7177c05a6f7a7759098d5f94b67a8a5c168a4718f5ac04bd4743bf34d1af8945

Analysis

max time kernel
150s
max time network
106s
platform
windows7_x64
resource
win7v20201028
submitted
14-01-2021 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SlimCleanerPlus.exe
Size

247KB
MD5

69484c39e6aa358b57617b6e6e300d5a
SHA1

f9665fae82d5f02250b25825e36de974593623f3
SHA256

7177c05a6f7a7759098d5f94b67a8a5c168a4718f5ac04bd4743bf34d1af8945
SHA512

0e7ee6f2243edf62d4af0b7bd034080d3a4c4d56e0efe44888ff097906479a13936dfed53b037d129f0785857560ed89ce97ad0d64d41306e71a5dd4e1a17f06

Score

10^/10

persistence upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 5 IoCs

Processes:

DriverUpdate-setup.exeDriverUpdate.exeSlimWare.Services.exeSlimWare.Session.exe

pid process

1252 DriverUpdate-setup.exe
920 DriverUpdate.exe
336
568 SlimWare.Services.exe
924 SlimWare.Session.exe

pid	process
1252	DriverUpdate-setup.exe
920	DriverUpdate.exe
336
568	SlimWare.Services.exe
924	SlimWare.Session.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\SlimWare Utilities Inc\DriverUpdate\htmlayout.dll	upx

Loads dropped DLL 36 IoCs

Processes:

SlimCleanerPlus.exeMsiExec.exeDriverUpdate.exeSlimWare.Services.exeSlimWare.Session.exe

pid	process
532	SlimCleanerPlus.exe
1144	MsiExec.exe
1144	MsiExec.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
852
852
852
852
852
852
920	DriverUpdate.exe
464
336
568	SlimWare.Services.exe
580
336
336
924	SlimWare.Session.exe
924	SlimWare.Session.exe
568	SlimWare.Services.exe
924	SlimWare.Session.exe
568	SlimWare.Services.exe
924	SlimWare.Session.exe
924	SlimWare.Session.exe
924	SlimWare.Session.exe
924	SlimWare.Session.exe
920	DriverUpdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DriverUpdate.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	DriverUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\DriverUpdate = "\"C:\\Program Files\\DriverUpdate\\DriverUpdate.exe\" -boot"	DriverUpdate.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Downloaded Installers\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\setup.msi	js

Drops file in System32 directory 6 IoCs

Processes:

SlimWare.Session.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416	SlimWare.Session.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416	SlimWare.Session.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	SlimWare.Session.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	SlimWare.Session.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	SlimWare.Session.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	SlimWare.Session.exe

Drops file in Program Files directory 29 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
File created	C:\Program Files\DriverUpdate\DriverUpdate.exe	msiexec.exe
File created	C:\Program Files\SlimWare Utilities\Services\DriverUpdate.UpdateLauncher.exe	msiexec.exe
File created	C:\Program Files\DriverUpdate\InAppBrowserProxy.dll	msiexec.exe
File created	C:\Program Files\SlimWare Utilities\Services\SlimWare.Core.dll	msiexec.exe
File created	C:\Program Files\SlimWare Utilities\Services\BugSplat.dll	msiexec.exe
File created	C:\Program Files\DriverUpdate\BugSplat.dll	msiexec.exe
File created	C:\Program Files\DriverUpdate\dbghelp.dll	msiexec.exe
File created	C:\Program Files\DriverUpdate\UnifiedLogger.dll	msiexec.exe
File opened for modification	C:\Program Files\DriverUpdate\DriverUpdate.exe	MsiExec.exe
File created	C:\Program Files\DriverUpdate\BsSndRpt.exe	msiexec.exe
File created	C:\Program Files\DriverUpdate\SlimWare.DriverUpdate.Services.dll	msiexec.exe
File created	C:\Program Files\DriverUpdate\SlimWare.PushNotification.Services.dll	msiexec.exe
File created	C:\Program Files\DriverUpdate\UninstallStub.exe	msiexec.exe
File created	C:\Program Files\SlimWare Utilities\Services\BsSndRpt64.exe	msiexec.exe
File created	C:\Program Files\SlimWare Utilities\Services\BsSndRpt.exe	msiexec.exe
File created	C:\Program Files\SlimWare Utilities\Services\BugSplatRC.dll	msiexec.exe
File created	C:\Program Files\DriverUpdate\BugSplatRc.dll	msiexec.exe
File created	C:\Program Files\SlimWare Utilities\Services\SlimWare.Services.exe	msiexec.exe
File created	C:\Program Files\SlimWare Utilities\Services\dbghelp.dll	msiexec.exe
File created	C:\Program Files\DriverUpdate\dbghelp-app.dll	msiexec.exe
File created	C:\Program Files\SlimWare Utilities\Services\BugSplat64.dll	msiexec.exe
File created	C:\Program Files\DriverUpdate\htmlayout.dll	msiexec.exe
File created	C:\Program Files\DriverUpdate\lib-inappbrowser.dll	msiexec.exe
File created	C:\Program Files\DriverUpdate\Open-Source Licenses.txt	msiexec.exe
File created	C:\Program Files\SlimWare Utilities\Services\SlimWare.Services.ProxyStub.dll	msiexec.exe
File created	C:\Program Files\DriverUpdate\SlimWare.Messaging.dll	msiexec.exe
File created	C:\Program Files\SlimWare Utilities\Services\SlimWare.Session.exe	msiexec.exe
File created	C:\Program Files\SlimWare Utilities\Services\SlimWare.Session.ProxyStub.dll	msiexec.exe
File created	C:\Program Files\SlimWare Utilities\Services\BugSplatRC64.dll	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exeSlimWare.Session.exeDriverUpdate.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f743ee4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BC3.tmp	msiexec.exe
File created	C:\Windows\Installer\f743ee8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f743ee6.ipi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	SlimWare.Session.exe
File opened for modification	C:\Windows\WindowsUpdate.log	DriverUpdate.exe
File created	C:\Windows\Installer\f743ee4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4378.tmp	msiexec.exe
File created	C:\Windows\Installer\f743ee6.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4D3A.tmp	msiexec.exe
File created	C:\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

