9ba5de063e64a823aaaa28caf5948e018555fad03a1ff1c0a2a8fba9470fbbd1

Analysis

max time kernel
150s
max time network
163s
platform
windows10_x64
resource
win10v20210408
submitted
24-06-2021 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fae43452c24227f9acb314d82c4cb45a.exe
Size

15.6MB
MD5

fae43452c24227f9acb314d82c4cb45a
SHA1

7465d5fdf59f0a0a9ec2d21aae6647e4c703f983
SHA256

9ba5de063e64a823aaaa28caf5948e018555fad03a1ff1c0a2a8fba9470fbbd1
SHA512

b163aaa286b7817a942ae308351e01532c573803a7c41d3fd31707a8bb9fac2d4d5ecc12186689af8ecb3e9d9802b24cf271da537fe75420586fa8306fb3b6a2

Score

9^/10

discovery exploit spyware stealer

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exeAutodeskInstallOnlineCheck3.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AutodeskInstallOnlineCheck3.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 6 IoCs

Processes:

AutodeskInstallOnlineCheck3.exeAutodeskInstallOnlineCheck3.exeAIOC_3.1.127.2319.exeAutodeskInstallOnlineCheck3.exe7za.exearia2c.exe

pid	process
3776	AutodeskInstallOnlineCheck3.exe
3144	AutodeskInstallOnlineCheck3.exe
2296	AIOC_3.1.127.2319.exe
4720	AutodeskInstallOnlineCheck3.exe
4032	7za.exe
4912	aria2c.exe

Possible privilege escalation attempt 11 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid	process
4204	icacls.exe
3808	takeown.exe
4324	takeown.exe
4588	icacls.exe
5116	icacls.exe
2084	takeown.exe
4136	icacls.exe
2160	takeown.exe
4264	icacls.exe
3960	icacls.exe
3640	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AutodeskInstallOnlineCheck3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	AutodeskInstallOnlineCheck3.exe

Modifies file permissions 1 TTPs 11 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exe

pid	process
4204	icacls.exe
4136	icacls.exe
4324	takeown.exe
3960	icacls.exe
3640	takeown.exe
4588	icacls.exe
5116	icacls.exe
2084	takeown.exe
2160	takeown.exe
4264	icacls.exe
3808	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

