hxxps://www[.]poweriso[.]net/PowerISO8-x64[.]exe

Resubmissions

20-08-2024 21:56

240820-1td1pavgjb 8

20-08-2024 21:54

240820-1r7vzsvfnb 8

Analysis

max time kernel
70s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.poweriso.net/PowerISO8-x64.exe

Score

8^/10

discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\scdemu.sys	setup64.exe
File opened for modification	C:\Windows\system32\Drivers\scdemu.sys	setup64.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	rsStubActivator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	PowerISO8-x64.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 9 IoCs

pid	Process
4132	PowerISO8-x64.exe
5964	devcon.exe
5860	setup64.exe
2504	rsStubActivator.exe
780	t0tdp0ze.exe
3676	UnifiedStub-installer.exe
5312	rsSyncSvc.exe
5400	rsSyncSvc.exe
5748	PWRISOVM.EXE

Loads dropped DLL 9 IoCs

pid	Process
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
3676	UnifiedStub-installer.exe
5444	regsvr32.exe
5752	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PWRISOVM.EXE = "C:\\Program Files\\PowerISO\\PWRISOVM.EXE -startup"	PowerISO8-x64.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	PowerISO8-x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	PowerISO8-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\PowerISO\Lang\kazakh.ini	PowerISO8-x64.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\da.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\nl.pak	UnifiedStub-installer.exe
File created	C:\Program Files\PowerISO\Lang\Armenian.ini	PowerISO8-x64.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fa.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\id.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\pl.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sw.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\snapshot_blob.bin	UnifiedStub-installer.exe
File created	C:\Program Files\PowerISO\Lang\Bulgarian.ini	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Russian.ini	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Portuguese(Brazil).ini	PowerISO8-x64.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\af.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\hi.pak	UnifiedStub-installer.exe
File created	C:\Program Files\PowerISO\Lang\french.ini	PowerISO8-x64.exe
File created	C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\chrome_100_percent.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\chrome_200_percent.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\v8_context_snapshot.bin	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vulkan-1.dll	UnifiedStub-installer.exe
File created	C:\Program Files\PowerISO\Lang\Lithuanian.ini	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Thai.ini	PowerISO8-x64.exe
File opened for modification	C:\Program Files\PowerISO\PWRISOSH.DLL	PowerISO8-x64.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ar.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\cs.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\el.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\th.pak	UnifiedStub-installer.exe
File created	C:\Program Files\PowerISO\Lang\TradChinese.ini	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\MACDll.DLL	PowerISO8-x64.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\es-419.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fil.pak	UnifiedStub-installer.exe
File created	C:\Program Files\PowerISO\Lang\Urdu(Pakistan).ini	PowerISO8-x64.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\uk.pak	UnifiedStub-installer.exe
File created	C:\Program Files\PowerISO\setup64.exe	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Serbian(cyrl).ini	PowerISO8-x64.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\de.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\gu.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\lv.pak	UnifiedStub-installer.exe
File created	C:\Program Files\PowerISO\Lang\Burmese.ini	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Arabic.ini	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Azerbaijani.ini	PowerISO8-x64.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\am.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\et.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\pt-BR.pak	UnifiedStub-installer.exe
File created	C:\Program Files\PowerISO\Lang\Spanish.ini	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\libvorbis.DLL	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\unrar64.dll	PowerISO8-x64.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ru.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\zh-CN.pak	UnifiedStub-installer.exe
File created	C:\Program Files\PowerISO\Lang\Greek.ini	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Turkish.ini	PowerISO8-x64.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sr.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sv.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ta.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\tr.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar	UnifiedStub-installer.exe
File created	C:\Program Files\PowerISO\Lang\Finnish.ini	PowerISO8-x64.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\it.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader_icd.json	UnifiedStub-installer.exe
File created	C:\Program Files\PowerISO\Lang\Polish.ini	PowerISO8-x64.exe
File created	C:\Program Files\PowerISO\Lang\Hungarian.ini	PowerISO8-x64.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\hu.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ja.pak	UnifiedStub-installer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t0tdp0ze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerISO8-x64.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 61 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.b5i	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vcd	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\DefaultIcon	PowerISO8-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.uif	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gi	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fcd	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.daa	PowerISO8-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xdi	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bin	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\shell\open	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cif	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso\ = "PowerISO"	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mds	PowerISO8-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\DefaultIcon\ = "C:\\Program Files\\PowerISO\\PowerISO.exe,0"	PowerISO8-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\ = "PowerISO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Program Files\\PowerISO\\PWRISOSH.