Analysis
max time kernel: 143s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2023, 18:33
Static task: static1

Behavioral task: behavioral1
Sample: Windscribe_2.5.18.exe
Resource: win7-20230712-en

Behavioral task: behavioral2
Sample: Windscribe_2.5.18.exe
Resource: win10v2004-20230703-en
General
Target: Windscribe_2.5.18.exe
Size: 20.5MB
MD5: 8b45ea7fa70ea3e60c1642001ab66bb1
SHA1: 69ab31a64f4d1c7ab2d5bf08b6ff05fe29efcfe1
SHA256: 34b8535955457b70007bc360d6f60a59dc70bd0aa8030ccaff77a07bd38ca320
SHA512: 9175435ca08cfbd498c5ab2dc63a29ebea508178397db2413d830a997673a2d60b4ca2178972c75dc57a33e9122e7d51aee2169dcc2dce8b445dcf33646a9b8e
SSDEEP: 393216:uVgDgNg+Vim3Tp8YTLz4Iom3CgnuhGQ5DtOCmJ6z5OqHCQZFsAIWKCYoyLV0:uV2WIiGYTX4VPhZs7JSFlIW9V
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
resource | yara_rule
behavioral2/files/0x0009000000023206-6.dat | dcrat
behavioral2/files/0x0009000000023206-9.dat | dcrat
behavioral2/files/0x0009000000023206-10.dat | dcrat
behavioral2/files/0x0007000000023210-31.dat | dcrat
behavioral2/files/0x0007000000023210-32.dat | dcrat
behavioral2/memory/4920-33-0x0000000000CF0000-0x0000000000EF8000-memory.dmp | dcrat
Creates new service(s) 1 TTPs
Drops file in Drivers directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\SETAE70.tmp | DrvInst.exe
File created | C:\Windows\System32\drivers\SETB5F2.tmp | DrvInst.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETB769.tmp | rundll32.exe
File created | C:\Windows\system32\DRIVERS\SETB769.tmp | rundll32.exe
File opened for modification | C:\Windows\system32\DRIVERS\WindscribeSplitTunnel.sys | rundll32.exe
File created | C:\Windows\System32\drivers\SETAE70.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\tapwindscribe0901.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\SETB5F2.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\windtun420.sys | DrvInst.exe
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WindscribeService\ImagePath = "\"C:\\Program Files\\Windscribe\\WindscribeService.exe\"" | Windscribe_2.5.18_licensekey.exe
Executes dropped EXE 10 IoCs
pid | Process
860 | Windscribe_2.5.18.exe
4500 | Windscribe_2.5.18_licensekey.exe
4920 | Runtime Broker.exe
3372 | subinacl.exe
4908 | tapinstall.exe
752 | tapinstall.exe
2772 | WindscribeLauncher.exe
1724 | Windscribe.exe
5032 | windscribeopenvpn_2_5_4.exe
5112 | WindscribeService.exe
Loads dropped DLL 30 IoCs
Registers COM server for autorun 1 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\clsid\{B8E661E9-A6D5-463D-9EF3-0434D51AEA3B}\LocalServer32 | Windscribe_2.5.18_licensekey.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B8E661E9-A6D5-463D-9EF3-0434D51AEA3B}\LocalServer32\ = "C:\\Program Files\\Windscribe\\ws_com_server.exe" | Windscribe_2.5.18_licensekey.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B8E661E9-A6D5-463D-9EF3-0434D51AEA3B}\InProcServer32 | Windscribe_2.5.18_licensekey.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B8E661E9-A6D5-463D-9EF3-0434D51AEA3B}\InProcServer32\ = "C:\\Program Files\\Windscribe\\ws_proxy_stub.dll" | Windscribe_2.5.18_licensekey.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B8E661E9-A6D5-463D-9EF3-0434D51AEA3B}\InProcServer32\ThreadingModel = "Both" | Windscribe_2.5.18_licensekey.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\clsid\{B8E661E9-A6D5-463D-9EF3-0434D51AEA3B}\InprocServer32 | Windscribe_2.5.18_licensekey.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | rundll32.exe
Drops file in System32 directory 36 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.dev.log | tapinstall.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
File created | C:\Windows\inf\oem3.inf | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | tapinstall.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\inf\oem4.inf | DrvInst.exe
File created | C:\Windows\inf\oem4.inf | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
5104 | sc.exe
2276 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill 1 IoCs
pid | Process
3252 | taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 23 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
1724 | Windscribe.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
1724 | Windscribe.exe
1724 | Windscribe.exe
2552 | msedge.exe
2552 | msedge.exe
4912 | msedge.exe
4912 | msedge.exe
5112 | WindscribeService.exe
5112 | WindscribeService.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1724 | Windscribe.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid | Process
4912 | msedge.exe
4912 | msedge.exe
Suspicious use of AdjustPrivilegeToken 23 IoCs
Suspicious use of FindShellTrayWindow 47 IoCs
Suspicious use of SendNotifyMessage 57 IoCs
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
860 | Windscribe_2.5.18.exe
4500 | Windscribe_2.5.18_licensekey.exe
3372 | subinacl.exe
4908 | tapinstall.exe
752 | tapinstall.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\Windscribe_2.5.18.exe
  "C:\Users\Admin\AppData\Local\Temp\Windscribe_2.5.18.exe"
  - Suspicious use of WriteProcessMemory
  PID:2176
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18.exe"
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:860
        C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Temp\tmTZAu0ww6EK.vbe"
          - Suspicious use of WriteProcessMemory
          PID:3660
            C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Temp\2b3nvEZbyOKVLO0rFX9CQNCe.bat" "
              - Suspicious use of WriteProcessMemory
              PID:2272
                C:\Temp\Runtime Broker.exe
                  "C:\Temp\Runtime Broker.exe"
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
                  PID:4920
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18_licensekey.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18_licensekey.exe"
      - Sets service image path in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Registers COM server for autorun
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:4500
        C:\Windows\SYSTEM32\sc.exe
          "sc" create WindscribeService binPath= "C:\Program Files\Windscribe\WindscribeService.exe" start= auto
          - Launches sc.exe
          PID:5104
        C:\Windows\SYSTEM32\sc.exe
          "sc" description WindscribeService "Manages the firewall and controls the VPN tunnel"
          - Launches sc.exe
          PID:2276
        C:\Program Files\Windscribe\subinacl.exe
          "C:\Program Files\Windscribe\subinacl" /SERVICE WindscribeService /grant=S-1-5-11=STO
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          PID:3372
        C:\Program Files\Windscribe\tap\tapinstall.exe
          "C:\Program Files\Windscribe\tap\tapinstall.exe" install OemVista.inf tapwindscribe0901
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          PID:4908
        C:\Program Files\Windscribe\wintun\tapinstall.exe
          "C:\Program Files\Windscribe\wintun\tapinstall.exe" install windtun420.inf windtun420
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          PID:752
        C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" setupapi,InstallHinfSection DefaultInstall 132 C:\Program Files\Windscribe\splittunnel\windscribesplittunnel.inf
          - Drops file in Drivers directory
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID:4472
            C:\Windows\system32\runonce.exe
              "C:\Windows\system32\runonce.exe" -r
              - Suspicious use of WriteProcessMemory
              PID:2980
                C:\Windows\System32\grpconv.exe
                  "C:\Windows\System32\grpconv.exe" -o
                  PID:884

