed76717dc4f779c15f8bd49f69

SHA512
edc8aa9284bd5cb98c3f7163ea6e9720fee428912e120feef83d11005e731772aa42277be8c3da5ef65b5c7db62f775ea8a87273c3b7748bae6b51cb308b2d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\UserInfo.dll

Filesize
4KB

MD5
c67eca29f64117d142dd34dbb1b079b0

SHA1
c0636b4553be523dad534b3683f8d2d58e741e49

SHA256
df0213583653c6c49e572aadbefdcac2ace7d3ed76717dc4f779c15f8bd49f69

SHA512
edc8aa9284bd5cb98c3f7163ea6e9720fee428912e120feef83d11005e731772aa42277be8c3da5ef65b5c7db62f775ea8a87273c3b7748bae6b51cb308b2d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\ioSpecial.ini

Filesize
740B

MD5
80cd440ba955dbd8680c3581e6ed13c6

SHA1
325255c49361af1c86bafaf628ccc19ef12bf615

SHA256
4a3bac4b4022dcd2075fdddf0acb2025729830629e4f367dae7510e5854033af

SHA512
3cda51a736b001d493efa01f0b0a4a8fc1f04674308d817cc8f5d237982642d2ccb416dfc40f0a43ecaa13e12fc2fabb9d9d55e58e602cc3cb834296ee37ff19

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\ioSpecial.ini

Filesize
779B

MD5
c6b87896ee3f8a9af147fc390aa471d7

SHA1
1b0cfedde13f0fd48c086dd33c5d22313a22d342

SHA256
28a689c917df04711e56d563cff377dbbe4048c4fecdca757595365e60ee9665

SHA512
63b9b36a56b35612b558474b461c20464b49773e90dc27080fdd3788423b242c09e1b0833135d7dda342196daf6eb42c119ddc806caca4393a29bef4b2190b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\nsExec.dll

Filesize
6KB

MD5
6d376db8c870c88759ab0fac0f91bde4

SHA1
c1df9264442c84858735550af99c1af55204dc31

SHA256
7994b5dbbd63253b8e11ee5d4aa34c61852d5f86a9c4a35ef421de2c26c80cd9

SHA512
ed37d2b97e44c5f2e3bb63dcae3b7eafff0a00ea6d315b6764b322d4dd68ec5d3f9c8a5b8e23cf585612c8b6fdd5bd6eb03e13237c445f990eca86a59579fd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\nsExec.dll

Filesize
6KB

MD5
6d376db8c870c88759ab0fac0f91bde4

SHA1
c1df9264442c84858735550af99c1af55204dc31

SHA256
7994b5dbbd63253b8e11ee5d4aa34c61852d5f86a9c4a35ef421de2c26c80cd9

SHA512
ed37d2b97e44c5f2e3bb63dcae3b7eafff0a00ea6d315b6764b322d4dd68ec5d3f9c8a5b8e23cf585612c8b6fdd5bd6eb03e13237c445f990eca86a59579fd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\nsExec.dll

Filesize
6KB

MD5
6d376db8c870c88759ab0fac0f91bde4

SHA1
c1df9264442c84858735550af99c1af55204dc31

SHA256
7994b5dbbd63253b8e11ee5d4aa34c61852d5f86a9c4a35ef421de2c26c80cd9

SHA512
ed37d2b97e44c5f2e3bb63dcae3b7eafff0a00ea6d315b6764b322d4dd68ec5d3f9c8a5b8e23cf585612c8b6fdd5bd6eb03e13237c445f990eca86a59579fd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\nsExec.dll

Filesize
6KB

MD5
6d376db8c870c88759ab0fac0f91bde4

SHA1
c1df9264442c84858735550af99c1af55204dc31

SHA256
7994b5dbbd63253b8e11ee5d4aa34c61852d5f86a9c4a35ef421de2c26c80cd9

SHA512
ed37d2b97e44c5f2e3bb63dcae3b7eafff0a00ea6d315b6764b322d4dd68ec5d3f9c8a5b8e23cf585612c8b6fdd5bd6eb03e13237c445f990eca86a59579fd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\nsExec.dll

