Analysis
max time kernel: 150s
max time network: 138s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 19/11/2024, 16:51

Static task: static1
Behavioral task: behavioral1
  Sample: Hide.me-Setup-4.2.1.exe
  Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral2
  Sample: Hide.me-Setup-4.2.1.exe
  Resource: win11-20241007-en

General
Target: Hide.me-Setup-4.2.1.exe
Size: 18.5MB
MD5: 074a7929ea64805d3406c86ca3e4d9be
SHA1: 08ee722d9d3f85c14b6c7d47fdbfb2c3db019097
SHA256: 7b70566316b614060caa472243d87321d0bf7bfcf493493f94f842c9837d27ce
SHA512: f6dcdf1ac978d1a1c7bc81f887b7426df5c89d14a644968d10ac85b41672fd7c40d38b075ea1ad312a6ea6754f9c3c2c936651ea032c534e177bd2efda82de05
SSDEEP: 393216:cE1kKDaqKzbCiXoQMO0Ya6FD/9coRQY4a3QZl4P7PzALAWSQbBdk0A3E5:FDaVz+iXDMOBl59fQja3QbAPcMWLtdPx

Malware Config

Signatures
Creates new service(s) 2 TTPs

Downloads MZ/PE file
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation | NetRuntimeInstaller86.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation | hidemesvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation | Hide.me.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation | hidemesvc.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.me VPN.lnk | Hide.me-Setup-4.2.1.tmp
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.me VPN.lnk | Hide.me.exe
Executes dropped EXE 7 IoCs
pid | Process
2648 | Hide.me-Setup-4.2.1.tmp
3032 | NetRuntimeInstaller86.exe
4648 | NetRuntimeInstaller86.exe
3164 | windowsdesktop-runtime-6.0.26-win-x86.exe
4364 | hidemesvc.exe
4920 | Hide.me.exe
4612 | hidemesvc.exe
Loads dropped DLL 64 IoCs
pid | Process
2648 | Hide.me-Setup-4.2.1.tmp
4648 | NetRuntimeInstaller86.exe
112 | MsiExec.exe
1140 | MsiExec.exe
976 | MsiExec.exe
4808 | MsiExec.exe
440 | MsiExec.exe
3892 | MsiExec.exe
4136 | MsiExec.exe
3868 | MsiExec.exe
4364 | hidemesvc.exe (this pid/process pair is repeated 46 times in the report, once per loaded DLL)
4612 | hidemesvc.exe (this pid/process pair is repeated 8 times in the report, once per loaded DLL)
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{185963d2-4c1e-4ef1-a6a4-5219e12fb512} = "\"C:\\ProgramData\\Package Cache\\{185963d2-4c1e-4ef1-a6a4-5219e12fb512}\\windowsdesktop-runtime-6.0.26-win-x86.exe\" /burn.runonce" | windowsdesktop-runtime-6.0.26-win-x86.exe
Blocklisted process makes network request 1 IoCs
flow | pid | Process
47 | 376 | msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_02db5c384e07aa47\netrndis.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\netvwwanmp.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netjme.inf_amd64_752bf22f1598bb7e\netjme.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\net1ic64.inf_amd64_5f033e913d34d111\net1ic64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4\netrtwlane_13.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{1338da56-be05-7744-9a83-c3f420781c84}\ovpn-dco.cat DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_450d4b1e35cc8e0d\net44amd.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\kdnic.inf_amd64_6649425cdcae9b5f\kdnic.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{16d528f7-0b51-fd42-b949-c2777bb2b293}\SET52CB.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{1338da56-be05-7744-9a83-c3f420781c84} DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\netnvm64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_84cd7b2798e0a666\netg664.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_5d63c7bcbf29107f\netr28x.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\netwtw08.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\net8187bv64.inf_amd64_bc859d32f3e2f0d5\net8187bv64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.PNF MsiExec.exe File created 
C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_7080f6b8ea1744fb\netnvma.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\net8192se64.inf_amd64_167684f9283b4eca\net8192se64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\rt640x64.inf_amd64_8984d8483eef476c\rt640x64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netsstpa.inf_amd64_e76c5387d67e3fd6\netsstpa.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_07ad61d07466a58a\wceisvista.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{16d528f7-0b51-fd42-b949-c2777bb2b293}\SET52AA.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{16d528f7-0b51-fd42-b949-c2777bb2b293}\SET52CA.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{1338da56-be05-7744-9a83-c3f420781c84}\SET39D4.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ovpn-dco.inf_amd64_b737bb7e846ccda6\ovpn-dco.cat DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\net819xp.inf_amd64_ff7a5dd4f9b1ceba\net819xp.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw06.inf_amd64_2edd50e7a54d503b\netwtw06.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\Temp\{16d528f7-0b51-fd42-b949-c2777bb2b293}\SET52AA.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netbc64.inf_amd64_b96cdf411c43c00c\netbc64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_3809a4a3e7e07703\netmlx4eth63.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{1338da56-be05-7744-9a83-c3f420781c84}\SET39D4.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netvchannel.inf_amd64_ba3e73aa330c95d6\netvchannel.PNF MsiExec.exe File created 