MsiExec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\DriverUpdate.exe = "11001"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\DriverUpdate.exe = "11001"	MsiExec.exe

Modifies data under HKEY_USERS 95 IoCs

Processes:

msiexec.exeSlimWare.Services.exeSlimWare.Session.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	SlimWare.Session.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	SlimWare.Session.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication"	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	SlimWare.Services.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	SlimWare.Session.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	SlimWare.Services.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	SlimWare.Services.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	SlimWare.Services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	SlimWare.Session.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	SlimWare.Session.exe

Modifies registry class 166 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E58DA376-0D39-45ED-A6EE-A7B6DD10BED2}\InprocServer32\ = "C:\\Program Files\\SlimWare Utilities\\Services\\SlimWare.Services.ProxyStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5139FDE1-9FDE-4D4C-89D0-5D016161B13A}\LocalServer32\ = "\"C:\\Program Files\\SlimWare Utilities\\Services\\DriverUpdate.UpdateLauncher.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDD52F24FEA1B8244A97DE22104BD36A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Downloaded Installers\\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36137FA3-91C0-48EF-B1A8-27C1974708B8}\TypeLib\ = "{58A8BF1A-3608-41EA-AAD1-581AB79105E6}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5139FDE1-9FDE-4D4C-89D0-5D016161B13A}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E58DA376-0D39-45ED-A6EE-A7B6DD10BED2}\NumMethods\ = "11"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{3B8B86CB-0248-4F00-AC0E-EE5C6795D7F4}\BaseInterface	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25C88C47-EB26-40D1-BDC7-BBB30E0F752B}\LocalServer32\ThreadingModel = "Free"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDD52F24FEA1B8244A97DE22104BD36A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDD52F24FEA1B8244A97DE22104BD36A\SourceList\PackageName = "setup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{36137FA3-91C0-48EF-B1A8-27C1974708B8}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{58A8BF1A-3608-41EA-AAD1-581AB79105E6}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDF76960-B341-4592-BDBA-DFC8C74165A9}\ = "ISlimWareSessionServerFactory"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{CE74B1E6-4EBC-42A1-A4EF-E03F45195608}\1.0\FLAGS	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9AEC63C2-831A-4134-8EB0-02C0B7B97620}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDD52F24FEA1B8244A97DE22104BD36A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDD52F24FEA1B8244A97DE22104BD36A\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{58A8BF1A-3608-41EA-AAD1-581AB79105E6}\1.0\FLAGS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9AEC63C2-831A-4134-8EB0-02C0B7B97620}\TypeLib\ = "{31E87E80-E113-49FD-9789-A97E83CEA4F1}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5139FDE1-9FDE-4D4C-89D0-5D016161B13A}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E58DA376-0D39-45ED-A6EE-A7B6DD10BED2}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE74B1E6-4EBC-42A1-A4EF-E03F45195608}\1.0\0\win64	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BDF76960-B341-4592-BDBA-DFC8C74165A9}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31E87E80-E113-49FD-9789-A97E83CEA4F1}\1.0\ = "DriverUpdate.UpdateLauncher"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36137FA3-91C0-48EF-B1A8-27C1974708B8}\LocalServer32\ = "\"C:\\Program Files\\SlimWare Utilities\\Services\\SlimWare.Services.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B8B86CB-0248-4F00-AC0E-EE5C6795D7F4}\TypeLib\ = "{CE74B1E6-4EBC-42A1-A4EF-E03F45195608}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDF76960-B341-4592-BDBA-DFC8C74165A9}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25C88C47-EB26-40D1-BDC7-BBB30E0F752B}\AppID = "{6D3BC646-CFCD-4098-8495-B7BD0DF13133}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{25C88C47-EB26-40D1-BDC7-BBB30E0F752B}\Version	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE74B1E6-4EBC-42A1-A4EF-E03F45195608}\1.0\ = "SlimWareSession"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{58A8BF1A-3608-41EA-AAD1-581AB79105E6}\1.0\0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E58DA376-0D39-45ED-A6EE-A7B6DD10BED2}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BDF76960-B341-4592-BDBA-DFC8C74165A9}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDD52F24FEA1B8244A97DE22104BD36A\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDD52F24FEA1B8244A97DE22104BD36A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDF76960-B341-4592-BDBA-DFC8C74165A9}\TypeLib\ = "{CE74B1E6-4EBC-42A1-A4EF-E03F45195608}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25C88C47-EB26-40D1-BDC7-BBB30E0F752B}\LocalServer32\ = "\"C:\\Program Files\\SlimWare Utilities\\Services\\SlimWare.Session.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9AEC63C2-831A-4134-8EB0-02C0B7B97620}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CDD52F24FEA1B8244A97DE22104BD36A	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{25C88C47-EB26-40D1-BDC7-BBB30E0F752B}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE74B1E6-4EBC-42A1-A4EF-E03F45195608}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5139FDE1-9FDE-4D4C-89D0-5D016161B13A}\TypeLib\ = "{31E87E80-E113-49FD-9789-A97E83CEA4F1}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5139FDE1-9FDE-4D4C-89D0-5D016161B13A}\Version\ = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31E87E80-E113-49FD-9789-A97E83CEA4F1}\1.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{BDF76960-B341-4592-BDBA-DFC8C74165A9}\BaseInterface	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BAF61B64-5D1A-4108-97CB-A10B7DDF730E}\ = "DriverUpdate.UpdateLauncher"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9AEC63C2-831A-4134-8EB0-02C0B7B97620}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9276E23-AD64-404D-8D3C-1EBB1F965E40}\TypeLib\ = "{31E87E80-E113-49FD-9789-A97E83CEA4F1}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E58DA376-0D39-45ED-A6EE-A7B6DD10BED2}\BaseInterface	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{36137FA3-91C0-48EF-B1A8-27C1974708B8}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{BDF76960-B341-4592-BDBA-DFC8C74165A9}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25C88C47-EB26-40D1-BDC7-BBB30E0F752B}\ = "SlimWare Services Session Server"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{25C88C47-EB26-40D1-BDC7-BBB30E0F752B}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{CE74B1E6-4EBC-42A1-A4EF-E03F45195608}\1.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C9276E23-AD64-404D-8D3C-1EBB1F965E40}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5139FDE1-9FDE-4D4C-89D0-5D016161B13A}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5139FDE1-9FDE-4D4C-89D0-5D016161B13A}\ = "Update Launcher Server"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5139FDE1-9FDE-4D4C-89D0-5D016161B13A}\LocalizedString = "@C:\\Program Files\\SlimWare Utilities\\Services\\DriverUpdate.UpdateLauncher.exe,-100"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{31E87E80-E113-49FD-9789-A97E83CEA4F1}\1.0\0\win64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31E87E80-E113-49FD-9789-A97E83CEA4F1}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{F6A8CE42-CB2D-4920-85E7-24966D63D4B9}\LocalService = "SlimWareServices"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B8B86CB-0248-4F00-AC0E-EE5C6795D7F4}\ = "ISlimWareSessionServer"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{3B8B86CB-0248-4F00-AC0E-EE5C6795D7F4}\NumMethods	msiexec.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SlimWare.Session.exeDriverUpdate.exeSlimCleanerPlus.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	SlimWare.Session.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	DriverUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	DriverUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	DriverUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	SlimCleanerPlus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SlimCleanerPlus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SlimCleanerPlus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	SlimWare.Session.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SlimCleanerPlus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	SlimWare.Session.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	SlimWare.Session.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	DriverUpdate.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