Filesize
6KB

MD5
6d376db8c870c88759ab0fac0f91bde4

SHA1
c1df9264442c84858735550af99c1af55204dc31

SHA256
7994b5dbbd63253b8e11ee5d4aa34c61852d5f86a9c4a35ef421de2c26c80cd9

SHA512
ed37d2b97e44c5f2e3bb63dcae3b7eafff0a00ea6d315b6764b322d4dd68ec5d3f9c8a5b8e23cf585612c8b6fdd5bd6eb03e13237c445f990eca86a59579fd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\nsExec.dll

Filesize
6KB

MD5
6d376db8c870c88759ab0fac0f91bde4

SHA1
c1df9264442c84858735550af99c1af55204dc31

SHA256
7994b5dbbd63253b8e11ee5d4aa34c61852d5f86a9c4a35ef421de2c26c80cd9

SHA512
ed37d2b97e44c5f2e3bb63dcae3b7eafff0a00ea6d315b6764b322d4dd68ec5d3f9c8a5b8e23cf585612c8b6fdd5bd6eb03e13237c445f990eca86a59579fd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\nsExec.dll

Filesize
6KB

MD5
6d376db8c870c88759ab0fac0f91bde4

SHA1
c1df9264442c84858735550af99c1af55204dc31

SHA256
7994b5dbbd63253b8e11ee5d4aa34c61852d5f86a9c4a35ef421de2c26c80cd9

SHA512
ed37d2b97e44c5f2e3bb63dcae3b7eafff0a00ea6d315b6764b322d4dd68ec5d3f9c8a5b8e23cf585612c8b6fdd5bd6eb03e13237c445f990eca86a59579fd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\nsProcess.dll

Filesize
4KB

MD5
faa7f034b38e729a983965c04cc70fc1

SHA1
df8bda55b498976ea47d25d8a77539b049dab55e

SHA256
579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

SHA512
7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\nsProcess.dll

Filesize
4KB

MD5
faa7f034b38e729a983965c04cc70fc1

SHA1
df8bda55b498976ea47d25d8a77539b049dab55e

SHA256
579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

SHA512
7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\nsProcess.dll

Filesize
4KB

MD5
faa7f034b38e729a983965c04cc70fc1

SHA1
df8bda55b498976ea47d25d8a77539b049dab55e

SHA256
579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

SHA512
7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\nsProcess.dll

Filesize
4KB

MD5
faa7f034b38e729a983965c04cc70fc1

SHA1
df8bda55b498976ea47d25d8a77539b049dab55e

SHA256
579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

SHA512
7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv89F6.tmp\nsProcess.dll

Filesize
4KB

MD5
faa7f034b38e729a983965c04cc70fc1

SHA1
df8bda55b498976ea47d25d8a77539b049dab55e

SHA256
579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

SHA512
7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4CF8B~1\tap0901.cat

Filesize
8KB

MD5
a224f308bb7a5274526159738b1afca4

SHA1
8d46c83d10292d03ca44448e3bdd220b1d26d8e2

SHA256
164c053767b33334680c586a1de9f6bb75943c47ea2489ada5d0f2bb0cc68df8

SHA512
58feb2c8b1b9a5899f78dfdc2fe311b2eb805a9922816d8cbb5e59bc7ed4f9efd45573c60d5cd559400979778a13341373db47f1b0129f96682b6b7d8ceb96fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4CF8B~1\tap0901.sys

Filesize
26KB

MD5
bd2f92d26b4b6f8d43b9ad997b1a7e4f

SHA1
dd2b6b6a38a9fe4f4883d77cdf40606a7c082b61

SHA256
c1553bb9908761ea946611d867466ea4e47ecda3d09587c8026c88b7e8ccc779

SHA512
46d0b3dc0783e82f30abfd99a93b1c3ebbee81f3ed47dfa49c5e76aecac77a462c77e200108b75e50ce5c3f59aa3be23de0a98ad74afdd141c30c3300b83bd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4cf8b4db-8ba9-984e-a7bc-fd94e465e4d1}\oemwin2k.inf

Filesize
7KB

MD5
ddad0e498f5e36a013bc9a004451125e

SHA1
b5935ed307061ddb4d9e72605d45c2552b54ec4f

SHA256
27480e50875acecb90d80cbdde91b4948521f9d809a0d72e07a00ffcfaab9167

SHA512
66981744d209e39e7e1c52861d03ace799677b288f7e3e4788b5253d13b0c58d48a0ee0637de1a16860a111569586570a878e43700294a461a1aa53de21bfac0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
3a3d0948131f3b77f3602449d5a0d978