fae43452c24227f9acb314d82c4cb45a.exeAIOC_3.1.127.2319.exe

description	ioc	process
File created	C:\Program Files\AIOC3\Newtonsoft.Json.dll	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\xcopy_x64.exe	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\aria2\x86\aria2.conf	AIOC_3.1.127.2319.exe
File opened for modification	C:\Program Files\AIOC3\aria2	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\7-Zip\x64\7z.dll	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\cmd_x86.exe	AIOC_3.1.127.2319.exe
File opened for modification	C:\Program Files\AIOC3\msi_x64.dll	AIOC_3.1.127.2319.exe
File opened for modification	C:\Program Files\AIOC3\aria2\x86\aria2.exe	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\aria2\x64\aria2.session	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\SetACL64.exe	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\7-Zip\x64\7z.exe	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\7-Zip\x86\7zxa.dll	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\7-Zip\x86\7zxa.dll	AIOC_3.1.127.2319.exe
File created	C:\Program Files\AIOC3\7-Zip\x64\7zxa.dll	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\aria2\x86\aria2c.exe	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\CSkin.dll	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\Resources\AA\MayaChangeLanguage.exe	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\taskkill_x64.exe	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\7-Zip\x86\7z.dll	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\7-Zip\x86\7za.dll	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\7-Zip\x64\7za.dll	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\System.Numerics.dll	AIOC_3.1.127.2319.exe
File opened for modification	C:\Program Files\AIOC3\aria2\x86\aria2c.exe	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\Resources\AA\3dsMaxDefaultOpen.exe	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\Resources\AA\ShowWindow.exe	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\aria2\x86\dht6.dat	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\Resources\AA\SetACL.exe	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\Language\61AB279C057A758C9E64F407FEC837E4\zh-CN.ini	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\Language\zh-CN\GetLastError.ini	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\Language\61AB279C057A758C9E64F407FEC837E4\zh-CN.ini	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\icacls_x64.exe	AIOC_3.1.127.2319.exe
File created	C:\Program Files\AIOC3\msi_x86.dll	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\ICSharpCode.SharpZipLib.dll	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\aria2\x86\aria2.conf	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\aria2\x86\dht6.dat	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\taskkill_x64.exe	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\7-Zip\x64\7za.exe	AIOC_3.1.127.2319.exe
File opened for modification	C:\Program Files\AIOC3\aria2\x86\aria2.conf	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\attrib_x86.exe	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\cmd_x86.exe	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\takeown_x86.exe	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\7-Zip\x64\7z.exe	AIOC_3.1.127.2319.exe
File opened for modification	C:\Program Files\AIOC3\7-Zip\x64\7zxa.dll	AIOC_3.1.127.2319.exe
File created	C:\Program Files\AIOC3\__tmp_rar_sfx_access_check_259285265	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\machine.config	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\Language\61AB279C057A758C9E64F407FEC837E4	AIOC_3.1.127.2319.exe
File opened for modification	C:\Program Files\AIOC3\7-Zip	AIOC_3.1.127.2319.exe
File opened for modification	C:\Program Files\AIOC3\taskkill_x86.exe	AIOC_3.1.127.2319.exe
File opened for modification	C:\Program Files\AIOC3\Language	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\Microsoft.VisualBasic.dll	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\attrib_x64.exe	fae43452c24227f9acb314d82c4cb45a.exe
File created	C:\Program Files\AIOC3\AutodeskInstallOnlineCheck3.pdb	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\AutodeskInstallOnlineCheck3.exe.config	AIOC_3.1.127.2319.exe
File opened for modification	C:\Program Files\AIOC3\Language	AIOC_3.1.127.2319.exe
File opened for modification	C:\Program Files\AIOC3\System.Numerics.dll	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\aria2\x64\aria2.exe	AIOC_3.1.127.2319.exe
File opened for modification	C:\Program Files\AIOC3\aria2\x64	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\aria2\x86\aria2.session	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\AutodeskInstallOnlineCheck3.pdb	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\Newtonsoft.Json.dll	AIOC_3.1.127.2319.exe
File opened for modification	C:\Program Files\AIOC3\xcopy_x64.exe	AIOC_3.1.127.2319.exe
File created	C:\Program Files\AIOC3\Resources\AA\ShowWindow.exe	fae43452c24227f9acb314d82c4cb45a.exe
File opened for modification	C:\Program Files\AIOC3\netsh_x86.exe	AIOC_3.1.127.2319.exe
File opened for modification	C:\Program Files\AIOC3\7-Zip\x64\7zxa.dll	fae43452c24227f9acb314d82c4cb45a.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2096 timeout.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

pid	process
2096	timeout.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

Processes:

AutodeskInstallOnlineCheck3.exeMicrosoftEdge.exeAutodeskInstallOnlineCheck3.exebrowser_broker.exeAutodeskInstallOnlineCheck3.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AutodeskInstallOnlineCheck3.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AutodeskInstallOnlineCheck3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AutodeskInstallOnlineCheck3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AutodeskInstallOnlineCheck3.exe = "11001"	AutodeskInstallOnlineCheck3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AutodeskInstallOnlineCheck3.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AutodeskInstallOnlineCheck3.exe = "11001"	AutodeskInstallOnlineCheck3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AutodeskInstallOnlineCheck3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestValue = "TestValue"	AutodeskInstallOnlineCheck3.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	AutodeskInstallOnlineCheck3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AutodeskInstallOnlineCheck3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestValue = "TestValue"	AutodeskInstallOnlineCheck3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AutodeskInstallOnlineCheck3.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	AutodeskInstallOnlineCheck3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestValue = "TestValue"	AutodeskInstallOnlineCheck3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestValue = "TestValue"	AutodeskInstallOnlineCheck3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AutodeskInstallOnlineCheck3.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\qbgxl.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{E76A0527-F3CA-4129-A682-1DD39947BFFC} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "9jooylu"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\qbgxl.com\NumberOfSubdomains = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0b1f5134ab68d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000ec331f3bfeb25734de41a8c77171f81f744eb2f2727335706bd0893c8155235734f2025e25980f854032d75deedbd4ff5f378383571c9419410f	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\design.qbgxl.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\qbgxl.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\qbgxl.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000fd25cd59cd60cde2dbadd807a6d5827bd53550cf5281f481d25a92f0049a081f9e77d6ba220bc86eb4cd27836b12121d0aa02e505ce262e74c584dc07f41928bfaa2b14a3a2a6c00ee8f87cdf06b71088cb37be3d14730191247e7af1815395df746ef72e1de46429692a9233e022dc40910e836a8d2be3fcbc6d0ac6236d48f9d0330edec476704ff7632d4c6f52e337155303970a23ed31a7748880dc4c60584793c087a8647645cdca16578665322ea2359677dd7dbaf28f97db736df98475a48f17e51b9604c7862d3c8b073a1aa001bf8aa46918878eeeb7b274ba7660464102fde8601093f35a9654c1b3ebb60e8db45cac8efcb4e6befbb1e823cc16d3d717d7c0c7ff0749f51ce9992e5ca556105de65aa1384d33ca47031fdbeaa600b0baaff3d515d45a0fa0cc60d8ac0e8143708862b1cbd7edaa95f40f14d8c5d327ebb73a19812e89c44221d974b1f65821286bb742a664211a0c08fe9099c50d36998f0ab74dd7f5ad00dfb054a6d762c376acd8d5cfe7d792882e6d0120f2aae6e0fd259067d735c3c44b77ba68063b344d0f3bed40745da91dfa2c6b14437ea4d46584708	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 1d24df8b702cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\qbgxl.com\NumberOfSubdomains = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000057bcc190bf85edf891851ebe2872de714fe85517e3d1b9441c315f0368bf6bd27e10006644290504ffbadfce81365a42a4277905a64aa85336f3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3640 PING.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

1560 MicrosoftEdgeCP.exe
1560 MicrosoftEdgeCP.exe

pid	process
3640	PING.EXE

pid	process
1560	MicrosoftEdgeCP.exe
1560	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

AutodeskInstallOnlineCheck3.exeAutodeskInstallOnlineCheck3.exetakeown.exeAutodeskInstallOnlineCheck3.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe7za.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3776	AutodeskInstallOnlineCheck3.exe
Token: SeDebugPrivilege	3144	AutodeskInstallOnlineCheck3.exe
Token: SeTakeOwnershipPrivilege	2084	takeown.exe
Token: SeDebugPrivilege	4720	AutodeskInstallOnlineCheck3.exe
Token: SeDebugPrivilege	4204	MicrosoftEdge.exe
Token: SeDebugPrivilege	4204	MicrosoftEdge.exe
Token: SeDebugPrivilege	4204	MicrosoftEdge.exe
Token: SeDebugPrivilege	4204	MicrosoftEdge.exe
Token: SeDebugPrivilege	3720	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3720	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3720	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3720	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3832	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3832	MicrosoftEdgeCP.exe
Token: SeRestorePrivilege	4032	7za.exe
Token: 35	4032	7za.exe
Token: SeSecurityPrivilege	4032	7za.exe
Token: SeSecurityPrivilege	4032	7za.exe
Token: SeIncreaseQuotaPrivilege	1876	WMIC.exe
Token: SeSecurityPrivilege	1876	WMIC.exe
Token: SeTakeOwnershipPrivilege	1876	WMIC.exe
Token: SeLoadDriverPrivilege	1876	WMIC.exe
Token: SeSystemProfilePrivilege	1876	WMIC.exe
Token: SeSystemtimePrivilege	1876	WMIC.exe
Token: SeProfSingleProcessPrivilege	1876	WMIC.exe
Token: SeIncBasePriorityPrivilege	1876	WMIC.exe
Token: SeCreatePagefilePrivilege	1876	WMIC.exe
Token: SeBackupPrivilege	1876	WMIC.exe
Token: SeRestorePrivilege	1876	WMIC.exe
Token: SeShutdownPrivilege	1876	WMIC.exe
Token: SeDebugPrivilege	1876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1876	WMIC.exe
Token: SeRemoteShutdownPrivilege	1876	WMIC.exe
Token: SeUndockPrivilege	1876	WMIC.exe
Token: SeManageVolumePrivilege	1876	WMIC.exe
Token: 33	1876	WMIC.exe
Token: 34	1876	WMIC.exe
Token: 35	1876	WMIC.exe
Token: 36	1876	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1876	WMIC.exe
Token: SeSecurityPrivilege	1876	WMIC.exe
Token: SeTakeOwnershipPrivilege	1876	WMIC.exe
Token: SeLoadDriverPrivilege	1876	WMIC.exe
Token: SeSystemProfilePrivilege	1876	WMIC.exe
Token: SeSystemtimePrivilege	1876	WMIC.exe
Token: SeProfSingleProcessPrivilege	1876	WMIC.exe
Token: SeIncBasePriorityPrivilege	1876	WMIC.exe
Token: SeCreatePagefilePrivilege	1876	WMIC.exe
Token: SeBackupPrivilege	1876	WMIC.exe
Token: SeRestorePrivilege	1876	WMIC.exe
Token: SeShutdownPrivilege	1876	WMIC.exe
Token: SeDebugPrivilege	1876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1876	WMIC.exe
Token: SeRemoteShutdownPrivilege	1876	WMIC.exe
Token: SeUndockPrivilege	1876	WMIC.exe
Token: SeManageVolumePrivilege	1876	WMIC.exe
Token: 33	1876	WMIC.exe
Token: 34	1876	WMIC.exe
Token: 35	1876	WMIC.exe
Token: 36	1876	WMIC.exe
Token: SeShutdownPrivilege	4720	AutodeskInstallOnlineCheck3.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

