xmrig | hxxps://github[.]com/Lachine1/xmrig-scripts/blob/main/linux[.]sh

Resubmissions

24-12-2024 18:43

241224-xc9jgstng1 10

24-12-2024 18:43

241224-xczdhstngw 1

Analysis

max time kernel
1320s
max time network
1321s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
24-12-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Lachine1/xmrig-scripts/blob/main/linux.sh

Score

10^/10

xmrig defense_evasion discovery evasion miner persistence privilege_escalation upx

Malware Config

Signatures

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral1/files/0x001900000002ac6c-419.dat	family_xmrig_powershell_dropper
behavioral1/files/0x001700000002acab-748.dat	family_xmrig
behavioral1/files/0x001700000002acab-748.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
83	3280	powershell.exe
85	3280	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\ViGEmBus.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\AvicaVirtualDisplayDriver.dll	DrvInst.exe

Modifies Windows Firewall 2 TTPs 28 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2408	netsh.exe
4384	netsh.exe
2212	netsh.exe
4164	netsh.exe
4000	netsh.exe
656	netsh.exe
2440	netsh.exe
2440	netsh.exe
2848	netsh.exe
4228	netsh.exe
1660	netsh.exe
1576	netsh.exe
1500	netsh.exe
2088	netsh.exe
2068	netsh.exe
1480	netsh.exe
1236	netsh.exe
4100	netsh.exe
2940	netsh.exe
1392	netsh.exe
2692	netsh.exe
4952	netsh.exe
4048	netsh.exe
4620	netsh.exe
3892	netsh.exe
2904	netsh.exe
4404	netsh.exe
4608	netsh.exe

Executes dropped EXE 16 IoCs

pid	Process
3596	xmrig.exe
2996	Avica_setup.exe
2052	Avica_Setup_1735066893.exe
2940	devcon.exe
4708	devcon.exe
1256	AvicaService.exe
4884	AvicaService.exe
3132	AvicaWatch.exe
1384	AvicaService.exe
2464	AvicaCapturer.exe
2828	AvicaCapturer.exe
1076	AvicaService.exe
5216	Avica.exe
5848	Avica.exe
5508	AvicaService.exe
424	AvicaService.exe

Loads dropped DLL 48 IoCs

pid	Process
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
1256	AvicaService.exe
1256	AvicaService.exe
1256	AvicaService.exe
1256	AvicaService.exe
4884	AvicaService.exe
4884	AvicaService.exe
4884	AvicaService.exe
4884	AvicaService.exe
4884	AvicaService.exe
2052	Avica_Setup_1735066893.exe
1384	AvicaService.exe
1384	AvicaService.exe
1384	AvicaService.exe
1384	AvicaService.exe
2464	AvicaCapturer.exe
2828	AvicaCapturer.exe
2464	AvicaCapturer.exe
2464	AvicaCapturer.exe
2464	AvicaCapturer.exe
2828	AvicaCapturer.exe
2828	AvicaCapturer.exe
2828	AvicaCapturer.exe
1076	AvicaService.exe
1076	AvicaService.exe
1076	AvicaService.exe
1076	AvicaService.exe
1076	AvicaService.exe
5508	AvicaService.exe
5508	AvicaService.exe
5508	AvicaService.exe
5508	AvicaService.exe
424	AvicaService.exe
424	AvicaService.exe
424	AvicaService.exe
424	AvicaService.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5996	icacls.exe
5948	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\Avica = "C:\\Program Files (x86)\\Avica\\Avica.exe --autoRun 1"	Avica.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
42	raw.githubusercontent.com