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bif	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.flp	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wim	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.p01	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\shell\open\command	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.daa\ = "PowerISO"	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xdi\ = "PowerISO"	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ashdisc	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bwi	PowerISO8-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.daa	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\shell\open\command\ = "\"C:\\Program Files\\PowerISO\\PowerISO.exe\" \"%1\""	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xdi	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nrg	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ncd	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\shell	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lcd	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz\ = "PowerISO"	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dmg	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerISO\ = "PowerISO File"	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.c2d	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso	PowerISO8-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso\OpenWithProgids	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cdi	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdi	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.img	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uif	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ima	PowerISO8-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uif\ = "PowerISO"	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cue	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mdf	PowerISO8-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pxi	PowerISO8-x64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 105899.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2592	msedge.exe
2592	msedge.exe
4732	msedge.exe
4732	msedge.exe
1048	identity_helper.exe
1048	identity_helper.exe
5700	msedge.exe
5700	msedge.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
4132	PowerISO8-x64.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3676	UnifiedStub-installer.exe
3036	msedge.exe
3036	msedge.exe
5176	msedge.exe
5176	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
5176	msedge.exe
5176	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4132	PowerISO8-x64.exe
Token: SeShutdownPrivilege	4132	PowerISO8-x64.exe
Token: SeCreatePagefilePrivilege	4132	PowerISO8-x64.exe
Token: SeDebugPrivilege	2504	rsStubActivator.exe
Token: SeDebugPrivilege	3676	UnifiedStub-installer.exe
Token: SeShutdownPrivilege	3676	UnifiedStub-installer.exe
Token: SeCreatePagefilePrivilege	3676	UnifiedStub-installer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe
5176	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4132	PowerISO8-x64.exe
5964	devcon.exe
5748	PWRISOVM.EXE
5748	PWRISOVM.EXE
5748	PWRISOVM.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 904	4732	msedge.exe	84
PID 4732 wrote to memory of 904	4732	msedge.exe	84
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 3496	4732	msedge.exe	87
PID 4732 wrote to memory of 2592	4732	msedge.exe	88
PID 4732 wrote to memory of 2592	4732	msedge.exe	88
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89
PID 4732 wrote to memory of 2668	4732	msedge.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.poweriso.net/PowerISO8-x64.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9023646f8,0x7ff902364708,0x7ff902364718
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1468,15961541943106961026,14733493290723858046,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,15961541943106961026,14733493290723858046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1468,15961541943106961026,14733493290723858046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,15961541943106961026,14733493290723858046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,15961541943106961026,14733493290723858046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1468,15961541943106961026,14733493290723858046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1468,15961541943106961026,14733493290723858046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1468,15961541943106961026,14733493290723858046,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,15961541943106961026,14733493290723858046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1468,15961541943106961026,14733493290723858046,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,15961541943106961026,14733493290723858046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,15961541943106961026,14733493290723858046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,15961541943106961026,14733493290723858046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,15961541943106961026,14733493290723858046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1468,15961541943106961026,14733493290723858046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5168

C:\Users\Admin\Downloads\PowerISO8-x64.exe
"C:\Users\Admin\Downloads\PowerISO8-x64.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4132
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s /u "C:\Program Files\PowerISO\PWRISOSH.DLL"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5920
- C:\Program Files\PowerISO\devcon.exe
  "C:\Program Files\PowerISO\devcon.exe" remove *scdbusDevice
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious use of SetWindowsHookEx
  PID:5964
- C:\Program Files\PowerISO\setup64.exe
  "C:\Program Files\PowerISO\setup64.exe" cp C:\Users\Admin\AppData\Local\Temp\nsx5795.tmp "C:\Windows\system32\Drivers\scdemu.sys"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:5860
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\PowerISO\PWRISOSH.DLL"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5444
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files\PowerISO\PWRISOSH.DLL"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:5752
- C:\Program Files\PowerISO\PWRISOVM.EXE
  "C:\Program Files\PowerISO\PWRISOVM.EXE" 999
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.poweriso.com/thankyou.htm
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:5176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x98,0x7ff9023646f8,0x7ff902364708,0x7ff902364718
    3⤵
    PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,10137472106059130464,17566947106472137001,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:2240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,10137472106059130464,17566947106472137001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,10137472106059130464,17566947106472137001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
    3⤵
    PID:4316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10137472106059130464,17566947106472137001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
    3⤵
    PID:2356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10137472106059130464,17566947106472137001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
    3⤵
    PID:1556