C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_178f1bdb49a6e2fd\net7800-x64-n650f.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\ndisimplatformmp.inf_amd64_8de1181bfd1f1628\ndisimplatformmp.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\netathr10x.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ovpn-dco.inf_amd64_b737bb7e846ccda6\ovpn-dco.inf DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane01.inf_amd64_b02695ef070d7a42\netrtwlane01.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\nett4x64.inf_amd64_54eacac1858c78ab\nett4x64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netwbw02.inf_amd64_1c4077fa004e73b4\netwbw02.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\Temp\{1338da56-be05-7744-9a83-c3f420781c84}\SET39D5.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netwmbclass.inf_amd64_0533a202a2a4615d\netwmbclass.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netl260a.inf_amd64_783312763f8749c7\netl260a.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlans.inf_amd64_97cd1a72c2a7829c\netrtwlans.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{1338da56-be05-7744-9a83-c3f420781c84}\SET39A4.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netax88179_178a.inf_amd64_b6748bc8bb8ccf4d\netax88179_178a.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw04.inf_amd64_c8f5ae6576289a2d\netwtw04.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\athw8x.inf_amd64_55014eff4ceefbdf\athw8x.PNF MsiExec.exe File created 
C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\netwew00.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\usbncm.inf_amd64_9957a38c3d2283ed\usbncm.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_ba3e477187f1080b\tap0901.cat DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\net9500-x64-n650f.inf_amd64_e92c5a65e41993f9\net9500-x64-n650f.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\net7400-x64-n650.inf_amd64_557ce3b37c3e0e3b\net7400-x64-n650.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{1338da56-be05-7744-9a83-c3f420781c84}\ovpn-dco.inf DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netwsw00.inf_amd64_24d55504ae3587aa\netwsw00.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\rtwlanu_oldic.inf_amd64_1a82423cc076e882\rtwlanu_oldic.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlanu.inf_amd64_1815bafd14dc59f0\netrtwlanu.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netrasa.inf_amd64_1bdf7a435cb3580d\netrasa.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\net7500-x64-n650f.inf_amd64_cc87c915f33d1c27\net7500-x64-n650f.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_895623810c19146a\nete1e3e.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\netefe3e.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\mwlu97w8x64.inf_amd64_23bc3dc6d91eebdc\mwlu97w8x64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netr7364.inf_amd64_310ee0bc0af86ba3\netr7364.PNF MsiExec.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\hide.me VPN\OpenVPN\x86\libssl-3.dll Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Xml.Serialization.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.26\api-ms-win-core-console-l1-2-0.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\PresentationFramework-SystemCore.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\zh-Hant\PresentationUI.resources.dll msiexec.exe File created C:\Program Files (x86)\hide.me VPN\unins000.dat Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\hide.me VPN\OpenVPN\drivers\is-QS57P.tmp Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.IO.FileSystem.AccessControl.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\zh-Hans\WindowsBase.resources.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\es\ReachFramework.resources.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\D3DCompiler_47_cor3.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\de\UIAutomationClient.resources.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\zh-Hant\System.Windows.Forms.Design.resources.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.26\api-ms-win-core-timezone-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.IO.FileSystem.Primitives.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Xml.XmlDocument.dll 
msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ja\UIAutomationProvider.resources.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\it\WindowsBase.resources.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\tr\System.Windows.Forms.resources.dll msiexec.exe File created C:\Program Files (x86)\hide.me VPN\is-HMMQ5.tmp Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\hide.me VPN\is-BQSSU.tmp Hide.me-Setup-4.2.1.tmp File opened for modification C:\Program Files (x86)\hide.me VPN\OpenVPN\x86\nvspbind.exe Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\UIAutomationClient.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\es\System.Windows.Input.Manipulations.resources.dll msiexec.exe File opened for modification C:\Program Files (x86)\hide.me VPN\System.Management.dll Hide.me-Setup-4.2.1.tmp File opened for modification C:\Program Files (x86)\hide.me VPN\H.Pipes.AccessControl.dll Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\Microsoft.WindowsDesktop.App.deps.json msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\cs\System.Windows.Input.Manipulations.resources.dll msiexec.exe File created C:\Program Files (x86)\hide.me VPN\is-C3A6A.tmp Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\hide.me VPN\HideFirewall\is-TSMNL.tmp Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Resources.Writer.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ja\WindowsBase.resources.dll msiexec.exe File opened for modification C:\Program Files (x86)\hide.me 
VPN\runtimes\win\lib\net6.0\System.Management.dll Hide.me-Setup-4.2.1.tmp File opened for modification C:\Program Files (x86)\hide.me VPN\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.26\api-ms-win-crt-conio-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Net.ServicePoint.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\fr\UIAutomationProvider.resources.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\pt-BR\Microsoft.VisualBasic.Forms.resources.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\it\UIAutomationClient.resources.dll msiexec.exe File created C:\Program Files (x86)\hide.me VPN\is-NE01S.tmp Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\hide.me VPN\is-QI3F2.tmp Hide.me-Setup-4.2.1.tmp File opened for modification C:\Program Files (x86)\hide.me VPN\AsyncAwaitBestPractices.dll Hide.me-Setup-4.2.1.tmp File opened for modification C:\Program Files (x86)\hide.me VPN\System.Diagnostics.EventLog.dll Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\fr\System.Windows.Forms.Primitives.resources.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ko\PresentationFramework.resources.dll msiexec.exe File created C:\Program Files (x86)\hide.me VPN\is-JVV7G.tmp Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.26\netstandard.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Reflection.Emit.ILGeneration.dll msiexec.exe File opened for modification C:\Program Files (x86)\hide.me VPN\GongSolutions.WPF.DragDrop.dll 
Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.26\msquic.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.ComponentModel.DataAnnotations.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\it\UIAutomationProvider.resources.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ja\System.Windows.Forms.resources.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\zh-Hant\WindowsBase.resources.dll msiexec.exe File opened for modification C:\Program Files (x86)\hide.me VPN\Common.Rpc.dll Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ja\PresentationFramework.resources.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ko\System.Xaml.resources.dll msiexec.exe File created C:\Program Files (x86)\hide.me VPN\is-EGTVS.tmp Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ru\System.Xaml.resources.dll msiexec.exe File created C:\Program Files (x86)\hide.me VPN\is-LMFAM.tmp Hide.me-Setup-4.2.1.tmp File created C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.26\api-ms-win-core-heap-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\de\System.Windows.Forms.Primitives.resources.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\zh-Hans\UIAutomationTypes.resources.dll msiexec.exe File created C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ko\UIAutomationClientSideProviders.resources.dll msiexec.exe -
Drops file in Windows directory 51 IoCs
description ioc Process File opened for modification C:\Windows\Installer\e588dd4.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI99BA.tmp msiexec.exe File created C:\Windows\Installer\e588ddd.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIB14D.tmp msiexec.exe File opened for modification C:\Windows\Installer\e588de8.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSI3F4D.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log MsiExec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\e588dd8.msi msiexec.exe File opened for modification C:\Windows\Installer\e588de3.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\Installer\e588ded.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\SourceHash{0E018729-7EC9-4539-BA27-7F010E3D4FDC} msiexec.exe File opened for modification C:\Windows\Installer\MSID081.tmp msiexec.exe File created C:\Windows\inf\oem3.inf DrvInst.exe File created C:\Windows\Installer\e588ded.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI4171.tmp msiexec.exe File opened for modification C:\Windows\inf\oem4.inf DrvInst.exe File opened for modification C:\Windows\Installer\MSIA890.tmp msiexec.exe File created C:\Windows\Installer\e588dd9.msi msiexec.exe File created C:\Windows\Installer\SourceHash{1BCFF523-F68B-4E85-AB83-FF03A3AC041A} msiexec.exe File created C:\Windows\Installer\e588dd4.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\e588dd9.msi msiexec.exe File created C:\Windows\Installer\SourceHash{B69C5B6E-E6D4-4DF8-B71D-8BC56D025D9A} msiexec.exe File created 