MsiExec.exemsiexec.exeDriverUpdate.exe

pid	process
1144	MsiExec.exe
1144	MsiExec.exe
1144	MsiExec.exe
1144	MsiExec.exe
916	msiexec.exe
916	msiexec.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe

Suspicious use of AdjustPrivilegeToken 76 IoCs

Processes:

DriverUpdate-setup.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1252	DriverUpdate-setup.exe
Token: SeIncreaseQuotaPrivilege	1252	DriverUpdate-setup.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeSecurityPrivilege	916	msiexec.exe
Token: SeCreateTokenPrivilege	1252	DriverUpdate-setup.exe
Token: SeAssignPrimaryTokenPrivilege	1252	DriverUpdate-setup.exe
Token: SeLockMemoryPrivilege	1252	DriverUpdate-setup.exe
Token: SeIncreaseQuotaPrivilege	1252	DriverUpdate-setup.exe
Token: SeMachineAccountPrivilege	1252	DriverUpdate-setup.exe
Token: SeTcbPrivilege	1252	DriverUpdate-setup.exe
Token: SeSecurityPrivilege	1252	DriverUpdate-setup.exe
Token: SeTakeOwnershipPrivilege	1252	DriverUpdate-setup.exe
Token: SeLoadDriverPrivilege	1252	DriverUpdate-setup.exe
Token: SeSystemProfilePrivilege	1252	DriverUpdate-setup.exe
Token: SeSystemtimePrivilege	1252	DriverUpdate-setup.exe
Token: SeProfSingleProcessPrivilege	1252	DriverUpdate-setup.exe
Token: SeIncBasePriorityPrivilege	1252	DriverUpdate-setup.exe
Token: SeCreatePagefilePrivilege	1252	DriverUpdate-setup.exe
Token: SeCreatePermanentPrivilege	1252	DriverUpdate-setup.exe
Token: SeBackupPrivilege	1252	DriverUpdate-setup.exe
Token: SeRestorePrivilege	1252	DriverUpdate-setup.exe
Token: SeShutdownPrivilege	1252	DriverUpdate-setup.exe
Token: SeDebugPrivilege	1252	DriverUpdate-setup.exe
Token: SeAuditPrivilege	1252	DriverUpdate-setup.exe
Token: SeSystemEnvironmentPrivilege	1252	DriverUpdate-setup.exe
Token: SeChangeNotifyPrivilege	1252	DriverUpdate-setup.exe
Token: SeRemoteShutdownPrivilege	1252	DriverUpdate-setup.exe
Token: SeUndockPrivilege	1252	DriverUpdate-setup.exe
Token: SeSyncAgentPrivilege	1252	DriverUpdate-setup.exe
Token: SeEnableDelegationPrivilege	1252	DriverUpdate-setup.exe
Token: SeManageVolumePrivilege	1252	DriverUpdate-setup.exe
Token: SeImpersonatePrivilege	1252	DriverUpdate-setup.exe
Token: SeCreateGlobalPrivilege	1252	DriverUpdate-setup.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DriverUpdate.exe

pid process

920 DriverUpdate.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

DriverUpdate.exe

pid process

920 DriverUpdate.exe

Suspicious use of SetWindowsHookEx 241 IoCs

Processes:

DriverUpdate.exe

pid	process
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe
920	DriverUpdate.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SlimCleanerPlus.exemsiexec.exe

description	pid	process	target process
PID 532 wrote to memory of 1252	532	SlimCleanerPlus.exe	DriverUpdate-setup.exe
PID 532 wrote to memory of 1252	532	SlimCleanerPlus.exe	DriverUpdate-setup.exe
PID 532 wrote to memory of 1252	532	SlimCleanerPlus.exe	DriverUpdate-setup.exe
PID 532 wrote to memory of 1252	532	SlimCleanerPlus.exe	DriverUpdate-setup.exe
PID 532 wrote to memory of 1252	532	SlimCleanerPlus.exe	DriverUpdate-setup.exe
PID 532 wrote to memory of 1252	532	SlimCleanerPlus.exe	DriverUpdate-setup.exe
PID 532 wrote to memory of 1252	532	SlimCleanerPlus.exe	DriverUpdate-setup.exe
PID 916 wrote to memory of 1144	916	msiexec.exe	MsiExec.exe
PID 916 wrote to memory of 1144	916	msiexec.exe	MsiExec.exe
PID 916 wrote to memory of 1144	916	msiexec.exe	MsiExec.exe
PID 916 wrote to memory of 1144	916	msiexec.exe	MsiExec.exe
PID 916 wrote to memory of 1144	916	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\SlimCleanerPlus.exe
"C:\Users\Admin\AppData\Local\Temp\SlimCleanerPlus.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:532

C:\Users\Admin\AppData\Local\Temp\DriverUpdate-setup.exe
"C:\Users\Admin\AppData\Local\Temp\DriverUpdate-setup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 24274D33A0476E427D814376BA22B285
2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
PID:1144

C:\Program Files\DriverUpdate\DriverUpdate.exe
"C:\Program Files\DriverUpdate\DriverUpdate.exe" /byUser
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:920

C:\Program Files\SlimWare Utilities\Services\SlimWare.Services.exe
"C:\Program Files\SlimWare Utilities\Services\SlimWare.Services.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:568

C:\Program Files\SlimWare Utilities\Services\SlimWare.Session.exe
"C:\Program Files\SlimWare Utilities\Services\SlimWare.Session.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:924

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DriverUpdate\BugSplat.dll
MD5
e294d13f8b64989a2b15b558f567d7ba

SHA1
e10626ae59f1c888ed48c7be51e9e8b491259599

SHA256
6fd184e4e2b1d4ca2314f4d16b0e86a0e398054038a2235086d588f02bf39c67

SHA512
5292aaae51e82daf55e6dbe68182b253f238e5cbd50fd342bc51cb82ff13b64c2fba4fa97ddd07bbf6283301c0f84f5f6b5a3a762e995fc54f6d4ed9807fd407

Download Submit
C:\Program Files\DriverUpdate\DriverUpdate.exe
MD5
8af291afb5a9d7ddf7d0e2935068e2f1

SHA1
64604fa3dd2e2f13dfb7f844d93d0c712836d4a0

SHA256
47d5c386963dfdc42b673c597e9a67bdbffaa718b80be3d8d8e793857f03a057

SHA512
2da8158a93d4656bc511249d62909b404b0f761f0cfd4557d0d405d433cc370881823779fe04602651f3144e98b9cb66d7af622a23a7679249c6cd84c1dda2c7

Download Submit
C:\Program Files\DriverUpdate\DriverUpdate.exe
MD5
8af291afb5a9d7ddf7d0e2935068e2f1

SHA1
64604fa3dd2e2f13dfb7f844d93d0c712836d4a0

SHA256
47d5c386963dfdc42b673c597e9a67bdbffaa718b80be3d8d8e793857f03a057

SHA512
2da8158a93d4656bc511249d62909b404b0f761f0cfd4557d0d405d433cc370881823779fe04602651f3144e98b9cb66d7af622a23a7679249c6cd84c1dda2c7

Download Submit
C:\Program Files\DriverUpdate\SlimWare.DriverUpdate.Services.dll
MD5
2611df02d48c1ed0f7eda2f7b2020390

SHA1
e4999bbd0758f9f17cd97532f61308edb7dea385

SHA256
6941bf5e7a9022497bab9d9254335d214a6623ad20c9321879f18af2f0409494

SHA512
421aac2c3c04630d8fc4f87babfe757c6f3512051c56b91c8701c30f2e3d9071521c9c0d1958ae1846286f1b5d245101be2c7c41b6b06a961b954569a05e4e23

Download Submit
C:\Program Files\DriverUpdate\SlimWare.Messaging.dll
MD5
f26ee35dfdbf2ef289268dc8b244078c

SHA1
1523a81370fadbfa63c8ae84d81464e7ec6b83c3

SHA256
35f6bfc4f28df75e2b690f596b3eb3e3f0a5fb2fc664f325d803f7dfe036a309

SHA512
562dd87c48754d27d5d0815b99e16f79117e14e8271323755e266fc9a094fc6cccbf20bef50d1c3aad74340f2230f87d72fd3a98ac64dba88f4732936a753392

Download Submit
C:\Program Files\DriverUpdate\SlimWare.PushNotification.Services.dll
MD5
3384dcb5ad4b754ac81a287282384b6d

SHA1
14b223746d698793103274bf4c027c828b7e154d

SHA256
2b8c0c3a1dec6b036702cb900a9f90377246e164cdceea269c7b65dc5d3e0006

SHA512
23c50e771e10e7ba1c2cd2ee1f6aa9a6bf6e63b9ce44436344e33e2e57f3b1e8956b140461b00014274a0ec3e9907e2f91b025223099352dfee1815803a7d013