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{95afc67e-fc7c-604c-bfe8-abf0ff98c531}\SET47F3.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{95afc67e-fc7c-604c-bfe8-abf0ff98c531}\SET47F3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{95afc67e-fc7c-604c-bfe8-abf0ff98c531}\SET47F4.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b18e0367-9ff8-c14f-a9e0-5b912be839ad}\SET4A35.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\avicavirtualdisplaydriver.inf_amd64_afb4a5d0d8ce984e\AvicaVirtualDisplayDriver.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\ViGEmBus.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\vigembus.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\avicavirtualdisplaydriver.inf_amd64_afb4a5d0d8ce984e\AvicaVirtualDisplayDriver.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{95afc67e-fc7c-604c-bfe8-abf0ff98c531}\vigembus.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{95afc67e-fc7c-604c-bfe8-abf0ff98c531}\ViGEmBus.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b18e0367-9ff8-c14f-a9e0-5b912be839ad}\AvicaVirtualDisplayDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b18e0367-9ff8-c14f-a9e0-5b912be839ad}\AvicaVirtualDisplayDriver.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b18e0367-9ff8-c14f-a9e0-5b912be839ad}\SET4A56.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\vigembus.PNF	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b18e0367-9ff8-c14f-a9e0-5b912be839ad}\SET4A46.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\avicavirtualdisplaydriver.inf_amd64_afb4a5d0d8ce984e\AvicaVirtualDisplayDriver.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{95afc67e-fc7c-604c-bfe8-abf0ff98c531}\ViGEmBus.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{95afc67e-fc7c-604c-bfe8-abf0ff98c531}\SET4805.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b18e0367-9ff8-c14f-a9e0-5b912be839ad}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{95afc67e-fc7c-604c-bfe8-abf0ff98c531}\SET47F4.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\ViGEmBus.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\ViGEmBus.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b18e0367-9ff8-c14f-a9e0-5b912be839ad}\SET4A56.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b18e0367-9ff8-c14f-a9e0-5b912be839ad}\AvicaVirtualDisplayDriver.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\avicavirtualdisplaydriver.inf_amd64_afb4a5d0d8ce984e\AvicaVirtualDisplayDriver.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{95afc67e-fc7c-604c-bfe8-abf0ff98c531}\SET4805.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{95afc67e-fc7c-604c-bfe8-abf0ff98c531}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b18e0367-9ff8-c14f-a9e0-5b912be839ad}\SET4A35.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b18e0367-9ff8-c14f-a9e0-5b912be839ad}\SET4A46.tmp	DrvInst.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001e00000002ad84-1388.dat	upx
behavioral1/memory/2996-1446-0x00007FF657E50000-0x00007FF6582B7000-memory.dmp	upx
behavioral1/memory/2996-1474-0x00007FF657E50000-0x00007FF6582B7000-memory.dmp	upx
behavioral1/memory/2996-1504-0x00007FF657E50000-0x00007FF6582B7000-memory.dmp	upx
behavioral1/memory/2996-1794-0x00007FF657E50000-0x00007FF6582B7000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Avica\drivers\AvicaVirtualDisplayDriver\AvicaVirtualDisplayDriver.inf	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\resources\progress_background.png	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\drivers\AvicaVirtualDisplayDriver\AvicaVirtualDisplayDriver.dll	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\VDAController.dll	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\WEBRTCAPI.dll	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\uninst.exe	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\resources	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\AvicaCapturer.ini	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\drivers\AvicaVirtualDisplayDriver\AvicaVirtualDisplayDriver.inf	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\drivers\ViGEmBusSetup_x64\ViGEmBus.sys	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\transport.dll	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\vigem_client.dll	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\Avica.url	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\firewall.bat	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\server.ini	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\drivers\AvicaVirtualDisplayDriver\AvicaVirtualDisplayDriver.dll	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\drivers\devcon.exe	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\transport.dll	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\upgrade64.exe	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\drivers\AvicaVirtualDisplayDriver	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\drivers\devcon.exe	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\msdk.dll	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\WEBRTCAPI.dll	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\drivers\ViGEmBusSetup_x64\ViGEmBus.cat	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\drivers\ViGEmBusSetup_x64\ViGEmBus.inf	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\resources\background.png	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\resources\cencel_es.png	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\AvicaCapturer.exe	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\Avica.7z	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\AvicaService.exe	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\libAuthentication.dll	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\transport-proxy-server.dll	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\drivers\AvicaVirtualDisplayDriver\avicavirtualdisplaydriver.cat	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\resources\logo.png	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\Avica.exe	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\drivers\ViGEmBusSetup_x64\ViGEmBus.sys	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\transport-proxy-client.dll	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\drivers	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\drivers\AvicaVirtualDisplayDriver\avicavirtualdisplaydriver.cat	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\guid.txt	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\resources\cancel.png	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\AvicaWatch.exe	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\Avica.7z	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\guid.txt	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\AvicaWatch.exe	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\drivers\ViGEmBusSetup_x64\ViGEmBus.cat	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\drivers\ViGEmBusSetup_x64\ViGEmBus.inf	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\resources\disconnect_background.png	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\resources\disconnect_background.png	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\resources\network_disconnected.png	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\AvicaCapturer.ini	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\resources\network_disconnected.png	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\resources\progress_background.png	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\transport-proxy-server.dll	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\resources\progress_ing.png	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\resources\progress_logo.png	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\msdk.dll	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\VDAController.dll	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\vigem_client.dll	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\resources\logo.png	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\resources\progress_ing.png	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\resources\progress_logo.png	Avica_Setup_1735066893.exe
File opened for modification	C:\Program Files (x86)\Avica\Avica.exe	Avica_Setup_1735066893.exe
File created	C:\Program Files (x86)\Avica\AvicaCapturer.exe	Avica_Setup_1735066893.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	pnputil.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\New folder\Avica_setup.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avica_Setup_1735066893.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	Avica.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AvicaCapturer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AvicaService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AvicaService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	AvicaService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	AvicaService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AvicaCapturer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AvicaCapturer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AvicaCapturer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AvicaService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	AvicaService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	AvicaService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\4\0\0\1\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "15"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Music"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\Mode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = 63031f00e902d5dfa323db02040000000000d70200003153505305d5cdd59c2e1b10939708002b2cf9ae0b02000012000000004100750074006f004c006900730074000000420000001e000000700072006f007000340032003900340039003600370032003900350000000000c3010000aea54e38e1ad8a4e8a9b7bea78fff1e9060000800000000001000000020000800100000001000000020000002000000000000000bb0014001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c000000000000000000000000000000000000008c003100000000004759b466110050524f4752417e310000740009000400efbec55259614759b4662e0000003f0000000000010000000000000000004a000000000067036600500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000000000000000000000000000000000000000000001000000010000800100000004006900740065006d00000000000000000000000000000000000000000000000000000000000000000000000000000000001e1ade7f318ba54993b86be14cfa4943ffffffffffffffffffffffff00000000010000001f00530065006100720063006800200052006500730075006c0074007300200069006e002000500072006f006700720061006d002000460069006c006500730000000000000000000000000000000000000000000000000000000000003900000024000000004100750074006f006c0069007300740043006100630068006500540069006d0065000000140000008fb22c8c1a0000007700000022000000004100750074006f006c00690073007400430061006300680065004b006500790000001f00000021000000530065006100720063006800200052006500730075006c0074007300200069006e002000500072006f006700720061006d002000460069006c006500730030000000000000000000000000000000741a595e96dfd3488d671733bcee28ba671b730433d90a4590e64acd2e9408fe2a0000001300efbe00000020000000000000000000000000000000000000000000000000010000000f032a0000001900efbe1e1ade7f318ba54993b86be14cfa49436f73bebdf5342948abe8b550e65146c40f030000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 02000000010000000300000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Avica\DefaultIcon	Avica_Setup_1735066893.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\4\0\NodeSlot = "7"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\4\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\4\0\0\1\0\NodeSlot = "12"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 02000000000000000300000001000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByKey:PID = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\4\0\0\1\0\0\0\NodeSlot = "14"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 1c060000160681191410ec05200000000060000000000000000000000000000000000000000000000000000100002d00000031535053901c6949177e1a10a91c08002b2ecda91100000003000000000300000000000000000000008002000031535053a66a63283d95d211b5d600c04fd918d0110000001900000000130000007f01807001020000200000000011100000ed01000014001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c000000000000000000000000000000000000008c003100000000004759b466110050524f4752417e310000740009000400efbec55259614759b4662e0000003f0000000000010000000000000000004a000000000067036600500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018007400310000000000c5525961100057696e646f7773506f7765725368656c6c00540009000400efbec55259619859ba962e000000e5030000000001000000000000000000000000000000f63cac00570069006e0064006f007700730050006f007700650072005300680065006c006c00000020005600310000000000c552596110004d6f64756c657300400009000400efbec55259619859ba962e000000e90300000000010000000000000000000000000000007cdaa9004d006f00640075006c0065007300000016006800310000000000c55259611000506f7765725368656c6c476574004c0009000400efbec55259619859ba962e000000120400000000010000000000000000000000000000007cdaa90050006f007700650072005300680065006c006c0047006500740000001c000000000000250000000b000000001f0000000a0000004400690072006500630074006f007200790000002d00000018000000001f0000000e00000050006f007700650072005300680065006c006c004700650074000000000000003100000031535053b1166d44ad8d7048a748402ea43d788c15000000640000000015000000baf34838ed11e68b00000000590100003153505340e83e1e2bbc6c4782372acd1a839b220d0000000c000000000100000011000000140000000003000000010000002500000003000000001f100000010000000700000066006f006c00640065007200000000007500000011000000001f000000310000007b00310036003800350044003400410042002d0041003500310042002d0034004100460031002d0041003400450035002d004300450045003800370030003000320034003300310044007d002e004d006500720067006500200041006e007900000000008500000008000000001f0000003900000043003a005c00500072006f006700720061006d002000460069006c00650073005c00570069006e0064006f007700730050006f007700650072005300680065006c006c005c004d006f00640075006c00650073005c0050006f007700650072005300680065006c006c004700650074000000000000000000940000003153505330f125b7ef471a10a5f102608c9eebac2900000004000000001f0000000c000000460069006c006500200066006f006c0064006500720000002d0000000a000000001f0000000e00000050006f007700650072005300680065006c006c0047006500740000000d0000000c0000000001000000150000000e000000004000000084e635d2035ad701000000003e00000031535053aadb6f004f861c4da8e8e62772e454fe110000000b000000000300000003000000110000000d00000000130000006f018070000000008900000031535053ed30bdda43008947a7f8d013a47366226d00000064000000001f0000002d0000004d006f00640075006c00650073002000280043003a005c00500072006f006700720061006d002000460069006c00650073005c00570069006e0064006f007700730050006f007700650072005300680065006c006c00290000000000000000002900000031535053fcb3b4b9512b424ab5d8324146afcf250d000000080000000001000000000000002d00000031535053c0e85bcf6c23d34abacecd608a2748d71100000064000000000b000000ffff0000000000000000000000000000	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202020202	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\NodeSlot = "18"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\4\0\0\NodeSlot = "8"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000030000000200000000000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e30300000001000000140000002796bae63f1801e277261ba0d77770028f20eee40f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760300000001000000140000002796bae63f1801e277261ba0d77770028f20eee4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e320000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	devcon.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 654354.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\windows.ps1:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Videos\New folder\Unconfirmed 24223.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Videos\New folder\windows.ps1:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Videos\New folder\Unconfirmed 622879.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Videos\New folder\Avica_setup.exe:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2464	AvicaCapturer.exe
2828	AvicaCapturer.exe
5216	Avica.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3848	msedge.exe
3848	msedge.exe
2564	msedge.exe
2564	msedge.exe
1672	msedge.exe
1672	msedge.exe
2560	identity_helper.exe
2560	identity_helper.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
2688	msedge.exe
2688	msedge.exe
4780	msedge.exe
4780	msedge.exe
1672	msedge.exe
1672	msedge.exe
3280	powershell.exe
3280	powershell.exe
1096	msedge.exe
1096	msedge.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
2052	Avica_Setup_1735066893.exe
5216	Avica.exe
5216	Avica.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2688	msedge.exe
4004	OpenWith.exe
5216	Avica.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid
4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeLockMemoryPrivilege	3596	xmrig.exe
Token: SeLockMemoryPrivilege	3596	xmrig.exe
Token: 33	4880	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4880	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	1384	wmic.exe
Token: SeSecurityPrivilege	1384	wmic.exe
Token: SeTakeOwnershipPrivilege	1384	wmic.exe
Token: SeLoadDriverPrivilege	1384	wmic.exe
Token: SeSystemProfilePrivilege	1384	wmic.exe
Token: SeSystemtimePrivilege	1384	wmic.exe
Token: SeProfSingleProcessPrivilege	1384	wmic.exe
Token: SeIncBasePriorityPrivilege	1384	wmic.exe
Token: SeCreatePagefilePrivilege	1384	wmic.exe
Token: SeBackupPrivilege	1384	wmic.exe
Token: SeRestorePrivilege	1384	wmic.exe
Token: SeShutdownPrivilege	1384	wmic.exe
Token: SeDebugPrivilege	1384	wmic.exe
Token: SeSystemEnvironmentPrivilege	1384	wmic.exe
Token: SeRemoteShutdownPrivilege	1384	wmic.exe
Token: SeUndockPrivilege	1384	wmic.exe
Token: SeManageVolumePrivilege	1384	wmic.exe
Token: 33	1384	wmic.exe
Token: 34	1384	wmic.exe
Token: 35	1384	wmic.exe
Token: 36	1384	wmic.exe
Token: SeIncreaseQuotaPrivilege	1384	wmic.exe
Token: SeSecurityPrivilege	1384	wmic.exe
Token: SeTakeOwnershipPrivilege	1384	wmic.exe
Token: SeLoadDriverPrivilege	1384	wmic.exe
Token: SeSystemProfilePrivilege	1384	wmic.exe
Token: SeSystemtimePrivilege	1384	wmic.exe
Token: SeProfSingleProcessPrivilege	1384	wmic.exe
Token: SeIncBasePriorityPrivilege	1384	wmic.exe
Token: SeCreatePagefilePrivilege	1384	wmic.exe
Token: SeBackupPrivilege	1384	wmic.exe
Token: SeRestorePrivilege	1384	wmic.exe
Token: SeShutdownPrivilege	1384	wmic.exe
Token: SeDebugPrivilege	1384	wmic.exe
Token: SeSystemEnvironmentPrivilege	1384	wmic.exe
Token: SeRemoteShutdownPrivilege	1384	wmic.exe
Token: SeUndockPrivilege	1384	wmic.exe
Token: SeManageVolumePrivilege	1384	wmic.exe
Token: 33	1384	wmic.exe
Token: 34	1384	wmic.exe
Token: 35	1384	wmic.exe
Token: 36	1384	wmic.exe
Token: SeIncreaseQuotaPrivilege	568	wmic.exe
Token: SeSecurityPrivilege	568	wmic.exe
Token: SeTakeOwnershipPrivilege	568	wmic.exe
Token: SeLoadDriverPrivilege	568	wmic.exe
Token: SeSystemProfilePrivilege	568	wmic.exe
Token: SeSystemtimePrivilege	568	wmic.exe
Token: SeProfSingleProcessPrivilege	568	wmic.exe
Token: SeIncBasePriorityPrivilege	568	wmic.exe
Token: SeCreatePagefilePrivilege	568	wmic.exe
Token: SeBackupPrivilege	568	wmic.exe
Token: SeRestorePrivilege	568	wmic.exe
Token: SeShutdownPrivilege	568	wmic.exe
Token: SeDebugPrivilege	568	wmic.exe
Token: SeSystemEnvironmentPrivilege	568	wmic.exe
Token: SeRemoteShutdownPrivilege	568	wmic.exe
Token: SeUndockPrivilege	568	wmic.exe
Token: SeManageVolumePrivilege	568	wmic.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
3596	xmrig.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
5216	Avica.exe
5216	Avica.exe
5216	Avica.exe
5216	Avica.exe
5216	Avica.exe
5216	Avica.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
5216	Avica.exe
5216	Avica.exe
5216	Avica.exe
5216	Avica.exe
5216	Avica.exe
5216	Avica.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
2688	msedge.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
3676	MiniSearchHost.exe
2996	Avica_setup.exe
2052	Avica_Setup_1735066893.exe
2940	devcon.exe
4708	devcon.exe
1256	AvicaService.exe
1384	AvicaService.exe
2828	AvicaCapturer.exe
2828	AvicaCapturer.exe
5216	Avica.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2056	2564	msedge.exe	77
PID 2564 wrote to memory of 2056	2564	msedge.exe	77
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3248	2564	msedge.exe	78
PID 2564 wrote to memory of 3848	2564	msedge.exe	79
PID 2564 wrote to memory of 3848	2564	msedge.exe	79
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80
PID 2564 wrote to memory of 2836	2564	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Lachine1/xmrig-scripts/blob/main/linux.sh
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xe4,0xe8,0xdc,0xe0,0x10c,0x7ffbef0e3cb8,0x7ffbef0e3cc8,0x7ffbef0e3cd8
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1984 /prefetch:2
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2936 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4592 /prefetch:8
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6568 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6772 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6556 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6732 /prefetch:8
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6928 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,14351128310936151227,3524634946626741510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7040 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1096
- C:\Users\Admin\Videos\New folder\Avica_setup.exe
  "C:\Users\Admin\Videos\New folder\Avica_setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2996
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1384
- - C:\Users\Admin\Videos\New folder\Avica_Setup_1735066893.exe
    "C:\Users\Admin\Videos\New folder\Avica_Setup_1735066893.exe" /d "C:\Program Files (x86)\Avica"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2052
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get Caption
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Avica\firewall.bat""
      4⤵
      PID:840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        5⤵
        
        PID:2068
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall delete rule name="AvicaService"
        5⤵
        
        PID:4792
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall delete rule name="AvicaService"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4620
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaService" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaService.exe" protocol=tcp enable=yes profile=public
        5⤵
        
        PID:3304
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaService" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaService.exe" protocol=tcp enable=yes profile=public
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3892
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaService" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaService.exe" protocol=udp enable=yes profile=public
        5⤵
        
        PID:4548
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaService" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaService.exe" protocol=udp enable=yes profile=public
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4228
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaService" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaService.exe" protocol=tcp enable=yes profile=domain
        5⤵
        
        PID:4400
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaService" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaService.exe" protocol=tcp enable=yes profile=domain
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2440
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaService" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaService.exe" protocol=udp enable=yes profile=domain
        5⤵
        
        PID:1384
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaService" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaService.exe" protocol=udp enable=yes profile=domain
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2408
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaService" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaService.exe" protocol=tcp enable=yes profile=private
        5⤵
        
        PID:572
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaService" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaService.exe" protocol=tcp enable=yes profile=private
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4384
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaService" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaService.exe" protocol=udp enable=yes profile=private
        5⤵
        
        PID:3020
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaService" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaService.exe" protocol=udp enable=yes profile=private
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2940
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall delete rule name="Avica"
        5⤵
        
        PID:4600
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Avica"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2904
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="Avica" dir=in action=allow program="C:\Program Files (x86)\Avica\Avica.exe" protocol=tcp enable=yes profile=public
        5⤵
        
        PID:4608
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Avica" dir=in action=allow program="C:\Program Files (x86)\Avica\Avica.exe" protocol=tcp enable=yes profile=public
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1392
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="Avica" dir=in action=allow program="C:\Program Files (x86)\Avica\Avica.exe" protocol=udp enable=yes profile=public
        5⤵
        
        PID:2692
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Avica" dir=in action=allow program="C:\Program Files (x86)\Avica\Avica.exe" protocol=udp enable=yes profile=public
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4404
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="Avica" dir=in action=allow program="C:\Program Files (x86)\Avica\Avica.exe" protocol=tcp enable=yes profile=domain
        5⤵
        
        PID:4428
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Avica" dir=in action=allow program="C:\Program Files (x86)\Avica\Avica.exe" protocol=tcp enable=yes profile=domain
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1660
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="Avica" dir=in action=allow program="C:\Program Files (x86)\Avica\Avica.exe" protocol=udp enable=yes profile=domain
        5⤵
        
        PID:3052
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Avica" dir=in action=allow program="C:\Program Files (x86)\Avica\Avica.exe" protocol=udp enable=yes profile=domain
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4952
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="Avica" dir=in action=allow program="C:\Program Files (x86)\Avica\Avica.exe" protocol=tcp enable=yes profile=private
        5⤵
        
        PID:3840
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Avica" dir=in action=allow program="C:\Program Files (x86)\Avica\Avica.exe" protocol=tcp enable=yes profile=private
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2440
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="Avica" dir=in action=allow program="C:\Program Files (x86)\Avica\Avica.exe" protocol=udp enable=yes profile=private
        5⤵
        
        PID:4924
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Avica" dir=in action=allow program="C:\Program Files (x86)\Avica\Avica.exe" protocol=udp enable=yes profile=private
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2848
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall delete rule name="AvicaCapturer"
        5⤵
        
        PID:4840
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall delete rule name="AvicaCapturer"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1500
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaCapturer" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaCapturer.exe" protocol=tcp enable=yes profile=public
        5⤵
        
        PID:1268
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaCapturer" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaCapturer.exe" protocol=tcp enable=yes profile=public
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4164
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaCapturer" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaCapturer.exe" protocol=udp enable=yes profile=public
        5⤵
        
        PID:2812
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaCapturer" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaCapturer.exe" protocol=udp enable=yes profile=public
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2212
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaCapturer" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaCapturer.exe" protocol=tcp enable=yes profile=domain
        5⤵
        
        PID:1108
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaCapturer" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaCapturer.exe" protocol=tcp enable=yes profile=domain
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2692
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaCapturer" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaCapturer.exe" protocol=udp enable=yes profile=domain
        5⤵
        
        PID:3372
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaCapturer" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaCapturer.exe" protocol=udp enable=yes profile=domain
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4000
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaCapturer" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaCapturer.exe" protocol=tcp enable=yes profile=private
        5⤵
        
        PID:684
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaCapturer" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaCapturer.exe" protocol=tcp enable=yes profile=private
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2088
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaCapturer" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaCapturer.exe" protocol=udp enable=yes profile=private
        5⤵
        
        PID:2232
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaCapturer" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaCapturer.exe" protocol=udp enable=yes profile=private
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1236
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall delete rule name="AvicaWatch"
        5⤵
        
        PID:4636
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall delete rule name="AvicaWatch"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1576
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaWatch" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaWatch.exe" protocol=tcp enable=yes profile=public
        5⤵
        
        PID:2848
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaWatch" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaWatch.exe" protocol=tcp enable=yes profile=public
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4100
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaWatch" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaWatch.exe" protocol=udp enable=yes profile=public
        5⤵
        
        PID:2392
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaWatch" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaWatch.exe" protocol=udp enable=yes profile=public
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2068
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaWatch" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaWatch.exe" protocol=tcp enable=yes profile=domain
        5⤵
        
        PID:2332
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaWatch" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaWatch.exe" protocol=tcp enable=yes profile=domain
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4608
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaWatch" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaWatch.exe" protocol=udp enable=yes profile=domain
        5⤵
        
        PID:2628
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaWatch" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaWatch.exe" protocol=udp enable=yes profile=domain
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4048
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaWatch" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaWatch.exe" protocol=tcp enable=yes profile=private
        5⤵
        
        PID:3420
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaWatch" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaWatch.exe" protocol=tcp enable=yes profile=private
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:656
    - - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="AvicaWatch" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaWatch.exe" protocol=udp enable=yes profile=private
        5⤵
        
        PID:684
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AvicaWatch" dir=in action=allow program="C:\Program Files (x86)\Avica\AvicaWatch.exe" protocol=udp enable=yes profile=private
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1480
  - - C:\Windows\SYSTEM32\certutil.exe
      certutil.exe -addstore Root "C:\Program Files (x86)\Avica\Go_Daddy.cer"
      4⤵
      PID:3488
  - - C:\Program Files (x86)\Avica\drivers\devcon.exe
      "C:\Program Files (x86)\Avica\drivers\devcon.exe" remove nefarius\vigembus\gen1
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:2940
  - - C:\Program Files (x86)\Avica\drivers\devcon.exe
      "C:\Program Files (x86)\Avica\drivers\devcon.exe" install "C:\Program Files (x86)\Avica\drivers\ViGEmBusSetup_x64\ViGEmBus.inf" nefarius\vigembus\gen1
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      PID:4708
  - - C:\Windows\SYSTEM32\pnputil.exe
      pnputil /add-driver "C:\Program Files (x86)\Avica\drivers\AvicaVirtualDisplayDriver\AvicaVirtualDisplayDriver.inf" /install
      4⤵
      Drops file in Windows directory
      Checks SCSI registry key(s)
      PID:4512
  - - C:\Program Files (x86)\Avica\AvicaService.exe
      "C:\Program Files (x86)\Avica\AvicaService.exe" -o install
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1256
  - - C:\Program Files (x86)\Avica\AvicaService.exe
      "C:\Program Files (x86)\Avica\AvicaService.exe" -s demand
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1384
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" /e,C:\Program Files (x86)\Avica\Avica.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:1320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4004

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3280
- C:\Users\Admin\xmrig\xmrig-6.21.3\xmrig.exe
  "C:\Users\Admin\xmrig\xmrig-6.21.3\xmrig.exe" -o xmr-eu1.nanopool.org:10300 -u 4BCzRFseZPce3GUMsqGEHjeSgzzBhE3C72JdGdapz3kgdWpq4ri7NbNfTKCotSdAP2a6c6f4Qq3XHWRMJX1EYJnrDrSeJG3 --cpu-priority 4
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3596

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:1096
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{44f5b21f-eeba-a442-b3a6-c8d6a35c62f9}\vigembus.inf" "9" "429a86e87" "0000000000000140" "WinSta0\Default" "0000000000000164" "208" "c:\program files (x86)\avica\drivers\vigembussetup_x64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1060
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem3.inf" "oem3.inf:c14ce88408607219:ViGEmBus_Device:1.17.333.0:nefarius\vigembus\gen1," "429a86e87" "0000000000000140" "b0a0"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:1392
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{9bd316e8-fd44-ab48-8f31-c2a3918b070a}\AvicaVirtualDisplayDriver.inf" "9" "4a9ef22b3" "000000000000017C" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files (x86)\Avica\drivers\AvicaVirtualDisplayDriver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5068
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "1" "0" "SWD\AvicaVirtualDisplayAdapter\AvicaVirtualDisplayAdapter" "" "" "4a1e769f7" "0000000000000000" "b0a0"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:1500

C:\Program Files (x86)\Avica\AvicaService.exe
"C:\Program Files (x86)\Avica\AvicaService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4884
- C:\Program Files (x86)\Avica\AvicaWatch.exe
  ./AvicaWatch.exe --port 51647
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Program Files (x86)\Avica\AvicaCapturer.exe
  AvicaCapturer.exe port1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  PID:2464
- C:\Program Files (x86)\Avica\AvicaCapturer.exe
  AvicaCapturer.exe port2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2828
- C:\Program Files (x86)\Avica\AvicaService.exe
  "C:\Program Files (x86)\Avica\AvicaService.exe" --file 51647
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1076
- C:\Program Files (x86)\Avica\Avica.exe
  Avica.exe --yuv444_check
  2⤵
  - Executes dropped EXE
  PID:5848
- C:\Windows\System32\icacls.exe
  C:\Windows\System32\icacls.exe "C:\ProgramData\Avica/SDN/\id.sec" /inheritance:d /Q
  2⤵
  - Modifies file permissions
  PID:5948
- C:\Windows\System32\icacls.exe
  C:\Windows\System32\icacls.exe "C:\ProgramData\Avica/SDN/\id.sec" /remove *S-1-5-32-545 /Q
  2⤵
  - Modifies file permissions
  PID:5996
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:6076
- C:\Program Files (x86)\Avica\AvicaService.exe
  "C:\Program Files (x86)\Avica\AvicaService.exe" -c wake
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5508
- C:\Program Files (x86)\Avica\AvicaService.exe
  "C:\Program Files (x86)\Avica\AvicaService.exe" -c wake
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:424

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5180
- C:\Program Files (x86)\Avica\Avica.exe
  "C:\Program Files (x86)\Avica\Avica.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks SCSI registry key(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5216
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption
    3⤵
    PID:5684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Avica\Go_Daddy.cer

Filesize
1KB

MD5
91de0625abdafd32170cbb25172a8467

SHA1
2796bae63f1801e277261ba0d77770028f20eee4

SHA256
c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4

SHA512
2df98b9df476d49399f0bd7f74627356cbf0e231bdd15575b03206a8c52bc6a010790543cd79a5d85254c9b7bde708ba1cfc03ab2138bdcc80004b88333d9843

Download Submit
C:\Program Files (x86)\Avica\drivers\ViGEmBusSetup_x64\ViGEmBus.inf

Filesize
3KB

MD5
cd0027aa0f5a8a47a6596d880f06964b

SHA1
167b62bfd7471179cf68cb5b2f83c8365edf4875

SHA256
634b032a33cecbf2e43c46c5896a3c359cdda452c632da6396452419ffa301d6

SHA512
19563a3fc7d985ee48a158f6f051e5b8ba200a092b2f1e902024aa9c6a8d6f5a6f04b80c8ea0587bd23802dcfd7775a7a625164387ae61ded5124ccea61b8ef9

Download Submit
C:\Program Files (x86)\Avica\drivers\devcon.exe

Filesize
85KB

MD5
bca378b16b514716bc0e675bb1b6bb6d

SHA1
05c4451205d778a560a1fa8cbd49cbdfe9afc928

SHA256
df2166c0d45909aaedb4256698ae99c9b7b462964bfbed75bdf93b2837e7776d

SHA512
460230cfaa64199e8f31caef27ccb25507baa25fb6076ee8fa5029d277aba23fa820f2d144badc214f9054b8018c3ffe6474d4188fd81121e74d613793149b30

Download Submit
C:\Program Files (x86)\Avica\firewall.bat

Filesize
5KB

MD5
da57f1ef77c4cb54dab7bc0d7069de18

SHA1
6e8a251500e69b6542a15989ee9c19fbc631acb8

SHA256
9c2dc07dd54047a62b77e24dbc05d91abd5ff139d9a392e3d6b653526023f905

SHA512
6e4e240d2499366cbad548ca606fc81f8bbbd5ece2ac460bfd57cc06c184714cf819198e5dc3b19c3deb250b5e50fc8699ae402082e2dcc58c6680d3081b1e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3a6253aabbc9676879b6c12d0fa1cf53

SHA1
ca1663a9390550ab981e14c1273410c54115e1a7

SHA256
d2fc10fb421022bf836507de3fb6c56d6d84276c12bba0d2946f6a653dbd37c8

SHA512
456c932d03b11fb8f1a57b1e2e1ca5dfcec81987276cd964bd1ee96ffc6154125cf19010d45650f25806e9782da7d76b1237c57dbdec5e4223a6a278748799e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
fe797e65ebba385aaaf82ec8d068ecdc

SHA1
56b8bee60d3ea1da646fe506c6d3a3589e4c0517

SHA256
7f81ccae35fa10747cb46ed0bdf3c184d810b580d0408f5976c54334cd8ad91d

SHA512
4d5a5a4d44c6eddbb4dfd68eddf3d491918bf64c5e3654ca75ad98d28d214db4fea9445cba569fc05b46822a7b0e62e78b9a142867a0bdbbc27271df0aca58e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d45e48a2f7d628ec2e2b921652eebaf4

SHA1
f7a96acb6f97c08eaf9869df9beec9e4ac5a0f26

SHA256
8b9d7acfb84290251d0b4bcdc2823d6100ee6b689365066ab061f8439bf9721d

SHA512
3afb87f86a645db82c33d7e79198a1cf0d6c4709e59a53cf61004bf10f488b4aa308fc1c1c4164d7124a765662f56c37bfb2b34d3968bdbc13e656aede9b72c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c74ac6f4479c735351edc12700c7ca89

SHA1
cfa6b35bf0a03c43a49fcf6c191244380ab3819e

SHA256
8895428aebb9ddb9a6189a4e60f9f5b8c9c33d3b17977916a8be37bab1f09099

SHA512
183dcd6e93c94da1083fc7dc661135172610d424cf5e7ce9e2af950cd4929064721be771dac39d72bb3d14a04f39f663890e20a8a0080e832b39dda8a45b55a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d533af47c162cb1a7be14edc94b297a8

SHA1
ef35d9754b17a034c08848b6816d64dbbe9db705

SHA256
dc3c41f7a5c35c09c5f26823e6e2a2b2e50ccab657e3c117a4fad37ecb1c6075

SHA512
3e3c1eff2c956786d6cb50032a17b28e7a25779d227549dfe929435f2696ec3396b2adea77a3dfb5b82af82c15ff404367040d5206b803f8c776de549e34173b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
00949355f2a247fb5d5d042f80a314c4

SHA1
da6e7d7bd46e4b7dd603feea439649d874faf991

SHA256
e9358d92fb5da157ba2095910db9dde80e0f8963ad466753e0ced66a8c652363

SHA512
a85006d2763d588d42000309a72b87d2852c2a72eac1577fa0060f78835273ad33b6b54961f3d96dfeca5277246d657a37ee92c25202175a5f5f888b2b3d2f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
65b004307debba749a1e5ac05639ad69

SHA1
468a530f282b69ae2d97f97b19c24e6198183ceb

SHA256
a7d46023b8c377f0fd46b78d097abfcf80c27f9d3e8fc808c4631be74c186441

SHA512
a2ca7cb4c2905c6875e31adcbf255f55953bb0fd1f1ff84e637668e486f223a83879010bd1607d9e00afe4f446555347fee8687a448e8a633fc26c43f71c5398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
c4897aa78d9edac4710b6abd9081210d

SHA1
82fff6d6a6c64af2e1e64a0a56c46cfc2a3470bf

SHA256
1c2dbad9b7fe623f7907fe8875ae1df241de6ea09e8dbb063b885983420fc005

SHA512
207439940f16c3a029f465c4f4b6d290f15deea00c5d46365d2bbe5a27c48371315a7a5e39366638a4d256c843470b6e9acd6fc7c0b85aac10dde6176aba026c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
649B

MD5
a8a2a302dab287b5c7bf958dcdedc345

SHA1
9fbce9d69ae144080f88e7882f38ef15d36f96b5

SHA256
18b8bf2bdcbe6a893a9e80bb8d42b8506812e88cc568011a52fc5d2f14c09842

SHA512
2a7f59cf37f63a997ad8b97e1da16634552574facaf561af53c3974ceb8d67af8139a9908846a99186e72fbbd8bcb46f314e810e93cf86314fdb87ea986e61ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
871B

MD5
8f8d5b19575ef22d4d64dadb835a914a

SHA1
776313480d47ae0a76fc16badccd0cbf85ff3634

SHA256
4933047dae08e5b5cc2a579f59d1bd08be1a1dc919bfd0a5c211c03a242e858d

SHA512
b5d09d33e9045f4506f4244d7bd55e7b1ce40f1d748c530c27dd2f33e3eea3fd1f03ba17c6d74f094b1fe7525762b844e88343ef166f9e40771889adee390be9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
21a12926596aede45a070a57fa811944

SHA1
6de4812dab98c4e4d32a28793cf7643e1fd77010

SHA256
6ec74fd047a55b1ca844181e992ba60d7c9f0891f1285b55c1c53894b80f6414

SHA512
dd02bb4a41a63d0d46ece93fa3a57b1fa12160fa46704e27a6344ca6d91e6ac804e32703eeb1baba3bb34092cc05147bcc9f784a6ec62b7b1098fcb75d2abde9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
97c121bdca1d6efa866a8beb7caad7c6

SHA1
9f3449425c92e9523c5045d2f68ffc192a505701

SHA256
e0e663dc4fa2f76a24ee10f5f8694646f0dc442d339fb7c8849210c55bf32dc7

SHA512
efe0fafe27b44e912cbb677f4a55c0e30659b0cf8957aeec1198ae7560ef764e9aa431b6a7337da0798dbed72f463063d4ed9fe1ca2030b07480201fe0612be7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
a7d1701142cca705f833d70023ef4e1e

SHA1
1b76853132abfcddb4fefac42bf9df5d013c9815

SHA256
6c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7

SHA512
806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d3bb9bc7900b8ba534c29c023c875d97

SHA1
1ce1d92b20d8e11de0b9e4c2dbafb22f1616ea51

SHA256
28a577b57961d60543ec8e06fdb3c5b00ef46d984a2c01c6399e858e4d0a13cc

SHA512
6894a17a1670498b0d374fbb9e186370108c2ca1977a67729da39a1d736b0b097e2a60aad550ef01cb767a7a252e4054347e0754bd4a3861ffb7b0a40b1eea98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5e66d30a040196089a0660bb83e0932f

SHA1
a7b1b591758daa7f5926881e2fd45d6cecd00c69

SHA256
f791d3c70f1e36f46e6fd5f9f465334f951f1c4ccc580b158cbbb01945426d25

SHA512
491396af10256995cfcbf95b08a8162582c11b99e06560c2f821a7ca15c558531fba933c161d3d512ff328aa71e646ee3b584ef9f5b83f3ed7b0d552f49ad4c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
45830fab8032239001ce666c2bc2382a

SHA1
cf80a1e40be66be30475e665044da4a4a58af674

SHA256
795bbf6ee3ba148a9afa97beb6eba050dd24493ae5e93529445eae82301a6e1d

SHA512
2f9e39eb873d72e438e94fc3b9507cd278595172a8722e1e85d5a8083077e89e2f94cced058971e328eb232f79bebe29c48d231ceca2c16f10c9e844dbca46a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
777ef151f1bcaaeb7fb86aaf7f0b9c32

SHA1
9d492f3beb8850e44638d5548b3c1abf05334842

SHA256
74883346d3e7bf7f89a04af246fbe50a00672967d9cd7c1578f9b67fe40edcc8

SHA512
d98b88990e2fac12b79e21a75dbe1adb4597a540a96eddd871ae889d44c2f497675e4ca44d204117737e535d9fa061f0807c627d4057dd9689288abba32d85bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
06138bf5c7d3c9e939958b69e7c8c8d6

SHA1
086b9f1f2e80adde4c9c6ae9c080751a41b9d56f

SHA256
54ee2732f0752afca80a7c5aee4a11d46417055d7ada73d7e9a4ed4c6cccff52

SHA512
8f3a1522a0e4feec67aa7fe0f2563adec0fef335d2b3711d8fd8fa703417f498db68d520e6cd02d0974bc4310761e8f73bd9939be24f50a3a2cb7edd40e1f35c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2668d611a59615a1a440e34d35f16031

SHA1
7adaf5c82c19c58681f9497305c969afbf0a4638

SHA256
81bca80041e1e1214ea4e512d51c01b8ed793102cc5cd4192463a930732e7ac7

SHA512
11ec769dea117b0d51f7104302307d52bcaa12fed51455ef470b209b335a1e36c1074348d0e6de0f085718e3b5acd48d7391d85763be2f4694bfa47fffff2c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
652bf5573c631e2a4ebd2edc18451369

SHA1
5ff6d727ac4aed34d7a515acc3471e7ddea43d27

SHA256
df08345eda44c7ac69abd1c097591c65055cffcd406a3f4a53906470e2fffa15

SHA512
6a69334bc1f4b204bd5328d977ee6466ff7a05c7b7da4ccc88862d893b81f4b9064a148dba5bf7eef3521c9527bf460e254105d330d8565c03aec727126ff435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8e9789d64876411622e5eeed69313d0e

SHA1
a2918f0135522655bcd82c316380dd25f2108993

SHA256
05f3bf4599aab09165fe3a682e48157f80b396689983f87d0917106390d43fd7

SHA512
fc3c96570ce7b9ee32bb2d638e9cfa9aef9c051d795df7aa5aaa676982624f73380d99aeaa721f4091d8a6a6d7c15f8ff1b6a1a9167fad4a00adf1a03cabe629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4d5ea920a2ac8dcb0aad879d71650026

SHA1
40d6e8d7eb1488a90d5314133544e78c0733aa32

SHA256
84de692af36ab5ef5ec81b8b0fc1dc86cfec14a50f240f7b449688151e40885e

SHA512
fc9d913aedf01cdc8cbe51493a439d076cbf8455837cfa2a0222a7c87cee543250d218fce9acab02e2a628ce21780da7ad0de5f8c1b47c56a807de1d04c1bcd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
be14e7f6cd8ca8cab4ceb6bb9d1f7387

SHA1
0dc0d755b3f10404f12f3e4f2fd112ad7a696444

SHA256
418a345dcdc9f9fba4d12989bb04964ae07f7ed32d5bb432ae5006893a22fa3d

SHA512
a8f44100d27a0f142e079de075772821b1e78fd95d0f410a233a82694d19632da0fc0659ac82a01c1ba1fb26a473b04a48324055ddf440f0236958186e5cdf82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe67189b.TMP

Filesize
48B

MD5
a478175c47b408d09d9dacbc41278257

SHA1
6c623b0d84d7fca37eae353eca41069dcf604f74

SHA256
410f50154a90ca53aa43d127997f992eb1131c179eec6d68939a2d1acda2cf75

SHA512
312ad465f7f2b2e4f2b7dcda704b442266bf9f802cb7350a3a2005fb619b370d65046e5284729e1f43309473d2ad2305f8a4b43ef1a18dc6eb534f63bbf2c1ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
f3a22e56f8d6ab3bf9a0409df0b155e4

SHA1
d9a9e5ba796d3e76855bfe86307a4e6dca69f7e1

SHA256
3cbf30efcfbfe3e553f2e14f78fac566084344645334df963e64554283e311a4

SHA512
e7cb80b3ae3a7332e56506b9d0c5bb1db53239868525c62cd5a6fe5aa7f0db091d2709d0960fd28b52a62e198d47a509cb4b82755e6e4854744f87442f70a723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
8c83e979f9fcfc4840f8fcfca3c184c1

SHA1
0b17ba249572f5925d885d068343e83a5231fe0f

SHA256
9c9801828b8bc0286aab3d402fc07cb49dc49ee0b2b22b062c2929a4b936afa8

SHA512
c7390abfd44eaf888f16d817fe2c0809f95304c923888716e8853e0cfebdb8dee387a2bb967be226e090077b08b4556f26edf7f6d37d62a9cc45b19f2d75741e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9c929d3a1a5d6f931c5e3ed4d04abf08

SHA1
270d003a40ed9fd24b4a30f98502f8675b44587f

SHA256
48daf17a94d8308bc43819bd7693d65471b5b82513ba2b4112af23aea1df2aef

SHA512
425c6b4bd79398075d27be38059fdfbdac274519ccde41c27cfedbaf8613b5483adc8736049629bd1a2e4603a22d0caafdbd828e52e5b181b354a931f0e4bbba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fe839a0ac32d5b8f1d5556d4430fda12

SHA1
4cd7097f1dcef407c829d259decff65276df0eef

SHA256
a45826fa53493952616c16a738c50118b85a7b62b37a44f8652d657df926c956

SHA512
8465b4b108ec78be6379e2c8529e776d0e7bc3b292a2743a6f377a6ee3ce2c87f872f497e7ad0493e16cc8d318b7637e818a97a943aa74e403b4d904af299f6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f72ea280daaa5ae86798dda6a1234a03

SHA1
c703f28dc81e753b604397f9c58ffafd05d2a0b1

SHA256
d972fe345c3afb3c4593337da2638720bc5f377a0645ecbd301ac50729743ae9

SHA512
58ac3f8d61e6c6c1bafa7d1acbf99386d7b84591fcc924c216a65454a54755e62b9a0e9d083b23d884c3a507826102321eef4904d12df1eeecb66b78aacd1f0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ba5e5f8fa6d94a3f69c9df4c1e6d8efe

SHA1
ea03e5fba89b7da4f554333c3edd5d06264f0db5

SHA256
2eff6e80a2e2eaeedc5581efe8b9df2c3a0ea77a3697e1fdb7ee39747fb6c0f1

SHA512
11665a071226acc20c93523e26df8c20ad312ceaf5ad22d74772aac9e32e372cd1c3876fd5dfb2b5a97cffb8e10879d692a1cd6eb9e0c5e3eaece32a42d12965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a531fa29ee9a1f9f44a3424969dcc3f3

SHA1
cadd18387aa8a609775ce6b566efcb70407c1c08

SHA256
d8be9479286bf4697f9eb78821873303129732e8bb8180ad641ab37ad6adc8d2

SHA512
a0ac2c63c7076931e3c70845b4a5a3d2eec720b8fbc3797c94b7eef1ba85c8ea103cdb73fa0dbbac760be9df9e756f23629bc2a6a0b5baa57738293400aa6cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dd1641493f5da4b2c2912515ff03c6cf

SHA1
d75e819be57a00d65dd891b280df0c7c51eacb09

SHA256
05bcc0172980091461e02146dbb7820d45ae02796772833e07b07fbbac6ae5e6

SHA512
b3fd8f11e7b0b7cd6334b7e009fc1469dd9e4b8dba388a44321ddca3bd540c9b54c41d6738cc88903ed3d9b1913091556befaf2b68c0fbe1e56006d0ead7299d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f8e0815eb648d6f11c7b1ae46cf894d1

SHA1
b9c619759c8435f9c42ea0dcac4409917171ea0e

SHA256
4a94fab231dfb03eb8c50bd81374f73b22d611913c314dd79b1290cade6f5fe9

SHA512
ceaabd8ec8886964c0dae5973063bdb1b6478beb0d9c68d7a06dd8614d26b87dad3fe5f53b2679a201e67221250023cdd1e293d699d759d558b3589cf2d63205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
18fb8f17fdb1d6c0eb7fbdf236a897d5

SHA1
2b0a3a376bb52a97a4a0b709e7a3bbe5aba697e7

SHA256
79c3db116bffa4d2ec3c34209de0f1cd0c5d526b236ad7bfb26c07b38ae50581

SHA512
96712a8f3df0e2aca131b5be793fb74d2290d37bbd4ab7db271b8f4ea291a3310cf19fff1ba2784758d31a058aa2f95451321c89ade8c778e19eee8f8ca767d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2583f105dd2c9b3369add053dd0b3b14

SHA1
6a3919312a5fc853296875950ff1d77a2dd1e7ac

SHA256
b9914e1f5e5c96aba536dfbabb204b2fbb50a400322abee4fc32dad660191315

SHA512
cf388f7d04bd8a936d49f26c239a9dca97e2f951c878b75d6d98526e79e152930e38c0805f05f612666d65e35a3370b12cae93461a390e13159d17063bdbc275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5c485b.TMP

Filesize
874B

MD5
969a808c8bfa1df0c2ed3355ac313854

SHA1
5f1c086445f67946515d20d958b986b7df1c75d8

SHA256
614adc3f05af815cc7db84580f7cd48a426a48ee80226ef1484934118ee74ddb

SHA512
6ad96c8cd5fb48e569d6577534558d611f79e8b68d34b270ac4bcc2e561e71c7773414d173ba1e3691dbad3e8a401b3b8a0d7e35d0f560e655789377fc68df4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000a

Filesize
26KB

MD5
8235f98068f731038d8520df4727c625

SHA1
6ef1e3ca36d59de490e593ec195b632e8e09565d

SHA256
98280dcf81e7ed7a29b2d383c12027481bf771aa6358012ee5ffcc8b3af21e38

SHA512
d75d4b688898ee9c9ee07f7be6e9dafd0154518ac54042270666969dd15dbc3b7c8cf92997c510f42f20a5ad8270d5324dd8f2ef91666a9d6d0450d60bacfd83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fab2a84b3c42ba0ec385d4f144255581

SHA1
9f23ee6de63d815d9dec6fd8b5720eea703cff26

SHA256
df841e34beefa1ac4fd3b6cc5df88d373e28ec4395c61bc4c9e0599f654b73fb

SHA512
735740a2d28ed6f21a48d32d41631f589f17c8eb685e98d60abcf777380aaf61071981b1cd9477fc4006c44ed9ab3e790dcf936da9290c649e5271c93325ef2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
311896ef3ead55848c9ac3b429602b48

SHA1
ae484d5553676537f6514bb12d16474c7b9a86cc

SHA256
70b1dd3d9dbba3436cd329143cd1c7251e74f4df53f10f8e2de0751930bb980d

SHA512
b3141ca00903ceef62a48e85fbf429caf2a20f78796b74ba4b95902f6295b92d0a3ac691e6640f3419823d55081337ee0cd0c2c81a66793a71b11cc79d139224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1e6aa2b935fe2e43abd26308b4c204ea

SHA1
360b996cc47824010c373e291b4bae67ac518bb1

SHA256
9635f2b77ceca3eb69140ea48383c22f1f9a77cfbc515f117823accd0495b249

SHA512
2a01583beea6e281088d1a4915c56b863a60042dd159c3b40e46cd85a0dbe3c6ba0b6e8b1747cfd1dcf1cba1c6c4836eb817c949d609e54b3ba83257bde96e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5a48278e65706316351f4950de039df4

SHA1
2725ac39110c4e6fb82e78e5c5132780c6306f32

SHA256
06d000cd59b88d1b326b41424b465d4bc83d074f5cd6d2acfb1b7208c10079c5

SHA512
a0a2b4ecf8bdf53602c90b28e426871545c9730fb8dafe1408732dd9ad1560b7fca8f992410d15ffbf2f915ed665a963b963b8a774265679fac1a0d539e6eba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ea082ffe0e8134410bcfd10d3bd05751

SHA1
1c11647824e98a94e15fef493d59148be65dc8cc

SHA256
bb6fe6a7c000e9bd4af0e4936b7749ea447f3fe2242e24223a8fb2cf8fdde677

SHA512
a0098e9a4789da018126d7a2618f2a6b75f0c340848daac50d61eb7934bc328302354678764708b784d0cd1aa1d2a3548b9106488d84f1a9545c909fa764f924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8b4bd240af85850908f5dbe917c002fb

SHA1
5f5480b65099d8506fe43d1a123e8394400067d8

SHA256
ab3b8505e97e93938ce3e5dec4407d9f31502f2d22d661666ba4d236c02ad752

SHA512
2f15889b35583c9d5e5b23542cc8a8eede27f905ea772617b54eb3e1603484780f36d04c4f7ab89ce257f86d15fcf034ef879b6136b138de6855854574ad3351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6189550bd71e0bba2e0cd8b42ac8114b

SHA1
0fa7ca2056bf2b7bb597020e5dee36e5bba9e616

SHA256
96ce1266adb30f60cf466e2416df6795a727fb3737ce539ea76f5b86dd3f810a

SHA512
b969646de8fa68a46da0cfd8036c3625d8c134aa5a12d3a8c81af5b28d675436a256b96386b12bd2f2889ed517a1d719936ab3a76d42a7c330fe9b5d1fc88662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a196659445b5df587569d73e162d8de2

SHA1
e9946b4447434e3928f997801fbb4d5c15158c27

SHA256
7d180783d37229f209ae3dfdcf237182c25571b2077ece5550eece1badd3cada

SHA512
ab83699bcec7127c9c67bddd6cf7a44e247837a58c46f90258eb2209cbef2c0bba63efd1c3ef98a9a99816eb02eb0e5bcd3d18f375ab3ee9125bb974f2176d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5e7211084e667e593e80d12e4d308d51

SHA1
4b9d8c2f373ba74dcd41540d9f9e26576c2ee715

SHA256
cb1248dac243bbdd046be92be3a428481e9743c3d0090b8a0f04d47b79549fb6

SHA512
d78692d3fc0c47d01c3e0cdfb9e850d8bfaa015477d32e0bcb0e3cad7aa519cdfd128a1106201d3abdc8c6d19b80526bdd57b709b264ac9ce96c57513cb0f2d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4691eacd1390bb1c0c3a61d96f15cb0f

SHA1
fc21c7597e119b757649d805e78b7dcdf5891cb9

SHA256
08e7eb77586162e7dc002a1f1ff265983e1079257e17faba3fe9f732d005a3fa

SHA512
dab0762afeb4a4094cf5471a3e2257ccfc9a99279d7888a158a830d45c77282e6a18ec65c2308e31bd79dd2c5ce566fa6119a5f992a90eea39865e3db3608065

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\50392bfc-2497-45f2-8472-e07f81194de4.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
327975ba2c226434c0009085b3702a06

SHA1
b7b8b25656b3caefad9c5a657f101f06e2024bbd

SHA256
6fa9064f304b70d6dcebee643ca017c2417ff325106917058f6e11341678583c

SHA512
150a57c143fc5ff2462f496f5a9451310b8d99e32c4d570641204c8062a78590f14bed438ac981e8b0609a0c87b859a1f8502a78687bc36c3a9529d633a58e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4xfiz20o.3tv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjFACE.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjFACE.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjFACE.tmp\killer.dll

Filesize
6KB

MD5
90d4a02442dbf8cbe8acdd751c090e3a

SHA1
e45d21b5ccb7aa6014124c649caa29bf6cd0a0bd

SHA256
c38671ab01efc0e0242fb7e7c0336c2cdd0403182070a1b2075f04a8f6616a3a

SHA512
8df6423f857f974f3405ca0e21aba79f94b8dace39c9c1e78fa420de87fab5a149de484165f5fc8e1c0a2fdb80444d1887bdce63c23418c6a7a372c2d0d6cf95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjFACE.tmp\nsDui_english.dll