C:\Users\Admin\AppData\Local\Temp\PowerISO_Pub_files\rsStubActivator.exe
"C:\Users\Admin\AppData\Local\Temp\PowerISO_Pub_files\rsStubActivator.exe" -ip:"dui=f995c12b4048b1cfcf246213e8557993f469ffac&dit=20240820215496812&is_silent=true&oc=DOT_RAV_Cross_Tri_NCB&p=e189&a=100&b=&se=true" -vp:"dui=f995c12b4048b1cfcf246213e8557993f469ffac&dit=20240820215496812&oc=DOT_RAV_Cross_Tri_NCB&p=e189&a=100&oip=26&ptl=7&dta=true" -dp:"dui=f995c12b4048b1cfcf246213e8557993f469ffac&dit=20240820215496812&oc=DOT_RAV_Cross_Tri_NCB&p=e189&a=100" -i -v -d
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2504
- C:\Users\Admin\AppData\Local\Temp\t0tdp0ze.exe
  "C:\Users\Admin\AppData\Local\Temp\t0tdp0ze.exe" /silent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\7zSC039EE78\UnifiedStub-installer.exe
    .\UnifiedStub-installer.exe /silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3676
  - - C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
      "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
      4⤵
      Executes dropped EXE
      PID:5312

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:5400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\PowerISO\PWRISOSH.DLL

Filesize
362KB

MD5
36fae211cba9f01a3d2dc05935375d34

SHA1
ba0811b9ca2e38deb9d7b90db7da4d5df19257ce

SHA256
6419b8bbc93abf5b92eac3e9330c0ec0725f4be41a3f2b2dfc2a0b55a9acd6d2

SHA512
c3dce9722b1e5136db5415fd08affad3e5b4dd039c3b3947ab43ee5afe308c4853e59b448f5ea3449d587bd634cdf9a4cb673bd58690fcaae1a68fb8fe8ef5f7

Download Submit
C:\Program Files\PowerISO\PWRISOVM.EXE

Filesize
452KB

MD5
aafd81807ed721109cd1acd364ef33a7

SHA1
99a44b7db8e742811ac45cbd55ebcb3bcf304753

SHA256
d62cd0a8983760002bdde90167fbcade25fa044c4f32f5ca2e2e0c4551bc079c

SHA512
79acd6fc8f44477320d98dbeb4d90dd45b5a7c852de96f9c3c8afd7e0d57f997fa99fe6d50a7f1bbc363e1fbe1d1baaf2c46ebb992a03a621e02e9e71368145a

Download Submit
C:\Program Files\PowerISO\PowerISO.exe

Filesize
6.5MB

MD5
3287989c4ebd64496788a61291bad6be

SHA1
37ce3048c236e96220da13c6086f6fde7f508c69

SHA256
2417d3b8e12a82914b0f4e182f0c907d466f6a12bba70a1cd9cc13f6e26f062e

SHA512
421514828a058916afaaf646d8dd9a5adb19ab3c7be77f8577864591f77b9f3aced35a6d6a99cbb4519f7e91cc21b47309a24be25970e1da60134dad27db309b

Download Submit
C:\Program Files\PowerISO\devcon.exe

Filesize
69KB

MD5
9d199564b65a91a531b23844649459e9

SHA1
8d84359ced1c51d14e70cb5ed36a6083c8b914cf

SHA256
8dc2490d1d650e3ffbf70922b81ae9800ddd29a644e4d7d29e9616e22a7d0f42

SHA512
ae522945d3ddcd7c2d99da14ba62d556928b7e6dfcb07114f13481777878a8ffa448170cebbf76da80d9ae45d0e3a509b0f2a7bd702773c1efcaca26496010d1