Download Submit
C:\Program Files\DriverUpdate\UnifiedLogger.dll
MD5
595836df7cdf3c1c51febd8a0f1d3ef9

SHA1
9c1a721c74982be20a1767affed8d24660a9b85c

SHA256
a45ae9e7bbf2f0a0ff3d92b4b24a24dee5fb06fa148a965465b07f79a0e8bd2f

SHA512
02f7626aa48318d3b7bc83a7c5ffba3e15197d4462727f3070444ca1009ecd122edeed89b899ea3f55d86ab46d1e808b1d42ccdc464652e4b6b533f60263c03b

Download Submit
C:\Program Files\SlimWare Utilities\Services\BugSplat64.dll
MD5
f1a2d92bb8738eab02b92c741a9c5299

SHA1
ac22734c386e3e2dabe9ac9767a23e8f01755d4f

SHA256
6859c336dc4f42dc70a542db8185948931907734978eeb7088d47256bd4199cd

SHA512
344ad89725e98636bae65b219f479a59c98e0131e2dbbab80c3c35443b776499d5c2a4e218ce62c0752cc67eb595c75b83775c54065a13986265885675b0cd99

Download Submit
C:\Program Files\SlimWare Utilities\Services\SlimWare.Core.dll
MD5
4ae1352e34bee2b1d51e92cb19be0343

SHA1
1b5d2fe506cc0de9c688693b8a4619ecdb92b30e

SHA256
c4fbabb2163face03d868132b691dc7ec774de246ebf822de21d92066baa5c61

SHA512
e677572469cc520210270febc7180d9b276b956cfe32346cc0825dce3a832c46f47d535719b5da966873924f48ae08110686676f6b089eec6e86c5d69ce5b4aa

Download Submit
C:\Program Files\SlimWare Utilities\Services\SlimWare.Services.exe
MD5
995ff280e8d1390e246c6f0205726652

SHA1
48f3d6db71b30e6e8537afcbf709a63d6652504d

SHA256
30cadd9db505515b4c07d409a19acd6b74e5d7e09eea56c0a164d72a1da061f5

SHA512
666bb8988c77b176c69de9d7d3f69357f63927442d0fa04c56cbf6424bacbc38affb2397224f44a11ace72e1d6f81ceb4c56a235991d98b2500fc3df2b579747

Download Submit
C:\Program Files\SlimWare Utilities\Services\SlimWare.Services.exe
MD5
995ff280e8d1390e246c6f0205726652

SHA1
48f3d6db71b30e6e8537afcbf709a63d6652504d

SHA256
30cadd9db505515b4c07d409a19acd6b74e5d7e09eea56c0a164d72a1da061f5

SHA512
666bb8988c77b176c69de9d7d3f69357f63927442d0fa04c56cbf6424bacbc38affb2397224f44a11ace72e1d6f81ceb4c56a235991d98b2500fc3df2b579747

Download Submit
C:\Program Files\SlimWare Utilities\Services\SlimWare.Session.ProxyStub.dll
MD5
e8a388c2d46682f8e4534dcb4e791b2d

SHA1
58562a122c62ef6149e2a23f77c82ef2175bb929

SHA256
0f6ab9a939cb5a41fc33f37a09c33018d46d05c218e7973d44b1aba6231a9afa

SHA512
a455ed39670ce899cb475509a28fde81cdf58167b85a4460f60522aa92041e425a8b24dd27b9bff7d8466c139cdb0f4163f4e2b4c60b8d8d65d8030fa5b5a362

Download Submit
C:\Program Files\SlimWare Utilities\Services\SlimWare.Session.exe
MD5
9e61f0cadd788cb37295c2f9e64a5fc5

SHA1
937975bdedded1adf7090f87d68e5086d44a144d

SHA256
754ffc8dbef9471a706ca0ab2f4d81c38d10fe764e0949adb02346fbb8f0c609

SHA512
bbf037a44c786ad8d1ffd2868da8baac33e329566d3377c862f5aec2daa8acdeb21eea4f2ee9ac77645a7f000d1b2cdc5e6bd7407d5f65f7701af0b336dbef60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
MD5
f357eb4410a777a9c60906d56b7c52b1

SHA1
562c0bf5d1c5de1a3cf56a57a425f7258116bde8

SHA256
40d19aa62a6655f0f01eef57b71dce671ad824b8007641492c62e9ea78b7c081

SHA512
15b2074b173702f2e86e4852e3e94bd4b018aa03035bce05311833df36562dedf115b521c7f2a63c51ab582bf9083136e1d097c5167ac8c94e8f603e5cddafd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_0F3C35357610567825C1AF26DD5D8A86
MD5
5c0aa9f83b7eb0fdde43379e12ac24a4

SHA1
9f7d641b8be746dade5ed98c5457aece8e7b888b

SHA256
61bd32047515af10a69ddc96c95ef9e589baa4761319cce653eff0104693ee8f

SHA512
c1145491a6a55550573bf7ecb87255ec0f3e968423a15bbe84303a534117a07ad54d7be1a562e38f7bb32a81103ddf618b20b62c895a927e6a43d4430cc5d3d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
MD5
6dd9fa473507146f24450f94d0b556de

SHA1
3c31179d445c069b37abde0ef65e892a9010cd85

SHA256
85df4b5c1330c48b954f12aca243db3aca01d66e52f273df8c75f390c0192000

SHA512
82a0f2365727939fd64a765a37e5c9c80e20b07ea727902ec792dbb9dd11f97956ed2972bec38209307f49915b94746845a7f7a1ff081d6c4ace068ef64b5593

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
10bb59d681abc576d6d2e8889d4bf531

SHA1
4066fdf59a48d445c07068c315f8aa933d04ab71

SHA256
0c68bac7ec89a9a07ef83fc37ffe440c1beafabf7c1055ce0e58a035fede3944

SHA512
a7b46b7d96479c30d9bcd7570ee230ddf47cf8d865c5eeff8a7f0b2c008903895461d0ae006108df3fe93a77f97d3ed600dd08f6eab28a6db83cbd08e5987dbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_0F3C35357610567825C1AF26DD5D8A86
MD5
6abb06ba174499bb1587866e1a36c01a

SHA1
4d8bca6cf1e7f56b6955633f3011f061fd643152

SHA256
6f97119831ae95c8b8e779c5c2f66ccf89ad1331c4bb94366b6c1810d9778ba2

SHA512
533d23e7184d53e62efcd7ba98ddc0e6dd30167b362ba5acb8929cd7260e3bff41bbeafb5e54187a25591c6bf40e1299dcdc165427421e753a5d177c0227f259

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installers\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\setup.msi
MD5
801ba0fafddec68bac9810bc7f81b6c6

SHA1
ab903c9b132375c1adab91e4ef88f2971819c618

SHA256
1360e00043f228c856a0572c2df874736f38e82701f524e14eed196aaa9628bd

SHA512
aaab2600534902f4a89b60710770f8f0567115a1fd085838031844deaabfc81506739e8dfae22c94ab50c0476e14554eac169325b7ee02710eb4fde57c2c5517

Download Submit
C:\Users\Admin\AppData\Local\Temp\DriverUpdate-setup.exe
MD5
bbcc5cc6703387cbf4c33ec2a45dce4b

SHA1
2011027d000cf409be97759f36116e40f23fc49e

SHA256
55ca33616c468a86bd12044dd2f1628365511811878f47ce0fa868e0ce59d823

SHA512
d1cec1368c2246b3e3aab8191052ab6be0b7cdea496e37efb7f20fef73cb3e64be8fbd1d2c24882660e1f6bd8ced9cc9c9941f472182b9cefeae8161260535a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DriverUpdate-setup.exe
MD5
bbcc5cc6703387cbf4c33ec2a45dce4b

SHA1
2011027d000cf409be97759f36116e40f23fc49e

SHA256
55ca33616c468a86bd12044dd2f1628365511811878f47ce0fa868e0ce59d823

SHA512
d1cec1368c2246b3e3aab8191052ab6be0b7cdea496e37efb7f20fef73cb3e64be8fbd1d2c24882660e1f6bd8ced9cc9c9941f472182b9cefeae8161260535a3

Download Submit
C:\Windows\Installer\MSI4378.tmp
MD5
d2a8f90e612d94e082361d1e677096b8

SHA1
4d2765ab69e4aaedb8512315a78544fbde056229

SHA256
55f607d337ff05b247f9d4b7cafecd500d2058b4f2cd9702bf86bea18d8bb6e2

SHA512
83b932ca46fc64e1d2871daefff85169ccce5143c242f773851858531e7a6be9e3525618d6d020f09cccd8f31a8ba78a45cd75e739aed8cd7495d323e2df72c6

Download Submit
C:\Windows\Installer\MSI4D3A.tmp
MD5
d2a8f90e612d94e082361d1e677096b8

SHA1
4d2765ab69e4aaedb8512315a78544fbde056229

SHA256
55f607d337ff05b247f9d4b7cafecd500d2058b4f2cd9702bf86bea18d8bb6e2

SHA512
83b932ca46fc64e1d2871daefff85169ccce5143c242f773851858531e7a6be9e3525618d6d020f09cccd8f31a8ba78a45cd75e739aed8cd7495d323e2df72c6

Download Submit
\Program Files\DriverUpdate\BugSplat.dll
MD5
e294d13f8b64989a2b15b558f567d7ba

SHA1
e10626ae59f1c888ed48c7be51e9e8b491259599

SHA256
6fd184e4e2b1d4ca2314f4d16b0e86a0e398054038a2235086d588f02bf39c67

SHA512
5292aaae51e82daf55e6dbe68182b253f238e5cbd50fd342bc51cb82ff13b64c2fba4fa97ddd07bbf6283301c0f84f5f6b5a3a762e995fc54f6d4ed9807fd407

Download Submit
\Program Files\DriverUpdate\SlimWare.DriverUpdate.Services.dll
MD5
2611df02d48c1ed0f7eda2f7b2020390

SHA1
e4999bbd0758f9f17cd97532f61308edb7dea385

SHA256
6941bf5e7a9022497bab9d9254335d214a6623ad20c9321879f18af2f0409494

SHA512
421aac2c3c04630d8fc4f87babfe757c6f3512051c56b91c8701c30f2e3d9071521c9c0d1958ae1846286f1b5d245101be2c7c41b6b06a961b954569a05e4e23

Download Submit
\Program Files\DriverUpdate\SlimWare.Messaging.dll
MD5
f26ee35dfdbf2ef289268dc8b244078c

SHA1
1523a81370fadbfa63c8ae84d81464e7ec6b83c3

SHA256
35f6bfc4f28df75e2b690f596b3eb3e3f0a5fb2fc664f325d803f7dfe036a309

SHA512
562dd87c48754d27d5d0815b99e16f79117e14e8271323755e266fc9a094fc6cccbf20bef50d1c3aad74340f2230f87d72fd3a98ac64dba88f4732936a753392