C:\Windows\Installer\e588de2.msi msiexec.exe File created C:\Windows\inf\oem4.inf DrvInst.exe File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe File opened for modification C:\Windows\Installer\MSIAF29.tmp msiexec.exe File created C:\Windows\Installer\e588dde.msi msiexec.exe File created C:\Windows\Installer\SourceHash{C912D2DF-06E9-49D2-9CBB-96AB945AC2DC} msiexec.exe File opened for modification C:\Windows\Installer\MSIC17C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI374D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB5F1.tmp msiexec.exe File created C:\Windows\Installer\e588de3.msi msiexec.exe File created C:\Windows\Installer\SourceHash{1F64DDDC-3D6E-40FC-A0B2-FC5FD649ACD9} msiexec.exe File created C:\Windows\Installer\e588de8.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI36AF.tmp msiexec.exe File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File created C:\Windows\Installer\e588dec.msi msiexec.exe File created C:\Windows\Installer\e588df1.msi msiexec.exe File opened for modification C:\Windows\Installer\e588dde.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIB892.tmp msiexec.exe File created C:\Windows\Installer\e588de7.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI369F.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log MsiExec.exe File created C:\Windows\Installer\SourceHash{70818D8B-0770-438F-AFD7-7FD6605EF97B} msiexec.exe File opened for modification C:\Windows\Installer\MSI3F0E.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe -
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4588 | sc.exe
1848 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hide.me-Setup-4.2.1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hidemesvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hide.me-Setup-4.2.1.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NetRuntimeInstaller86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hidemesvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NetRuntimeInstaller86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | windowsdesktop-runtime-6.0.26-win-x86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
System Time Discovery 1 TTPs 2 IoCs
An adversary may gather the system time and/or time zone settings from a local or remote system.
pid | Process
4648 | NetRuntimeInstaller86.exe
3032 | NetRuntimeInstaller86.exe
Checks SCSI registry key(s) 3 TTPs 63 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID MsiExec.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID MsiExec.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID DrvInst.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 MsiExec.exe Key value 
Modifies Control Panel 1 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\Colors Hide.me.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 16 IoCs
Suspicious behavior: LoadsDriver 18 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
3828 mspaint.exe
3828 mspaint.exe
3828 mspaint.exe
3828 mspaint.exe
Suspicious use of WriteProcessMemory 58 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Hide.me-Setup-4.2.1.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Hide.me-Setup-4.2.1.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004
  C:\Users\Admin\AppData\Local\Temp\is-BECAC.tmp\Hide.me-Setup-4.2.1.tmp (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-BECAC.tmp\Hide.me-Setup-4.2.1.tmp" /SL5="$401C6,18456089,857600,C:\Users\Admin\AppData\Local\Temp\Hide.me-Setup-4.2.1.exe"
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2648
    C:\Users\Admin\AppData\Local\Temp\is-61P8L.tmp\NetRuntimeInstaller86.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-61P8L.tmp\NetRuntimeInstaller86.exe" /passive /norestart /showrmui /showfinalerror
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - System Time Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
      C:\Windows\Temp\{9721FD40-41D4-4D85-A4FC-E8BD146EC557}\.cr\NetRuntimeInstaller86.exe (depth 4)
      Command line: "C:\Windows\Temp\{9721FD40-41D4-4D85-A4FC-E8BD146EC557}\.cr\NetRuntimeInstaller86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-61P8L.tmp\NetRuntimeInstaller86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /passive /norestart /showrmui /showfinalerror
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - System Time Discovery
      - Suspicious use of WriteProcessMemory
      PID:4648