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:452
    C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{18432bbe-e558-8142-b299-937b60cc2d9d}\oemvista.inf" "9" "40e41e9d3" "000000000000014C" "WinSta0\Default" "0000000000000158" "208" "c:\program files\windscribe\tap"
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      PID:1504
    C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tapwindscribe0901.ndi:9.24.2.601:tapwindscribe0901," "40e41e9d3" "000000000000014C"
      - Drops file in Drivers directory
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      PID:3904
    C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{405b23cd-fe78-3045-ab2f-6c19c7b8fc15}\windtun420.inf" "9" "4fd9b412f" "0000000000000170" "WinSta0\Default" "0000000000000138" "208" "c:\program files\windscribe\wintun"
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      PID:4556
    C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\NET\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:f101f9793a5fdf02:Windtun420.Install:0.9.0.0:windtun420," "4fd9b412f" "0000000000000178"
      - Drops file in Drivers directory
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      PID:1576

C:\Program Files\Windscribe\WindscribeLauncher.exe
  "C:\Program Files\Windscribe\WindscribeLauncher.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2772
    C:\Program Files\Windscribe\Windscribe.exe
      "C:\Program Files\Windscribe\Windscribe.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID:1724
        C:\Program Files\Windscribe\windscribeopenvpn_2_5_4.exe
          "C:\Program Files\Windscribe\windscribeopenvpn_2_5_4.exe" --version
          - Executes dropped EXE
          - Loads dropped DLL
          PID:5032
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.windscribe.com/installed/desktop?jdz6q20s
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID:4912
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaaa4746f8,0x7ffaaa474708,0x7ffaaa474718
              PID:5044
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,8950744402499926315,16817837955825138860,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
              PID:3516
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,8950744402499926315,16817837955825138860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
              - Suspicious behavior: EnumeratesProcesses
              PID:2552
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,8950744402499926315,16817837955825138860,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
              PID:4116
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8950744402499926315,16817837955825138860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
              PID:3720
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8950744402499926315,16817837955825138860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
              PID:4792

C:\Program Files\Windscribe\WindscribeService.exe
  "C:\Program Files\Windscribe\WindscribeService.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5112
    C:\Windows\system32\taskkill.exe
      taskkill /f /t /im windscribeopenvpn_2_5_4.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:3252

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:3648

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:2228
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 3
Create or Modify System Process 1
Windows Service 1
Downloads
-
Filesize
56KB
MD5a06a6cca3c5685775a54b1af6c0dc5f6
SHA15b7a5bf57610f7e06b30793c4196242cc238bb54
SHA25617c4ab6752636d286ac2bf511484bfa403019dc6ae51d4eb4259604377fce012
SHA5127179e7304b176f71aedd0f2a4d0ac9c4baee0603025ae72ec8c4d57aba3a13e598c8b505cff91dae18868cbf0d5e3f31d9cda4325cbfbfe99b4e9aa18264c184
-
Filesize
56KB
MD5a06a6cca3c5685775a54b1af6c0dc5f6
SHA15b7a5bf57610f7e06b30793c4196242cc238bb54
SHA25617c4ab6752636d286ac2bf511484bfa403019dc6ae51d4eb4259604377fce012
SHA5127179e7304b176f71aedd0f2a4d0ac9c4baee0603025ae72ec8c4d57aba3a13e598c8b505cff91dae18868cbf0d5e3f31d9cda4325cbfbfe99b4e9aa18264c184
-
Filesize
46KB
MD5204f64debf2647874545421e6feaed2b
SHA1fc3b676f92d9579d90f4c7bee33eaeb395f9b27f
SHA256e36fc07fa803a4c949991ab0a16f5059eab1b91bb280f54ebfda2032ae096b92
SHA5125b58282d72e82361720b62f3eb4583f7f56c43fa262f6a335fb37f222288d39e88ec1855d7cd51769ce17cfc1f1c5ccd92f15a1d30be9ddf2df562caf6293195
-
Filesize
10KB
MD518ef4501d1f4acb8de464796cb2780b5
SHA17e76c6703081ac711ac75c36616c4fc38fdee3e2
SHA2567a4e28d944340d2e739fdfe8e3de7c7a254b770e8060ad70ac09e26c1cb10a86
SHA512bf834399a4dd776fb44514e2abce1e3ef6ea65543ad67bbc1267400fda8d837b2f42b016e01ea4a3f8d7368d5168157d90735699ce1836944031b5c501f77fff
-
Filesize
10KB
MD54d00baa194a2e39eaa0d9aa32bff8f04
SHA1a7d501754bb5d570a95c46ff1df6ad3cbce867fb
SHA2564e5c09d6260aab18dc288298f77c8ad977d395ce5fefd4b84bc93df3bdee231b
SHA512594d90de4568834f09dd233f28f8765fe8d7e4eca864932572388439462520bf55d19dd0dd3f5ed8544c107d6c0df4556ce37611ee3e7d727bf85d10236a1670