Download Submit
\Program Files\DriverUpdate\SlimWare.PushNotification.Services.dll
MD5
3384dcb5ad4b754ac81a287282384b6d

SHA1
14b223746d698793103274bf4c027c828b7e154d

SHA256
2b8c0c3a1dec6b036702cb900a9f90377246e164cdceea269c7b65dc5d3e0006

SHA512
23c50e771e10e7ba1c2cd2ee1f6aa9a6bf6e63b9ce44436344e33e2e57f3b1e8956b140461b00014274a0ec3e9907e2f91b025223099352dfee1815803a7d013

Download Submit
\Program Files\DriverUpdate\UnifiedLogger.dll
MD5
595836df7cdf3c1c51febd8a0f1d3ef9

SHA1
9c1a721c74982be20a1767affed8d24660a9b85c

SHA256
a45ae9e7bbf2f0a0ff3d92b4b24a24dee5fb06fa148a965465b07f79a0e8bd2f

SHA512
02f7626aa48318d3b7bc83a7c5ffba3e15197d4462727f3070444ca1009ecd122edeed89b899ea3f55d86ab46d1e808b1d42ccdc464652e4b6b533f60263c03b

Download Submit
\Program Files\SlimWare Utilities\Services\BugSplat64.dll
MD5
f1a2d92bb8738eab02b92c741a9c5299

SHA1
ac22734c386e3e2dabe9ac9767a23e8f01755d4f

SHA256
6859c336dc4f42dc70a542db8185948931907734978eeb7088d47256bd4199cd

SHA512
344ad89725e98636bae65b219f479a59c98e0131e2dbbab80c3c35443b776499d5c2a4e218ce62c0752cc67eb595c75b83775c54065a13986265885675b0cd99

Download Submit
\Program Files\SlimWare Utilities\Services\BugSplat64.dll
MD5
f1a2d92bb8738eab02b92c741a9c5299

SHA1
ac22734c386e3e2dabe9ac9767a23e8f01755d4f

SHA256
6859c336dc4f42dc70a542db8185948931907734978eeb7088d47256bd4199cd

SHA512
344ad89725e98636bae65b219f479a59c98e0131e2dbbab80c3c35443b776499d5c2a4e218ce62c0752cc67eb595c75b83775c54065a13986265885675b0cd99

Download Submit
\Program Files\SlimWare Utilities\Services\SlimWare.Core.dll
MD5
4ae1352e34bee2b1d51e92cb19be0343

SHA1
1b5d2fe506cc0de9c688693b8a4619ecdb92b30e

SHA256
c4fbabb2163face03d868132b691dc7ec774de246ebf822de21d92066baa5c61

SHA512
e677572469cc520210270febc7180d9b276b956cfe32346cc0825dce3a832c46f47d535719b5da966873924f48ae08110686676f6b089eec6e86c5d69ce5b4aa

Download Submit
\Program Files\SlimWare Utilities\Services\SlimWare.Core.dll
MD5
4ae1352e34bee2b1d51e92cb19be0343

SHA1
1b5d2fe506cc0de9c688693b8a4619ecdb92b30e

SHA256
c4fbabb2163face03d868132b691dc7ec774de246ebf822de21d92066baa5c61

SHA512
e677572469cc520210270febc7180d9b276b956cfe32346cc0825dce3a832c46f47d535719b5da966873924f48ae08110686676f6b089eec6e86c5d69ce5b4aa

Download Submit
\Program Files\SlimWare Utilities\Services\SlimWare.Core.dll
MD5
4ae1352e34bee2b1d51e92cb19be0343

SHA1
1b5d2fe506cc0de9c688693b8a4619ecdb92b30e

SHA256
c4fbabb2163face03d868132b691dc7ec774de246ebf822de21d92066baa5c61

SHA512
e677572469cc520210270febc7180d9b276b956cfe32346cc0825dce3a832c46f47d535719b5da966873924f48ae08110686676f6b089eec6e86c5d69ce5b4aa

Download Submit
\Program Files\SlimWare Utilities\Services\SlimWare.Core.dll
MD5
4ae1352e34bee2b1d51e92cb19be0343

SHA1
1b5d2fe506cc0de9c688693b8a4619ecdb92b30e

SHA256
c4fbabb2163face03d868132b691dc7ec774de246ebf822de21d92066baa5c61

SHA512
e677572469cc520210270febc7180d9b276b956cfe32346cc0825dce3a832c46f47d535719b5da966873924f48ae08110686676f6b089eec6e86c5d69ce5b4aa

Download Submit
\Program Files\SlimWare Utilities\Services\SlimWare.Core.dll
MD5
4ae1352e34bee2b1d51e92cb19be0343

SHA1
1b5d2fe506cc0de9c688693b8a4619ecdb92b30e

SHA256
c4fbabb2163face03d868132b691dc7ec774de246ebf822de21d92066baa5c61

SHA512
e677572469cc520210270febc7180d9b276b956cfe32346cc0825dce3a832c46f47d535719b5da966873924f48ae08110686676f6b089eec6e86c5d69ce5b4aa

Download Submit
\Program Files\SlimWare Utilities\Services\SlimWare.Core.dll
MD5
4ae1352e34bee2b1d51e92cb19be0343

SHA1
1b5d2fe506cc0de9c688693b8a4619ecdb92b30e

SHA256
c4fbabb2163face03d868132b691dc7ec774de246ebf822de21d92066baa5c61

SHA512
e677572469cc520210270febc7180d9b276b956cfe32346cc0825dce3a832c46f47d535719b5da966873924f48ae08110686676f6b089eec6e86c5d69ce5b4aa