Download Submit
C:\Program Files\PowerISO\setup64.exe

Filesize
20KB

MD5
857eace9d87bd6c43142b2b4eed5c1c4

SHA1
03707b309e647ff6f89993e7ba03f1c98750b8a0

SHA256
10bb1c98ab4fb8e18b349fdbdf33f61038318b33e7b04810a71035a7320f00bd

SHA512
af784f62ae993ad83022a098d4aca4e3850018976362ec559f611bec76ef7f5ec70763fa167f255ed13745d496e7ed501b638afbe107e244da652da2a84a129d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3000a0ff8ffbbc34b9480fc96b9284ef

SHA1
dcf297abe33d48bf9eaf2efdc82feb1b8ec8eeea

SHA256
16576ec8777581e57e751d5cb3d9a130b131ed2f4cc8b7221224f61eb7533fdb

SHA512
0363630d899ce4461a7d6c9ae62115efe449cc0f7bb3549c0a360af20eb214b37ccb791df535aba571dd167838347981e7d85ee2f5e9d3a78fabfa0945cf056b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
72f1d4b6a108d07ae3fafb9d42a31b41

SHA1
8ed84ec22b598d3a1f30d33c39788792ba378a65

SHA256
0a41a87524b41448c2cb4d0d2b0bf4334827a0c7601eee0152d45c3d85469401

SHA512
4e0c52ebd13d294841b446936c27599a534a4cb11c05e7aa3ffa183bd79f415ec4ebb0d0076c31239ac09c01b5fe32cbf9a18ea0c90c419761834161befbaecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
6aff695aa0cdf7d7de3590104f3966e5

SHA1
ff1a603fbe1b92a601a2a0228b478f0ca11fc9d3

SHA256
b2bbfa51020f74d4a71a689ad85a3c7a37e0ff1f6ce6937bbc83d7193dddc6e8

SHA512
95f86cf93c4bed206b279d4cd7db3fa8f0535d0176c09c402900df9277ac0093c5e5994cd6e39bc677413ca1167beb54f8763910a6b1d3e98f22a54e328a899f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
5cccb7f824588f5253a13350fe01ff79

SHA1
239488dab9cfdccdfb61ea288d5d061eb2454f2e

SHA256
5f0f48f4925f7aeae328787e88e537208085300b3d673fede0d866001756f604

SHA512
1365af8ac6acfe3473bc8409d44bea748fa765166431ade3f365b36c7399320391c8a203b684d77cd631597cd8c07bbf161b31c91d2ef6ba28c09297e01dbada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
cff4fb78fd46568afbd7d4073b4c5cf2

SHA1
206c0ea7009ffdac9cf75414c75a9697e3f62ed0

SHA256
e138b8340ada47b51e617dc1127f070879f3519aef07e3532fb8e8088c018738

SHA512
3c04d5642ba60437c1edf9842670e1b0d04328a4d1f249eff4defc4c49b67d77d3f6d5b3ab85748a0567442588e81f201723fecaa980fe8fc6f9953f27ab51ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
794B

MD5
72fd75bd97c6ddf59599220438859003

SHA1
33a9f84f1740de3d0cc3dd6a3e7c9f115814fe6f

SHA256
53a242715c0dfaac0150ea081e4109370fc82c8619c432cc12b84c423c854c3e

SHA512
2d7cfd616b37be9f79caa5f874958176de07a90bde03106865f3958791d6cd9948e4dacfaf9966aa78d732d5128b06b91ad6318481956c58385eb0e60e365e9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
514848dc59078f411eaa24c34f98dd67

SHA1
4f93c0c483e971985b776a2c282b85a84fc46df8

SHA256
4c783f5ac4bcb0dc875579891e2c608b84635211b6717f60b22ac49386107fca

SHA512
a6ff6b6b7e0e1806a7c557028b03dbe1a8c4029d8c135e02a4c15f580b426f46cebc61fa516328a8d7f85ea9a168ac076d226f2e95e88bed56869e57c8ffa1a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f690a81900aba722255a06f89f17bf0c

