Analysis
max time kernel: 144s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-04-2024 17:30
Static task: static1
Behavioral task: behavioral1
  Sample: HotspotShield-9.8.7-plain-773-PreActive.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: HotspotShield-9.8.7-plain-773-PreActive.exe
  Resource: win10v2004-20240226-en
General
Target: HotspotShield-9.8.7-plain-773-PreActive.exe
Size: 25.5MB
MD5: e7ff4977ea73d84aaf8e5de447489f20
SHA1: df200d238f5860279040a03eeb5eb0ab0afa7f08
SHA256: 17b9f275942054333847e4584d794ed7429ad83b72038ff20e04161332095460
SHA512: 46f3125e0c6d0e23de2cf665a70562e7685721b0e06fb50f204047cbb138b20d53603bd138798f0fd31bfcc4d2eb54e7e82385e2e9df4dd23d4ef6d97c52b584
SSDEEP: 786432:94hCXFF1fPYah+tZGgX1ozNSq0gpxDcrX:6IXFF11+tZtlozNSq5peL
Malware Config
Signatures
-
Detect ZGRat V1 (1 IoC)
Processes:
  yara rule family_zgrat_v1: behavioral1/memory/912-686-0x0000000019B70000-0x0000000019C06000-memory.dmp
This is a single memory-region match in pid 912 (cmw_srv.exe), the same process the report below flags as Agile.Net-obfuscated and Themida-protected. A lone YARA hit inside an obfuscated .NET process should be corroborated (dump and inspect the matched region, check what the rule actually keys on) before the sample is treated as carrying a RAT.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
  Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cmw_srv.exe
The HARDWARE\ACPI\DSDT\VBOX__ key only exists on a guest whose ACPI tables were supplied by VirtualBox, so opening it is a direct check for that hypervisor.
Drops file in Drivers directory (3 IoCs)
Processes:
  File opened for modification C:\Windows\system32\DRIVERS\SET43C4.tmp DrvInst.exe
  File created C:\Windows\system32\DRIVERS\SET43C4.tmp DrvInst.exe
  File opened for modification C:\Windows\system32\DRIVERS\tap0901.sys DrvInst.exe
tap0901.sys is the TAP-Windows virtual network adapter driver that the bundled tap-windows-9.21.2 installer places under C:\Program Files\TAP-Windows\driver (see the Program Files drops below); SET43C4.tmp is the temporary name SetupAPI uses while copying it into place.
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cmw_srv.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cmw_srv.exe
Executes dropped EXE (9 IoCs)
Processes (pid, image):
  2232 tap-windows-9.21.2.exe
  384 tap-windows-9.21.2.EXE
  1104 tapinstall.exe
  1632 tapinstall.exe
  912 cmw_srv.exe
  1948 hsscp.exe
  2976 hsscp.exe
  2332 hsscp.exe
  1596 MSI7480.tmp
Loads dropped DLL (48 IoCs)
Processes (pid, image, number of dropped DLLs loaded):
  2972 MsiExec.exe (16)
  1936 HotspotShield-9.8.7-plain-773-PreActive.exe (3)
  2232 tap-windows-9.21.2.exe (6)
  384 tap-windows-9.21.2.EXE (11)
  2740 MsiExec.exe (8)
  1036 MsiExec.exe (1)
  912 cmw_srv.exe (3)
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  yara rule agile_net: behavioral1/memory/912-1357-0x000000001DD50000-0x000000001E2B4000-memory.dmp
Matches yara rule themida (14 IoCs)
Processes:
  yara rule themida: C:\Windows\Temp\24364f73-9b8c-4dad-9bac-b5c9a01136f2\AgileDotNetRT64.dll
  yara rule themida: behavioral1/memory/912-<dump>-0x000007FEE7E70000-0x000007FEE86DC000-memory.dmp for dumps 1368, 1382, 1411, 1864, 1865, 1866, 1871, 1879, 1881, 1882, 1883, 1884 and 1885 (13 dumps of the same region)
Both rules fire on pid 912 (cmw_srv.exe). AgileDotNetRT64.dll is the Agile.NET native runtime, written to C:\Windows\Temp and then mapped at 0x000007FEE7E70000 in that process; every Themida hit is on that one file or its mapped image, not on separately packed code.
Blocklisted process makes network request (1 IoC)
Processes:
  flow 11, pid 2416 msiexec.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MSI7480.tmp
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmw_srv.exe
Note that the two IoCs recorded under this signature are not Uninstall-key lookups: EnableLUA is the policy value that says whether UAC is enabled, so what was actually observed is the MSI custom action and the service checking UAC state.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: HotspotShield-9.8.7-plain-773-PreActive.exe, msiexec.exe
Every entry is "File opened (read-only)" on a drive root; duplicates collapsed:
  HotspotShield-9.8.7-plain-773-PreActive.exe: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  msiexec.exe: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Windows Installer probes volumes while costing an install, so the msiexec.exe entries are expected for any MSI package; the installer stub walks the same letters.
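The anti-VM registry reads, the EnableLUA query, the driver drop and the drive-letter sweep above all arrive in the same flat "ACTION PATH PROCESS" form. As an added example (editor's code, not part of the sandbox report and not Hotspot Shield's code), the Python below parses lines in that form and tags each process with the behaviour they show. The sample lines are constructed from entries on this page; the action list, the rule set and the tag names are assumptions made for illustration, not the sandbox's own signature logic.

```python
"""Tag flattened sandbox IoC lines by anti-analysis behaviour.

Added example for this report; not sandbox code and not Hotspot Shield code.
Input lines are in the flat "ACTION PATH PROCESS" form the report uses.
"""
import re
from collections import defaultdict

# Action prefixes as they appear in the report. Longer prefixes come first so
# "File opened for modification" is tried before "File opened (read-only)".
ACTIONS = (
    "File opened for modification",
    "File opened (read-only)",
    "File created",
    "Key value queried",
    "Key opened",
    "Key created",
    "Set value (str)",
    "Set value (int)",
    "Set value (data)",
)

# Assumed rules (editor's choice, not a sandbox signature set):
# (action prefix or None for any action, regex over the path, tag).
RULES = (
    (None, r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", "anti_vm:virtualbox_acpi"),
    (None, r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "anti_vm:bios_version"),
    (None, r"\\Policies\\System\\EnableLUA$", "uac_state_check"),
    ("File", r"\\[^\\]+\.sys$", "driver_drop"),
    ("File opened (read-only)", r"^\\\?\?\\[A-Z]:$", "drive_enum"),
)

# Constructed sample: lines copied from the report above plus one non-IoC line.
SAMPLE_LINES = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cmw_srv.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cmw_srv.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cmw_srv.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MSI7480.tmp
File created C:\Windows\system32\DRIVERS\SET43C4.tmp DrvInst.exe
File opened for modification C:\Windows\system32\DRIVERS\tap0901.sys DrvInst.exe
File opened (read-only) \??\S: HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only) \??\A: HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only) \??\Z: msiexec.exe
Analysis line that is not an IoC
""".strip().splitlines()


def parse_ioc(line):
    """Split 'ACTION PATH PROCESS' into (action, path, process); None if no known action."""
    line = line.strip()
    for action in ACTIONS:
        if line.startswith(action + " "):
            rest = line[len(action) + 1:]
            # The process name is the last whitespace-delimited token; the
            # path in between may itself contain spaces ("Program Files (x86)").
            path, _, process = rest.rpartition(" ")
            if not path or not process:
                return None
            return action, path, process
    return None


def classify(lines):
    """Return {process: {tag: hit count}} for every line that matches a rule."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_ioc(line)
        if parsed is None:
            continue
        action, path, process = parsed
        for prefix, pattern, tag in RULES:
            if prefix is not None and not action.startswith(prefix):
                continue
            if re.search(pattern, path, re.IGNORECASE):
                findings[process][tag] += 1
    return {process: dict(tags) for process, tags in findings.items()}


def anti_vm_processes(findings):
    """Processes with at least one anti-VM tag: the ones worth a closer look."""
    return sorted(p for p, tags in findings.items()
                  if any(t.startswith("anti_vm:") for t in tags))


if __name__ == "__main__":
    result = classify(SAMPLE_LINES)
    for process, tags in sorted(result.items()):
        print(process, tags)
    print("anti-VM behaviour:", anti_vm_processes(result))
```

Run against the constructed lines, only cmw_srv.exe collects anti-VM tags, while the installer processes come out with the drive sweep and the UAC read that any MSI-based installer would produce. Feeding it a full report separates "what a normal installer does" from "what this service does" without reading every IoC by hand.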
Drops file in System32 directory (27 IoCs)
Processes: DrvInst.exe, tapinstall.exe, cmw_srv.exe
DrvInst.exe (driver staging directory T = C:\Windows\System32\DriverStore\Temp\{2c00829c-b87d-7d13-ed3c-302f7386734f}):
  File opened for modification T\oemvista.inf
  File opened for modification T\SET1F36.tmp
  File created T\SET1F36.tmp
  File opened for modification T\SET1F35.tmp
  File created T\SET1F35.tmp
  File opened for modification T\SET1F24.tmp
  File created T\SET1F24.tmp
  File opened for modification T\tap0901.cat
  File opened for modification T\tap0901.sys
  File opened for modification T (the directory itself)
  File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.PNF
  File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.PNF
  File opened for modification C:\Windows\System32\DriverStore\infstor.dat
  File opened for modification C:\Windows\System32\DriverStore\infstrng.dat (twice)
  File opened for modification C:\Windows\System32\DriverStore\infpub.dat (twice)
  File created C:\Windows\System32\DriverStore\INFCACHE.0
tapinstall.exe:
  File opened for modification C:\Windows\System32\CatRoot2\dberr.txt
  File opened for modification C:\Windows\System32\DriverStore\infstrng.dat
  File opened for modification C:\Windows\System32\DriverStore\infpub.dat
cmw_srv.exe (all under C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\):
  File opened for modification Content\94308059B57B3142E455B38A6EB92015
  File opened for modification MetaData\94308059B57B3142E455B38A6EB92015
  File opened for modification Content\070E0202839D9D67350CD2613E78E416
  File opened for modification MetaData\070E0202839D9D67350CD2613E78E416
  File opened for modification Content\F0ACCF77CDCBFF39F6191887F6D2D357
  File opened for modification MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
The DrvInst.exe and tapinstall.exe entries are the normal DriverStore import of the oemvista.inf / tap0901.sys package. The cmw_srv.exe writes land in the LocalSystem profile (config\systemprofile), which shows the service running as SYSTEM; CryptnetUrlCache is populated by CryptoAPI when it fetches certificate chain or revocation data over the network, so those six files record certificate validation traffic by the service.
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
  912 cmw_srv.exe
ThreadHideFromDebugger makes the calling thread invisible to an attached debugger, a common anti-debugging measure. Together with the VirtualBox ACPI check and the BIOS version reads, all of the anti-analysis behaviour in this report sits in cmw_srv.exe, the service binary the MSI writes to C:\Program Files (x86)\Hotspot Shield\9.8.7\bin\cmw_srv.exe.
Drops file in Program Files directory (64 IoCs)
Processes: msiexec.exe, tap-windows-9.21.2.EXE
All entries are "File created".
msiexec.exe, under C:\Program Files (x86)\Hotspot Shield\9.8.7\:
  license.txt
  hss.ico
  driver\pango_netfilter2\nfregdrv.exe
  driver\pango_netfilter2\pango_netfilter2.sys
  driver\openvpn-sha1.cer
  bin\cmw_srv.exe
  bin\x64\hydra.exe
  bin\x86\hydra.exe
  bin\x86\afvpn.dll
  bin\x86\49F631DB-450A-4108-8F5C-434AF3FEE6DC.DLL
  bin\x64\49F631DB-450A-4108-8F5C-434AF3FEE6DC.DLL
  bin\Hss.Service.dll
  bin\Hss.Common.Wcf.dll
  bin\Hss.Client.Application.dll
  bin\Hss.Client.Framework.dll
  bin\Hss.Client.Management.dll
  bin\Hss.Client.Management.Contract.dll
  bin\Hss.Client.UI.View.dll
  bin\Hss.Client.UI.ViewModel.dll
  bin\Hss.Client.UI.View.resources.dll (language folders ar, de, es, fr, ja, ko, pt, ru, tr)
  bin\Foundation.Analytics.dll
  bin\Foundation.Extensions.dll
  bin\Foundation.ExtProc.Hydra.dll
  bin\Foundation.ExtProc.Hydra.ComTypes.dll
  bin\Foundation.Interop.Wfp.dll
  bin\Foundation.NativeCrashReport.dll
  bin\Foundation.NetFilterSdk.dll
  bin\Foundation.Premium.dll
  bin\Foundation.UnifiedApi.dll
  bin\Foundation.Update.dll
  bin\Foundation.Vpn.Ipsec.dll
  bin\Foundation.Vpn.Sdk.dll
  bin\Interop.NETWORKLIST.dll
  bin\AutoMapper.dll
  bin\Castle.Core.AsyncInterceptor.dll
  bin\CommonServiceLocator.dll
  bin\Google.Protobuf.dll
  bin\Hardcodet.Wpf.TaskbarNotification.dll
  bin\LiveCharts.dll
  bin\LiveCharts.Wpf.dll
  bin\Ninject.dll
  bin\Ninject.Extensions.Factory.dll
  bin\Prism.dll
  bin\SimpleInjector.dll
  bin\stdole.dll
  bin\System.Buffers.dll
  bin\System.Memory.dll
  bin\System.Runtime.CompilerServices.Unsafe.dll
  bin\System.Threading.Tasks.Extensions.dll
  bin\ZendeskApi_v2.dll
tap-windows-9.21.2.EXE, under C:\Program Files\TAP-Windows\:
  Uninstall.exe
  icon.ico
  bin\tapinstall.exe
  driver\OemVista.inf
  driver\tap0901.cat
  driver\tap0901.sys
Two kernel drivers are installed: the TAP-Windows adapter (tap0901.sys) and the pango_netfilter2.sys network filter with its registration helper nfregdrv.exe.
Drops file in Windows directory (32 IoCs)
Processes: DrvInst.exe, msiexec.exe, tapinstall.exe, HotspotShield-9.8.7-plain-773-PreActive.exe
DrvInst.exe:
  File created C:\Windows\INF\oem2.inf
  File opened for modification C:\Windows\INF\oem2.inf
  File created C:\Windows\INF\oem2.PNF
  File opened for modification C:\Windows\INF\setupapi.dev.log (three times)
  File opened for modification C:\Windows\INF\setupapi.ev1 (twice)
  File opened for modification C:\Windows\INF\setupapi.ev2
  File opened for modification C:\Windows\INF\setupapi.ev3 (twice)
tapinstall.exe:
  File opened for modification C:\Windows\INF\setupapi.dev.log
  File opened for modification C:\Windows\INF\setupapi.app.log
msiexec.exe (under C:\Windows\Installer\):
  File opened for modification C:\Windows\Installer\ (the directory itself)
  File created f764bfe.msi
  File opened for modification f764bfe.msi
  File created f764c01.msi
  File created f764bff.ipi
  File opened for modification f764bff.ipi
  File created {AF8F7C05-B9CA-42C2-8F1B-BF9609AD7C28}\hsscp.exe
  File opened for modification {AF8F7C05-B9CA-42C2-8F1B-BF9609AD7C28}\hsscp.exe
  File opened for modification MSI4D3A.tmp, MSI4D89.tmp, MSI4DD8.tmp, MSI4E46.tmp, MSI4EB4.tmp, MSI4ED5.tmp, MSI4F04.tmp, MSI4F15.tmp, MSI58B8.tmp, MSI5B29.tmp
HotspotShield-9.8.7-plain-773-PreActive.exe:
  File created C:\Windows\Tasks\{AF8F7C05-B9CA-42C2-8F1B-BF9609AD7C28}.job
The .job file is a scheduled task, the persistence mechanism in this report. It is keyed by the same GUID as the Windows\Installer subdirectory that receives hsscp.exe, and hsscp.exe is one of the dropped executables that runs (pids 1948, 2976, 2332 above), so the task is what launches it.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
NSIS installer (2 IoCs)
Processes:
  yara rule nsis_installer_1: \Users\Admin\AppData\Local\Temp\tap-windows-9.21.2\tap-windows-9.21.2.EXE
  yara rule nsis_installer_2: \Users\Admin\AppData\Local\Temp\tap-windows-9.21.2\tap-windows-9.21.2.EXE
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE, hsscp.exe
All keys below are relative to \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\.
hsscp.exe:
  Key created Main
  Key created Main\FeatureControl
  Key created Main\FeatureControl\FEATURE_BROWSER_EMULATION
  Set value (int) Main\FeatureControl\FEATURE_BROWSER_EMULATION\hsscp.exe = "11000" (twice)
IEXPLORE.EXE:
  Key created Main
  Key created Main\WindowsSearch
  Set value (str) Main\WindowsSearch\Version = "WS not running"
iexplore.exe:
  Key created Main
  Key created Main\WindowsSearch
  Set value (str) Main\WindowsSearch\Version = "WS not running"
  Set value (str) Main\FullScreen = "no"
  Set value (int) Main\CompatibilityFlags = "0"
  Key created BrowserEmulation\LowMic
  Key created IETld\LowMic
  Key created IntelliForms
  Key created InternetRegistry
  Key created LowRegistry
  Key created LowRegistry\DOMStorage
  Key created LowRegistry\DontShowMeThisDialogAgain
  Key created GPU
  Key created PageSetup
  Key created Zoom
  Key created Toolbar
  Key created Toolbar\WebBrowser
  Key created MINIE
  Set value (int) MINIE\TabBandWidth = "500"
  Key created SearchScopes
  Set value (int) SearchScopes\DownloadRetries = "3"
  Key created Recovery\PendingRecovery
  Set value (int) Recovery\PendingRecovery\AdminActive = "1"
  Set value (int) Recovery\PendingRecovery\AdminActive = "0"
  Key created Recovery\AdminActive
  Set value (int) Recovery\AdminActive\{C0A21F51-03F2-11EF-9387-E25BC60B6402} = "0"
  Key created TabbedBrowsing
  Set value (int) TabbedBrowsing\NTPFirstRun = "1"
  Key created TabbedBrowsing\NewTabPage
  Set value (data) TabbedBrowsing\NewTabPage\LastProcessed = 10919596ff97da01
  Set value (data) TabbedBrowsing\NewTabPage\MFV = (binary value not reproduced in this copy of the report)
  Set value (data) TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000395f22723dea25292fe3eb59f86d73cb987e4742f867ecbeb148fcf25dcdae1a000000000e8000000002000020000000a9ef4094d01672e4dfd35ab05996de52b85c3e3e4869b5fee2b3f0577e6f00ba20000000805240c7fe53ea1bebc68af12ed4ed8310a067d931d918f88bbc6e45f4ea9d4140000000c255e7ba3f8187d990e1253ea19abaefcd54d8c84203ad7c40dc617753a000f7ab30e10adf56d8a1afacd91d5bd8c5f02f252c069ba21c0e9aec9c5e622d8c03 (a DPAPI-protected blob)
The only deliberate change here is by hsscp.exe: FEATURE_BROWSER_EMULATION\hsscp.exe = 11000 forces an embedded WebBrowser control inside hsscp.exe to render in IE11 mode, which is how a .NET application opts its own process out of the legacy IE7 compatibility mode. The iexplore.exe and IEXPLORE.EXE entries are first-run housekeeping from Internet Explorer being launched during the run.
Modifies data under HKEY_USERS (64 IoCs)
Processes: netsh.exe, DrvInst.exe, cmw_srv.exe, msiexec.exe
All keys below are relative to \REGISTRY\USER\.DEFAULT\; repeated entries are collapsed.
netsh.exe:
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication"
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"
  Set value (data) SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
msiexec.exe:
  Key created SOFTWARE\Classes\Local Settings\MuiCache\2E
cmw_srv.exe:
  Key created Software\Microsoft\SystemCertificates\CA
  Key created SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
  Key created SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
  Key created SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
  Key created Software\Microsoft\SystemCertificates\SmartCardRoot
  Key created Software\Policies\Microsoft\SystemCertificates\CA
  Key created SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
  Key created SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
  Key created SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
  Set value (data) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
DrvInst.exe:
  Key created Software\Microsoft\SystemCertificates\ with subkeys CA, CA\Certificates, CA\CRLs, CA\CTLs, Disallowed, Disallowed\Certificates, Disallowed\CRLs, My, Root, Root\Certificates, Root\CRLs, SmartCardRoot, SmartCardRoot\Certificates, trust\Certificates, trust\CRLs, trust\CTLs, TrustedPeople, TrustedPeople\CRLs, TrustedPeople\CTLs, TrustedPublisher, TrustedPublisher\CTLs
  Key created Software\Policies\Microsoft\SystemCertificates\ with subkeys CA, CA\CRLs, CA\CTLs, Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs, trust, trust\Certificates, trust\CRLs, TrustedPeople, TrustedPeople\CRLs, TrustedPeople\CTLs, TrustedPublisher, TrustedPublisher\CTLs
  Key created Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  Set value (data) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32010 = "Provides the abilitiy to connect a host to a Remote Access Concentrator that supports RFC2516."
Writes under HKU\.DEFAULT come from processes running as LocalSystem. The SystemCertificates and WinTrust keys are CryptoAPI initialising that account's certificate stores while DrvInst.exe verifies the signed driver package and cmw_srv.exe validates certificates, which is consistent with a signed-driver install rather than a change to trust settings; none of the entries adds a certificate. The MuiCache strings are display names cached while netsh.exe and DrvInst.exe enumerated network components during the TAP adapter install.
Modifies registry class 26 IoCs
Processes:
msiexec.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\50C7F8FAAC9B2C24F8B1FB6990DAC782\A9671777F4B80B73AA78F8959964D msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\SourceList\PackageName = "lockHotspot Shield 9.8.7.1155_New.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\50C7F8FAAC9B2C24F8B1FB6990DAC782 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\ProductIcon = "C:\\Windows\\Installer\\{AF8F7C05-B9CA-42C2-8F1B-BF9609AD7C28}\\hsscp.exe" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\Clients = 3a0000000000 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\Version = "151519239" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\AuthorizedLUAApp = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CDBBCE8EC90D60142879B119A6310A5E msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\SourceList 
msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\50C7F8FAAC9B2C24F8B1FB6990DAC782\MainFeature msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\SourceList\Media\1 = "Disk1;Disk1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\50C7F8FAAC9B2C24F8B1FB6990DAC782\AIOtherFiles msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\PackageCode = "EC866ADCA8E25CE40B0C53A15783F8FE" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\hss721.blogspot.com\\Hotspot Shield 9.8.7 Pre-Active 9.8.7.11577\\install\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CDBBCE8EC90D60142879B119A6310A5E\50C7F8FAAC9B2C24F8B1FB6990DAC782 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\hss721.blogspot.com\\Hotspot Shield 9.8.7 Pre-Active 9.8.7.11577\\install\\" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\50C7F8FAAC9B2C24F8B1FB6990DAC782\ProductName = "Hotspot Shield 9.8.7 Pre-Active" msiexec.exe -
Processes:
cmw_srv.exeHotspotShield-9.8.7-plain-773-PreActive.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 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 cmw_srv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 HotspotShield-9.8.7-plain-773-PreActive.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 HotspotShield-9.8.7-plain-773-PreActive.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 HotspotShield-9.8.7-plain-773-PreActive.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 HotspotShield-9.8.7-plain-773-PreActive.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 cmw_srv.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 
[certificate blob hex omitted] cmw_srv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A cmw_srv.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
msiexec.exe, cmw_srv.exe (pid process): 2416 msiexec.exe 2416 msiexec.exe 912 cmw_srv.exe 912 cmw_srv.exe 912 cmw_srv.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exeHotspotShield-9.8.7-plain-773-PreActive.exedescription pid process Token: SeRestorePrivilege 2416 msiexec.exe Token: SeTakeOwnershipPrivilege 2416 msiexec.exe Token: SeSecurityPrivilege 2416 msiexec.exe Token: SeCreateTokenPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeAssignPrimaryTokenPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeLockMemoryPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeIncreaseQuotaPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeMachineAccountPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeTcbPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeSecurityPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeTakeOwnershipPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeLoadDriverPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeSystemProfilePrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeSystemtimePrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeProfSingleProcessPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeIncBasePriorityPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeCreatePagefilePrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeCreatePermanentPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeBackupPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeRestorePrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeShutdownPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeDebugPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeAuditPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeSystemEnvironmentPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeChangeNotifyPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeRemoteShutdownPrivilege 1936 
HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeUndockPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeSyncAgentPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeEnableDelegationPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeManageVolumePrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeImpersonatePrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeCreateGlobalPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeCreateTokenPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeAssignPrimaryTokenPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeLockMemoryPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeIncreaseQuotaPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeMachineAccountPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeTcbPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeSecurityPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeTakeOwnershipPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeLoadDriverPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeSystemProfilePrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeSystemtimePrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeProfSingleProcessPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeIncBasePriorityPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeCreatePagefilePrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeCreatePermanentPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeBackupPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeRestorePrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeShutdownPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeDebugPrivilege 1936 
HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeAuditPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeSystemEnvironmentPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeChangeNotifyPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeRemoteShutdownPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeUndockPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeSyncAgentPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeEnableDelegationPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeManageVolumePrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeImpersonatePrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeCreateGlobalPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeCreateTokenPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeAssignPrimaryTokenPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe Token: SeLockMemoryPrivilege 1936 HotspotShield-9.8.7-plain-773-PreActive.exe -
Suspicious use of FindShellTrayWindow 22 IoCs
Processes:
HotspotShield-9.8.7-plain-773-PreActive.exe, hsscp.exe, hsscp.exe, iexplore.exe (pid process): 1936 HotspotShield-9.8.7-plain-773-PreActive.exe 1936 HotspotShield-9.8.7-plain-773-PreActive.exe 2976 hsscp.exe 2332 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 584 iexplore.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe -
Suspicious use of SendNotifyMessage 16 IoCs
Processes:
hsscp.exe (pid process): 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe 2976 hsscp.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
iexplore.exe, IEXPLORE.EXE (pid process): 584 iexplore.exe 584 iexplore.exe 2368 IEXPLORE.EXE 2368 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msiexec.exeMsiExec.exeHotspotShield-9.8.7-plain-773-PreActive.exetap-windows-9.21.2.exetap-windows-9.21.2.EXEDrvInst.execmw_srv.exedescription pid process target process PID 2416 wrote to memory of 2972 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 2972 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 2972 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 2972 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 2972 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 2972 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 2972 2416 msiexec.exe MsiExec.exe PID 2972 wrote to memory of 1336 2972 MsiExec.exe HotspotShield-9.8.7-plain-773-PreActive.exe PID 2972 wrote to memory of 1336 2972 MsiExec.exe HotspotShield-9.8.7-plain-773-PreActive.exe PID 2972 wrote to memory of 1336 2972 MsiExec.exe HotspotShield-9.8.7-plain-773-PreActive.exe PID 2972 wrote to memory of 1336 2972 MsiExec.exe HotspotShield-9.8.7-plain-773-PreActive.exe PID 1936 wrote to memory of 2232 1936 HotspotShield-9.8.7-plain-773-PreActive.exe tap-windows-9.21.2.exe PID 1936 wrote to memory of 2232 1936 HotspotShield-9.8.7-plain-773-PreActive.exe tap-windows-9.21.2.exe PID 1936 wrote to memory of 2232 1936 HotspotShield-9.8.7-plain-773-PreActive.exe tap-windows-9.21.2.exe PID 1936 wrote to memory of 2232 1936 HotspotShield-9.8.7-plain-773-PreActive.exe tap-windows-9.21.2.exe PID 1936 wrote to memory of 2232 1936 HotspotShield-9.8.7-plain-773-PreActive.exe tap-windows-9.21.2.exe PID 1936 wrote to memory of 2232 1936 HotspotShield-9.8.7-plain-773-PreActive.exe tap-windows-9.21.2.exe PID 1936 wrote to memory of 2232 1936 HotspotShield-9.8.7-plain-773-PreActive.exe tap-windows-9.21.2.exe PID 2232 wrote to memory of 384 2232 tap-windows-9.21.2.exe tap-windows-9.21.2.EXE PID 2232 wrote to memory of 384 2232 tap-windows-9.21.2.exe tap-windows-9.21.2.EXE PID 2232 wrote to memory of 384 2232 tap-windows-9.21.2.exe tap-windows-9.21.2.EXE PID 2232 wrote to memory of 384 
2232 tap-windows-9.21.2.exe tap-windows-9.21.2.EXE PID 2232 wrote to memory of 384 2232 tap-windows-9.21.2.exe tap-windows-9.21.2.EXE PID 2232 wrote to memory of 384 2232 tap-windows-9.21.2.exe tap-windows-9.21.2.EXE PID 2232 wrote to memory of 384 2232 tap-windows-9.21.2.exe tap-windows-9.21.2.EXE PID 384 wrote to memory of 1104 384 tap-windows-9.21.2.EXE tapinstall.exe PID 384 wrote to memory of 1104 384 tap-windows-9.21.2.EXE tapinstall.exe PID 384 wrote to memory of 1104 384 tap-windows-9.21.2.EXE tapinstall.exe PID 384 wrote to memory of 1104 384 tap-windows-9.21.2.EXE tapinstall.exe PID 384 wrote to memory of 1632 384 tap-windows-9.21.2.EXE tapinstall.exe PID 384 wrote to memory of 1632 384 tap-windows-9.21.2.EXE tapinstall.exe PID 384 wrote to memory of 1632 384 tap-windows-9.21.2.EXE tapinstall.exe PID 384 wrote to memory of 1632 384 tap-windows-9.21.2.EXE tapinstall.exe PID 1928 wrote to memory of 2588 1928 DrvInst.exe rundll32.exe PID 1928 wrote to memory of 2588 1928 DrvInst.exe rundll32.exe PID 1928 wrote to memory of 2588 1928 DrvInst.exe rundll32.exe PID 1936 wrote to memory of 2804 1936 HotspotShield-9.8.7-plain-773-PreActive.exe HotspotShield-9.8.7-plain-773-PreActive.exe PID 1936 wrote to memory of 2804 1936 HotspotShield-9.8.7-plain-773-PreActive.exe HotspotShield-9.8.7-plain-773-PreActive.exe PID 1936 wrote to memory of 2804 1936 HotspotShield-9.8.7-plain-773-PreActive.exe HotspotShield-9.8.7-plain-773-PreActive.exe PID 1936 wrote to memory of 2804 1936 HotspotShield-9.8.7-plain-773-PreActive.exe HotspotShield-9.8.7-plain-773-PreActive.exe PID 2416 wrote to memory of 2740 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 2740 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 2740 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 2740 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 2740 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 2740 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 2740 2416 
msiexec.exe MsiExec.exe PID 2416 wrote to memory of 1036 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 1036 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 1036 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 1036 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 1036 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 1036 2416 msiexec.exe MsiExec.exe PID 2416 wrote to memory of 1036 2416 msiexec.exe MsiExec.exe PID 912 wrote to memory of 1948 912 cmw_srv.exe hsscp.exe PID 912 wrote to memory of 1948 912 cmw_srv.exe hsscp.exe PID 912 wrote to memory of 1948 912 cmw_srv.exe hsscp.exe PID 912 wrote to memory of 2976 912 cmw_srv.exe hsscp.exe PID 912 wrote to memory of 2976 912 cmw_srv.exe hsscp.exe PID 912 wrote to memory of 2976 912 cmw_srv.exe hsscp.exe PID 1936 wrote to memory of 1596 1936 HotspotShield-9.8.7-plain-773-PreActive.exe MSI7480.tmp PID 1936 wrote to memory of 1596 1936 HotspotShield-9.8.7-plain-773-PreActive.exe MSI7480.tmp PID 1936 wrote to memory of 1596 1936 HotspotShield-9.8.7-plain-773-PreActive.exe MSI7480.tmp PID 1936 wrote to memory of 1596 1936 HotspotShield-9.8.7-plain-773-PreActive.exe MSI7480.tmp -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes:
attrib.exe (pid process): 544 attrib.exe 1764 attrib.exe 2800 attrib.exe 1104 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HotspotShield-9.8.7-plain-773-PreActive.exe"C:\Users\Admin\AppData\Local\Temp\HotspotShield-9.8.7-plain-773-PreActive.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\hss721.blogspot.com\Hotspot Shield 9.8.7 Pre-Active\prerequisites\tap-windows-9.21.2.exe"C:\Users\Admin\AppData\Roaming\hss721.blogspot.com\Hotspot Shield 9.8.7 Pre-Active\prerequisites\tap-windows-9.21.2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tap-windows-9.21.2\tap-windows-9.21.2.EXEC:\Users\Admin\AppData\Local\Temp\tap-windows-9.21.2\tap-windows-9.21.2.EXE /S3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\TAP-Windows\bin\tapinstall.exe"C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap09014⤵
- Executes dropped EXE
-
C:\Program Files\TAP-Windows\bin\tapinstall.exe"C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap09014⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\HotspotShield-9.8.7-plain-773-PreActive.exe"C:\Users\Admin\AppData\Local\Temp\HotspotShield-9.8.7-plain-773-PreActive.exe" /i "C:\Users\Admin\AppData\Roaming\hss721.blogspot.com\Hotspot Shield 9.8.7 Pre-Active 9.8.7.11577\install\lockHotspot Shield 9.8.7.1155_New.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Hotspot Shield" SECONDSEQUENCE="1" CLIENTPROCESSID="1936" AI_MORE_CMD_LINE=12⤵
- Enumerates connected drives
-
C:\Users\Admin\AppData\Local\Temp\MSI7480.tmp"C:\Users\Admin\AppData\Local\Temp\MSI7480.tmp" https://hss721.blogspot.com2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\EXE751D.bat" "2⤵
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "\\?\C:\Users\Admin\AppData\Roaming\HSS721~1.COM\HOTSPO~1.115\install\LOCKHO~1.MSI"3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE751D.bat"3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE751D.bat" "3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" cls"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\EXE752E.bat" "2⤵
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "\\?\C:\Users\Admin\AppData\Roaming\HSS721~1.COM\HOTSPO~1.115\install\LOCKHO~1.MSI"3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE752E.bat"3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE752E.bat" "3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" cls"3⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 31520F86245E4D9671DC9151DCD70545 C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\HotspotShield-9.8.7-plain-773-PreActive.exe"C:\Users\Admin\AppData\Local\Temp\HotspotShield-9.8.7-plain-773-PreActive.exe" /groupsextract:100; /out:"C:\Users\Admin\AppData\Roaming\hss721.blogspot.com\Hotspot Shield 9.8.7 Pre-Active\prerequisites" /callbackid:29723⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 24A0A8CE209FE9E0244EBBEBC27685872⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 79BC2233DB6351CF913C5181B29F2991 M Global\MSI00002⤵
- Loads dropped DLL
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3d165471-726d-2f03-e272-2f252b30f459}\oemvista.inf" "9" "6d14a44ff" "00000000000005A4" "WinSta0\Default" "00000000000002D0" "208" "c:\program files\tap-windows\driver"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3f42a4ad-0ec0-1b3a-fee5-04153d957251} Global\{46e5b5f9-b713-2e9b-40bc-6a5837c37e48} C:\Windows\System32\DriverStore\Temp\{2c00829c-b87d-7d13-ed3c-302f7386734f}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{2c00829c-b87d-7d13-ed3c-302f7386734f}\tap0901.cat2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C0" "00000000000005D4"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.0.0.21:tap0901" "6d14a44ff" "00000000000005A0" "00000000000005C8" "00000000000005D8"1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Hotspot Shield\9.8.7\bin\cmw_srv.exe"C:\Program Files (x86)\Hotspot Shield\9.8.7\bin\cmw_srv.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Hotspot Shield\9.8.7\bin\hsscp.exe"C:\Program Files (x86)\Hotspot Shield\9.8.7\bin\hsscp.exe" "-closeupgrade" "-quit"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Hotspot Shield\9.8.7\bin\hsscp.exe"C:\Program Files (x86)\Hotspot Shield\9.8.7\bin\hsscp.exe"2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\netsh.exe"netsh.exe" wlan show interfaces2⤵
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Hotspot Shield\9.8.7\bin\hsscp.exe"C:\Program Files (x86)\Hotspot Shield\9.8.7\bin\hsscp.exe" -CONNECT1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Defense Evasion
- Virtualization/Sandbox Evasion 1
- Modify Registry 2
- Subvert Trust Controls 1
- Install Root Certificate 1
- Hide Artifacts 1
- Hidden Files and Directories 1
Downloads
-
C:\Config.Msi\f764c00.rbs
Filesize 30KB
MD5 80dbb2a1a0d2ae8878b99fdd156258f8
SHA1 9c4de070aa321f3b4321e893772f0d6929603e48
SHA256 1345519598c65dff4ae61599b3c07301584a424e68e4030fca0518f6071e3705
SHA512 33cb4fd7823e1ec801af55335d44d41d81a328a58218d2a7cc559b6e2c09c019213849615eece102fab96b6ac59fa327ebd70a424d64ae5bffcb3ce3f9140668
-
C:\Program Files (x86)\Hotspot Shield\9.8.7\bin\hsscp.exe
Filesize 93KB
MD5 78044db9f3477fe94d8276b0d355f4b4
SHA1 a47d7aec6d5e57b71ea6cb5ccb5a8a047aea0bd3
SHA256 99f547bff69548e7eb9b5d5bea45a8ab90a372732850db1e2ac8f641b2e2b6e5
SHA512 9c7dd0215419019a072439c40b3cd9cba16270435d83c5f5f9f4190f9300461c41cc615ee913164546bc179ffc52386741bd17c8b8597c9a79fc81380b0b8723
-
C:\Program Files\TAP-Windows\bin\tapinstall.exe
Filesize 90KB
MD5 d10f74d86cd350732657f542df533f82
SHA1 c54074f8f162a780819175e7169c43f6706ad46c
SHA256 c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67
SHA512 0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e
-
C:\Program Files\TAP-Windows\driver\OemVista.inf
Filesize 7KB
MD5 87868193626dc756d10885f46d76f42e
SHA1 94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f
SHA256 b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41
SHA512 79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277
-
C:\ProgramData\Hotspot Shield\logs\hssfx.2024-04-26.logFilesize
13KB
MD54f79a2161c95687f37d4b11c4c4f5356
SHA1cc4f214a3ccdec97b959d22982139c906943ba1d
SHA2569332963fb8b495e22db8df8f5c72056eb6a6f8440cb1f40aac8556ce08d6e772
SHA5122dec1ca4cf71796c6d6d7a016b912c5a0ab277119b7847fab5087afd548267971b485fc70909b0e7f9628fa4fd52c8bcbc349c98312067b266c4cc78c194033f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5cb059fe8dd78e9ad52769b37e9443bdd
SHA19efe27d3ee00acba596aa4f9b48ccf9219b40f06
SHA2563b69b970b26f95ee84af46cd7d494289a0dd4f1260b133c196057262d8492c6a
SHA5125e5dfdd56bd1c06e95bbcf658280b7631a9cc0261167ccb9e5ed530324a63fedd76e8c4eb22cbff42bf03a9426d8326269d0105bb6a650540af319c1ebde7845
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5152c8d9f5d06950550509d8909f6a84b
SHA1748fec6bd2618ab60f98fef16fb52c2820f74259
SHA256fbeb24bc83f093700dd251cf02a1c8d58f7f8b745782e87f19798cef4e2bb0af
SHA512500ce8e0cc3090b88eafc7a53c08f137f73a8f56ff78eb78ee69ada468a8a7c44a36546315b04800c9ed2fa4cb8214b938b125e01e4e0ca4910dbdba36b8ef57
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5a576f3c40f3340dba5aeb7b9f981e11f
SHA15b2074ca8df817a1273dbbfc0a7031c3857d0f76
SHA25625308a36d262a7c369453cfeb76d766740d22a5d86098bab84b2cb7a74f6abef
SHA512795fd3c90bef13dcbbbd96298977c98bd082ef47e92be395e81cdba06b878354d7456d7ce9decfe5206d80dbd38458e7b5c6c4025639f7a3ea3325bcf45fa3d4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5712a0a2389abdb898f959fcee6566a71
SHA17b326c582888429068f956782e2ea55e7616a63f
SHA256f008c41fc07b1ead0bea75b1adaf38decb7d689ce27ea6b45cca36d4901af576
SHA5127a4eed9d3cfd241afb085b18b7a70be5b0dc919609ded6021f8277929889a383312535a77e4470f1645e90c68ef1ddf0bcee513a87b5314a9ed2a1e7da504d6f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD51592b62b689108a7607d896754a70726
SHA123b3c1de876978a1cb1ecbc056de4131d3d0b343
SHA2563e09be7c9969dbbf76147234e6ebd20bb47bda307bfd1b022d4f2d1b949ad9d8
SHA512caa5b41f3dff63f321a82a21597aa433f47b3bb96b53c8d77ed3de9a3881e065d5809e5835031a296184039241579cc25f1028c7080f6f5db65cde2ac828cda1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5c92e581c6bfc459924e78b17d404ec30
SHA1d5aa53edf31812784e1e80329af76adacec41404
SHA2564524a46997506fd4b949a285259667f274a4b58a4770436ff266cc0440a682ec
SHA512cec9c51adb5c9cb3508132e596a21adc7b4ff7b20eac9293207e40770a0c0e94e44258efcc6f138b2737081261252dab470340f3e722441d07b7c759578dbbf7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD519bfff9a376bb7155c417841ac72cc27
SHA156a200d9e3c9fca55305af9ecb91fa6e38378d73
SHA2564a8c06d87c01e6385484583d65cde7cca10a5d7ad922e6b84df51896760866b2
SHA512876aa530ad2d9a25fb4016cfa56049326c07a3e22a585de6c9f64a77a3e0f1312a1f341170d8b8792234a39e5f2790de5eca0396b23556efb055d4468264bf0d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD57e601f52906cc5b4b389cd617684aa2a
SHA1760bd82bb35b5387b8cf4872f229f4b61be07b59
SHA2560bfdf65eb7ab5a08fda0cf94f7a9e00d4c7c6a14b57d58f4d699b649bc9bc4a3
SHA512753e568940a2bcdfffd98b90778c6eefd6d76a7ae24558dfff5efb6f7e6221c810fb1f235298e8643bb9146bdcc5ce5846443ba2df6dba647e710985d695ca67
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD569ad966c01b19da5264396cde96246c8
SHA1e92d2927bd44acb6be45ceaaa13ade73e7972b47
SHA256c69979013fd98acf664153176c2abcc062d13d3a2434bb117829eba0efe9c08f
SHA51255cb95072473e67caf950ea0b653a112542fd97d5581bb3c66efb84eac06e816c5a34261106318849aa332d9b3dcf17da64b608781057066ecc116529b3177e1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD56be9ee514ca1e51f8752aef67d3ea8ea
SHA1e0e397d011ec12a66bac80bb127822506e9e79c2
SHA256cc6f1052a5c349babc77a198d594e283ed98b38d7877319f2e76567ece176499
SHA51228581234bc087ba4b3e590e93601cc9a6660744510b8a75f0ae8f659dfdff6254e8c232cb1c8fa2b9797da0f94a3d1de452215689805b9abf37cc75670807060
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD531f016d362f677bec723ba982ed6259e
SHA14c609f74a98d78e832f1fa3d397d000ac2e1bd7d
SHA25668d717a56cb7c99d8c1feae936a636e30050183ad3e6c7033b74457667bd85fe
SHA512ad0c5bea186a41016bddf6b0f377a315bd3c1267a666d1c10c012afc0e60b21df3c71a5a0ef11547a125928bbd813ff0eead34443e771ba8c8994752cc607299
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\cb=gapi[1].js
Filesize 133KB
MD5 4d1bd282f5a3799d4e2880cf69af9269
SHA1 2ede61be138a7beaa7d6214aa278479dce258adb
SHA256 5e075152b65966c0c6fcd3ee7d9f62550981a7bb4ed47611f4286c16e0d79693
SHA512 615556b06959aae4229b228cd023f15526256311b5e06dc3c1b122dcbe1ff2f01863e09f5b86f600bcee885f180b5148e7813fde76d877b3e4a114a73169c349
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\favicon[1].ico
Filesize 1KB
MD5 8172b1911cbc828a8526a2dd749f0e76
SHA1 3a6572f35572e800e63e1ac68f9d4f997da0f756
SHA256 3090191e7bf9b5ad35c99de9d565708f43f38bac2007ec03031ebf42eafbbf99
SHA512 ab7a1881870f3308e99ba6b7ef57253eb70b13d6c86c159f361327c8a61295bf1a7b395ae67fe932640901922cf1dbd10b17ec8df30798c796e21d074e51459e
-
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1936\i0002upd.png
Filesize 45KB
MD5 983f1459240315a53676f954656aedab
SHA1 7cba018aba1743f729c59e8a46a02f72747d0a17
SHA256 4e0d59b85db4a7d479b4afe722ff4f5e22a7f1d3b9226dac00a09e38ff33e0ea
SHA512 be0f9af15a5be33f0eee4592b850767979705eb68a1b49967a1008918198965384c2492e3219add360b7bee22af69b37d4b515f840042fc99c6739bc4a83c935
-
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1936\i001upd.png
Filesize 50KB
MD5 9e3d2da837304d1e277568820bea4841
SHA1 68975bf7379ec097876d92154b6a7ce9f9394a15
SHA256 dd4042ba64b4864526bf816035cc135c22ff125983edc0d7a7481afeb8633620
SHA512 3e004395a0143cbca0196fb1910ad5aba312b031ef89fdf8f58243743fd20279db1aab6d202cb0bc39b4e357c66d1e3b55335f266124b58d1d8a37c2c9f9c4c7
-
C:\Users\Admin\AppData\Local\Temp\Cab11ED.tmp
Filesize 65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\EXE751D.bat
Filesize 477B
MD5 cec2027d1263eb858f6f1813203995c4
SHA1 9a662518d95b7e8f4e98925e69e0bc57cab90022
SHA256 35d93406e68cccef9835594e8f31edd173bdf8a51fbf58e592595dfc83bf3c1d
SHA512 c9fae26f7a3929c942cfc7d9d275868768fcc04f40764dfd2947e199a35d9c497676da93b8a97328be1b26f5200f700ae8288b63049b3805cc0382d451775ee8
-
C:\Users\Admin\AppData\Local\Temp\EXE752E.bat
Filesize 477B
MD5 03eb717ccbf65cbd6c53a4e4a456ed53
SHA1 2b2827c7441f9bc02fa6bd851aba44d4a89548b3
SHA256 95128a588bb9b0b7ef0c02ac0cb8e31b33c71809ab401c4678e7000986a95357
SHA512 a3c82cfc2b9eeb37930883f1640e36841423bee1f78509757554a61bdd3b57932a994b267b139afd6a07ea6966d674644a8131f6a555215d5afc308dee47e530
-
C:\Users\Admin\AppData\Local\Temp\MSI135C.tmp
Filesize 376KB
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
C:\Users\Admin\AppData\Local\Temp\MSI13DA.tmp
Filesize 834KB
MD5 b0b2090c4200fb19e335598969a40f26
SHA1 e31d5533f85ef03dd8eb21723df14ff71586bb60
SHA256 e16ce1f8a1b24d03353502af35fa159ab9962b4ecce8f3bb9dd4b075552505cd
SHA512 177dad69d6773dab432a39a91f113949573caa3f3513e1e79361e9d74efe813746bd25a9101ec6436be7476cd77b663102d7ee138a01afbc902738e3ad75fce2
-
C:\Users\Admin\AppData\Local\Temp\MSI1594.tmp
Filesize 525KB
MD5 1c62521f4ade74fe465aaf61049c3634
SHA1 758bd079f98c5f1153213a4c78ee25f89eb64fa6
SHA256 ae5544ebfa8d92072562dcc4f3a6b48e77ab1a1e263e8e8dabebf6a627286f9e
SHA512 4b58f0216f2dcfff69f3e668d09e21c0c85a7087a01621f43a787344afcf31d05644b9374b2ee4719b2ede0019d88083104f7a8122409c1ea961a9c5016262fd
-
C:\Users\Admin\AppData\Local\Temp\MSI7480.tmp
Filesize 400KB
MD5 867b627b008d149f15e8df90d2648d41
SHA1 543fc2763f98378c5777f0dc1f11f54ee3a71733
SHA256 51d309734f25d009714a0e4d428ffee3f42bfaa3eaf21da68369405f3a0a8233
SHA512 9c3beb4c8c5319f1f584c49fa66b1ee704b6ecb56184af0024a4e363979466c2933a99fa0662532b0ac8ca22536b1717de8214cd828094bbc38f9d8bb3d2da44
-
C:\Users\Admin\AppData\Local\Temp\Tar11F0.tmp
Filesize 171KB
MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\Admin\AppData\Local\Temp\Tar1E2E.tmp
Filesize 177KB
MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Roaming\hss721.blogspot.com\Hotspot Shield 9.8.7 Pre-Active 9.8.7.11577\install\lockHotspot Shield 9.8.7.1155_New.msi
Filesize 3.1MB
MD5 cf4269c3d102e0135c4bd545f2afc873
SHA1 f69374358a9d630e06f96bb4f689e273f57d4b4d
SHA256 f188a500beef2b19c7371a18c075ad75ee56d455b140f108a43ee6f139c85888
SHA512 7b49b99403e717a8ced8691104d34e395327b1f55bcfb739a95437ca53fb74247f321e4c5c9254504925185f9404a30a648f1817d1f708a208290b806a3caf21
-
C:\Users\Admin\AppData\Roaming\hss721.blogspot.com\Hotspot Shield 9.8.7 Pre-Active\prerequisites\tap-windows-9.21.2.exe
Filesize 410KB
MD5 c76d5aac2e2b40835d531b8728b1c8fd
SHA1 a6b6214d1558a3bea44895866aeafe54c01c709e
SHA256 24769bd2906e7f46e11ab8669f8fc345497f914e006e8512b99d52f1077c4b48
SHA512 e33e3549c4c72903712bb6dd85350d36e7a5de5bed27e54d19e8354ce2e0fe6e229299c761ce79045f6ce6da5da28d73c94c06b7957436c63c486ff91a072393
-
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.PNF
Filesize 8KB
MD5 ccea12d4aa8d1a1b8736a0b5cde909f7
SHA1 f29d60e350ec59ba77520b4dd9c631c227525443
SHA256 ea254c2f5bf5660c97de39585c9ee819482b825dce9877cd041f2f82690b4416
SHA512 f50bc79696fe84a4ecd5e77b07a85d0d6c40b8c4963bba6282a030c5ade2d513e0ffe8e299e20934dda487c475280e4e15a48e3c3c7ea3b08ed25aeb058084ee
-
C:\Windows\System32\DriverStore\INFCACHE.1
Filesize 1.4MB
MD5 e107e5137861ac98aca7ca7678a7c6ae
SHA1 d9caf50da3516f8a0da502d9eb05100e76c181c2
SHA256 5e9362ddabbe0577088bcb2e68cb43df86598c89ace3443092929fd45ad7f82d
SHA512 921d3026cfe14f8458422cf1422177d7d2518d133c663b311891242a32ea84790dbd0e9698d88acec917c44a726c64755f982ab3d2b1a9bfbfbab7dd88765b67
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize 1KB
MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize 1KB
MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize 230B
MD5 c2f49ec4e4d78e27dbc2025a6fc604dc
SHA1 810afc01f803875780cad0eb0d751e5b573751f3
SHA256 35324b98d0ada41dd46c6f89ab31d250bcc902ce00d604200610eaaabec8442f
SHA512 d1951b2eddd1a48ed2c42f9736bc5210386d4add96e7118e4deb216714f75df236d173686b1729142b854255b6302143e6926118dba15e9e1aed4e57bdb171fd
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 3feb52628a758d96ccbfff61e72cffe6
SHA1 55badd96e1a171b891d40c664705e2119632e7c4
SHA256 fb59bfdb687d34f345b550d6d20e68c6efe113fba0fe4c9211242b58f7398dd7
SHA512 47e6d267d4eeee8b28e8245869f02b22b80b16f92b44cec0a7b83774a8d3241ab6b91718db7db2b7869d657a154ff6b3cff55049c8b92353a359fd2a2ae71e7d
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 80ca8339438d2f3082e3b8a1949c2ed3
SHA1 3bda36ac1a23607dc1ce5cab440309f970091345
SHA256 ea3bd40087af39945d9a91b370a3f31dc4748a3d9a7d7e9c36f5e66d3230d379
SHA512 ce1ffddc30976486497b19fa3b380c92c5f510dac4e07523bd563b6d1e9808420b46638d25cb44c3a06aeefc996461b3a3201b6306ef1dd78937abd939a0d9d0
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 ca9b5bc87b87cffd2336a862d4fd9cc4
SHA1 0152581b1c9ff7f4d3635fbc8ef2a3b44b765082
SHA256 a72bba45eae5f984d031f441820807a80b324e0be54c3b505ea82e5c99b7a3ce
SHA512 01d73f6efec788cdda1fee8ffa5b26883c23dc911f4872acb2cd9133b559112920afa9530520d3ca51617a35518222239e921a9931734fa7021f0cd5045f82f7
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 ac7bc6ad5d34396374ab1ce4deaeae85
SHA1 c9cfb836d76f2b159330e74a86f099372f30b372
SHA256 520df75650658872053b066af189117cc1ee2cff9dbabe4d039d4cd90810edbd
SHA512 838be1e8410cf76488470035c0f8a304dd0ab918c14aa35c8e346bcd2cf105375067ce17a8773c1bd6c31fb529a0ebb4b03ae97262df8dae160d97b9158f09b7
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 b5555de66aae00f717bf344a716432fa
SHA1 ecb2effc33819b41ade8b19f5e21ac5351e0196e
SHA256 e87246be517d3df1655e9887c072d076e4a99b6ccf7a42dc08e681d8b89fd6a8
SHA512 1197d0553498b0672fd974b78f1f4bfca4e8901aa2d5d812a3ff7e166241b7d41bfd748b53b3543ada9bf7a4d895c575993e3b5799b1d053558513318b3c2809
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize 242B
MD5 6e17baa7d0490f49a068a988833d23a3
SHA1 54e147d02fedbccdad4776fb0c3b4f82e7bd125f
SHA256 e3a40a55d0893a6131f8a12b0c4d150a8e49f0c1a2b2b2162de003ed53aa3ae6
SHA512 b1127ddd08152d8cd2d474f5a46ed2d225911b9bbb54b79cfa1a3de3ca2ce145ac575be84f702d1735f5ecb4527e9839ab8521bed7154f6b88761b3fa848cff8
-
C:\Windows\Temp\24364f73-9b8c-4dad-9bac-b5c9a01136f2\AgileDotNetRT64.dll
Filesize 3.1MB
MD5 4d8082b3de02f82db9a515e9dab5d2b6
SHA1 057a20ade70244601d0fe50f7011c95bae335ea5
SHA256 936b1537b6efcece032c05661238b06beefc61ff76e82b7c5d9fe558a9360a4c
SHA512 7b9153e9948e0f911fcb0b145678a56cac4abd948fa99e07c331760f02dce096cf3be7d2d8493cf7a76460c7172e24eaa45c1283a28353501b2876c54752c60d
-
C:\Windows\Temp\Cab1F84.tmp
Filesize 29KB
MD5 d59a6b36c5a94916241a3ead50222b6f
SHA1 e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256 a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA512 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
C:\Windows\Temp\Tar1FB6.tmp
Filesize 81KB
MD5 b13f51572f55a2d31ed9f266d581e9ea
SHA1 7eef3111b878e159e520f34410ad87adecf0ca92
SHA256 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512 f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c
-
C:\Windows\Temp\Tmp61D0.tmp
Filesize 1KB
MD5 bc814b85fd324ed82a1f6a5489e1ffc9
SHA1 a2ce63f23ba167d9162233dff973a81905ce32a8
SHA256 04493b0c31b139f4373efaec4416e955cd991aad901738d5eb17716616899e96
SHA512 17cfa1502130259bee0671d3fa2a2c0583ac6c14d7f15f12616c55ebf21d40e448829121af2114be84423ba53f481ef644cefef8fa897f9baa55dd477155dfb9
-
C:\Windows\Temp\Tmp61E1.tmp
Filesize 1KB
MD5 b75fdcb58153f77358f11c2f21c9cc95
SHA1 bff0d53ad4d8c20f3da759cd9a4ab5874325aaac
SHA256 63bed24f4c3dd97aadfb055cee41af5d15512234e7d353550361c3d7fa5e13e4
SHA512 9a10350c66fdfb99a6689ad1fae0d0a0df094a5dcd1f559bf90c5b1d301551a4adf3152a3cff1bd27f09eee24ea6c0fcc1ac5f40fa246dbff3aa2badc61d2374
-
C:\Windows\inf\oem2.PNF
Filesize 8KB
MD5 26f9b880c6022e0ce55fd31efb11adfb
SHA1 a6d3f9cfd5d6d3782817f7dd658519d3cbfe71fd
SHA256 6d46f7956d927bb7a0ff443c6d5103972f50b4cc84f4b3b1910151587f22e0a5
SHA512 e3f08a265c54e814a3e1f995bd510c6a887c31e2d888c1696c51898436ecf43a42ed7f694f7e1e8ddfbf494a267567c7cf430645b7e9d0bd185b7a7680a1e580
-
\??\c:\PROGRA~1\TAP-WI~1\driver\tap0901.sys
Filesize 26KB
MD5 d765f43cbea72d14c04af3d2b9c8e54b
SHA1 daebe266073616e5fc931c319470fcf42a06867a
SHA256 89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0
SHA512 ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2
-
\??\c:\program files\tap-windows\driver\tap0901.cat
Filesize 19KB
MD5 c757503bc0c5a6679e07fe15b93324d6
SHA1 6a81aa87e4b07c7fea176c8adf1b27ddcdd44573
SHA256 91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e
SHA512 efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99
-
\Users\Admin\AppData\Local\Temp\nsd1C96.tmp\NAct.dll
Filesize 201KB
MD5 829926ee865dd1f09171da907dec2859
SHA1 037063d810aa6713104c9b1f86f8bf30c90bbe97
SHA256 1f20ac9e70907377dc786cea35978bc11fb59f8cfd21e2ef69454ece306d60b2
SHA512 2bfd4283cbc192500d50f1cffbf4e792bba64135cb069307c2affedc5811d4ef9ee8734b40866a2f6fe7c959d20e8e97542f71aa2aad44e9725aa92f9ae9b353
-
\Users\Admin\AppData\Local\Temp\nsd1C96.tmp\UAC.dll
Filesize 14KB
MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
\Users\Admin\AppData\Local\Temp\nso1D23.tmp\System.dll
Filesize 11KB
MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
\Users\Admin\AppData\Local\Temp\nso1D23.tmp\UserInfo.dll
Filesize 4KB
MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b
-
\Users\Admin\AppData\Local\Temp\nso1D23.tmp\nsExec.dll
Filesize 6KB
MD5 acc2b699edfea5bf5aae45aba3a41e96
SHA1 d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512 e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
\Users\Admin\AppData\Local\Temp\tap-windows-9.21.2\tap-windows-9.21.2.EXE
Filesize 250KB
MD5 47fa5f0670cf191d066e5dfbf4f4ee70
SHA1 db9d441c209fb28b7c07286a74fe000738304dac
SHA256 645bee92ba4e9f32ddfdd9f8519dc1b9f9ff0b0a8e87e342f08d39da77e499a9
SHA512 514f0dd1b7d8c4aad5cc06882a96be2096e57eb4228df1d78f2bcc60003af8ebc057cce5eedda9b8a2dc851a52895c0a4b07556b4535271767817d9ea45e0713
-
memory/912-744-0x000000001AA40000-0x000000001AA4C000-memory.dmp
Filesize 48KB
-
memory/912-1411-0x000007FEE7E70000-0x000007FEE86DC000-memory.dmp
Filesize 8.4MB
-
memory/912-712-0x000000001A830000-0x000000001A85E000-memory.dmp
Filesize 184KB
-
memory/912-713-0x0000000000C80000-0x0000000000C8A000-memory.dmp
Filesize 40KB
-
memory/912-714-0x0000000000EF0000-0x0000000000EF8000-memory.dmp
Filesize 32KB
-
memory/912-715-0x0000000019750000-0x0000000019768000-memory.dmp
Filesize 96KB
-
memory/912-716-0x000000001A960000-0x000000001A9CE000-memory.dmp
Filesize 440KB
-
memory/912-717-0x000000001A6F0000-0x000000001A6F8000-memory.dmp
Filesize 32KB
-
memory/912-710-0x0000000019CF0000-0x0000000019D0E000-memory.dmp
Filesize 120KB
-
memory/912-709-0x0000000019CC0000-0x0000000019CE4000-memory.dmp
Filesize 144KB
-
memory/912-738-0x000000001A700000-0x000000001A708000-memory.dmp
Filesize 32KB
-
memory/912-739-0x000000001A9F0000-0x000000001A9FC000-memory.dmp
Filesize 48KB
-
memory/912-740-0x000000001AB90000-0x000000001ABE6000-memory.dmp
Filesize 344KB
-
memory/912-741-0x000000001ABF0000-0x000000001AC38000-memory.dmp
Filesize 288KB
-
memory/912-743-0x000000001AFB0000-0x000000001B00A000-memory.dmp
Filesize 360KB
-
memory/912-708-0x0000000019780000-0x0000000019794000-memory.dmp
Filesize 80KB
-
memory/912-745-0x000000001B310000-0x000000001B358000-memory.dmp
Filesize 288KB
-
memory/912-707-0x0000000019730000-0x000000001974C000-memory.dmp
Filesize 112KB
-
memory/912-706-0x0000000019710000-0x000000001972C000-memory.dmp
Filesize 112KB
-
memory/912-705-0x0000000019660000-0x0000000019684000-memory.dmp
Filesize 144KB
-
memory/912-704-0x000000001A640000-0x000000001A6E6000-memory.dmp
Filesize 664KB
-
memory/912-703-0x00000000194E0000-0x00000000194FA000-memory.dmp
Filesize 104KB
-
memory/912-702-0x0000000000F00000-0x0000000000F08000-memory.dmp
Filesize 32KB
-
memory/912-701-0x0000000019770000-0x0000000019778000-memory.dmp
Filesize 32KB
-
memory/912-700-0x0000000001030000-0x0000000001060000-memory.dmp
Filesize 192KB
-
memory/912-699-0x0000000019600000-0x0000000019656000-memory.dmp
Filesize 344KB
-
memory/912-1885-0x000007FEE7E70000-0x000007FEE86DC000-memory.dmp
Filesize 8.4MB
-
memory/912-1884-0x000007FEE7E70000-0x000007FEE86DC000-memory.dmp
Filesize 8.4MB
-
memory/912-1883-0x000007FEE7E70000-0x000007FEE86DC000-memory.dmp
Filesize 8.4MB
-
memory/912-1882-0x000007FEE7E70000-0x000007FEE86DC000-memory.dmp
Filesize 8.4MB
-
memory/912-1881-0x000007FEE7E70000-0x000007FEE86DC000-memory.dmp
Filesize 8.4MB
-
memory/912-1879-0x000007FEE7E70000-0x000007FEE86DC000-memory.dmp
Filesize 8.4MB
-
memory/912-1871-0x000007FEE7E70000-0x000007FEE86DC000-memory.dmp
Filesize 8.4MB
-
memory/912-1866-0x000007FEE7E70000-0x000007FEE86DC000-memory.dmp
Filesize 8.4MB
-
memory/912-1865-0x000007FEE7E70000-0x000007FEE86DC000-memory.dmp
Filesize 8.4MB
-
memory/912-1864-0x000007FEE7E70000-0x000007FEE86DC000-memory.dmp
Filesize 8.4MB
-
memory/912-683-0x0000000000F10000-0x0000000000F46000-memory.dmp
Filesize 216KB
-
memory/912-684-0x0000000000F50000-0x0000000001022000-memory.dmp
Filesize 840KB
-
memory/912-685-0x0000000000B20000-0x0000000000B3A000-memory.dmp
Filesize 104KB
-
memory/912-686-0x0000000019B70000-0x0000000019C06000-memory.dmp
Filesize 600KB
-
memory/912-698-0x0000000000ED0000-0x0000000000EE6000-memory.dmp
Filesize 88KB
-
memory/912-687-0x0000000000B80000-0x0000000000B98000-memory.dmp
Filesize 96KB
-
memory/912-688-0x0000000000BA0000-0x0000000000BC6000-memory.dmp
Filesize 152KB
-
memory/912-689-0x0000000019C10000-0x0000000019CBA000-memory.dmp
Filesize 680KB
-
memory/912-690-0x00000000003E0000-0x00000000003E8000-memory.dmp
Filesize 32KB
-
memory/912-711-0x000000001A810000-0x000000001A82E000-memory.dmp
Filesize 120KB
-
memory/912-691-0x0000000000620000-0x000000000062A000-memory.dmp
Filesize 40KB
-
memory/912-697-0x0000000000EA0000-0x0000000000EC2000-memory.dmp
Filesize 136KB
-
memory/912-696-0x0000000000E80000-0x0000000000E9C000-memory.dmp
Filesize 112KB
-
memory/912-695-0x0000000000CD0000-0x0000000000CE8000-memory.dmp
Filesize 96KB
-
memory/912-692-0x0000000000C50000-0x0000000000C5A000-memory.dmp
Filesize 40KB
-
memory/912-1386-0x000007FEF4310000-0x000007FEF443C000-memory.dmp
Filesize 1.2MB
-
memory/912-694-0x0000000000C70000-0x0000000000C78000-memory.dmp
Filesize 32KB
-
memory/912-1382-0x000007FEE7E70000-0x000007FEE86DC000-memory.dmp
Filesize 8.4MB
-
memory/912-1368-0x000007FEE7E70000-0x000007FEE86DC000-memory.dmp
Filesize 8.4MB
-
memory/912-1258-0x0000000000C90000-0x0000000000CB5000-memory.dmp
Filesize 148KB
-
memory/912-1260-0x000000001AE90000-0x000000001AEAE000-memory.dmp
Filesize 120KB
-
memory/912-1357-0x000000001DD50000-0x000000001E2B4000-memory.dmp
Filesize 5.4MB
-
memory/912-693-0x0000000000C60000-0x0000000000C68000-memory.dmp
Filesize 32KB
-
memory/1596-1253-0x0000000002230000-0x0000000002232000-memory.dmp
Filesize 8KB
-
memory/1948-1130-0x0000000000EF0000-0x0000000000F0A000-memory.dmp
Filesize 104KB
-
memory/1948-1131-0x00000000002D0000-0x00000000002FC000-memory.dmp
Filesize 176KB
-
memory/1948-1148-0x0000000000550000-0x000000000057A000-memory.dmp
Filesize 168KB
-
memory/2960-504-0x0000000000220000-0x0000000000246000-memory.dmp
Filesize 152KB
-
memory/2972-1190-0x0000000000670000-0x0000000000672000-memory.dmp
Filesize 8KB
-
memory/2976-1170-0x000000001A990000-0x000000001A9A6000-memory.dmp
Filesize 88KB
-
memory/2976-1861-0x000000001C470000-0x000000001C47A000-memory.dmp
Filesize 40KB
-
memory/2976-1193-0x0000000000EE0000-0x0000000000EF0000-memory.dmp
Filesize 64KB
-
memory/2976-1426-0x000000001C4F0000-0x000000001C52C000-memory.dmp
Filesize 240KB
-
memory/2976-1179-0x000000001B650000-0x000000001B666000-memory.dmp
Filesize 88KB
-
memory/2976-1180-0x000000001B670000-0x000000001B698000-memory.dmp
Filesize 160KB
-
memory/2976-1173-0x000000001B5D0000-0x000000001B5FA000-memory.dmp
Filesize 168KB
-
memory/2976-1169-0x0000000000ED0000-0x0000000000ED8000-memory.dmp
Filesize 32KB
-
memory/2976-1254-0x000000001C990000-0x000000001C9AC000-memory.dmp
Filesize 112KB
-
memory/2976-1165-0x000000001AF40000-0x000000001AFB2000-memory.dmp
Filesize 456KB
-
memory/2976-1194-0x000000001B6A0000-0x000000001B6BC000-memory.dmp
Filesize 112KB
-
memory/2976-1425-0x000000001CAB0000-0x000000001CADC000-memory.dmp
Filesize 176KB
-
memory/2976-1860-0x000000001C470000-0x000000001C47A000-memory.dmp
Filesize 40KB
-
memory/2976-1164-0x0000000000B20000-0x0000000000B30000-memory.dmp
Filesize 64KB
-
memory/2976-1163-0x0000000002370000-0x0000000002398000-memory.dmp
Filesize 160KB
-
memory/2976-1161-0x000000001A830000-0x000000001A88C000-memory.dmp
Filesize 368KB
-
memory/2976-1162-0x0000000000C40000-0x0000000000C58000-memory.dmp
Filesize 96KB
-
memory/2976-1160-0x000000001C0E0000-0x000000001C452000-memory.dmp
Filesize 3.4MB
-
memory/2976-1159-0x0000000002310000-0x0000000002364000-memory.dmp
Filesize 336KB
-
memory/2976-1158-0x0000000000C20000-0x0000000000C38000-memory.dmp
Filesize 96KB
-
memory/2976-1195-0x000000001BAA0000-0x000000001BAB2000-memory.dmp
Filesize 72KB
-
memory/2976-1250-0x000000001C470000-0x000000001C47A000-memory.dmp
Filesize 40KB
-
memory/2976-1249-0x000000001C470000-0x000000001C47A000-memory.dmp
Filesize 40KB