Analysis
max time kernel: 1050s
max time network: 1048s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2024 08:02
Behavioral task: behavioral1
Sample: testit.exe
Resource: win10v2004-20241007-en
General
Target: testit.exe
Size: 429KB
MD5: 318532b3049a90d9bbf9578f6553c915
SHA1: edda51905d6ae0aca7fc721942a4f0a5753d70ef
SHA256: 7b7f665e2a046ad30257ecd77257cd33b306dd73a17a5fce238b5a1038d592bd
SHA512: 555fd4743fef350248aaf1cae55cae8fbfdc5c98440d254d67c6906f2ac213c490d535083ea831fc84f10174eecfd418f7979bca2e9e59af956842b3819b7cd9
SSDEEP: 6144:b+d2+U+8RRJorR7zu6tF9x46YGg83lgnbJHZFXUU01yC5wJ/3AO2HyXGcKcONuf:b+d3UGddn4F83l0JjXUU0kXAHTciuf
Malware Config
Signatures
Hawkeye family
Modifies security service (2 TTPs, 2 IoCs)
  svchost.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\Teredo
  svchost.exe: Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\PortKeywords\Teredo\Collection
Downloads MZ/PE file
Drops file in Drivers directory (3 IoCs)
  DrvInst.exe: File opened for modification C:\Windows\System32\drivers\SET2AEE.tmp
  DrvInst.exe: File created C:\Windows\System32\drivers\SET2AEE.tmp
  DrvInst.exe: File opened for modification C:\Windows\System32\drivers\RvNetMP60.sys
Modifies Windows Firewall (2 TTPs, 2 IoCs)
  pid 5556 netsh.exe
  pid 5696 netsh.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code (GeoID) configured in the registry, likely a geofence check. This read is made by testit.exe, the submitted sample itself, not by one of the installer components.
  testit.exe: Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (5 IoCs)
  pid 3840 Radmin_VPN_1.4.4642.1.exe
  pid 1916 Radmin_VPN_1.4.4642.1.tmp
  pid 1504 MSI266B.tmp
  pid 5808 RvControlSvc.exe
  pid 6052 RvRvpnGui.exe
Loads dropped DLL (25 IoCs)
  pid 1916 Radmin_VPN_1.4.4642.1.tmp (1 load)
  pid 5484 MsiExec.exe (1 load)
  pid 5808 RvControlSvc.exe (8 loads)
  pid 6052 RvRvpnGui.exe (15 loads)
Adds Run key to start application (2 TTPs, 1 IoC)
  msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RadminVPN = "\"C:\\Program Files (x86)\\Radmin VPN\\RvRvpnGui.exe\" /minimized"
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  msiexec.exe: File opened (read-only) on every drive letter except C:, D: and F:, i.e. \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Drops file in System32 directory (25 IoCs)
  DrvInst.exe: File created C:\Windows\System32\DriverStore\drvstore.tmp
  DrvInst.exe: File opened for modification C:\Windows\System32\DriverStore\FileRepository\netmp60.inf_amd64_f32b93923791d26a\netmp60.inf
  DrvInst.exe: File opened for modification C:\Windows\System32\DriverStore\FileRepository\netmp60.inf_amd64_f32b93923791d26a\RvNetMP60.sys
  DrvInst.exe: File opened for modification C:\Windows\System32\DriverStore\FileRepository\netmp60.inf_amd64_f32b93923791d26a\NetMP60.cat
  DrvInst.exe: File opened for modification C:\Windows\System32\DriverStore\Temp\{af12844a-224d-8445-b597-0526b8b9bc1e}
  DrvInst.exe: File opened for modification C:\Windows\System32\DriverStore\Temp\{af12844a-224d-8445-b597-0526b8b9bc1e}\RvNetMP60.sys
  DrvInst.exe: File opened for modification C:\Windows\System32\DriverStore\Temp\{af12844a-224d-8445-b597-0526b8b9bc1e}\netmp60.inf
  DrvInst.exe: File opened for modification C:\Windows\System32\DriverStore\Temp\{af12844a-224d-8445-b597-0526b8b9bc1e}\NetMP60.cat
  DrvInst.exe: File created C:\Windows\System32\DriverStore\Temp\{af12844a-224d-8445-b597-0526b8b9bc1e}\SET283F.tmp
  DrvInst.exe: File opened for modification C:\Windows\System32\DriverStore\Temp\{af12844a-224d-8445-b597-0526b8b9bc1e}\SET283F.tmp
  DrvInst.exe: File created C:\Windows\System32\DriverStore\Temp\{af12844a-224d-8445-b597-0526b8b9bc1e}\SET285F.tmp
  DrvInst.exe: File opened for modification C:\Windows\System32\DriverStore\Temp\{af12844a-224d-8445-b597-0526b8b9bc1e}\SET285F.tmp
  DrvInst.exe: File created C:\Windows\System32\DriverStore\Temp\{af12844a-224d-8445-b597-0526b8b9bc1e}\SET2860.tmp
  DrvInst.exe: File opened for modification C:\Windows\System32\DriverStore\Temp\{af12844a-224d-8445-b597-0526b8b9bc1e}\SET2860.tmp
  DrvInst.exe: File opened for modification C:\Windows\System32\CatRoot2\dberr.txt
  MSI266B.tmp: File created C:\Windows\System32\DriverStore\FileRepository\netmp60.inf_amd64_f32b93923791d26a\netmp60.PNF
  MSI266B.tmp: File opened for modification C:\Windows\System32\RadminVpn_setupapi_20241205_080458493.log
  dxdiag.exe: File created C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF
  dxdiag.exe: File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF
  dxdiag.exe: File created C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF
  dxdiag.exe: File created C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF
  dxdiag.exe: File created C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF
  dxdiag.exe: File created C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF
  dxdiag.exe: File created C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF
  dxdiag.exe: File created C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF
Drops file in Program Files directory (64 IoCs)
All 64 entries are File created by msiexec.exe under C:\Program Files (x86)\Radmin VPN\:
  executables: RvRvpnGui.exe, RvGuiStarter.exe, RvFwHelper.exe, drvinst.exe
  Radmin DLLs: RvTCPConnect.dll, RvDownloader.dll, RvRolUpdater.dll, RvEnetConnect.dll
  other bundled DLLs: ChatLPCx.dll, WinLpcDl.dll, vcintcx.dll, voicex.dll, unicows.dll
  Qt runtime: Qt5Core.dll, Qt5Gui.dll, Qt5Widgets.dll, Qt5Svg.dll, Qt5WinExtras.dll
  C runtime: vcruntime140.dll, api-ms-win-core-datetime-l1-1-0.dll, api-ms-win-core-debug-l1-1-0.dll, api-ms-win-core-errorhandling-l1-1-0.dll, api-ms-win-core-file-l1-1-0.dll, api-ms-win-core-handle-l1-1-0.dll, api-ms-win-core-heap-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, api-ms-win-core-rtlsupport-l1-1-0.dll, api-ms-win-core-synch-l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-sysinfo-l1-1-0.dll, api-ms-win-core-util-l1-1-0.dll, api-ms-win-crt-environment-l1-1-0.dll, api-ms-win-crt-locale-l1-1-0.dll, api-ms-win-crt-time-l1-1-0.dll, api-ms-win-crt-utility-l1-1-0.dll
  driver packages: Driver.1.0\NetMP60.inf, Driver.1.1\NetMP60.inf
  GUI translations: RvRvpnGui_ar_SA.qm, RvRvpnGui_cs_CZ.qm, RvRvpnGui_da_DK.qm, RvRvpnGui_el_GR.qm, RvRvpnGui_he_IL.qm, RvRvpnGui_hu_HU.qm, RvRvpnGui_id_ID.qm, RvRvpnGui_lt_LT.qm, RvRvpnGui_nb_NO.qm, RvRvpnGui_pl_PL.qm, RvRvpnGui_th_TH.qm, RvRvpnGui_uk_UA.qm
  language packs: 1028.lng_rad, 1037.lng_rad, 1041.lng_rad, 1044.lng_rad, 1046.lng_rad, 1048.lng_rad, 1049.lng_rad, 1054.lng_rad, 1086.lng_rad, 2052.lng_rad, 3082.lng_rad
  other: amt.ini, CHATLOGS\info.txt, Radmin30.chm, eula.txt
Drops file in Windows directory (18 IoCs)
  msiexec.exe: File created C:\Windows\Installer\e59141b.msi
  msiexec.exe: File opened for modification C:\Windows\Installer\e59141b.msi
  msiexec.exe: File created C:\Windows\Installer\e59141f.msi
  msiexec.exe: File opened for modification C:\Windows\Installer\
  msiexec.exe: File created C:\Windows\Installer\{2CDA3179-67A1-410A-81A9-AB1A4FD89DF9}\ProductIcon
  msiexec.exe: File opened for modification C:\Windows\Installer\{2CDA3179-67A1-410A-81A9-AB1A4FD89DF9}\ProductIcon
  msiexec.exe: File created C:\Windows\Installer\SourceHash{2CDA3179-67A1-410A-81A9-AB1A4FD89DF9}
  msiexec.exe: File created C:\Windows\Installer\inprogressinstallinfo.ipi
  msiexec.exe: File opened for modification C:\Windows\Installer\MSI1EC9.tmp
  msiexec.exe: File opened for modification C:\Windows\Installer\MSI266B.tmp
  msiexec.exe: File opened for modification C:\Windows\Installer\MSI2CB5.tmp
  msiexec.exe: File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  DrvInst.exe: File created C:\Windows\inf\oem3.inf
  DrvInst.exe: File opened for modification C:\Windows\inf\oem3.inf
  DrvInst.exe: File opened for modification C:\Windows\INF\setupapi.dev.log (2 entries)
  MSI266B.tmp: File opened for modification C:\Windows\INF\setupapi.dev.log
  svchost.exe: File opened for modification C:\Windows\INF\setupapi.dev.log
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 21 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It loads every helper DLL registered under the NetSh key each time it starts, so the reads below occur on any netsh invocation (here the 32-bit netsh, hence the WOW6432Node path). The persistence technique this signature is named after is a new helper DLL being registered under that key; these rows show the key being read, not written.
  netsh.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (7 entries)
  netsh.exe: Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (7 entries)
  netsh.exe: Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (7 entries)
System Location Discovery: System Language Discovery (1 TTPs, 20 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 20 entries are Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process:
  testit.exe (1), Radmin_VPN_1.4.4642.1.exe (1), Radmin_VPN_1.4.4642.1.tmp (1), MsiExec.exe (2), RvControlSvc.exe (1), RvRvpnGui.exe (1), dxdiag.exe (1), cmd.exe (5), netsh.exe (7)
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run none of the 64 reads comes from testit.exe: they are made by DrvInst.exe, svchost.exe, dxdiag.exe and MSI266B.tmp (the binary msiexec.exe extracts to C:\Windows\Installer, see Drops file in Windows directory) while the network driver is installed. Note the QEMU vendor string on the third device instance, which is the kind of value a VM-aware sample would look for. Registry paths are case-insensitive; the raw log mixes cases, normalised below.
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  MSI266B.tmp: Key opened; Key value queried Phantom, HardwareID
  DrvInst.exe: Key opened (2 entries); Key opened Filters; Key value queried CompatibleIDs, Service, Phantom, HardwareID, UpperFilters, LowerFilters
  svchost.exe: Key opened; Key opened Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  MSI266B.tmp: Key opened; Key value queried CompatibleIDs, HardwareID, Phantom
  DrvInst.exe: Key opened; Key opened Filters; Key value queried Service, CompatibleIDs, HardwareID, Phantom, UpperFilters, LowerFilters
  svchost.exe: Key opened; Key opened Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
  DrvInst.exe: Key opened (2 entries); Key opened Filters; Key value queried Service, HardwareID, Phantom, UpperFilters, LowerFilters
  MSI266B.tmp: Key opened; Key value queried CompatibleIDs, HardwareID, ConfigFlags
  dxdiag.exe: Key opened; Key value queried CompatibleIDs, HardwareID
  svchost.exe: Key opened; Key value queried ConfigFlags
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000
  DrvInst.exe: Key opened (2 entries); Key opened Filters; Key value queried CompatibleIDs, HardwareID, Service, Phantom, UpperFilters, LowerFilters
  MSI266B.tmp: Key opened; Key value queried CompatibleIDs, HardwareID, ConfigFlags
  dxdiag.exe: Key opened; Key value queried CompatibleIDs, HardwareID
  svchost.exe: Key opened; Key opened Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009; Key value queried ConfigFlags
Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments. Every hit in this run is attributed to firefox.exe, which is neither the sample nor one of the executables listed under Executes dropped EXE.
  firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (3 entries)
  firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (3 entries)
  firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (2 entries)
  firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (2 entries)
  firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
  firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
Enumerates system info in registry (2 TTPs, 3 IoCs)
  msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Modifies data under HKEY_USERS (64 IoCs)
60 of the 64 entries are Key created under \REGISTRY\USER\.DEFAULT by the two driver-installation processes, DrvInst.exe and MSI266B.tmp: the per-profile certificate-store and WinTrust keys that CryptoAPI creates when a LocalSystem process first opens the user certificate stores, consistent with the driver package's signature being checked (DrvInst.exe also touches NetMP60.cat and CatRoot2\dberr.txt under Drops file in System32 directory). The remaining four are MuiCache housekeeping.
  MSI266B.tmp: Key created under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ (18 entries): Root, Root\Certificates, CA, CA\Certificates, CA\CRLs, CA\CTLs, trust, trust\Certificates, trust\CTLs, Disallowed\Certificates, Disallowed\CRLs, TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs, SmartCardRoot, SmartCardRoot\Certificates, SmartCardRoot\CRLs
  MSI266B.tmp: Key created under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\ (12 entries): CA, CA\Certificates, CA\CRLs, CA\CTLs, trust, trust\Certificates, trust\CTLs, Disallowed\Certificates, Disallowed\CRLs, TrustedPeople, TrustedPeople\CRLs, TrustedPeople\CTLs
  DrvInst.exe: Key created under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ (16 entries): Root, Root\Certificates, CA, CA\Certificates, CA\CRLs, trust, trust\Certificates, trust\CRLs, Disallowed, Disallowed\CTLs, TrustedPeople\Certificates, TrustedPeople\CRLs, SmartCardRoot, SmartCardRoot\Certificates, SmartCardRoot\CRLs, SmartCardRoot\CTLs
  DrvInst.exe: Key created under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\ (13 entries): CA, CA\Certificates, CA\CRLs, CA\CTLs, trust, trust\Certificates, trust\CTLs, Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs, TrustedPeople\Certificates, TrustedPeople\CRLs
  DrvInst.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  msiexec.exe: Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E
  msiexec.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27
  RvControlSvc.exe: Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall"
  svchost.exe: Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"
Modifies registry class 62 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9713ADC21A76A014189ABAA1F48DD99F\f_exe | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\AdvertiseFlags = "388" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\SourceList\Media\1 = ";" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\is-6C3LR.tmp\\" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9713ADC21A76A014189ABAA1F48DD99F | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\SourceList\Media | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\is-6C3LR.tmp\\" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{FE5A1463-4AF5-46D8-9570-26F468707DF8} | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\SourceList | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9713ADC21A76A014189ABAA1F48DD99F\f_viewer | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\Language = "1033" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DC8202FE7C90E71498671B8FE6BB092E | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\PackageCode = "17C5BD852BFC91540874754C6DF8C806" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\SourceList\PackageName = "RadminVPN_1.4.4642.1.msi" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove | dxdiag.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\InstanceType = "0" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DC8202FE7C90E71498671B8FE6BB092E\9713ADC21A76A014189ABAA1F48DD99F | msiexec.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\Clients = 3a0000000000 | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\Assignment = "1" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\DeploymentFlags = "3" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer | dxdiag.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\Version = "17044002" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\SourceList\Net | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" | dxdiag.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | firefox.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{4DB36D8A-118B-43F9-A5BF-C72A2D0352EF} | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\ProductName = "Radmin VPN 1.4.1" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\ProductIcon = "C:\\Windows\\Installer\\{2CDA3179-67A1-410A-81A9-AB1A4FD89DF9}\\ProductIcon" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9713ADC21A76A014189ABAA1F48DD99F\f_radmin | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\AuthorizedLUAApp = "0" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | dxdiag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | dxdiag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" | dxdiag.exe |
NTFS ADS 1 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 429674.crdownload:SmartScreen | msedge.exe |
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 6052 RvRvpnGui.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 1432 msedge.exe 1432 msedge.exe 3164 msedge.exe 3164 msedge.exe 2976 identity_helper.exe 2976 identity_helper.exe 3528 msedge.exe 3528 msedge.exe 1916 Radmin_VPN_1.4.4642.1.tmp 1916 Radmin_VPN_1.4.4642.1.tmp 2500 msiexec.exe 2500 msiexec.exe 5808 RvControlSvc.exe 5808 RvControlSvc.exe 5124 dxdiag.exe 5124 dxdiag.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 6052 RvRvpnGui.exe 4856 testit.exe -
Suspicious behavior: LoadsDriver 19 IoCs
pid Process 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
pid Process 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 1784 | firefox.exe |
| Token: SeDebugPrivilege | 1784 | firefox.exe |
| Token: SeShutdownPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeIncreaseQuotaPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeSecurityPrivilege | 2500 | msiexec.exe |
| Token: SeCreateTokenPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeAssignPrimaryTokenPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeLockMemoryPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeIncreaseQuotaPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeMachineAccountPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeTcbPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeSecurityPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeTakeOwnershipPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeLoadDriverPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeSystemProfilePrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeSystemtimePrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeProfSingleProcessPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeIncBasePriorityPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeCreatePagefilePrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeCreatePermanentPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeBackupPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeRestorePrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeShutdownPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeDebugPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeAuditPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeSystemEnvironmentPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeChangeNotifyPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeRemoteShutdownPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeUndockPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeSyncAgentPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeEnableDelegationPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeManageVolumePrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeImpersonatePrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeCreateGlobalPrivilege | 1916 | Radmin_VPN_1.4.4642.1.tmp |
| Token: SeRestorePrivilege | 2500 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2500 | msiexec.exe |
| Token: SeRestorePrivilege | 2500 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2500 | msiexec.exe |
| Token: SeRestorePrivilege | 2500 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2500 | msiexec.exe |
| Token: SeAuditPrivilege | 2072 | svchost.exe |
| Token: SeSecurityPrivilege | 2072 | svchost.exe |
| Token: SeLoadDriverPrivilege | 1504 | MSI266B.tmp |
| Token: SeRestorePrivilege | 4980 | DrvInst.exe |
| Token: SeBackupPrivilege | 4980 | DrvInst.exe |
| Token: SeLoadDriverPrivilege | 4980 | DrvInst.exe |
| Token: SeLoadDriverPrivilege | 4980 | DrvInst.exe |
| Token: SeLoadDriverPrivilege | 4980 | DrvInst.exe |
| Token: SeRestorePrivilege | 2500 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2500 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 5808 | RvControlSvc.exe |
| Token: SeIncBasePriorityPrivilege | 5808 | RvControlSvc.exe |
| Token: SeRestorePrivilege | 2500 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2500 | msiexec.exe |
| Token: SeRestorePrivilege | 2500 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2500 | msiexec.exe |
| Token: SeRestorePrivilege | 2500 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2500 | msiexec.exe |
| Token: SeRestorePrivilege | 2500 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2500 | msiexec.exe |
| Token: SeRestorePrivilege | 2500 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2500 | msiexec.exe |
| Token: SeRestorePrivilege | 2500 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2500 | msiexec.exe |
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4856 testit.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4856 testit.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 1784 firefox.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 6052 RvRvpnGui.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1784 firefox.exe 6052 RvRvpnGui.exe 6052 RvRvpnGui.exe 5124 dxdiag.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 344 wrote to memory of 1784 344 firefox.exe 85 PID 344 wrote to memory of 1784 344 firefox.exe 85 PID 344 wrote to memory of 1784 344 firefox.exe 85 PID 344 wrote to memory of 1784 344 firefox.exe 85 PID 344 wrote to memory of 1784 344 firefox.exe 85 PID 344 wrote to memory of 1784 344 firefox.exe 85 PID 344 wrote to memory of 1784 344 firefox.exe 85 PID 344 wrote to memory of 1784 344 firefox.exe 85 PID 344 wrote to memory of 1784 344 firefox.exe 85 PID 344 wrote to memory of 1784 344 firefox.exe 85 PID 344 wrote to memory of 1784 344 firefox.exe 85 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to 
memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 1952 1784 firefox.exe 86 PID 1784 wrote to memory of 3008 1784 firefox.exe 87 PID 1784 wrote to memory of 3008 1784 firefox.exe 87 PID 1784 wrote to memory of 3008 1784 firefox.exe 87 PID 1784 wrote to memory of 3008 1784 firefox.exe 87 PID 1784 wrote to memory of 3008 1784 firefox.exe 87 PID 1784 wrote to memory of 3008 1784 firefox.exe 87 PID 1784 wrote to memory of 3008 1784 firefox.exe 87 PID 1784 wrote to memory of 3008 1784 firefox.exe 87 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\testit.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\testit.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4856

  C:\Windows\SysWOW64\dxdiag.exe
  Command line: "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 5124

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
- Suspicious use of WriteProcessMemory
PID: 344

  C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1784

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05e1fa1d-7453-4c5b-b82c-bcc0818415a6} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" gpu
    PID: 1952

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3eaa0297-0b6f-4f9a-b6fc-f098655dcd8f} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" socket
    - Checks processor information in registry
    PID: 3008

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2864 -childID 1 -isForBrowser -prefsHandle 2856 -prefMapHandle 2860 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54f1c148-71a3-4350-8482-2b64c76f69be} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" tab
    PID: 5036

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -childID 2 -isForBrowser -prefsHandle 4076 -prefMapHandle 4072 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96c1a0bd-b8f0-4aee-ad84-437576f1316c} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" tab
    PID: 3700

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4804 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4992 -prefMapHandle 4692 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b04005ba-fdb0-45d0-92c1-6d52ce39befd} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" utility
    - Checks processor information in registry
    PID: 3740

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5360 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {507512e9-4feb-4a8c-8cdc-e3bec51e8014} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" tab
    PID: 4660

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1516 -childID 4 -isForBrowser -prefsHandle 5644 -prefMapHandle 5548 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f38fbf5-bb36-4bf7-b4bb-32c63282ce0c} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" tab
    PID: 4088

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2752 -childID 5 -isForBrowser -prefsHandle 5556 -prefMapHandle 2820 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {794b9df2-ead6-4c31-a2b7-58df19887c06} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" tab
    PID: 2384

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6136 -childID 6 -isForBrowser -prefsHandle 6068 -prefMapHandle 6060 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9db86d93-1503-4102-a880-453e759247eb} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" tab
    PID: 3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3164

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff901ff46f8,0x7ff901ff4708,0x7ff901ff4718
  PID: 1544

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  PID: 4552

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID: 1432

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  PID: 2964

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  PID: 4408

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  PID: 1508

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  PID: 420

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  PID: 2532

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  PID: 1564

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  PID: 4052

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  PID: 3352

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
  PID: 4420

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 2976

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  PID: 3528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:12⤵PID:3064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:12⤵PID:1116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5436 /prefetch:82⤵PID:1496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:12⤵PID:1844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6276 /prefetch:82⤵PID:568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6436 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3528
-
-
C:\Users\Admin\Downloads\Radmin_VPN_1.4.4642.1.exe"C:\Users\Admin\Downloads\Radmin_VPN_1.4.4642.1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3840 -
C:\Users\Admin\AppData\Local\Temp\is-BNKGK.tmp\Radmin_VPN_1.4.4642.1.tmp"C:\Users\Admin\AppData\Local\Temp\is-BNKGK.tmp\Radmin_VPN_1.4.4642.1.tmp" /SL5="$90220,21145108,189952,C:\Users\Admin\Downloads\Radmin_VPN_1.4.4642.1.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=244 /prefetch:12⤵PID:4660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:12⤵PID:3720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:12⤵PID:1064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,107587314809498862,4578581162249901102,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:12⤵PID:4172
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2956
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2164
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding AF8EC9CD94CC81B7EA8AB0068D8209B62⤵
- System Location Discovery: System Language Discovery
PID:3672
-
-
C:\Windows\Installer\MSI266B.tmp"C:\Windows\Installer\MSI266B.tmp" install "C:\Program Files (x86)\Radmin VPN\Driver.1.1\NetMP60.inf" "C:\Program Files (x86)\Radmin VPN\Driver.1.0\NetMP60.inf" ad_InstallDriver_64 ""2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 85A4D45C701A289D12FB684A48662C1D E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5484 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Radmin VPN Control Service" dir=in action=allow program="C:\Program Files (x86)\Radmin VPN\RvControlSvc.exe" enable=yes profile=any edge=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5556
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Radmin VPN icmpv4" action=allow enable=yes dir=in profile=any remoteip=26.0.0.0/8 protocol=icmpv43⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5696
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2072 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "1" "c:\program files (x86)\radmin vpn\driver.1.1\netmp60.inf" "9" "42f731a47" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\program files (x86)\radmin vpn\driver.1.1"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1196
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:c36c271bc64eefc9:RVpnNetMP.ndi:15.39.54.8:{b06d84d1-af78-41ec-a5b9-3cce676528b2}\rvnetmp60," "42f731a47" "000000000000014C"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
-
C:\Program Files (x86)\Radmin VPN\RvControlSvc.exe"C:\Program Files (x86)\Radmin VPN\RvControlSvc.exe" /service1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\system32\netsh.exe interface ipv4 set interface interface="Radmin VPN" metric=12⤵
- System Location Discovery: System Language Discovery
PID:4764 -
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe interface ipv4 set interface interface="Radmin VPN" metric=13⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3028
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\system32\netsh.exe interface ip delete route prefix=0.0.0.0/0 interface="Radmin VPN" nexthop=26.0.0.12⤵
- System Location Discovery: System Language Discovery
PID:5664 -
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe interface ip delete route prefix=0.0.0.0/0 interface="Radmin VPN" nexthop=26.0.0.13⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5572
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\system32\netsh.exe interface ip add route prefix=0.0.0.0/0 interface="Radmin VPN" nexthop=26.0.0.1 publish=Yes metric=92562⤵
- System Location Discovery: System Language Discovery
PID:5716 -
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe interface ip add route prefix=0.0.0.0/0 interface="Radmin VPN" nexthop=26.0.0.1 publish=Yes metric=92563⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5704
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\system32\netsh.exe interface ip add address name="Radmin VPN" addr=26.127.113.186 mask=255.0.0.0 gateway=26.0.0.1 gwmetric=92562⤵
- System Location Discovery: System Language Discovery
PID:5864 -
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe interface ip add address name="Radmin VPN" addr=26.127.113.186 mask=255.0.0.0 gateway=26.0.0.1 gwmetric=92563⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5796
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\system32\netsh.exe interface ipv6 add address interface="Radmin VPN" address=fdfd::1a7f:71ba2⤵
- System Location Discovery: System Language Discovery
PID:6024 -
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe interface ipv6 add address interface="Radmin VPN" address=fdfd::1a7f:71ba3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:6044
-
-
-
C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe"C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe" /show1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6052
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵
- Modifies data under HKEY_USERS
PID:5632
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc1⤵
- Modifies security service
PID:5488
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4832
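The netsh invocations in the tree are the detection-relevant part of this run: the MSI custom action (MsiExec.exe, PID 5484) adds two inbound allow rules, one for RvControlSvc.exe with edge traversal enabled and one for ICMPv4 from 26.0.0.0/8, and RvControlSvc.exe then drives cmd.exe/netsh.exe to assign 26.127.113.186 and fdfd::1a7f:71ba to the "Radmin VPN" adapter, set its interface metric to 1 and replace the 0.0.0.0/0 route via 26.0.0.1 (route metric 9256). The cmd.exe and netsh.exe children of the 32-bit RvControlSvc.exe carry C:\Windows\system32 paths in their command lines but run from SysWOW64 because of WoW64 file-system redirection, so a detection should match on the image basename, not the directory. The following is an added example, not part of the sandbox output or of Radmin VPN: it parses netsh command lines as they appear in process-creation telemetry (the image, parent and command-line fields of Sysmon Event ID 1 or Security event 4688) and flags inbound allow rules, default-route injection and interface address or metric changes. The sample events are constructed from the command lines and PIDs shown above; the two benign controls at the end are made up.

```python
"""Flag netsh-driven firewall and routing changes in process-creation telemetry.

Added example for this report (not sandbox output). Each event is a tuple
(pid, parent image, image, command line), the fields a Sysmon Event ID 1 or
Windows 4688 record carries. SAMPLE_EVENTS is constructed from the process
tree above; the last two entries are made-up benign controls.
"""
import re
from dataclasses import dataclass

# key=value arguments as netsh writes them: quoted ("Radmin VPN") or bare (dir=in)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
DEFAULT_PREFIXES = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str    # short detection name
    detail: str  # what was observed, for the analyst


def is_netsh(image: str) -> bool:
    """True when the created process image is netsh.exe, whatever its directory."""
    return image.lower().replace("/", "\\").rsplit("\\", 1)[-1] == "netsh.exe"


def parse_netsh(cmdline: str):
    """Split a netsh command line into (context, kv).

    context is the lower-cased positional part with the leading netsh binary
    (bare 'netsh' or a full path) removed, e.g. 'advfirewall firewall add rule'
    or 'interface ip add route'; kv maps lower-cased keys to unquoted values.
    """
    first = KV_RE.search(cmdline)
    head = cmdline[: first.start()] if first else cmdline
    words = head.lower().split()
    if words and (words[0] == "netsh" or words[0].endswith("netsh.exe")):
        words = words[1:]
    kv = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
          for m in KV_RE.finditer(cmdline)}
    return " ".join(words), kv


def analyze(event):
    """Return the Findings for one process-creation event (empty for non-netsh)."""
    pid, _parent, image, cmdline = event
    if not is_netsh(image):
        return []
    ctx, kv = parse_netsh(cmdline)
    findings = []

    # T1562.004: a new inbound allow rule, per program or per protocol/remote range
    if (ctx == "advfirewall firewall add rule"
            and kv.get("action", "").lower() == "allow"
            and kv.get("dir", "").lower() == "in"):
        target = kv.get("program") or "protocol=%s remoteip=%s" % (
            kv.get("protocol", "any"), kv.get("remoteip", "any"))
        edge = " (edge traversal enabled)" if kv.get("edge", "").lower() == "yes" else ""
        findings.append(Finding(pid, "firewall_inbound_allow",
                                'rule "%s" allows inbound to %s%s' % (kv.get("name", "?"), target, edge)))

    # A default route pointed at a new interface can steer all traffic through it
    if re.fullmatch(r"interface (ip|ipv4|ipv6) add route", ctx) and kv.get("prefix") in DEFAULT_PREFIXES:
        findings.append(Finding(pid, "default_route_added",
                                'default route via %s on "%s" metric=%s' % (
                                    kv.get("nexthop", "?"), kv.get("interface", "?"), kv.get("metric", "default"))))

    # Address assignment and metric changes give the route finding its context
    if re.fullmatch(r"interface (ip|ipv4|ipv6) add address", ctx):
        addr = kv.get("addr") or kv.get("address", "?")
        iface = kv.get("name") or kv.get("interface", "?")
        findings.append(Finding(pid, "interface_address_added", '%s on "%s"' % (addr, iface)))
    if re.fullmatch(r"interface (ip|ipv4|ipv6) set interface", ctx) and "metric" in kv:
        findings.append(Finding(pid, "interface_metric_changed",
                                '"%s" metric=%s' % (kv.get("interface", "?"), kv["metric"])))
    return findings


def scan(events):
    """Run analyze() over a sequence of events and collect every Finding."""
    return [f for ev in events for f in analyze(ev)]


# Constructed telemetry; PIDs and command lines follow the process tree above.
SAMPLE_EVENTS = [
    (5556, r"C:\Windows\syswow64\MsiExec.exe", r"C:\Windows\SysWOW64\netsh.exe",
     'netsh advfirewall firewall add rule name="Radmin VPN Control Service" dir=in action=allow '
     r'program="C:\Program Files (x86)\Radmin VPN\RvControlSvc.exe" enable=yes profile=any edge=yes'),
    (5696, r"C:\Windows\syswow64\MsiExec.exe", r"C:\Windows\SysWOW64\netsh.exe",
     'netsh advfirewall firewall add rule name="Radmin VPN icmpv4" action=allow enable=yes dir=in '
     'profile=any remoteip=26.0.0.0/8 protocol=icmpv4'),
    (3028, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\netsh.exe",
     r'C:\Windows\system32\netsh.exe interface ipv4 set interface interface="Radmin VPN" metric=1'),
    (5704, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\netsh.exe",
     r'C:\Windows\system32\netsh.exe interface ip add route prefix=0.0.0.0/0 interface="Radmin VPN" '
     'nexthop=26.0.0.1 publish=Yes metric=9256'),
    (5796, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\netsh.exe",
     r'C:\Windows\system32\netsh.exe interface ip add address name="Radmin VPN" addr=26.127.113.186 '
     'mask=255.0.0.0 gateway=26.0.0.1 gwmetric=9256'),
    (6044, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\netsh.exe",
     r'C:\Windows\system32\netsh.exe interface ipv6 add address interface="Radmin VPN" address=fdfd::1a7f:71ba'),
    # Made-up benign controls: a read-only netsh query and a non-netsh process
    (9001, r"C:\Windows\explorer.exe", r"C:\Windows\System32\netsh.exe", "netsh interface show interface"),
    (9002, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print("PID %-5d %-26s %s" % (f.pid, f.rule, f.detail))
```

Netsh process creation on its own is too noisy to alert on; the value is in the parsed arguments (inbound allow, a 0.0.0.0/0 prefix, a remote range such as 26.0.0.0/8) joined with the parent chain, which here is MsiExec.exe and a freshly installed service rather than an administrator's shell.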
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution, T1547 (1)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
- Create or Modify System Process, T1543 (2)
  - Windows Service, T1543.003 (2)
- Event Triggered Execution, T1546 (1)
  - Netsh Helper DLL, T1546.007 (1)
Privilege Escalation
- Boot or Logon Autostart Execution, T1547 (1)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
- Create or Modify System Process, T1543 (2)
  - Windows Service, T1543.003 (2)
- Event Triggered Execution, T1546 (1)
  - Netsh Helper DLL, T1546.007 (1)
Defense Evasion
- Impair Defenses, T1562 (1)
  - Disable or Modify System Firewall, T1562.004 (1)
- Modify Registry, T1112 (2)
Downloads
-
Filesize
921KB
MD5d4879decd56b964f4722860126176fbb
SHA13355523f1772f32b2036007233abf2ebe4fb0945
SHA2568ca66d6fd3da3cbc55863515e308250628a417856d44e7fc038a6cfbb2b9df43
SHA512d1134177b39b1d06f47139d28b3284c197d5a8168ae4c2d87388bc97558b3c12ab90f5895b11326c20c94844afcf928ee92fe5f6f8438a3e57c9a6c7d5fe3721
-
Filesize
5KB
MD579e0ccabcf7d9d6077deeb2c1acbc926
SHA14577c7377043569adc29804d0b7585b63f4252ca
SHA256ef6769520c94a3b5885458cd19696b45cf79010e9757729b2049ba6782fecfd7
SHA5122d4343e011f1557acbda0fdb096dc106c4345aed8fc220f4d496d72052441331d1568e0974fc4df72e9ce6f1a6aaaa727c66e0b70be91457bf80e4e9e5e45844
-
Filesize
5.8MB
MD584f0b48079bbdcbdaac889074e90cef6
SHA113be727af609a5aad66144c8f3771ceee1223e27
SHA25636a668c0bc57a86bbdb2ae183110cbacff479eac02e62b405abb7b4da67630c4
SHA51240b60f1716a2cb21b822830208e4951c7edcd902593544b08cda662eb9e2b72d732675051c5f00e9e3e7de4bf681f767d2e8222a4ce587267fb831ee7fd7a048
-
Filesize
6.3MB
MD5b2d36d9e7aeb6fe317deaaf7cc4a34ed
SHA17eb1cdcf9a59a348064c2f41eedfd73bc00e7724
SHA25663c05cfdd2ee44057e619d1a9acead538e867cbee55873529d01686d1ec678a6
SHA5125bdedc810d891158e3d7b35c402a29d6eb0523fcd75465f0ccd620ddfdb21871f41795535cea6b999cf3de6a2994603be0d02db9258b2afea07bda4e658b4178
-
Filesize
1.1MB
MD5d52831bba5f65db7a1dd310c65c63ca1
SHA132ea3c1ec75c919ea587ae69d172345bb78b3aa0
SHA2565ffbf8fd312922fc7aab26654f0da5d41cde2734c5321f8f4bcfd596c2660825
SHA512796e9be75a43167bef2d8a8f5539a59a97c30ca5c2392309a3e447a1eb5369a623a3979bd214c2d210664587b289ecc31c7e92a8b14faf264d5c81f70743aa60
-
Filesize
1.1MB
MD53d1b360c5a73c72cbdeac1ada8813c38
SHA106d0cb4c0a15a2a62df9f15e4c4dc016c1350517
SHA2567e9b855c9bd2932e94a21635a58c572c4c7c2b0d2ce44dc2200b299290ea281a
SHA512f57adad8bfe7784c5d5bcc82156582d7ff479b4acccd04b6b7658960aab3989651f9fc2b144f468d778272670f263adc6df95fbcfb8716242f19371eb3017ddd
-
Filesize
374KB
MD5dbd19ec366fdc6cb44a6b879d5b0b25e
SHA17eef3bef49d5c49baba2b38d2f6751fe3f78d194
SHA2562b6e0e7ab342da05460986fa161c5ec60803235852c1277599064459395e30fc
SHA5127f93fb753c8bf803f21b95dae4754b3edb967428918567da6825b7a4f68b3a4950d9442f4f666643b3d37fda32a6b4a05e8069d79fc49756fd9b9fdd3b83d34b
-
Filesize
439KB
MD55dc885ab290f62810981f54861382c10
SHA1a39867ff6efe6d5ac90f8573f61c24189c14b6e0
SHA25602829cb94bae4385e197be5dd2a932a2477f9239bb0d89dc117020d1e09d2f46
SHA512f61ec585e2eaaa350afaf35eee04d258d3fdfeecf367378f3e5c6595dfb8e515a0184ab50c40979b9afd35b88567d991989074bb376eff9ea42522b0c67b216c
-
Filesize
1.4MB
MD51f4369227916423f70da0112077cc180
SHA1fb4ae9f45a31346121b138b545bdc05412c6fa5e
SHA2565af3ab5bcd4d0edcd3294a2dc816f2669ddd08bbfc565c51ddaf3a276c38c6e9
SHA51245bcd06ab4ac0bf86af3377d07cba6110b00ed912b377b2e2f04079bbc0a7d6ecdac511d76bcc33878543b053f294e1c98ebb60a65692ea901b5cc829f735e04
-
Filesize
505KB
MD58ea6a38a4d7b4e51f1ab046658135c4e
SHA17f06702a94d3073a975d31c4627639f7f046ba7c
SHA256c77034de1ffebac41a6f299a07ee19b7324e20cb7270ed0351d339efcbce4992
SHA5120bcfa7d4c50e9baa00275ce7a9c9c1d4142686b1c332e486f50503cc6b47b847e04848aa06f54afe0f910f20044b9b7b3b569739de8399510b20b70a3e274082
-
Filesize
2.0MB
MD58dfb8feccc75f737363de85f66e753a6
SHA17265f3dc35904256e1f33f8cc3bab085e7bb4eb2
SHA256716a11cdc1b12827ee18027caa947f813cb3550412b5dcaae427be3bbcc0221f
SHA5120bc0ff8c7a95ca26320c3161116d1bdd868eb36b6eea254f08718a4be1961ffa386c9d6ee4dfbcda434130d7139ce230c7b7c620361169e5e5c4b8a74875015c
-
Filesize
444KB
MD51686fc54af6d8e1297fe811c8a12c193
SHA17646435404c3766fc2e895799b7cf3ff8a202f4a
SHA25622470f4001c91b695826db8b89fa470b3a211344c4c43e3c45aac371c6f4bd94
SHA51233d68b3f22f32fce2c743f61799dd58b4a177d18a031e2bf8196821f6d5bb0c5c09178775eab0dc9136d4c2e677ce09603b2ea76f2929633e1d463261a8da1f6
-
Filesize
731KB
MD5734a2822348ab0a4e249f2b065847077
SHA1002c8dfc2e63ab51dbba1c6cebd18b2d025912bc
SHA256c2c024be677b875bf9f88dae7135ba92614e983d28c2dac513d09061400e661f
SHA51270f5cccbb7236a0a845487324bbe6f9cf3ef635389f96ed54e5b678917bd90b53a610621c8eb9980d8f596b8769c3779984eaa08bf4671d01a465ec2cc3aced9
-
Filesize
376KB
MD51cc25786d6c26010f5552d9a3f4db024
SHA1c4d07fb9608c2c594efa79dfed75d32d39e8bb2a
SHA256042a6c071a8b4d6230ea0b5c292aa2f6ca926e81f7a834c0a8e974d07f5c484f
SHA512fd4f18bd9d35ac2a6dea88bfe38b4b4144b40dd67214ebf2c6695b5123d2d10af4420eaf553042cd3983d7f21d15fd216c0b2639c207b53960998b719996a69d
-
Filesize
726KB
MD537146d9781bdd07f09849ce762ce3217
SHA1a0b1d8943aecf9a35b330e5f3c3d63bea9b2ceac
SHA256d89daf6bcd5cafa3c7f6173f835ccf045baf8e7134f868819db6fd7615959ac4
SHA51298973fd690cb43a6c88b6d53808ec998a9b627759c316e84621e6527d1ad1734d7cbc9d9f5ebf422a639c1946fffd284306a505eb4395abdec8aee32257ff609
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_E8A1D4619D52FB86B679531C48D42087
Filesize727B
MD5eea5a4dfb0082008a00e19af0675a56a
SHA163aa90d2392891e5ec77eb8394df0760201b00b1
SHA256dac11d282aad6bca0c33b3adbb219df9627c88524e94e22e284780477629544d
SHA512f3b236dd389352152c4e5a4d6ae2f2ecb6fc2b47964c3d0bba8e73c63447bb3d742b4b512a0ff908185425a6f3e93f17174d640fb4157b02646ba5405fbd33ba
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD54165b81b68ffb0444ef0ce862027e86b
SHA1e2eca2a98ad765c2bd329e311d071e03e6853701
SHA2565bc6098b57cb923ba66f448cd3651d42159aebf038bfa6b1d383701bf16029ed
SHA5122860e27fc5edd449aca2853971bf675f7645b92902df767d2d707cf96841772685cf307cc710649d5eed4e233bce9030f187614fed4d5cf67046d3dbb124463d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_E8A1D4619D52FB86B679531C48D42087
Filesize416B
MD52180607b0a50abf73a139c5b9091877b
SHA19dd0dd9202e77ad0e5ffa6f825842506b32c6048
SHA256a3a062885041e50a5f511310173843932c5514f53cee6d20651c004f71ef970f
SHA512aabab6cb07b6dd79a4d02d40565fecb439c1eca2e3506c7a4cf0bd7a8a896508b4ebb8545bd80ee4456cd0023cab240f0db3ed73004197a48f50d5e95f63076a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD59d1b9cb89aa96055aff3ec2781f0c3f1
SHA152a1a3cf872057f5e94fa218d296a98e2abb678f
SHA2560cf57ec607c54e1ed674bcff44f96349bd75bf79b2ef84f216e4917ad815243f
SHA51273987ef10a790ac4c51203ddf277ef499a74bbeaacde9e88f736b8f336dd8fb3b397e35fc5ee0064fd7b2ad8f0298a467cde829210b773d8c3c53de21d458e46
-
Filesize
152B
MD536988ca14952e1848e81a959880ea217
SHA1a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173
-
Filesize
152B
MD5fab8d8d865e33fe195732aa7dcb91c30
SHA12637e832f38acc70af3e511f5eba80fbd7461f2c
SHA2561b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA51239a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5f35bd1c705455448631a50a8e91603dd
SHA190be158dea16e7fb664ca9e89a870f322c68c888
SHA256ce896b314065631e75a02cabedf1efa9f36d48e688c362c3312b9588cecab199
SHA512a18bf5cc71273f48aced0af23dbb007a2fe40b0b6e766f79e5229df3b08aa3d10a9eb032c1f5bb98c957546c071896daad80f60341ef740c7eebf7c56c19eb3a
-
Filesize
1KB
MD57074a69bd0857f65352b3217d624e0e1
SHA1fb8cb57f6883dbf38c2d9b2f1f0bcb51824292bc
SHA2560c43b106895a1168f938971ab8d4f3c13edaab85b1cb4f80f357a35f64f02e51
SHA5125e649b38c4ef84c93dbc478589b61f254ec3620cf1cb02b034e1dc07b417461cbd7f88b0911029bfb9ac2b66b4ab1c5efbb5583f8a567c092be7e4fda56b902d
-
Filesize
1KB
MD5abf062050f49e6c13a8b3ffb056d6653
SHA11b92ae8b7b20558d0a1c3735ee0ed676d6a9e353
SHA256f5930c83921d298dce3d148ac6b157f2bdb5a9fb20c78f554f419db1f49a2819
SHA512495c36ada2a3e57f02829d59d46ba87ad6fb40f9bec9e42240c05b588de347ba87f1deba9e4a6ce4c31ff8259496edaa2e7f2cd07b50132b91171a44a43561b6
-
Filesize
7KB
MD58e214f0a51d1c66f41fcdf26658d0982
SHA14aa636eb970b5883f6a553e6151fb2d7613d8585
SHA256bc404831c6911b4de9f52160d36a7c340c36f592428e9dc6587a34fc9cc1b922
SHA5122f42a1b9af0c7206a017f32925d99be5708634d8d08cb14a50658a16cf566c7a294084fb0ccfd9375442c2ab8f8ba08b6980c18a9854732e77d57277da2d46d5
-
Filesize
5KB
MD5889114b25b6a787e3ca85c9ce788d127
SHA14856c743309f9ecf4b9bb2aba32af0cde142e6fe
SHA256ffaed45f5e548b04ee8ce55edd1071bc6fc586b539f75e1a5c4b6e247d98cda6
SHA5126d66b993919920e060d69c26b702b8e66aa70af6ea948299396ba629fb94d2813c3867de4c9fb87fa846f874429df7314d53667ea65bba930871ec7bea6e9ff6
-
Filesize
6KB
MD584ea3998a1aaff51b306b78c9a11aa1b
SHA16bfb8fd7ffa49076145281e1bc9509f1b18c542a
SHA2565dda2b4e4abd29b3342853f653c7b0013b30302c62ce8cf5d34681928b5af997
SHA512b4371a942171a3d6fdd1154421f80ff041ffb6f0555be6745ca160d27d5c241ca0a96f25c75b9cd273a80ca3aa9d5ac633af5c550854f39ca8e54d80b10c9f36
-
Filesize
7KB
MD5e72bfc21be5f8d4e0972819b0666eb0f
SHA1edfab92a71a5396c19f89691e15d1bde9373c0e9
SHA256e716fe91c5e58e3571041d44ed77850c5b2ad9999ae34244a5f77021cf739cce
SHA512776ebca12ceb7b114b9728e4a66e59ba7c01cd90459cc7f8b855b50c8fe9f743ce227dd43d71b8629b1c4bc8dc22b4c4dec79bc62950ae66f830b972807b3ed0
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5e9938d465ed5e9a72f089811ec4b7b66
SHA17706e69c9955cb7ce38c5e873dab6ed76c330db0
SHA256a234166d56946b0d99e96d25cdf5fa7b0cddfe8fe001cfc312a931fe99d377df
SHA512febc73d9c31b0acef23b84b8ae6c4c531407e5f14f39360dfb97528b54fc7950c50d49dca57bf454767e2bc64df60e976878c4b80893b1678dacac2d819128d3
-
Filesize
10KB
MD5363c6fd7ebb580a2f5f5a3f37e7541bc
SHA1577ef105a02a8964f5de7ef91ca6b7aec3f3e41e
SHA256dd86dd764fa34f0f68add04b333aaca1dc75607d52eb941d7babb3bb49893b0a
SHA512a2a4ca7e2b99d5ebc0d85c9f0626caad929baeed953103466313259b0ba8b466e19e85e40a51fa66e80660b303c5ebed87adf78e70fceae62809b2fcd0810099
-
Filesize
11KB
MD5150cb4040f84a1be89d0085f2bef6955
SHA1b250e1335af12db2abd1a44389a1d2bac6385158
SHA256a3517cd8c2d15d5f1bd31aaf26b2aad2868af3b8eecc59233d6707b63892677c
SHA5124ae07129269c7bea553b701a7217a997defc0ae01829a5391f9ce5249b738b6771de10e0ca5baaf9ab1892f7b1b537a0e3aae3c47569d1a0d4132c7b4fcc58e9
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json
Filesize25KB
MD5eb28237c54f60f05340a5ba1bc611621
SHA145aa645ac6c64b20066e24af74117d80972d0bf5
SHA256497be32676333275a9d0b7f6980902627d730cfb358a88468efd69db3acf6178
SHA51262edf9028c407d1a6cf77a6a2f3af84d531aa126615318ebc320ae137aafd0c49bf77da7dce6c74ad0773101918cb89b7dae9735773cf769f9190eaab5cd9d2e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\C500E8C3949C9252B3999969CAB31B7432CC6DA1
Filesize224KB
MD5efcdf37e3a9143ee8a99f3e923b31cac
SHA1c69b6c527d913a64d5edbb0494d77c804919c12f
SHA256211dea817d0aab767ef2596d822eb1f1f33f3aad3e8a9333373cde62ea1c719a
SHA5129ff1e42361521f229f488f2169e03386a9b47ba1d761b1a09fd8b6ee23adcefd39edf8a2a73b553e65d744efa686d0cf17b74aa8f32afc408cb723dd3ac68d45
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\CE657C0FBE4D63BE45BB366353D75ADF9A52FF96
Filesize61KB
MD51053c6686c644ed085d27e4d773402c9
SHA15c1c2222f3bb043509c58a211fadc02305f4f520
SHA256df68dab8e6f6413b606587f78898ba21055d99c85b12a92e65743c363effe4db
SHA512e2e21e60d0a642aba35111727597c941f5b702df72615b69a67f1a697cc6ef8d880c74f7c5260c0ce4d53fad1d2a766afded23206635311d16239332d832ad74
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
19.9MB
MD5896d5c916b19c7a1ad8d11b1d0518c5e
SHA1351600ac2237432fec3e79db9e1d2a22a5e9a6d9
SHA25609388bf21b20c4f5ef0674bd8a00a0eb11225174f767b548b5bbb7bfab2b486f
SHA51273afa4574ce1b9e3804958c78015182f908836ed171efa6cfd11cebd0f3040ca129b290026f27f5fcc16b1c33c2f8d01cf4734bd60b30ad567cf65eb029cf076
-
Filesize
379KB
MD52cf9bac0b1e6af2f444e993659454476
SHA122ca45a9e2f9f17e95421c722954fdb352a4c008
SHA25619d00d00079177f3e78533ecb9f2e797092dd4d6bddae7d394218501afa4d51e
SHA512cb6ec66415c50bc9c807def6a0eea79dc4dda73a9c1d2a5d077121fb21c7f4486cbe28784eb5c4c5d9e95d98288ba6d4eece1ca0d3c838f7bd58e97c81294bdb
-
Filesize
1.2MB
MD5ec5312e06da51691d2e26820f3c93ece
SHA1552bceec2bbb0fdc0472eba0bb4c5993b35b0a83
SHA256421cb7e48e3063d927eefe28940e119fb1309a3990bc7325c7f7052a2b286a09
SHA5124fdbbb662b0a8ef4770cd18b358135557ec0134e87365eb800520ce8d87fb8cca2f28c572fd50346daea0964eb62524b9ac7a5fc0e34c30500358cce4b90fb0a
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize6KB
MD53b53be25c8f47d231e1e9ab3a196e97e
SHA1f0fcf926498ef2ebcc40c60560e58ba7796e12e6
SHA256864fc792735fa83e98d1e3cfd2565392793a0b01582daba8b3c601d14850427f
SHA5127e2cdcd4acd9b100d0e2e5ebdc70eab75a0bc6ff7b04447ff1a7bd776ffac937d9d7c7601725540679d07e00149352f72df4edce80242a8d51176b837f053cac
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize6KB
MD51f46f1501befc5fa693d81fd9ed7f236
SHA159d080b8f385176b665bd277534c4c6e3a3e6fc4
SHA25680005f8b69502e2a1868189e645ea094b29222620acc922f734472311d762b9d
SHA512fb38fab0bfbf94d18ddcb8c6c4e5e0f4d29f7ddf8f8d8dde01c80b2d3fe45ba5694e45ae34404e4fb650148054489fb627cafb477f214a5252928e4841e670fb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize12KB
MD5756595675d93688869c47b1ce34a0a1b
SHA1d4bc22d5ee9ed77aa79cfc31ab0258a402403e0f
SHA256f095bfaa775c7c844dac3079cbd5a5ca842a1b1a072b3a823d3b486d08ffe22a
SHA512aa053a442dd9928238a4012221e350f020bf71a3e80aefda9e9c7217dab09568e2c235919fceed8996232ac4766bbd57da3c184acdae0810c7238fa18cd82b06
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD54c7bcebf53d2d1ab2f2aaeba9b62334d
SHA1ddf9626fcc5f41dfba9a511f11f3bf056ee5e7fd
SHA256e4aacc43622da9a32f3ec47b58d08eec465499b30c17df15ddeb2adee985885c
SHA512e908baa8b8946c178b9b892527f2a43d735972101a4c1733c248f32871449eb9eb6baba68d7489ae5f94154346c394766c259eead593ccc68bcfd99241826da9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5300961055d40e63668dc6fe0d155cb90
SHA1cd614f927cac0c45f07e296a352eac56931b804e
SHA256b2b14bc939c7dfc3f2495e7a25d513a87052184bcadfc5e5c6dd3b574fb0ab92
SHA512dcef8a793ec4abe782fb07bb68bbf9997a11a7cb73b672ffdcace3ee4d409bb0da0a5ab8b28a0ede418d6d9f958679a9fb07b32a44adc36323384834ee45ef0c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize7KB
MD58798bd24323d7749ac300d9252930f03
SHA19b5730d2bd727486a546032c4e159553d3b5ec96
SHA256278abef8a36ccefbe9a287d4b11da07a6eb04bb4b588ae93de32fd251cfdded5
SHA51235e221fa9cb07b92bca888b35e2417aab01e9df5f4610ecc4be12f96ad904916947be1b9b95b2d253d8533e19b059f3f82c39ccbcec542fe6ffdc854e1f845c4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize3KB
MD5f72c9fec949960e5ed65a73ed6801416
SHA10cd81e9f6cb2c250cb984d979f1e51232430c6a1
SHA256da059a006a9939ebb191d6d34f3e89b1235ecad332c76b0285ef4588cb66280b
SHA5122fe4877efccc6c779d9176bacfeb2bd369d53bac161c83ea0609eb7c8b9b6423dca7cc6aca522a32f0425c8cf3bc32ca9be81fc43fb4d1137d1eba3ac70c0aab
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\08ad4501-5134-43fe-953a-00b5dbf1be74
Filesize982B
MD51e91bef77af6030a99ec403e51f3ffe2
SHA1b1abd84e18b31d1f44f9e503fab19a1d42f24e56
SHA25673128aa34eb1b3d1e6f1f1a3f41ee1d4eb711b9799fc0c44729d302b51d7e74e
SHA51217b4f85a14a5c00630d34229686c0f36b2275f0a745907177b23516370f5739e0811eb97c06fd5c09fefb09b4e5210f5fcbce240c587a3c7b3778abbabfa8abd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\987ce653-6645-4662-8df1-e971f5b981a8
Filesize
25KB
MD5
937c93cbac4758afcecf5012f9af2be5
SHA1
5317ce6f349cc0798c2b0d80fbe4dc1e1e58cf8d
SHA256
1a5836a86e0a6b629d246f93e06b78f03e9aeac16cc3c49f784936887fd72564
SHA512
a0c010613f57d5deb62b8d7b6e458e6922338ef098077ee0c5e1fe643dec2cf8cd481c87fab90e15120c74e0d86ff91fa0a53b16754568238efa53619bb120d5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\9db66288-552c-42bc-b744-cc0a854084a3
Filesize
4KB
MD5
40bef18a84d124aa528e25de4ad4bd67
SHA1
a7bbabc015ccddcd04f843abbbfb321562de2a06
SHA256
3c3cb961eab754713f99c52b89239265b32d5123f7362090ad58b92892cfcf04
SHA512
2efd21a612b34afbd23ba6fd45d7a9facee9cd9f04d1b602d4769aa4a3b538aba17179e5525c43a3ca6cbe208e4abb1c50a7abf65db5009b8a500237d90cc940
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\e9bf3638-91c9-4a0c-8e3f-3878a6e5484e
Filesize
671B
MD5
c208f737ff195d7443666fbdea569909
SHA1
eeb418ecc6843dda3bddeb99c155aa7fa173f4ae
SHA256
2a922aa920f51369095051165684848e40ff17464de3c4fe9a076777c7c53971
SHA512
b2b0a2d6f0c876189c75984fab00e450217a2eb02dd13c4379bf1aed48533131010e5dd6cbb4f31a7f0abe24c6f46b19133106a9a7b832065e7ceba90d17754b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB
MD5
842039753bf41fa5e11b3a1383061a87
SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B
MD5
2a461e9eb87fd1955cea740a3444ee7a
SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B
MD5
bf957ad58b55f64219ab3f793e374316
SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB
MD5
daf7ef3acccab478aaa7d6dc1c60f865
SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5
94f52f46b09fe2937dc8ddb049cea6cf
SHA1
0f0324f30ef7788300ab2d2accc16a88b6264af7
SHA256
76b4a728fe52e9382486b8438bb8c65b981a82f9bed94c04955481731b8a3338
SHA512
91bd037de977ab36cbe218da07680af3e04247569a5f661fb8f5bf591010a714670a5341991a85e87b8b6304b498a4d46d9867d5ad6d4b21dcb7fd7d18f0c207
-
Filesize
10KB
MD5
db167b476a7aca440d3f05b5d6840f32
SHA1
c13b8cda7362ed406835be0d046c11f4e84d198a
SHA256
db2fd6bf72587ca446caf44789c7fca2c7cdac3aad96a647274a91ad05e384de
SHA512
d21c15b76683c3c8fa854ec7c88af23819276dc0d3516c7d20ee9f8c1d3fd598280ff01403a45e338ec3899deb634aab6ccfe13a6a33cf93958e812c753cec99
-
Filesize
10KB
MD5
617158ec8cbc4d23bf156f74da5eea80
SHA1
f1b316b45c105b5109471f768866b85118813fe1
SHA256
1dcbf692dfd1c915fe902ee6c210f8ee627342b0835297b366a051515b66e1f5
SHA512
b401ac829b84e38bd81f810a20ac4a094b3c2d211292f40aa72846d74024e2eb0e18f2d2d01f53873d691c75861a690863aa43f56bf7ed1da2c6572de2e53bce
-
Filesize
10KB
MD5
1157cfb69aff54c58ed55e2a0a33f1ff
SHA1
159c7af1271aebbe24d95ffabd3b214773ef33eb
SHA256
a7b1c50e970ed27e49844a967121856519a5031957c40764bb0b252a32b5a6f7
SHA512
eb0d5c620425ed53f6678eda66c8da7c07863ba196ac8818a42df0ba109580d8cf43e94280bcdfa81b2f8680ff5853abd171c36f48e192f0915471528713eba7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4
Filesize
3KB
MD5
105654dbaf0b3d131b3224a812ce8e5a
SHA1
953e37b8ea89937f57b9cab2747eefd32875941f
SHA256
e351a90e2040126771fd098da4f1ca13e82a34b24b49d8dd8412eb6e185e9447
SHA512
e6062cc7f77c301230cab4063724f1f11d747155e7d343224221494481d796d8a48749f787be335c81845ca099fb7c3a36f0dc12cb1fe5918289a8682cab255c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4
Filesize
4KB
MD5
886e68197b60048ac7a2b6df3f6f739a
SHA1
b9a589d569f1aa4953fbd62ee7176a3362fc9550
SHA256
a0a758f3bf9af159c660c388fe0a4570cbc40aaea0cde0be342d262dfa1866d8
SHA512
07a2653f5e49fae93e6fb3e197903e9e8ebabb8248f4e1952c8d9fc6bf862e04ad928f199e1b909d81b8e52c5d1fc31f5efa4f2031739bebbd7096e927e6a52a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4
Filesize
4KB
MD5
b5d95d5170e59d597f1b06293f0b9b9a
SHA1
f0e4cc6857f60e3c445659b59d1ab9048086c4ec
SHA256
e25b85bb3aaaecb8fab287e80b7a73a6f15868de1b056b80928216cd04ec83a7
SHA512
37df51afffc90e51467a120922d23018344469570587359069d0d01d0f78801637a04b9aa36f48687de95e36ee959c7a29c284f7e725faf908f9e89c24d7bdb6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
368KB
MD5
7aa16d4ca07a987b9d3d7643f699f31f
SHA1
cb27eb1c90e94565d835ead380476cdb9631bde4
SHA256
f960390742d2f35627722ed7c03ee308de9bcc74f19e05a1520230e5798a398b
SHA512
54685a5282fa8fec9ba08bfac71e445d9c66dcf1688ce09d6344905d66ee840f0d4ef94fc4991f4d45cbc249fb543432bf5fc6f8f7dbec6c2a9726c10b12d4e6
-
Filesize
20.8MB
MD5
5d8706970dd725471dcbc5acb4dbddce
SHA1
c86dad0644fe6b38351fe16add60b12444e23fd0
SHA256
8ca04d27ef8c28e0edac3b740ebe7fb8839b4794752a0d359ae18de22fc6be35
SHA512
4a284ca5026cdb7dea9d860e51d141447b572d86dcc16bbe831416fb52a7d0ef8390aafd1b141842196c758208e461cfb013ff2e3e44774e022795b94e4ade74
-
Filesize
516KB
MD5
2a8bd75bda91871347497a88f1bd8a1d
SHA1
67f58b4506d51931df5f1e07ab0020e587308759
SHA256
383e45cfe4d4f54e6d0743f2ee8c1c7a54540c59cd071df1e6b978770b1fcba6
SHA512
58063c46af7c3c409cc1fa450af22849c82034c1046fc63e23f55f9ea70b4a3a9ae3a2e591f67569abc404ce0e415436f20973c4d37ac79762675e65d3b36df6
-
Filesize
383KB
MD5
f6de727441d84b427e7d2b4e9ec1db17
SHA1
6d3b8159796bef81166271ae4f8372d5148d9488
SHA256
b90ffb402c6dd7607fe48666f5944fea43083c30f54e41bc589226999b5a2b01
SHA512
9e0333f6ad668bc268af9699dea98cf21c3ada33ccc254535b0b96c8cfbf4f2e58392d55664b6ce8d05bc06c5fdbf156b300cb51503222e6d0121cfdce443818f
-
Filesize
56KB
MD5
4c175bfd31248cbade0f875dbf9f54e6
SHA1
ce9074101ec98d66c46dfe2f52421e467dcf2694
SHA256
88765957ac41e3f00f1fd98393342ea40ddcc05952aba418e099d866296c1bf2
SHA512
ed999936d2593ea8895b177f532c7ee76a24a78365839c5c8761912a8848d2a650a834114c632853356aec8fb470e722a8e6771123c74a4185bf54250440fc3d
-
Filesize
10KB
MD5
ceff01d9a2585878343f1b10ac597c7a
SHA1
030e3b4382eb00f1ecfd1c2fc8e59c5b5594d991
SHA256
6ba444527b66803b9fa43b80509788c761fa18b52360e27b74cc2e8a1c115b3a
SHA512
8f7a6b4cf9e753778a63460f39bc1d82f53d8d01f531227f1c60202079a933471c6c4479e9aa8fe8020ba78f4762f0d4a985f8203542ab663799449291d9bec1