AutodeskInstallOnlineCheck3.exeAIOC_3.1.127.2319.exeAutodeskInstallOnlineCheck3.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe7za.exearia2c.exeLogonUI.exe

pid	process
3144	AutodeskInstallOnlineCheck3.exe
3144	AutodeskInstallOnlineCheck3.exe
2296	AIOC_3.1.127.2319.exe
4720	AutodeskInstallOnlineCheck3.exe
4720	AutodeskInstallOnlineCheck3.exe
4204	MicrosoftEdge.exe
1560	MicrosoftEdgeCP.exe
1560	MicrosoftEdgeCP.exe
4032	7za.exe
4912	aria2c.exe
5108	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fae43452c24227f9acb314d82c4cb45a.exeAutodeskInstallOnlineCheck3.exeAutodeskInstallOnlineCheck3.exe

description	pid	process	target process
PID 3920 wrote to memory of 3776	3920	fae43452c24227f9acb314d82c4cb45a.exe	AutodeskInstallOnlineCheck3.exe
PID 3920 wrote to memory of 3776	3920	fae43452c24227f9acb314d82c4cb45a.exe	AutodeskInstallOnlineCheck3.exe
PID 3776 wrote to memory of 3144	3776	AutodeskInstallOnlineCheck3.exe	AutodeskInstallOnlineCheck3.exe
PID 3776 wrote to memory of 3144	3776	AutodeskInstallOnlineCheck3.exe	AutodeskInstallOnlineCheck3.exe
PID 3144 wrote to memory of 3008	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 3008	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 1624	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 1624	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 3248	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 3248	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 208	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 208	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 368	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 368	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 1876	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 1876	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 2096	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 2096	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 3748	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 3748	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 1544	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 1544	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 3964	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 3964	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 3844	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 3844	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 2292	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 2292	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 2836	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 2836	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 1136	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 1136	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 1288	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 1288	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 2180	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 2180	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4144	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4144	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4196	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4196	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4244	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4244	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4304	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4304	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4332	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4332	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4388	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4388	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4444	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4444	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4496	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4496	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4524	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4524	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4560	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4560	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4620	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4620	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4688	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4688	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4740	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4740	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4800	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe
PID 3144 wrote to memory of 4800	3144	AutodeskInstallOnlineCheck3.exe	cmd.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1500 attrib.exe
5064 attrib.exe
4576 attrib.exe

pid	process
1500	attrib.exe
5064	attrib.exe
4576	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fae43452c24227f9acb314d82c4cb45a.exe
"C:\Users\Admin\AppData\Local\Temp\fae43452c24227f9acb314d82c4cb45a.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3920