        C:\Windows\Temp\{DF8BD840-0833-4E1B-ADB5-49602CB0B595}\.be\windowsdesktop-runtime-6.0.26-win-x86.exe (depth 5)
        Command line: "C:\Windows\Temp\{DF8BD840-0833-4E1B-ADB5-49602CB0B595}\.be\windowsdesktop-runtime-6.0.26-win-x86.exe" -q -burn.elevated BurnPipe.{BA683C54-1DAF-43D0-844B-E9D963ADC31A} {CAE0D9F8-BFFD-4136-9874-C9F046A7507A} 4648
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        PID:3164
    C:\Windows\SysWOW64\msiexec.exe (depth 3)
    Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Program Files (x86)\hide.me VPN\OpenVPN\drivers\ovpn-dco-x64.msi" /passive
    - System Location Discovery: System Language Discovery
    PID:1716
    C:\Windows\SysWOW64\msiexec.exe (depth 3)
    Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Program Files (x86)\hide.me VPN\OpenVPN\drivers\tap-windows-x64.msi" /passive
    - System Location Discovery: System Language Discovery
    PID:5012
    C:\Program Files (x86)\hide.me VPN\hidemesvc.exe (depth 3)
    Command line: "C:\Program Files (x86)\hide.me VPN\hidemesvc.exe" -i -start
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4364
      C:\Windows\SysWOW64\sc.exe (depth 4)
      Command line: "sc" create hmevpnsvc start= auto binPath= "C:\Program Files (x86)\hide.me VPN\hidemesvc.exe" depend= RasMan obj= LocalSystem DisplayName= "hide.me VPN Service"
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID:1848
      C:\Windows\SysWOW64\sc.exe (depth 4)
      Command line: "sc" description hmevpnsvc "Provides network services for hide.me VPN"
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID:4588
    C:\Program Files (x86)\hide.me VPN\Hide.me.exe (depth 3)
    Command line: "C:\Program Files (x86)\hide.me VPN\Hide.me.exe" -i QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXEhpZGUubWUtU2V0dXAtNC4yLjEuZXhl -a ""
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    PID:4920
      C:\Program Files (x86)\hide.me VPN\hidemesvc.exe (depth 4)
      Command line: "C:\Program Files (x86)\hide.me VPN\hidemesvc.exe" -start
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:4612
-
C:\Windows\system32\msiexec.exe (depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376
  C:\Windows\syswow64\MsiExec.exe (depth 2)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 90C55CF323C1347DE7916F6C587F55D4
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:112
  C:\Windows\syswow64\MsiExec.exe (depth 2)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 6F7FB299447770181546E597BCAE7560
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1140
  C:\Windows\syswow64\MsiExec.exe (depth 2)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A75880B355154AD0B0D56B167FD30A21
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:976
  C:\Windows\syswow64\MsiExec.exe (depth 2)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 06B10EAC86A7753118B7DB80FDE5FE88
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4808
  C:\Windows\system32\srtasks.exe (depth 2)
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
  PID:3920
  C:\Windows\System32\MsiExec.exe (depth 2)
  Command line: C:\Windows\System32\MsiExec.exe -Embedding 49300B6A9ADD3AD01FCBE3C167827E77
  - Loads dropped DLL
  PID:440
  C:\Windows\System32\MsiExec.exe (depth 2)
  Command line: C:\Windows\System32\MsiExec.exe -Embedding ED90EBEDF8516611F703D777FDD16F4E E Global\MSI0000
  - Loads dropped DLL
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:3892
  C:\Windows\System32\MsiExec.exe (depth 2)
  Command line: C:\Windows\System32\MsiExec.exe -Embedding 9E39D7CBAE951A011396F0997C56E6B0
  - Loads dropped DLL
  PID:4136
  C:\Windows\System32\MsiExec.exe (depth 2)
  Command line: C:\Windows\System32\MsiExec.exe -Embedding 2ABCB71C8FB6911A3243C1A6E6D62382 E Global\MSI0000
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:3868
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
PID:4024
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:1252
  C:\Windows\system32\DrvInst.exe (depth 2)
  Command line: DrvInst.exe "4" "1" "C:\Program Files\Common Files\ovpn-dco\Win10\ovpn-dco.inf" "9" "4e1f3ffd3" "00000000000001B8" "WinSta0\Default" "00000000000001D8" "208" "C:\Program Files\Common Files\ovpn-dco\Win10"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3660
  C:\Windows\system32\DrvInst.exe (depth 2)
  Command line: DrvInst.exe "4" "1" "C:\Windows\Temp\3c44d95b385823c5417ed89f37147c3c1f8d223d6fb66ad59b9424192fa6b728\OemVista.inf" "9" "4d4bf17c3" "00000000000000E8" "WinSta0\Default" "00000000000001E4" "208" "C:\Windows\Temp\3c44d95b385823c5417ed89f37147c3c1f8d223d6fb66ad59b9424192fa6b728"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3828
-
C:\Windows\system32\mspaint.exe (depth 1)
Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\StartRestart.jpeg"
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3828
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
PID:5076
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads