Analysis
max time kernel: 82s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250129-en locale:en-us os:windows10-2004-x64 system
submitted: 01-02-2025 20:30
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
  Resource: win10v2004-20250129-en
General
Target: JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Size: 6.1MB
MD5: 757839be7d20eef30809a52a774df7ab
SHA1: 992a32971b84eb6b9db71ba22e70fef4c635b8ad
SHA256: 27c6086a75d379eda91fdc5c3212c7e8ea7b4f668efb9873aaa639ccaf9b3c74
SHA512: 68a0469c0d98468a542fda3d4e65fb8064f5c2202120d06de9b1bdea0deeb999280badf5fe42e2b2fd7fec91f8c68726d3b007afbbb070f78b52bdc158da35f8
SSDEEP: 196608:FhMYfTWXjB33vQgUMW2TNW7bRnpySPHnlRyXyKEe5wO:F8nU8WtnpySHnlA0O
Malware Config
Extracted: sality
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ConduitInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | ConduitInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | ConduitInstaller.exe
Sality family
UAC bypass (3 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ConduitInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Windows security bypass (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ConduitInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ConduitInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ConduitInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ConduitInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ConduitInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ConduitInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Disables RegEdit via registry modification (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | ConduitInstaller.exe
Disables Task Manager via registry modification
Drops file in Drivers directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\hssdrv.sys | HssInstaller64.exe
File created | C:\Windows\system32\DRIVERS\SETF26F.tmp | HssInstaller64.exe
File opened for modification | C:\Windows\System32\drivers\SET1B05.tmp | DrvInst.exe
File created | C:\Windows\System32\drivers\SET1B05.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\taphss.sys | DrvInst.exe
File opened for modification | C:\Windows\system32\drivers\SETE4A3.tmp | HssInstaller64.exe
File created | C:\Windows\system32\drivers\SETE4A3.tmp | HssInstaller64.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETF26F.tmp | HssInstaller64.exe
File opened for modification | C:\Windows\system32\DRIVERS\HssDrv.sys | HssInstaller64.exe
Manipulates Digital Signatures (1 TTPs, 2 IoCs)
Attackers can apply techniques such as modifying the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\53B1ED2A485E3413247358C0734BCA1AE9DFDADE\Blob = (certificate blob not included in the report) | DrvInst.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\64B25F858FEFFF5D3E35E0992F516F060540E0FF\Blob = (certificate blob not included in the report) | DrvInst.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation | sdps.exe
Deletes itself (1 IoCs)
pid | Process
4268 | ConduitInstaller.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE (63 IoCs)
Loads dropped DLL (64 IoCs)
Windows security modification (2 TTPs, 14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ConduitInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | ConduitInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ConduitInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ConduitInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ConduitInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ConduitInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ConduitInstaller.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ConduitInstaller.exe
Enumerates connected drives (3 TTPs, 26 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} | regsvr32.exe
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
File opened for modification | F:\autorun.inf | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Drops file in System32 directory (52 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory 14 IoCs
description ioc Process
File opened for modification C:\Windows\inf\oem4.inf DrvInst.exe
File created C:\Windows\INF\oem3.PNF HssInstaller64.exe
File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
File opened for modification C:\Windows\INF\setupapi.dev.log HssInstaller64.exe
File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe
File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe
File created C:\Windows\inf\oem3.inf DrvInst.exe
File created C:\Windows\inf\oem4.inf DrvInst.exe
File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
File opened for modification C:\Windows\inf\oem5.inf DrvInst.exe
File opened for modification C:\Windows\SYSTEM.INI JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe
File created C:\Windows\inf\oem5.inf DrvInst.exe
Note: the oem3/oem4/oem5.inf and setupapi.dev.log entries are written by DrvInst.exe, HssInstaller64.exe and tapinstall.exe, i.e. by the third-party driver package installation (the TAP adapter whose OemWin2k.inf is dropped under the Hotspot Shield driver directory above). The one write in this group that comes from the sample process itself is the modification of C:\Windows\SYSTEM.INI, so that is the entry to examine first. -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 58 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. All 58 reads target the same key, HKLM\SYSTEM\ControlSet001\Control\NLS\Language. Most come from the bundled installer's own components (cfg_mgr.exe, HssInstaller.exe, openvpn.exe), which is consistent with the localised GUI DLLs it drops (bin\lang\gui-*.dll above); the sample process itself reads the key once.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (the same key in all 58 records; reads per process:)
cfg_mgr.exe 32
HssInstaller.exe 6
openvpn.exe 4
hsssrv.exe 3
hsspk.exe 2
hsswd.exe 2
openvpnas.exe 2
HssTrayService.EXE 2
ConduitInstaller.exe 1
JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe 1
openvpntray.exe 1
sdps.exe 1
regsvr32.exe 1 -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run, however, every reader is a Windows Plug and Play or driver-installation component (DrvInst.exe, tapinstall.exe, svchost.exe, HssInstaller64.exe) enumerating devices while the TAP network adapter is installed (tapinstall.exe and the oem*.inf files above), not the sample process itself, so these reads are a by-product of the installer rather than evidence of evasion. The device names they return (QEMU DVD-ROM, Msft Virtual DVD-ROM) would nonetheless reveal the hypervisor to any process that chose to look, which is why this key family is worth hardening on analysis hosts.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs tapinstall.exe Key value queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ HssInstaller64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 HssInstaller64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ HssInstaller64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 
DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A HssInstaller64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 DrvInst.exe Key value queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 HssInstaller64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ HssInstaller64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 tapinstall.exe -
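The 64 accesses above collapse to a handful of distinct devices once the case variants of the same instance path are merged. The following is an added example (not code from the report or from the sandbox that produced it) that parses key paths of this shape, de-duplicates them, and marks which devices carry hypervisor vendor strings. The vendor-to-hypervisor table is an assumption based on common virtual-device identifiers, not something the report states; the sample key list is constructed from six of the paths listed above.

```python
# Added example (not from the report or the sandbox that produced it):
# parse SCSI device-instance paths like those listed above, de-duplicate
# the case variants, and point out which devices carry hypervisor vendor
# strings.  VIRTUAL_MARKERS is an assumption based on common virtual-device
# identifiers, not something the report states.
import re
from typing import Dict, List, NamedTuple, Optional


class ScsiDevice(NamedTuple):
    dev_type: str   # disk / cdrom
    vendor: str     # Ven_ segment
    product: str    # Prod_ segment
    instance: str   # e.g. 4&215468a5&0&000000


# <Type>&Ven_<vendor>&Prod_<product>\<instance> below ...\Enum\SCSI\
_DEV = re.compile(
    r"\\Enum\\SCSI\\(?P<type>[^&\\]+)&Ven_(?P<ven>[^&\\]+)"
    r"&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)",
    re.IGNORECASE,
)

# Assumed markers: substrings of "vendor product" that name a hypervisor.
# "virtual" is last so a vendor-specific marker wins when both appear.
VIRTUAL_MARKERS = (
    ("qemu", "QEMU/KVM"),
    ("vmware", "VMware"),
    ("vbox", "VirtualBox"),
    ("virtual", "synthetic/virtual device (e.g. Msft Virtual DVD-ROM)"),
)


def parse_scsi_key(key_path: str) -> Optional[ScsiDevice]:
    """Extract the device identity from any key or value path below it.
    The report lists one device both as CDROM&VEN_MSFT... and as
    CdRom&Ven_Msft..., so every field is lower-cased to make them equal."""
    m = _DEV.search(key_path)
    if m is None:
        return None
    return ScsiDevice(*(m[g].lower() for g in ("type", "ven", "prod", "inst")))


def virtual_hint(dev: ScsiDevice) -> Optional[str]:
    """Return the hypervisor label for a device, or None if it looks physical."""
    text = f"{dev.vendor} {dev.product}"
    for marker, label in VIRTUAL_MARKERS:
        if marker in text:
            return label
    return None


def unique_devices(key_paths) -> Dict[ScsiDevice, Optional[str]]:
    """Collapse N registry accesses into the distinct devices they touched."""
    devices: Dict[ScsiDevice, Optional[str]] = {}
    for path in key_paths:
        dev = parse_scsi_key(path)
        if dev is not None:
            devices.setdefault(dev, virtual_hint(dev))
    return devices


def enumerate_local_scsi() -> Dict[ScsiDevice, Optional[str]]:
    """Run the same check against the live registry; returns {} off Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    base = r"SYSTEM\CurrentControlSet\Enum\SCSI"
    paths: List[str] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            dev = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, dev) as dev_key:
                for j in range(winreg.QueryInfoKey(dev_key)[0]):
                    paths.append("\\".join(("HKLM", base, dev, winreg.EnumKey(dev_key, j))))
    return unique_devices(paths)


# Constructed sample: six of the 64 key paths listed in the report above.
SAMPLE_KEYS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A",
]

if __name__ == "__main__":
    for dev, hint in unique_devices(SAMPLE_KEYS).items():
        print(dev, "->", hint or "no virtualisation marker")
```

On the sample, the six paths reduce to four devices: one WDC disk with no virtualisation marker, two instances of the Msft Virtual DVD-ROM, and one QEMU DVD-ROM. The same function run through enumerate_local_scsi() on an analysis VM shows exactly what a sample would see if it did perform this check deliberately.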
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" hsssrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ hsssrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates 
DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" hsssrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" hsssrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" hsssrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F6AFF86-4D81-45B8-8CAD-22ABA529C091}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" HssInstaller.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HssIEApp.1\CLSID\ = "{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}" HssInstaller.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\InprocServer32 HssInstaller.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\TypeLib HssInstaller.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F6AFF86-4D81-45B8-8CAD-22ABA529C091}\ = "_IHssIEAppEvents" HssInstaller.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307A31DF-F8B5-426C-9594-FBC1E819AED2}\ = "IHssIEApp" HssInstaller.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}\1.0\0\win64\ = "C:\\Program Files (x86)\\Hotspot Shield\\HssIE\\HssIE_64.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HssIEApp HssInstaller.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\VersionIndependentProgID HssInstaller.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}\1.0\FLAGS\ = "0" HssInstaller.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F6AFF86-4D81-45B8-8CAD-22ABA529C091}\TypeLib\Version = "1.0" HssInstaller.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HssIEApp.1\ = "Hotspot Shield Class" regsvr32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\ = "Hotspot Shield Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HssIEApp\CurVer HssInstaller.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\ProgID HssInstaller.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F6AFF86-4D81-45B8-8CAD-22ABA529C091}\TypeLib HssInstaller.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307A31DF-F8B5-426C-9594-FBC1E819AED2}\TypeLib\ = "{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}" HssInstaller.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F6AFF86-4D81-45B8-8CAD-22ABA529C091}\TypeLib\ = "{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}" HssInstaller.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307A31DF-F8B5-426C-9594-FBC1E819AED2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" HssInstaller.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HssIEApp\ = "Hotspot Shield Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\ = "Hotspot Shield Class" HssInstaller.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\InprocServer32\ThreadingModel = "Apartment" HssInstaller.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\TypeLib\ = "{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}" HssInstaller.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}\1.0\0\win32 | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F6AFF86-4D81-45B8-8CAD-22ABA529C091}\TypeLib | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}\1.0\0\win64 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307A31DF-F8B5-426C-9594-FBC1E819AED2}\ = "IHssIEApp" | HssInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HssIEApp.1\CLSID\ = "{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\Programmable | HssInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Hotspot Shield\\HssIE" | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F6AFF86-4D81-45B8-8CAD-22ABA529C091}\ProxyStubClsid32 | HssInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\InprocServer32\ = "C:\\Program Files (x86)\\Hotspot Shield\\HssIE\\HssIE.dll" | HssInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F6AFF86-4D81-45B8-8CAD-22ABA529C091}\ = "_IHssIEAppEvents" | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\VersionIndependentProgID\ = "HssIE.HssIEApp" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F6AFF86-4D81-45B8-8CAD-22ABA529C091}\TypeLib\Version = "1.0" | HssInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307A31DF-F8B5-426C-9594-FBC1E819AED2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307A31DF-F8B5-426C-9594-FBC1E819AED2}\TypeLib | HssInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HssIEApp\CLSID\ = "{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}" | HssInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\ProgID\ = "HssIE.HssIEApp.1" | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307A31DF-F8B5-426C-9594-FBC1E819AED2} | HssInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307A31DF-F8B5-426C-9594-FBC1E819AED2}\TypeLib\ = "{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}" | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HssIEApp\CLSID | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F6AFF86-4D81-45B8-8CAD-22ABA529C091}\ProxyStubClsid32 | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307A31DF-F8B5-426C-9594-FBC1E819AED2}\ProxyStubClsid32 | HssInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HssIEApp\CLSID\ = "{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E69D4A59-73DE-4E38-9FB3-740EC4D9060D} | HssInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F6AFF86-4D81-45B8-8CAD-22ABA529C091}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F6AFF86-4D81-45B8-8CAD-22ABA529C091} | HssInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\TypeLib\ = "{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HssIEApp\CurVer\ = "HssIE.HssIEApp.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\InprocServer32\ = "C:\\Program Files (x86)\\Hotspot Shield\\HssIE\\HssIE_64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HssIEApp\CurVer\ = "HssIE.HssIEApp.1" | HssInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\VersionIndependentProgID\ = "HssIE.HssIEApp" | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}\1.0\0 | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F6AFF86-4D81-45B8-8CAD-22ABA529C091} | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307A31DF-F8B5-426C-9594-FBC1E819AED2}\ProxyStubClsid32 | HssInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307A31DF-F8B5-426C-9594-FBC1E819AED2} | HssInstaller.exe
-
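The rows above are the raw COM registration of the HssIE browser helper, scattered across CLSID, ProgID, TypeLib and Interface keys and across two writers. An analyst usually wants them folded back into one record per CLSID: which DLL each bitness loads, which ProgIDs point at it, and which process wrote each piece. The Python below does that fold over rows copied from the table. It is an added example, not code from this report or from Hotspot Shield; the regexes assume the Triage row layout shown above (`<op> <key>[ = "<value>"] <process>`) and the sample input is a subset of the table. One thing the output makes visible: on 64-bit Windows a 32-bit process writing `HKLM\SOFTWARE\Classes\CLSID` is redirected to `WOW6432Node`, so the x86 `HssIE.dll` registration by `HssInstaller.exe` and the x64 `HssIE_64.dll` registration by the 64-bit `regsvr32.exe` are the same CLSID registered twice, and the two InprocServer32 paths are where to collect the dropped DLLs from.

```python
import re
from collections import defaultdict

# Rows copied from the "Modifies registry class" table above (a subset; the
# full table parses the same way).
CLASS_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\InprocServer32\ = "C:\\Program Files (x86)\\Hotspot Shield\\HssIE\\HssIE.dll" HssInstaller.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\InprocServer32\ = "C:\\Program Files (x86)\\Hotspot Shield\\HssIE\\HssIE_64.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\ProgID\ = "HssIE.HssIEApp.1" HssInstaller.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\VersionIndependentProgID\ = "HssIE.HssIEApp" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\TypeLib\ = "{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HssIEApp.1\CLSID\ = "{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\Programmable HssInstaller.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F6AFF86-4D81-45B8-8CAD-22ABA529C091}\ProxyStubClsid32 HssInstaller.exe
"""

# One Triage registry row: <op> <key>[ = "<value>"] <process>
ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<type>\w+)\)) '
    r'(?P<key>\\REGISTRY\\\S+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<process>\S+)$'
)
# ...\Classes\[WOW6432Node\]CLSID\{guid}\<subkey>[\]
CLSID_RE = re.compile(
    r'^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?P<wow>WOW6432Node\\)?CLSID\\'
    r'(?P<clsid>\{[0-9A-Fa-f-]+\})\\(?P<sub>[^\\]+)\\?$'
)
# ...\Classes\[WOW6432Node\]<ProgID>\CLSID\   (the value is the CLSID)
PROGID_RE = re.compile(
    r'^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?:WOW6432Node\\)?(?P<progid>[\w.]+)\\CLSID\\$'
)


def parse_rows(text):
    """Yield one dict per row with op, type, key, value (unescaped) and process."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        if row["value"] is not None:
            # Triage doubles backslashes inside values; collapse them back.
            row["value"] = row["value"].replace("\\\\", "\\")
        yield row


def reconstruct_com(rows):
    """Fold CLSID-scoped writes into one record per COM class.

    A 32-bit writer's HKLM\\SOFTWARE\\Classes\\CLSID writes land under
    WOW6432Node on 64-bit Windows, so one CLSID can carry two InprocServer32
    paths, one per bitness; they are kept apart under 'servers'.
    """
    classes = defaultdict(lambda: {"servers": {}, "progids": set(),
                                   "typelib": None, "writers": set()})
    for row in rows:
        m = CLSID_RE.match(row["key"])
        if m:
            rec = classes[m["clsid"].upper()]
            rec["writers"].add(row["process"])
            arch = "x86" if m["wow"] else "x64"
            sub, value = m["sub"].lower(), row["value"]
            if sub == "inprocserver32" and value:
                rec["servers"][arch] = value
            elif sub in ("progid", "versionindependentprogid") and value:
                rec["progids"].add(value)
            elif sub == "typelib" and value:
                rec["typelib"] = value.upper()
            continue
        m = PROGID_RE.match(row["key"])
        if m and row["value"]:
            # ProgID -> CLSID link, written from the ProgID side.
            classes[row["value"].upper()]["progids"].add(m["progid"])
    return dict(classes)


def registered_servers(classes):
    """{clsid: [(arch, dll path), ...]} for every class that loads an in-process DLL."""
    return {clsid: sorted(rec["servers"].items())
            for clsid, rec in classes.items() if rec["servers"]}


if __name__ == "__main__":
    classes = reconstruct_com(parse_rows(CLASS_ROWS))
    for clsid, rec in classes.items():
        print(clsid, sorted(rec["progids"]), rec["typelib"], sorted(rec["writers"]))
        for arch, dll in sorted(rec["servers"].items()):
            print(f"  {arch}: {dll}")
```

Feed it the whole table and any CLSID whose server path sits outside the product directory, or is written by a process that should not be registering COM classes, stands out immediately.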
Modifies system certificate store 2 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | tapinstall.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 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 | tapinstall.exe (×2)
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
pid | Process
2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe (×24)
1620 | openvpnas.exe (×4)
2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe (×2)
1060 | HssTrayService.EXE (×4)
3708 | openvpn.exe (×2)
2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe (×2)
2500 | openvpn.exe (×2)
2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe (×2)
4984 | openvpn.exe (×2)
4268 | ConduitInstaller.exe (×2)
4344 | openvpn.exe (×2)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe (×64)
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3720 openvpntray.exe 3720 openvpntray.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 3720 openvpntray.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3720 openvpntray.exe 3720 openvpntray.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2984 wrote to memory of 772 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 8
PID 2984 wrote to memory of 780 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 9
PID 2984 wrote to memory of 1012 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 13
PID 2984 wrote to memory of 2956 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 49
PID 2984 wrote to memory of 3056 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 51
PID 2984 wrote to memory of 2468 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 52
PID 2984 wrote to memory of 3408 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 56
PID 2984 wrote to memory of 3536 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 57
PID 2984 wrote to memory of 3736 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 58
PID 2984 wrote to memory of 3832 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 59
PID 2984 wrote to memory of 3896 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 60
PID 2984 wrote to memory of 4000 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 61
PID 2984 wrote to memory of 4144 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 62
PID 2984 wrote to memory of 1268 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 74
PID 2984 wrote to memory of 1044 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 76
PID 2984 wrote to memory of 2628 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 80
PID 2984 wrote to memory of 4636 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 81
PID 2984 wrote to memory of 2132 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 83
PID 2984 wrote to memory of 628 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 84 (×3)
PID 2984 wrote to memory of 2724 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 86 (×3)
PID 2984 wrote to memory of 408 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 88 (×2)
PID 2984 wrote to memory of 1396 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 93 (×3)
PID 1396 wrote to memory of 2520 | 1396 | HssInstaller.exe | 95 (×3)
PID 2520 wrote to memory of 116 | 2520 | regsvr32.exe | 96 (×2)
PID 2984 wrote to memory of 1880 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 97 (×2)
PID 2984 wrote to memory of 772 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 8
PID 2984 wrote to memory of 780 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 9
PID 2984 wrote to memory of 1012 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 13
PID 2984 wrote to memory of 2956 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 49
PID 2984 wrote to memory of 3056 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 51
PID 2984 wrote to memory of 2468 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 52
PID 2984 wrote to memory of 3408 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 56
PID 2984 wrote to memory of 3536 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 57
PID 2984 wrote to memory of 3736 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 58
PID 2984 wrote to memory of 3832 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 59
PID 2984 wrote to memory of 3896 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 60
PID 2984 wrote to memory of 4000 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 61
PID 2984 wrote to memory of 4144 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 62
PID 2984 wrote to memory of 1268 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 74
PID 2984 wrote to memory of 1044 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 76
PID 2984 wrote to memory of 2628 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 80
PID 2984 wrote to memory of 4636 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 81
PID 2984 wrote to memory of 112 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 90
PID 2984 wrote to memory of 4036 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 92
PID 2984 wrote to memory of 1880 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 97
PID 2984 wrote to memory of 2252 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 98
PID 2592 wrote to memory of 1516 | 2592 | svchost.exe | 101 (×2)
PID 1516 wrote to memory of 1716 | 1516 | DrvInst.exe | 102 (×2)
PID 2984 wrote to memory of 3988 | 2984 | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe | 104 (×3)
-
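Sixty-four WriteProcessMemory rows read very differently once they are grouped by writer and by whether the target is the writer's own child. The Python below does that grouping over rows copied from the table (a subset) with a child-to-parent map read off the process tree further down the page; it is an added example, not part of this report. The fan-out threshold of three distinct unrelated targets is an assumption, and so is the parent of PID 1716, which the tree does not show. On these rows it separates the sample, which writes into fontdrvhost, dwm and its own parent Explorer, from the installer chain (HssInstaller into regsvr32, svchost into DrvInst), where each writer only touches the process it just spawned.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above (a subset).
WPM_ROWS = """
PID 2984 wrote to memory of 772 2984 JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe 8
PID 2984 wrote to memory of 780 2984 JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe 9
PID 2984 wrote to memory of 1012 2984 JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe 13
PID 2984 wrote to memory of 3408 2984 JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe 56
PID 2984 wrote to memory of 628 2984 JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe 84
PID 2984 wrote to memory of 628 2984 JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe 84
PID 2984 wrote to memory of 1396 2984 JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe 93
PID 1396 wrote to memory of 2520 1396 HssInstaller.exe 95
PID 1396 wrote to memory of 2520 1396 HssInstaller.exe 95
PID 2520 wrote to memory of 116 2520 regsvr32.exe 96
PID 2592 wrote to memory of 1516 2592 svchost.exe 101
PID 1516 wrote to memory of 1716 1516 DrvInst.exe 102
"""

# child PID -> parent PID, read off the process tree on this page. 1716 does
# not appear in the tree, so its parent is assumed from the DrvInst.exe row.
PARENT = {2984: 3408, 628: 2984, 1396: 2984, 2520: 1396, 116: 2520,
          1516: 2592, 1716: 1516}

# PID <src> wrote to memory of <dst> <src> <image> <procid_target>
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
                    r"(?P=src) (?P<image>\S+) (?P<procid>\d+)$")


def parse_wpm(text):
    """Return [(src_pid, dst_pid, src_image), ...], one entry per row."""
    writes = []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        writes.append((int(m["src"]), int(m["dst"]), m["image"]))
    return writes


def classify_writers(writes, parent, fanout_threshold=3):
    """Per writer: distinct own-child targets vs distinct unrelated targets.

    Writing into a process you just created (installer -> regsvr32, svchost ->
    DrvInst) is what CreateProcess-based launchers do. Writing into processes
    you did not create, and into many of them, is the injection pattern. The
    threshold is an assumption; tune it to the sandbox's noise level.
    """
    by_src = defaultdict(lambda: {"image": None, "children": set(), "foreign": set()})
    for src, dst, image in writes:
        rec = by_src[src]
        rec["image"] = image
        bucket = "children" if parent.get(dst) == src else "foreign"
        rec[bucket].add(dst)
    return {
        src: {
            "image": rec["image"],
            "children": sorted(rec["children"]),
            "foreign": sorted(rec["foreign"]),
            "injector": len(rec["foreign"]) >= fanout_threshold,
        }
        for src, rec in by_src.items()
    }


if __name__ == "__main__":
    for pid, v in classify_writers(parse_wpm(WPM_ROWS), PARENT).items():
        flag = "INJECTOR" if v["injector"] else "launcher"
        print(f"{pid:>5} {v['image']:<55} {flag} "
              f"children={v['children']} foreign={v['foreign']}")
```

Run over the full table, the sample's foreign set grows to every level-1 process in the tree (fontdrvhost, dwm, sihost, taskhostw, the RuntimeBroker and backgroundTaskHost instances), which is the host-wide injection a file infector performs; the three launcher writers never leave their own subtree.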
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ConduitInstaller.exe
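Both the sample and the ConduitInstaller.exe it drops write EnableLUA = 0, and the process tree below credits both with the same firewall-policy and regedit signatures: two different executables making the same policy changes is what a file infector produces. The Python below turns registry rows of this shape into findings against a small secure baseline and groups them per writer so that shared behaviour stands out. It is an added example, not code from this report. The baseline entries other than EnableLUA are the standard Windows locations behind the firewall-policy and regedit signatures and are baseline knowledge, not rows from this report; in the sample input, the firewall row and the EnableLUA = "1" row (from a made-up `setup_benign.exe`) are written by hand to exercise the control-set normalization and the compliant case, while the two EnableLUA = "0" rows are copied from the table above.

```python
import re

# Two rows copied from the "System policy modification" table above, plus two
# written by hand: a firewall-policy row in the shape the "Modifies firewall
# policy service" signature produces, and a compliant EnableLUA = "1" write
# from a made-up setup_benign.exe that must not be flagged.
POLICY_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ConduitInstaller.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" setup_benign.exe
"""

# One Triage "Set value" row: Set value (<type>) <key> = "<value>" <process>
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?) = "(?P<value>.*)" (?P<process>\S+)$'
)

# Secure baseline keyed by normalized value path: (expected value, meaning of
# a deviation). Standard Windows locations; baseline knowledge, not rows from
# this report.
BASELINE = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA":
        (1, "UAC disabled"),
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools":
        (0, "regedit blocked by policy"),
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall":
        (1, "firewall disabled (standard profile)"),
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications":
        (0, "firewall notifications suppressed"),
}
_BASELINE_CI = {k.lower(): v for k, v in BASELINE.items()}


def normalize(key):
    """Kernel-style path -> HKLM\\... form. Drops the control-set number and the
    WOW6432Node redirection so one baseline entry covers every spelling."""
    k = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key, flags=re.I)
    k = re.sub(r"^HKLM\\SYSTEM\\ControlSet\d{3}\\", r"HKLM\\SYSTEM\\CurrentControlSet\\", k, flags=re.I)
    k = re.sub(r"\\WOW6432Node\\", r"\\", k, flags=re.I)
    return k


def evaluate(text, baseline=_BASELINE_CI):
    """Return [(process, path, observed, expected, meaning)] for every write
    that moves a baselined value away from its secure setting."""
    findings = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        path = normalize(m["key"])
        hit = baseline.get(path.lower())
        if hit is None:
            continue
        observed = int(m["value"]) if m["type"] == "int" else m["value"]
        expected, meaning = hit
        if observed != expected:
            findings.append((m["process"], path, observed, expected, meaning))
    return findings


def by_process(findings):
    """{process: {meaning, ...}} so identical change-sets from different
    binaries are visible at a glance."""
    out = {}
    for process, _path, _observed, _expected, meaning in findings:
        out.setdefault(process, set()).add(meaning)
    return out


if __name__ == "__main__":
    for process, meanings in by_process(evaluate(POLICY_ROWS)).items():
        print(f"{process}: {', '.join(sorted(meanings))}")
```

The same evaluator works on rows exported from a live host (`reg query` output reshaped into this layout), which is the quick way to confirm on an infected machine that UAC and the firewall were turned off rather than merely queried.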
Processes
-
C:\Windows\system32\fontdrvhost.exe
  cmd: "fontdrvhost.exe"
  PID: 772
-
C:\Windows\system32\fontdrvhost.exe
  cmd: "fontdrvhost.exe"
  PID: 780
-
C:\Windows\system32\dwm.exe
  cmd: "dwm.exe"
  PID: 1012
-
C:\Windows\system32\sihost.exe
  cmd: sihost.exe
  PID: 2956
-
C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 3056
-
C:\Windows\system32\taskhostw.exe
  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2468
-
C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  PID: 3408
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 2984
        C:\Users\Admin\AppData\Local\Temp\HssInstaller.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\HssInstaller.exe" -iswow64
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 628
        -
        C:\Users\Admin\AppData\Local\Temp\HssInstaller.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\HssInstaller.exe" -vmcheck
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 2724
        -
        C:\Users\Admin\AppData\Local\Temp\HssInstaller64.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\HssInstaller64.exe" -installdriver -c
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 408
        -
        C:\Program Files (x86)\Hotspot Shield\bin\HssInstaller.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\HssInstaller.exe" -installhssie "C:\Program Files (x86)\Hotspot Shield\HssIE" "C:\Users\Admin\AppData\Local\Temp\nspB99C.tmp\HssIE.dll" "C:\Users\Admin\AppData\Local\Temp\nspB99C.tmp\HssIE_64.dll" -product hss
          - Executes dropped EXE
          - Loads dropped DLL
          - Installs/modifies Browser Helper Object
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          PID: 1396
            C:\Windows\SysWOW64\regsvr32.exe
              cmd: regsvr32.exe /s "C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll"
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 2520
                C:\Windows\system32\regsvr32.exe
                  cmd: /s "C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll"
                  - Loads dropped DLL
                  - Installs/modifies Browser Helper Object
                  - Modifies registry class
                  PID: 116
        -
        C:\Program Files (x86)\Hotspot Shield\HssWPR\HssInstaller64.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\HssWPR\HssInstaller64.exe" -installdriver -i "C:\Program Files (x86)\Hotspot Shield\HssWPR"
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Checks SCSI registry key(s)
          PID: 1880
            C:\Windows\System32\Conhost.exe
              cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              PID: 2252
        -
        C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe" -i -product hss
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 3988
        -
        C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe" -start -product hss
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 3888
        -
        C:\Users\Admin\AppData\Local\Temp\HssInstaller.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\HssInstaller.exe" -reencrypt "" "C:\Program Files (x86)\Hotspot Shield\config\sd-info-direct.cfg"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4336
        -
        C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe" -install_nr -product hss
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 2860
        -
        C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe" -start -product hss
          - Executes dropped EXE
          PID: 956
        -
        C:\Users\Admin\AppData\Local\Temp\hsspk.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\hsspk.exe" -killpopups
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4424
            C:\Users\Admin\AppData\Local\Temp\hsspk.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\hsspk.exe" -killpopupsloop
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              PID: 3608
        -
        C:\Program Files (x86)\Hotspot Shield\bin\tapinstall.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\tapinstall.exe" hwids taphss
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          PID: 244
        -
        C:\Program Files (x86)\Hotspot Shield\bin\tapinstall.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\tapinstall.exe" install "C:\Program Files (x86)\Hotspot Shield\driver\OemWin2k.inf" taphss
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Checks SCSI registry key(s)
          - Modifies system certificate store
          PID: 3424
            C:\Windows\System32\Conhost.exe
              cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              PID: 3376
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/home_path" "C:\Program Files (x86)\Hotspot Shield"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 832
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/installer" "HSS-2.53-install-softpedia-391-conduit.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 1484
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/config_dir" "C:\Program Files (x86)\Hotspot Shield\config"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4608
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/htdocs_dir" "C:\Program Files (x86)\Hotspot Shield\htdocs"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 988
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/verify_dir" "C:\Program Files (x86)\Hotspot Shield\log\verify"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 5100
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/config_ext" "hvpn"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 2176
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/exe_path" "C:\Program Files (x86)\Hotspot Shield\bin\openvpn.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4892
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/proxy_path" "C:\Program Files (x86)\Hotspot Shield\bin\af_proxy_cmd.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 3336
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/priority" "NORMAL_PRIORITY_CLASS"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 2812
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/log_dir" "C:\Program Files (x86)\Hotspot Shield\log"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 3424
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/log_path" "C:\Program Files (x86)\Hotspot Shield\log\oas.log"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 2500
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/log_append" "0"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4724
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/dport_start" "56700"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 3828
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/dport_end" "56999"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4860
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/local_addr" "127.0.0.1"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4056
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/http_port" "895"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 3796
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/fbw_port" "896"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 2968
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/tray_port" "897"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 3568
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/hssie_dir" "C:\Program Files (x86)\Hotspot Shield\HssIE"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 3888
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/hssie_config" "config"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 2644
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/hss_ff_dir" "C:\Program Files (x86)\Hotspot Shield\HssFF"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 1384
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/hss_wd_dir" "C:\Program Files (x86)\Hotspot Shield\hsswd"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 1800
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/update_dir" "C:\Program Files (x86)\Hotspot Shield\update"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 1560
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/client_tag" "softpedia-391-conduit"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 1456
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/page_not_found" "0"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4424
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/privacy_alert" "0"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 244
            C:\Windows\System32\Conhost.exe
              cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              PID: 1572
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/search_default" "0"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 8
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/search_home" "0"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 5112
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/hsswd_flags" "0"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4268
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/proxy_flags" "0"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 2692
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/install_path" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_757839be7d20eef30809a52a774df7ab.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 2812
        -
        C:\Users\Admin\AppData\Local\Temp\nspB99C.tmp\sdps.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\nspB99C.tmp\sdps.exe
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4336
        -
        C:\Users\Admin\AppData\Local\Temp\HssInstaller.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\HssInstaller.exe" -updatelang eng -product hss
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 1936
        -
        C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE" -i
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 3496
        -
        C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe" -install
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4052
        -
        C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe" -start
          - Executes dropped EXE
          PID: 2180
        -
        C:\Users\Admin\AppData\Local\Temp\HssInstaller.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\HssInstaller.exe" -time
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 2744
        -
        C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\cfg_mgr.exe" -add "Hotspot Shield" "/config/install_time" "1738441850"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4204
        -
        C:\Users\Admin\AppData\Local\Temp\ConduitInstaller.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\ConduitInstaller.exe" -ctid=CT1561552 -ie -ff -openwelcomedialog=FALSE -showpersonalcompdialog=FALSE -startpage=FALSE -defaultsearch=FALSE
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Disables RegEdit via registry modification
          - Deletes itself
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - System policy modification
          PID: 4268
        -
        C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE
          cmd: "C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE" -r HssTrayService
          - Executes dropped EXE
          PID: 456
-
C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3536
-
C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3736
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3832
-
C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3896
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4000
-
C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4144
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 1268
-
C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 1044
-
C:\Windows\system32\backgroundTaskHost.exe
  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID: 2628
-
C:\Windows\system32\backgroundTaskHost.exe
  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 4636
-
C:\Windows\system32\BackgroundTaskHost.exe
  cmd: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  PID: 2132
-
C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 112
-
C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4036
-
C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of WriteProcessMemory
  PID: 2592
    C:\Windows\system32\DrvInst.exe
      cmd: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{24e31355-b3d8-a740-8131-56e05bd812ec}\nethss.inf" "9" "4b33badeb" "000000000000013C" "WinSta0\Default" "0000000000000154" "208" "C:\Program Files (x86)\Hotspot Shield\HssWPR"
      - Manipulates Digital Signatures
      - Drops file in System32 directory
      - Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{862585d3-aba4-6d42-8f80-0db56c584439} Global\{1756d5e7-4a71-e943-a235-07e14d7e4fab} C:\Windows\System32\DriverStore\Temp\{0fa5787d-4eb0-284f-9177-e94fbc2fd714}\nethss.inf C:\Windows\System32\DriverStore\Temp\{0fa5787d-4eb0-284f-9177-e94fbc2fd714}\hssdrv.cat3⤵PID:1716
-
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{8c169523-e026-a947-b8b3-fc631ec5e378}\oemwin2k.inf" "9" "463661877" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\hotspot shield\driver"2⤵
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4888 -
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{28f87b03-e5c1-5744-9084-961aff42f36f} Global\{0c49ca7a-0d87-ea43-b77d-ef738022211c} C:\Windows\System32\DriverStore\Temp\{95ae0119-7db8-364d-a8f1-19afc11a07cb}\oemwin2k.inf C:\Windows\System32\DriverStore\Temp\{95ae0119-7db8-364d-a8f1-19afc11a07cb}\taphss.cat3⤵PID:2312
-
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem5.inf" "oem5.inf:3beb73aff103cc24:taphss.ndi:16.0.0.4:taphss," "463661877" "0000000000000174"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4436
-
-
\??\c:\windows\system32\NetCfgNotifyObjectHost.exec:\windows\system32\NetCfgNotifyObjectHost.exe {E22168BC-82FB-4607-983E-2DA480BB3042} 6481⤵PID:4056
-
C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe"C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1196
-
C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe"C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe" -product HSS1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2280
-
\??\c:\windows\system32\NetCfgNotifyObjectHost.exec:\windows\system32\NetCfgNotifyObjectHost.exe {8951A1EC-0679-471B-AA5B-185C9D45B845} 6361⤵PID:4060
-
\??\c:\windows\system32\NetCfgNotifyObjectHost.exec:\windows\system32\NetCfgNotifyObjectHost.exe {3FB5A27C-0BCE-4451-AEC8-D524B80643C6} 4881⤵PID:4836
-
C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe"C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1620 -
C:\Program Files (x86)\Hotspot Shield\bin\openvpn.exeopenvpn --service HotspotShield_exit_1 1 --config "C:\Program Files (x86)\Hotspot Shield\config\config.hvpn" --cv 0 --auth-user-pass softpedia-391-conduit_2.53_sip173.245.64.158_5231 --management 127.0.0.1 56700 --management-hold --management-query-passwords --management-client --remote 173.245.64.158 5231 --hand-window 102⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3708
-
-
C:\Program Files (x86)\Hotspot Shield\bin\openvpn.exeopenvpn --service HotspotShield_exit_1 1 --config "C:\Program Files (x86)\Hotspot Shield\config\config.hvpn" --cv 0 --auth-user-pass softpedia-391-conduit_2.53_sip173.245.64.249_3211 --management 127.0.0.1 56700 --management-hold --management-query-passwords --management-client --remote 173.245.64.249 3211 --hand-window 102⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2500
-
-
C:\Program Files (x86)\Hotspot Shield\bin\openvpn.exeopenvpn --service HotspotShield_exit_1 1 --config "C:\Program Files (x86)\Hotspot Shield\config\config.hvpn" --cv 0 --auth-user-pass softpedia-391-conduit_2.53_sip173.245.64.160_3398 --management 127.0.0.1 56700 --management-hold --management-query-passwords --management-client --remote 173.245.64.160 3398 --hand-window 102⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4984
-
-
C:\Program Files (x86)\Hotspot Shield\bin\openvpn.exeopenvpn --service HotspotShield_exit_1 1 --config "C:\Program Files (x86)\Hotspot Shield\config\config.hvpn" --cv 0 --auth-user-pass softpedia-391-conduit_2.53_sip173.245.64.127_3451 --management 127.0.0.1 56700 --management-hold --management-query-passwords --management-client --remote 173.245.64.127 3451 --hand-window 102⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4344
-
-
C:\Program Files (x86)\Hotspot Shield\bin\openvpn.exeopenvpn --service HotspotShield_exit_1 1 --config "C:\Program Files (x86)\Hotspot Shield\config\config.hvpn" --cv 0 --auth-user-pass softpedia-391-conduit_2.53_sip173.245.64.112_995 --management 127.0.0.1 56700 --management-hold --management-query-passwords --management-client --remote 173.245.64.112 995 --hand-window 102⤵PID:4668
-
-
C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.exe"C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.exe" -r HssTrayService -nolaunchurl2⤵PID:3288
-
-
C:\Program Files (x86)\Hotspot Shield\bin\openvpn.exeopenvpn --service HotspotShield_exit_1 1 --config "C:\Program Files (x86)\Hotspot Shield\config\config.hvpn" --cv 0 --auth-user-pass softpedia-391-conduit_2.53_sip173.245.64.43_995 --management 127.0.0.1 56700 --management-hold --management-query-passwords --management-client --remote 173.245.64.43 995 --hand-window 102⤵PID:1744
-
-
C:\Program Files (x86)\Hotspot Shield\bin\openvpn.exeopenvpn --service HotspotShield_exit_1 1 --config "C:\Program Files (x86)\Hotspot Shield\config\config.hvpn" --cv 0 --auth-user-pass softpedia-391-conduit_2.53_sip173.245.64.221_5050 --management 127.0.0.1 56700 --management-hold --management-query-passwords --management-client --proto tcp-client --remote 173.245.64.221 5050 --remap-usr1 SIGTERM --hand-window 30 --connect-retry 0 --connect-retry-max 12⤵PID:1392
-
-
C:\Program Files (x86)\Hotspot Shield\bin\openvpn.exeopenvpn --service HotspotShield_exit_1 1 --config "C:\Program Files (x86)\Hotspot Shield\config\config.hvpn" --cv 0 --auth-user-pass softpedia-391-conduit_2.53_sip173.245.64.227_10000 --management 127.0.0.1 56700 --management-hold --management-query-passwords --management-client --proto tcp-client --remote 173.245.64.227 10000 --remap-usr1 SIGTERM --hand-window 30 --connect-retry 0 --connect-retry-max 12⤵PID:5036
-
-
C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE"C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1060 -
C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe"C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3720
-
-
C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE"C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE"1⤵PID:3976
-
C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe"C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe" -nolaunchurl2⤵PID:2232
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Browser Extensions (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (7)
- Subvert Trust Controls (2)
  - Install Root Certificate (1)
  - SIP and Trust Provider Hijacking (1)
Replay Monitor
Downloads