SHA1
34e8f25b3dc4bc3fb8be73838bdc9607822703ca

SHA256
c2882c216f2a0a961c869b69efb8e809ce57eb1839ad7cf7117f07f3802d65bd

SHA512
b73020688b312aa278a89cb80b1f87117812d78cc0bf759c1f5188d75a1a88c90d183dc977f6f65721f7b90d02974af85b08b29d0359590013c0656f9b580ab3

Download Submit
C:\Windows\INF\oem3.inf

Filesize
7KB

MD5
ddad0e498f5e36a013bc9a004451125e

SHA1
b5935ed307061ddb4d9e72605d45c2552b54ec4f

SHA256
27480e50875acecb90d80cbdde91b4948521f9d809a0d72e07a00ffcfaab9167

SHA512
66981744d209e39e7e1c52861d03ace799677b288f7e3e4788b5253d13b0c58d48a0ee0637de1a16860a111569586570a878e43700294a461a1aa53de21bfac0

Download Submit
C:\Windows\System32\DriverStore\FileRepository\OEMWIN~1.INF\tap0901.sys

Filesize
26KB

MD5
bd2f92d26b4b6f8d43b9ad997b1a7e4f

SHA1
dd2b6b6a38a9fe4f4883d77cdf40606a7c082b61

SHA256
c1553bb9908761ea946611d867466ea4e47ecda3d09587c8026c88b7e8ccc779

SHA512
46d0b3dc0783e82f30abfd99a93b1c3ebbee81f3ed47dfa49c5e76aecac77a462c77e200108b75e50ce5c3f59aa3be23de0a98ad74afdd141c30c3300b83bd68

Download Submit
C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\SETBE15.tmp

Filesize
7KB

MD5
ddad0e498f5e36a013bc9a004451125e

SHA1
b5935ed307061ddb4d9e72605d45c2552b54ec4f

SHA256
27480e50875acecb90d80cbdde91b4948521f9d809a0d72e07a00ffcfaab9167

SHA512
66981744d209e39e7e1c52861d03ace799677b288f7e3e4788b5253d13b0c58d48a0ee0637de1a16860a111569586570a878e43700294a461a1aa53de21bfac0

Download Submit
C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\SETBE45.tmp

Filesize
8KB

MD5
a224f308bb7a5274526159738b1afca4

SHA1
8d46c83d10292d03ca44448e3bdd220b1d26d8e2

SHA256
164c053767b33334680c586a1de9f6bb75943c47ea2489ada5d0f2bb0cc68df8

SHA512
58feb2c8b1b9a5899f78dfdc2fe311b2eb805a9922816d8cbb5e59bc7ed4f9efd45573c60d5cd559400979778a13341373db47f1b0129f96682b6b7d8ceb96fa

Download Submit
C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\SETBE84.tmp

Filesize
26KB

MD5
bd2f92d26b4b6f8d43b9ad997b1a7e4f

SHA1
dd2b6b6a38a9fe4f4883d77cdf40606a7c082b61

SHA256
c1553bb9908761ea946611d867466ea4e47ecda3d09587c8026c88b7e8ccc779

SHA512
46d0b3dc0783e82f30abfd99a93b1c3ebbee81f3ed47dfa49c5e76aecac77a462c77e200108b75e50ce5c3f59aa3be23de0a98ad74afdd141c30c3300b83bd68

Download Submit
C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\oemwin2k.inf

Filesize
7KB

MD5
ddad0e498f5e36a013bc9a004451125e

SHA1
b5935ed307061ddb4d9e72605d45c2552b54ec4f

SHA256
27480e50875acecb90d80cbdde91b4948521f9d809a0d72e07a00ffcfaab9167

SHA512
66981744d209e39e7e1c52861d03ace799677b288f7e3e4788b5253d13b0c58d48a0ee0637de1a16860a111569586570a878e43700294a461a1aa53de21bfac0

Download Submit
C:\Windows\System32\DriverStore\Temp\{69d1c90c-8619-aa43-9da9-d1105ea77a10}\tap0901.cat

Filesize
8KB

MD5
a224f308bb7a5274526159738b1afca4

SHA1
8d46c83d10292d03ca44448e3bdd220b1d26d8e2

SHA256
164c053767b33334680c586a1de9f6bb75943c47ea2489ada5d0f2bb0cc68df8

SHA512
58feb2c8b1b9a5899f78dfdc2fe311b2eb805a9922816d8cbb5e59bc7ed4f9efd45573c60d5cd559400979778a13341373db47f1b0129f96682b6b7d8ceb96fa