Download Submit
\Program Files\SlimWare Utilities\Services\SlimWare.Services.exe
MD5
995ff280e8d1390e246c6f0205726652

SHA1
48f3d6db71b30e6e8537afcbf709a63d6652504d

SHA256
30cadd9db505515b4c07d409a19acd6b74e5d7e09eea56c0a164d72a1da061f5

SHA512
666bb8988c77b176c69de9d7d3f69357f63927442d0fa04c56cbf6424bacbc38affb2397224f44a11ace72e1d6f81ceb4c56a235991d98b2500fc3df2b579747

Download Submit
\Program Files\SlimWare Utilities\Services\SlimWare.Session.ProxyStub.dll
MD5
e8a388c2d46682f8e4534dcb4e791b2d

SHA1
58562a122c62ef6149e2a23f77c82ef2175bb929

SHA256
0f6ab9a939cb5a41fc33f37a09c33018d46d05c218e7973d44b1aba6231a9afa

SHA512
a455ed39670ce899cb475509a28fde81cdf58167b85a4460f60522aa92041e425a8b24dd27b9bff7d8466c139cdb0f4163f4e2b4c60b8d8d65d8030fa5b5a362

Download Submit
\Program Files\SlimWare Utilities\Services\SlimWare.Session.ProxyStub.dll
MD5
e8a388c2d46682f8e4534dcb4e791b2d

SHA1
58562a122c62ef6149e2a23f77c82ef2175bb929

SHA256
0f6ab9a939cb5a41fc33f37a09c33018d46d05c218e7973d44b1aba6231a9afa

SHA512
a455ed39670ce899cb475509a28fde81cdf58167b85a4460f60522aa92041e425a8b24dd27b9bff7d8466c139cdb0f4163f4e2b4c60b8d8d65d8030fa5b5a362

Download Submit
\Program Files\SlimWare Utilities\Services\SlimWare.Session.exe
MD5
9e61f0cadd788cb37295c2f9e64a5fc5

SHA1
937975bdedded1adf7090f87d68e5086d44a144d

SHA256
754ffc8dbef9471a706ca0ab2f4d81c38d10fe764e0949adb02346fbb8f0c609

SHA512
bbf037a44c786ad8d1ffd2868da8baac33e329566d3377c862f5aec2daa8acdeb21eea4f2ee9ac77645a7f000d1b2cdc5e6bd7407d5f65f7701af0b336dbef60

Download Submit
\Users\Admin\AppData\Local\SlimWare Utilities Inc\DriverUpdate\htmlayout.dll
MD5
ee2540c23fc04dd39a17cc466ff3c946

SHA1
d61d77d4def107fc63350f457c32d06ac675ef19

SHA256
5c43198ee7e9e4c94f4700a8032d368d3854c6b7e2f04a930d23b373f55ee003

SHA512
00ec2be28622b295b7ecf34a02d48085c4f4d399e6ed94df13d6c79b076e05cafb3d3c702bca612b51c6773726776797677b2642555718f3512db2b9bc2845df

Download Submit
\Users\Admin\AppData\Local\Temp\DriverUpdate-setup.exe
MD5
bbcc5cc6703387cbf4c33ec2a45dce4b

SHA1
2011027d000cf409be97759f36116e40f23fc49e

SHA256
55ca33616c468a86bd12044dd2f1628365511811878f47ce0fa868e0ce59d823

SHA512
d1cec1368c2246b3e3aab8191052ab6be0b7cdea496e37efb7f20fef73cb3e64be8fbd1d2c24882660e1f6bd8ced9cc9c9941f472182b9cefeae8161260535a3

Download Submit
\Windows\Installer\MSI4378.tmp
MD5
d2a8f90e612d94e082361d1e677096b8

SHA1
4d2765ab69e4aaedb8512315a78544fbde056229

SHA256
55f607d337ff05b247f9d4b7cafecd500d2058b4f2cd9702bf86bea18d8bb6e2

SHA512
83b932ca46fc64e1d2871daefff85169ccce5143c242f773851858531e7a6be9e3525618d6d020f09cccd8f31a8ba78a45cd75e739aed8cd7495d323e2df72c6

Download Submit
\Windows\Installer\MSI4D3A.tmp
MD5
d2a8f90e612d94e082361d1e677096b8

SHA1
4d2765ab69e4aaedb8512315a78544fbde056229

SHA256
55f607d337ff05b247f9d4b7cafecd500d2058b4f2cd9702bf86bea18d8bb6e2

SHA512
83b932ca46fc64e1d2871daefff85169ccce5143c242f773851858531e7a6be9e3525618d6d020f09cccd8f31a8ba78a45cd75e739aed8cd7495d323e2df72c6

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
\Windows\Installer\{42F25DDC-1AEF-428B-A479-ED2201B43DA6}\Icon.exe
MD5
34f6bc93e6fa938eed5b6cd29eb0e658

SHA1
0c0303e8a03b72cb89404e909700f5b9446d251d

SHA256
5821be677b00d113c35e432bb89f7c9fe6bd25e95530fd4b0d21cdc93e94d74d

SHA512
361146b79629c1b44b24f6d5c68db93a7c57e820ea786bdfa49edc2808d625d08788cdaa7e8695b214134ad606c10b3435253ad243c453e2c79e69671893ecab

Download Submit
memory/1144-14-0x0000000000000000-mapping.dmp

Download
memory/1252-19-0x0000000000D10000-0x0000000000D14000-memory.dmp

Filesize
16KB

Download
memory/1252-6-0x0000000002720000-0x0000000002724000-memory.dmp

Filesize
16KB

Download
memory/1252-3-0x0000000000000000-mapping.dmp

Download