SHA1
f63af83d656cf74eb0a719be9020db88aefa4eb1

SHA256
52b4c8d20c7ee3332dfb6a29e1d5da8ef3ba912f542d706dd6f34d5fa6c724fc

SHA512
d61f6754bf651efde3dcc9ba6e23a9d55f2275bf42a829103d2919a796d846b5c2574312a0957d1f78c901ebf6f5ccaad22f463247b93b7447957b845e2cf53b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ee7817a0f4e664851612776e155a45dc

SHA1
f85871e96b3ea7a0fa66c12b20b9ddf0765e8648

SHA256
6bc87180eb160dbd3e78b3937642711401685f8c09376c8c8c9afdb9459a56dd

SHA512
198622057e51c13cd6ce6d7cfa2389ef29c906ce145a84d09137298b1b8841eaf1bc1362271a24f82c31f03b25da625cc1e48e031b42fef3b6f9666fe16d6a3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd3832bf78245170be94d5e0718153ad

SHA1
b887593505f10deda72bd99c27b67e3c49d27a11

SHA256
1ff9d2b3f13866c214cb08c582e195df5224e87c24f71aaa2375f98ef6012ebb

SHA512
9ed9f74f49ef2fee85e582517c3a8c3908cf3eff151b3877c9d913e74a6b40d9e097fb953347948103ae0caab65c4af6bc5a625efbadc64c6f546e377183c5fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
02367c0e52067b9476b61ffc33168360

SHA1
2fa382e1681b28bd6572a82d5ce4feb2a8a8265a

SHA256
e529747d760c0141b32454cc47ea9aab262f79b155c45fabf3f96bef7612a544

SHA512
e1138a06f4f5f53a1199686c0daa5b8144e070a65e013a24e2641f8de61874d8af4c4dd848c2aa1fc2996ddff5ff683960530d5494b2a6f4f6e8be5aa98b3987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13368664461710960

Filesize
933B

MD5
ebecd86ad1ac8bd549a8ff5788f11890

SHA1
db6e13fa4d4e84a093bf5e2ca0773f95a069c38b

SHA256
aca71ca7fa596aa1670e4223c38add782b9fae969328348aed585a1471d9ffd8

SHA512
5f659d16c04fd50802663356e3fda38a5e801faeeb0ab148ac48ca159aa5e6bfe390d9152250315eae854453c8f32d130a54ceaa72d428e9f92e19d78225dd49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
618716afc8f83a5ccfcf6f7269597591

SHA1
dbe793321b5d01127eed948830d84853c373bc44

SHA256
7c772a1742d7077a4e8c2ea2f53d5e4f7b859de0ac1a4e93d95798cd68c92956

SHA512
745c1ceece3445f760132d4a2de42510d8c1b22d1054424a938ac4b6dbf66dfe2630c1f75411cb52eec774b83ac8bdf5a62ce5aa343b425a606ebe300105299b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
389ad7af74acc1076b937ac89bea9a08

SHA1
3e242869acc66b4a964e3841384c8fac2e8dab4b

SHA256
7cf064d57d004124d85de18f09c598010adf4b99c107120bc6d3ddda0ab63f8c

SHA512
3b8a2c957f3fe8ca6139a04be20080b00309aafd376dbfc9252dd6dfad909e2dce00d79274dc136163d029cafa25f2441e0a7422fce2ec482f5583e2a9e355a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
27817ee030cdce0ab49ecfa13e210993

SHA1
18c48ebd434e76c54066c2e507a0301adeaa9152

SHA256
b3276578beb0ce12ff66540a5f222e9ad21fc619e86f889d82b6b4bf336fc83b

SHA512
965e31c12586e53ce68e0363348a2864d5063acde4b2852002d634433a29235702134271e391ad7083d3ae3d41d97b27734b0b3901b1700a46291e6b0872cdc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
64cbed9605e52ae2f62ed9b932bd8de7