Download Submit
\??\c:\PROGRA~2\ibvpn_2.x\openvpn\driver\x64\tap0901.sys

Filesize
26KB

MD5
bd2f92d26b4b6f8d43b9ad997b1a7e4f

SHA1
dd2b6b6a38a9fe4f4883d77cdf40606a7c082b61

SHA256
c1553bb9908761ea946611d867466ea4e47ecda3d09587c8026c88b7e8ccc779

SHA512
46d0b3dc0783e82f30abfd99a93b1c3ebbee81f3ed47dfa49c5e76aecac77a462c77e200108b75e50ce5c3f59aa3be23de0a98ad74afdd141c30c3300b83bd68

Download Submit
\??\c:\program files (x86)\ibvpn_2.x\openvpn\driver\x64\tap0901.cat

Filesize
8KB

MD5
a224f308bb7a5274526159738b1afca4

SHA1
8d46c83d10292d03ca44448e3bdd220b1d26d8e2

SHA256
164c053767b33334680c586a1de9f6bb75943c47ea2489ada5d0f2bb0cc68df8

SHA512
58feb2c8b1b9a5899f78dfdc2fe311b2eb805a9922816d8cbb5e59bc7ed4f9efd45573c60d5cd559400979778a13341373db47f1b0129f96682b6b7d8ceb96fa

Download Submit
memory/1668-573-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/2120-206-0x00000000022D0000-0x00000000022E4000-memory.dmp

Filesize
80KB

Download
memory/2120-211-0x00000000022B0000-0x00000000022B3000-memory.dmp

Filesize
12KB

Download
memory/2800-585-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/2800-587-0x00000000066D0000-0x00000000066E0000-memory.dmp

Filesize
64KB

Download
memory/2800-619-0x00000000066D0000-0x00000000066E0000-memory.dmp

Filesize
64KB

Download
memory/2800-621-0x000000000AF70000-0x000000000AF96000-memory.dmp

Filesize
152KB

Download
memory/2800-633-0x00000000066D0000-0x00000000066E0000-memory.dmp

Filesize
64KB

Download
memory/2800-650-0x00000000066D0000-0x00000000066E0000-memory.dmp

Filesize
64KB

Download
memory/2800-615-0x000000000C0A0000-0x000000000C246000-memory.dmp

Filesize
1.6MB

Download
memory/2800-614-0x00000000066D0000-0x00000000066E0000-memory.dmp

Filesize
64KB

Download
memory/2800-613-0x000000000AAE0000-0x000000000AC04000-memory.dmp

Filesize
1.1MB

Download
memory/2800-599-0x00000000098A0000-0x0000000009906000-memory.dmp

Filesize
408KB

Download
memory/2800-597-0x0000000008DE0000-0x0000000008E10000-memory.dmp

Filesize
192KB

Download
memory/2800-596-0x0000000008D90000-0x0000000008DA4000-memory.dmp

Filesize
80KB

Download
memory/2800-588-0x00000000066D0000-0x00000000066E0000-memory.dmp

Filesize
64KB

Download
memory/2800-618-0x00000000066D0000-0x00000000066E0000-memory.dmp

Filesize
64KB

Download
memory/2800-586-0x0000000005A20000-0x0000000005A2A000-memory.dmp

Filesize
40KB

Download
memory/2800-580-0x0000000000860000-0x0000000000ADC000-memory.dmp

Filesize
2.5MB

Download
memory/2800-781-0x00000000066D0000-0x00000000066E0000-memory.dmp

Filesize
64KB

Download
memory/2800-794-0x00000000066D0000-0x00000000066E0000-memory.dmp

Filesize
64KB

Download
memory/2800-797-0x00000000066D0000-0x00000000066E0000-memory.dmp

Filesize
64KB

Download
memory/2800-584-0x0000000005FE0000-0x0000000006538000-memory.dmp

Filesize
5.3MB

Download
memory/4432-471-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/4432-475-0x0000000004920000-0x000000000496C000-memory.dmp

Filesize
304KB

Download
memory/4432-476-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/5056-485-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/5056-482-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/5056-483-0x00000000057A0000-0x0000000005D44000-memory.dmp

Filesize
5.6MB

Download