C:\Program Files\AIOC3\AutodeskInstallOnlineCheck3.exe
"C:\Program Files\AIOC3\AutodeskInstallOnlineCheck3.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776

C:\Program Files\AIOC3\AutodeskInstallOnlineCheck3.exe
"C:\Program Files\AIOC3\AutodeskInstallOnlineCheck3.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\ProgramData\J.R.A"
4⤵
PID:1624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\$Recycle.Bin\*AUTO*Uninstaller*"
4⤵
PID:3008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\$Recycle.Bin\msicuu2.*"
4⤵
PID:3248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\$Recycle.Bin\msicuu.*"
4⤵
PID:208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\$Recycle.Bin\*Easy*remove*"
4⤵
PID:368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Documents and Settings\*AUTO*Uninstaller*"
4⤵
PID:1876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Documents and Settings\msicuu2.*"
4⤵
PID:2096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Documents and Settings\msicuu.*"
4⤵
PID:3748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Documents and Settings\*Easy*remove*"
4⤵
PID:1544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\odt\*AUTO*Uninstaller*"
4⤵
PID:3964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\odt\msicuu2.*"
4⤵
PID:2292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C MD "C:\ProgramData\J.R.A"
4⤵
PID:3844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\odt\msicuu.*"
4⤵
PID:2836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\odt\*Easy*remove*"
4⤵
PID:1136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files\*AUTO*Uninstaller*"
4⤵
PID:1288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files\msicuu2.*"
4⤵
PID:2180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files\msicuu.*"
4⤵
PID:4144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files\*Easy*remove*"
4⤵
PID:4196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files (x86)\*AUTO*Uninstaller*"
4⤵
PID:4244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files (x86)\msicuu2.*"
4⤵
PID:4304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files (x86)\msicuu.*"
4⤵
PID:4332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files (x86)\*Easy*remove*"
4⤵
PID:4388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\ProgramData\*AUTO*Uninstaller*"
4⤵
PID:4444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\ProgramData\msicuu2.*"
4⤵
PID:4496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\ProgramData\msicuu.*"
4⤵
PID:4524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\ProgramData\*Easy*remove*"
4⤵
PID:4560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Users\*AUTO*Uninstaller*"
4⤵
PID:4620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Users\msicuu2.*"
4⤵
PID:4688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Users\msicuu.*"
4⤵
PID:4740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Users\*Easy*remove*"
4⤵
PID:4800

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /B C:\*AUTO*Uninstaller*
4⤵
PID:4832

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\$Recycle.Bin\*AUTO*Uninstaller*
4⤵
PID:4928

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Documents and Settings\*AUTO*Uninstaller*
4⤵
PID:4964

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\odt\*AUTO*Uninstaller*
4⤵
PID:5000

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Program Files\*AUTO*Uninstaller*
4⤵
PID:5036

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Program Files (x86)\*AUTO*Uninstaller*
4⤵
PID:5072

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\ProgramData\*AUTO*Uninstaller*
4⤵
PID:5108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\system32\drivers\etc" /R /D Y
4⤵
PID:4100

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\system32\drivers\etc" /R /D Y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Users\*AUTO*Uninstaller*
4⤵
PID:3124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ICACLS "C:\Windows\system32\drivers\etc" /grant:r Everyone:(OI)(CI)(F)
4⤵
PID:2100

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\system32\drivers\etc" /grant:r Everyone:(OI)(CI)(F)
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\system32\drivers\etc\hosts"
4⤵
PID:2192

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\system32\drivers\etc\hosts"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ICACLS "C:\Windows\system32\drivers\etc\hosts" /grant:r Everyone:(F)
4⤵
PID:4312

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\system32\drivers\etc\hosts" /grant:r Everyone:(F)
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ATTRIB -R -H -S "C:\Windows\system32\drivers\etc\hosts" /S /D /L
4⤵
PID:2884

C:\Windows\system32\attrib.exe
ATTRIB -R -H -S "C:\Windows\system32\drivers\etc\hosts" /S /D /L
5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:1500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C MD "AIOC_Cache\UpdateError\"
4⤵
PID:2308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @ECHO OFF&&timeout /t 3&ping -n 3 -w 1000 2.2.2.2>nul&"AIOC_3.1.127.2319.exe"&&DEL /F "AIOC_3.1.127.2319.exe"
4⤵
PID:4872