SHA1
d0219f3029eaf36c9e1b5c3d14a30dd0a4333907

SHA256
e92859fdfc29d4d6929213acc98ff8bee7401dcb4f35f4ba46c2071a37213524

SHA512
1941fe49453032b2514e0c9c4777ae5b172941f1cd2804176f2d1553a2ef4d8a4dada0f41db8e55989a3f2bc4076f82e6d0379ff2ef9b1ea2ac6417726ba7d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b1fa608ae1d66fe840f2250397b3fdc9

SHA1
745a36aa08bc7317424dd70fe3480808d840eb51

SHA256
04c0b42ad153cdd8183f78259572c669e2326d5dc3ffd53b236e77b9521354cd

SHA512
d43e59edab384bae7d3f25e01a620f5f925030731180ac2b8b9ccee412f47a658ab329611669cb563deed79805c3e5f9681143c4d07fa2ad88770488827b998f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b657976b9313f22fd7c257d16e1ee7b1

SHA1
4df23beae295537cc5ba2467b8c4679d76c0898b

SHA256
82893387fdcceac7e5762879b5882d8bf81be1777375c394691a5bdc6d5421ad

SHA512
f1d579e8917986014f418a7ea7145706547c5bdd6ebd681538eabcfe09c973962b9e2ca31971f973539d63ddb4d574d43ba09eae5f9d6e146b80a11cac4ab4f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
31bc936ac48e76110a73103ab8b63410

SHA1
059eca0e96f5aa01b90951f1a0e9d25fbbf26fd2

SHA256
eba5cc82418dc6f0211de0940ed3388debabd97a4eed16aeafed7ef83a2d1608

SHA512
83cf38e94596d92c02a0bf90ad03d159b9d659f922fc09343f05c575fd3b99a85118f97aa7ee5ed45bbd849e67107d0413b01a4cf9178b97e48954cbac868e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC039EE78\Microsoft.Win32.TaskScheduler.dll

Filesize
340KB

MD5
e6a31390a180646d510dbba52c5023e6

SHA1
2ac7bac9afda5de2194ca71ee4850c81d1dabeca

SHA256
cccc64ba9bbe3897c32f586b898f60ad0495b03a16ee3246478ee35e7f1063ec

SHA512
9fd39169769b70a6befc6056d34740629fcf680c9ba2b7d52090735703d9599455c033394f233178ba352199015a384989acf1a48e6a5b765b4b33c5f2971d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC039EE78\Newtonsoft.Json.dll

Filesize
701KB

MD5
4f0f111120d0d8d4431974f70a1fdfe1

SHA1
b81833ac06afc6b76fb73c0857882f5f6d2a4326

SHA256
d043e6cde1f4d8396978cee2d41658b307be0ca4698c92333814505aa0ccab9a

SHA512
e123d2f9f707eb31741ef8615235e714a20c6d754a13a97d0414c46961c3676025633eb1f65881b2d6d808ec06a70459c860411d6dd300231847b01ed0ce9750

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC039EE78\UnifiedStub-installer.exe

Filesize
1.0MB

MD5
493d5868e37861c6492f3ac509bed205

SHA1
1050a57cf1d2a375e78cc8da517439b57a408f09

SHA256
dc5bc92e51f06e9c66e3933d98dc8f8d217bc74b71f93d900e4d42b1fb5cc64f

SHA512
e7e37075a1c389e0cad24ce2c899e89c4970e52b3f465d372a7bc171587ed1ee7d4f0a6ba44ab40b18fdf0689f4e29dfdbccbabb07e0f004ef2f894cb20d995d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC039EE78\rsAtom.dll

Filesize
169KB

MD5
dc15f01282dc0c87b1525f8792eaf34e

SHA1
ad4fdf68a8cffedde6e81954473dcd4293553a94

SHA256
cc036bcf74911fe5afb8e9fcc0d52b3f08b4961bcda4e50851eda4159b1c9998

SHA512
54ee7b7a638d0defcff3a80f0c87705647b722d3d177bc11e80bfe6062a41f138ef99fc8e4c42337b61c0407469ef684b704f710b8ead92b83a14f609f0bc078