Filesize
3.6MB

MD5
1149683c84211d751af12ebdc20b19b0

SHA1
c850128e27ba351c8499fc782e90a6459dd83c05

SHA256
2da4139072988cbb1473b631311a82443a23f378cdde5ad267b6c5c08dbd3098

SHA512
2563d5f8c0e973a3f0df7ba9cf48fa45e868adad4703699bf7a73f782b4abdffa356ad0df310cccd82533f67a90ca5367aba032ba7d94b4c9c7da345d1a10556

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjFACE.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjFACE.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9bd316e8-fd44-ab48-8f31-c2a3918b070a}\AvicaVirtualDisplayDriver.cat

Filesize
14KB

MD5
da04d7462383a8bcb21b2c5c599ce6ae

SHA1
2d441073dc9fdbdb747b0029cb54ad92208f06f7

SHA256
acd77e77dc9f23d039bafbb9434a7d147458b896001b44b3a823270f302fc0cb

SHA512
358cdc884c656199f1be4d7d8763e532d29f7d7df00c1982b61e492171331e3f227ec0984bf35268ca2cef0f0930f51476dcb633043bdd16278665b4bbcb00de

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9bd316e8-fd44-ab48-8f31-c2a3918b070a}\AvicaVirtualDisplayDriver.dll

Filesize
81KB

MD5
321b124c8f5edeaab2deaf3c47e53b82

SHA1
5e886e005e778d048cdb5a6c246e70db436c6f8e

SHA256
7d3a0a92f57a7ad38c3d880d20c1640bb19b5d1cb72fb7a8af1bcd5e55de6bed

SHA512
fd167fe22d5353ba5210c3941e80ecf8b4099c959234ea438cc3bc4e9647b91b4a617ee5dcd69828a2c37a6de29bc21d017b2f82291263829c4d421d74f268ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9bd316e8-fd44-ab48-8f31-c2a3918b070a}\AvicaVirtualDisplayDriver.inf

Filesize
4KB

MD5
74525bcc98bd5c32a49b0becfcbbd557

SHA1
812e84cf7f5230a351c128c001907e9bc092ae41

SHA256
d8e9dbd6ea59375be85357a22078314fe443335b4bcac4e0a034b8efc861e4b1

SHA512
70226afa26930052ef1bdd5f1dc1bcc9613f246355e3c6d2d7c65a59d3feef8333f6b7c5d57ff6c1addcea5523ed1bb3064cfff41841ae0c4ea5e5907e82f63e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 654354.crdownload

Filesize
333B

MD5
3b0d4d97c9eb562d69085f1ad944e8c0

SHA1
9379f5a4a092611c93f0aaa6d011327bc622387b

SHA256
bbeec4a61c66825352315b6375e6cc01717dadf40329ee881321863b4104cb2e

SHA512
298bc4aeb7ca06eddcfe4e013f5f6c099abc033e58dbd4766d7ab3baa51542e08bb1c05d9053958836ce4a0e098c5221db0498bf3b1045be7df5ed9bea6aaaac

Download Submit
C:\Users\Admin\Downloads\windows.ps1:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Videos\New folder\Avica_Setup_1735066893.exe

Filesize
45.2MB

MD5
2610a75d3d44f251c360fab5b3d668c0

SHA1
126e6b191acc298e98a5ff1db2015e35509875b7

SHA256
911f28b71f85a2f84a9b4169e39db11b44ec8afb061b0e0e91f66b5a67ac1db0

SHA512
5d993acb570652b3f6c0997df072b45f0c4d926b5945a06b91646fa504fdcda2d14c5fef2b5a81d35a12f13716bb151c1b6c62f40704596175d6a923c0b02285

Download Submit
C:\Users\Admin\Videos\New folder\Avica_setup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Videos\New folder\Unconfirmed 622879.crdownload

Filesize
3.1MB

MD5
1297c8efb5b9a87255b93ae2af0036d2

SHA1
8c43dfe959b894595e2eee40083afdd77ab2dfa1

SHA256
78aba77129109aeb8d995c90432229509f18a953596b3a47ca1cd758bdc8b906

SHA512
ce9f226ac213ac293a3319282a2e3412028ee58ab58afd08cf7a86c414f7191a6a61ca97cd2801153868ee491cf41ed5409ed079c1bd1167b35742de8420782a

Download Submit
C:\Users\Admin\xmrig\xmrig-6.21.3\xmrig.exe

Filesize
6.1MB

MD5
c0f8959614ae06561216158d78a787e5

SHA1
73167d1fd0cee1c96a6505606d21cbfe4369eb00

SHA256
e199d88569fb54346d5fa20ee7b59b2ea6f16f4ecca3ea1e1c937b11aab7b2b0

SHA512
a24fcf344d08c64ac301d5e4979f062b5e28e8e4acf1d2790916149ffe7726b0c4a11e0775aeba6b841d2d5081e1bd13e2b80390bf9bfbc44d67e54ec07cd746

Download Submit
\??\c:\PROGRA~2\avica\drivers\VIGEMB~1\ViGEmBus.sys

Filesize
161KB

MD5
87fe350c6ffe8d60ce58dbc16a2d091e

SHA1
7e2727a31c54df2fe4fba73a6b0537afa5faf534

SHA256
8fb8402b7266fa9b9ea8841708317c8c25367b2947eeda9b6462c0e4801f05a4

SHA512
f892b87a8d45ddb14a99e736eff26f7257c492dade5754362acf4d2522927c337dd3d6ec4d47b0553681764e5cf15db61f8a96098889a7b5a56c052b53dced63

Download Submit
\??\c:\program files (x86)\avica\drivers\vigembussetup_x64\ViGEmBus.cat

Filesize
10KB

MD5
5312064607460baaa4562aabc42b8922

SHA1
c8a0758e5ae7158acb0f6f111ad298fbc0b1a2ae

SHA256
58b8a1bf9160fd4310a183b3431580eda2bc0a5ecaac2e0fbd6399184ff02404

SHA512
dcfc68f09d339695aa3b8eea02a7adafc21473d259df9d6dd7cbb7d29fb8f3ff9b3184f8921d9f829c665b1447ebec7ce97729914fb7367bf6e07d9fd02d2aba

Download Submit
memory/2996-1446-0x00007FF657E50000-0x00007FF6582B7000-memory.dmp

Filesize
4.4MB

Download
memory/2996-1794-0x00007FF657E50000-0x00007FF6582B7000-memory.dmp

Filesize
4.4MB

Download
memory/2996-1504-0x00007FF657E50000-0x00007FF6582B7000-memory.dmp

Filesize
4.4MB

Download
memory/2996-1474-0x00007FF657E50000-0x00007FF6582B7000-memory.dmp

Filesize
4.4MB

Download
memory/3280-704-0x0000023BC27B0000-0x0000023BC27BA000-memory.dmp

Filesize
40KB

Download
memory/3280-703-0x0000023BDA930000-0x0000023BDA942000-memory.dmp

Filesize
72KB

Download
memory/3280-659-0x0000023BC2760000-0x0000023BC27AB000-memory.dmp

Filesize
300KB

Download
memory/3280-649-0x0000023BC2250000-0x0000023BC2272000-memory.dmp

Filesize
136KB

Download
memory/3280-757-0x0000023BC2760000-0x0000023BC2795000-memory.dmp

Filesize
212KB

Download
memory/3280-726-0x0000023BC2760000-0x0000023BC2795000-memory.dmp

Filesize
212KB

Download
memory/3280-658-0x0000023BDA960000-0x0000023BDA9A6000-memory.dmp

Filesize
280KB

Download
memory/3596-751-0x000002506AB80000-0x000002506ABA0000-memory.dmp

Filesize
128KB

Download
memory/4004-609-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download
memory/4004-606-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download
memory/4004-597-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download
memory/4004-600-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download
memory/4004-604-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download
memory/4004-608-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download
memory/4004-607-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download
memory/4004-605-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download
memory/4004-603-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download
memory/4004-601-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download
memory/4004-602-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download
memory/4004-594-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download
memory/4004-595-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download
memory/4004-596-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download
memory/4004-599-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download
memory/4004-598-0x000001DD54AD0000-0x000001DD54AE0000-memory.dmp

Filesize
64KB

Download