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC039EE78\rsLogger.dll

Filesize
182KB

MD5
1cfc3fc56fe40842094c7506b165573a

SHA1
023b3b389fdfa7a9557623b2742f0f40e4784a5c

SHA256
187da6a5ab64c9b814ab8e1775554688ad3842c3f52f5f318291b9a37d846aa2

SHA512
6bd1ceaf12950d047a87fd2d9c1884c7ac6e45bd94f11be8df8144ddd3f71db096469d1c775cf1cb8bc7926f922e5a6676b759707053e2332aa66f86c951fbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC039EE78\rsStubLib.dll

Filesize
271KB

MD5
3bcbeaab001f5d111d1db20039238753

SHA1
4a9c0048bbbf04aa9fe3dfb9ce3b959da5d960f8

SHA256
897131dd2f9d1e08d66ae407fe25618c8affb99b6da54378521bf4403421b01a

SHA512
de6cde3ad47e6f3982e089700f6184e147a61926f33ead4e2ff5b00926cfc55eb28be6f63eea53f7d15f555fd820453dd3211f0ba766cb3e939c14bb5e0cfc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC039EE78\rsSyncSvc.exe

Filesize
798KB

MD5
f2738d0a3df39a5590c243025d9ecbda

SHA1
2c466f5307909fcb3e62106d99824898c33c7089

SHA256
6d61ac8384128e2cf3dcd451a33abafab4a77ed1dd3b5a313a8a3aaec2b86d21

SHA512
4b5ed5d80d224f9af1599e78b30c943827c947c3dc7ee18d07fe29b22c4e4ecdc87066392a03023a684c4f03adc8951bb5b6fb47de02fb7db380f13e48a7d872

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC039EE78\uninstall-epp.exe

Filesize
319KB

MD5
79638251b5204aa3929b8d379fa296bb

SHA1
9348e842ba18570d919f62fe0ed595ee7df3a975

SHA256
5bedfd5630ddcd6ab6cc6b2a4904224a3cb4f4d4ff0a59985e34eea5cd8cf79d

SHA512
ab234d5815b48555ddebc772fae5fa78a64a50053bdf08cc3db21c5f7d0e3154e0726dacfc3ea793a28765aea50c7a73011f880363cbc8d39a1c62e5ed20c5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC039EE78\x64\Reason.ArchiveUtility-x64.dll

Filesize
154KB

MD5
366231ab413d0ce3ad65b38b4ab3e4a6

SHA1
f52e1886563137a4124d3096d7ede5ce1cd1e578

SHA256
ed349b2e11a4c6ada76a72f2462e84551d5451088212a6e0d6fbf4904c8cc19d

SHA512
55b7e9ecab6893331f9cc045a4d60b971fb208ca6f2c12592de98f91389413f9bd5f50460f06507a9cff650b4cec73c61a633f30d1ba869b2ecc93c5a3aaaca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PowerISO_Pub_files\rsStubActivator.exe

Filesize
32KB

MD5
445f9c89eea0d2ebb02401e07e94787b

SHA1
9e3a80263014e6b181a3640467741df213830414

SHA256
ffc537055ee01f179020223b6975e7dd720febc74aad3d3b8a80d6f1d819bac7

SHA512
a582825ff58a624724d2f3e013695c170584a453e0d535fccce2b8dd8eb44ed96e7d6ff5750d5d65ecb103a6b59abdebe0da715c2e9ac25291f58bb94799e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl1395.tmp\InstOpt.dll

Filesize
25KB

MD5
6a45ec125830c244261b28fe97fb9f9d

SHA1
f30e65fa3a84c9078bf29af4b4d08ec618a8e44f

SHA256
fa8b56b52dc7130d924d0060633b5763c032408385a47ec7438d5e1d481d2fe5

SHA512
5387439a2a1f235a2ffe934570db8ab200e2688496d2be39d8f6a47dc7fb55e6e30e957b5b2f6d79799581278bd57c03dc81908afa5e9707375a14ec8a34e4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl1395.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl1395.tmp\nsDialogs.dll

Filesize
9KB

MD5
ec9640b70e07141febbe2cd4cc42510f

SHA1
64a5e4b90e5fe62aa40e7ac9e16342ed066f0306

SHA256
c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188

SHA512
47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl1395.tmp\nsv1470.tmp

Filesize
29KB

MD5
2bdf5a9d2007c879b665b9c631a9cebb

SHA1
0937ebd3024adbf14e6c313434de078975fe2e14

SHA256
dd8c9f10e6115c70a774dd017b2d300108d7ab082d8475d6e3ad53a0dd45124c

SHA512
ee30588bd9c1f6c9c550cd50c3997ea4b14482af7c9fc0ad7ac918680e32e7984f3fb0ca2699f9a27d2e35868c282e1c0af3772609044770d67a753737c27bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5795.tmp

Filesize
135KB

MD5
92eae8dec1f992db12aa23d9d55f264a

SHA1
add6697b8c1c71980e391619e81e0bada05e38ee

SHA256
d01a58e0a222e4d301b75ae80150d8cbc17f56b3f6458352d2c7c449be302eee

SHA512
443a12a1a49e388725ee347e650297ba5268d655acd08e623ea988cde07ae08ae861620b600fb223358339eeab926fee1c8377386501310c68a3eb9515649441

Download Submit
C:\Users\Admin\AppData\Local\Temp\t0tdp0ze.exe

Filesize
2.4MB

MD5
4a7ab4bcb61cfed7a5ccb6fe8a13660e

SHA1
76354b0c201a76f5d090b82c0db7b4558a9c2a66

SHA256
bff01aeca42bab7afc9e2ba10e8df7a32871f502572ed104f00ef36080dc8dfd

SHA512
25a0c3ea7510b46d802bb12d8ae9b5c3bc856e529f400d1abefe06ae2e218775e71d1ff56ec3cd6cd857db88cbbaf2a0a1ae16b438e9abf5bf499638e03609f1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 105899.crdownload

Filesize
4.9MB

MD5
d97f67727477fe53ad6ccfa39a105e73

SHA1
fa22f77021312b68bd367eb1a18b6d0452e35661

SHA256
7d767e17246f7c418cfb080bf3dd95f707f69eabd7588befa02bc22b9ffc9193

SHA512
424cef4b5e38262a2b176795336043868d7fbf889dd69a753e0b77474731016841839060f8ef4b7375bef077d1de915c5d19a1a40d09b131bd89ed0fd732f43b

Download Submit
memory/2504-273-0x0000024E76DC0000-0x0000024E772E8000-memory.dmp

Filesize
5.2MB

Download
memory/2504-272-0x0000024E5C3D0000-0x0000024E5C3D8000-memory.dmp

Filesize
32KB

Download
memory/3676-428-0x00000151CBDD0000-0x00000151CBEDC000-memory.dmp

Filesize
1.0MB

Download
memory/3676-432-0x00000151CC2A0000-0x00000151CC2D0000-memory.dmp

Filesize
192KB

Download
memory/3676-434-0x00000151E66A0000-0x00000151E6752000-memory.dmp

Filesize
712KB

Download
memory/3676-442-0x00000151E65E0000-0x00000151E6638000-memory.dmp

Filesize
352KB

Download
memory/3676-435-0x00000151CDC70000-0x00000151CDC92000-memory.dmp

Filesize
136KB

Download
memory/3676-437-0x00000151E6400000-0x00000151E642E000-memory.dmp

Filesize
184KB

Download
memory/3676-430-0x00000151CC2E0000-0x00000151CC326000-memory.dmp

Filesize
280KB

Download
memory/4132-206-0x0000000006550000-0x0000000006594000-memory.dmp

Filesize
272KB

Download
memory/4132-205-0x0000000005AF0000-0x0000000005B82000-memory.dmp

Filesize
584KB

Download
memory/4132-204-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/4132-203-0x0000000074760000-0x0000000074770000-memory.dmp

Filesize
64KB

Download
memory/4132-202-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/4132-207-0x00000000065A0000-0x000000000663C000-memory.dmp

Filesize
624KB

Download
memory/4132-208-0x0000000006640000-0x00000000066A6000-memory.dmp

Filesize
408KB

Download
memory/4132-209-0x0000000006700000-0x0000000006C2C000-memory.dmp

Filesize
5.2MB

Download
memory/4132-217-0x0000000005D20000-0x0000000005D2A000-memory.dmp

Filesize
40KB

Download