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:2096

C:\Windows\system32\PING.EXE
ping -n 3 -w 1000 2.2.2.2
5⤵
- Runs ping.exe
PID:3640

C:\Program Files\AIOC3\AIOC_3.1.127.2319.exe
"AIOC_3.1.127.2319.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Program Files\AIOC3\AutodeskInstallOnlineCheck3.exe
"C:\Program Files\AIOC3\AutodeskInstallOnlineCheck3.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\$Recycle.Bin\*AUTO*Uninstaller*"
7⤵
PID:4884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\ProgramData\J.R.A"
7⤵
PID:4860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\$Recycle.Bin\msicuu2.*"
7⤵
PID:3428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\$Recycle.Bin\msicuu.*"
7⤵
PID:4472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\$Recycle.Bin\*Easy*remove*"
7⤵
PID:4432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Documents and Settings\*AUTO*Uninstaller*"
7⤵
PID:4396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Documents and Settings\msicuu2.*"
7⤵
PID:4232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Documents and Settings\msicuu.*"
7⤵
PID:3308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Documents and Settings\*Easy*remove*"
7⤵
PID:1996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C MD "C:\ProgramData\J.R.A"
7⤵
PID:4324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\odt\msicuu2.*"
7⤵
PID:4228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\odt\*AUTO*Uninstaller*"
7⤵
PID:4136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\odt\msicuu.*"
7⤵
PID:4172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\odt\*Easy*remove*"
7⤵
PID:4192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files\*AUTO*Uninstaller*"
7⤵
PID:4488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files\msicuu2.*"
7⤵
PID:3604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files\msicuu.*"
7⤵
PID:1476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files\*Easy*remove*"
7⤵
PID:3324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files (x86)\*AUTO*Uninstaller*"
7⤵
PID:2456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files (x86)\msicuu2.*"
7⤵
PID:1188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files (x86)\*Easy*remove*"
7⤵
PID:3760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Program Files (x86)\msicuu.*"
7⤵
PID:1628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\ProgramData\*AUTO*Uninstaller*"
7⤵
PID:4892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\ProgramData\msicuu.*"
7⤵
PID:4100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\ProgramData\*Easy*remove*"
7⤵
PID:3832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Users\*AUTO*Uninstaller*"
7⤵
PID:3248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\ProgramData\msicuu2.*"
7⤵
PID:5072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Users\msicuu2.*"
7⤵
PID:3640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Users\*Easy*remove*"
7⤵
PID:5004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q "C:\Users\msicuu.*"
7⤵
PID:5008

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /B C:\*AUTO*Uninstaller*
7⤵
PID:5104

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\$Recycle.Bin\*AUTO*Uninstaller*
7⤵
PID:2660

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Documents and Settings\*AUTO*Uninstaller*
7⤵
PID:4896

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\odt\*AUTO*Uninstaller*
7⤵
PID:2484

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Program Files\*AUTO*Uninstaller*
7⤵
PID:4408

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Program Files (x86)\*AUTO*Uninstaller*
7⤵
PID:2172

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\ProgramData\*AUTO*Uninstaller*
7⤵
PID:4768

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Users\*AUTO*Uninstaller*
7⤵
PID:4844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\system32\drivers\etc" /R /D Y
7⤵
PID:1868

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\system32\drivers\etc" /R /D Y
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ICACLS "C:\Windows\system32\drivers\etc" /grant:r Everyone:(OI)(CI)(F)
7⤵
PID:4224

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\system32\drivers\etc" /grant:r Everyone:(OI)(CI)(F)
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\system32\drivers\etc\hosts"
7⤵
PID:948

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\system32\drivers\etc\hosts"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ICACLS "C:\Windows\system32\drivers\etc\hosts" /grant:r Everyone:(F)
7⤵
PID:3428

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\system32\drivers\etc\hosts" /grant:r Everyone:(F)
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ATTRIB -R -H -S "C:\Windows\system32\drivers\etc\hosts" /S /D /L
7⤵
PID:1980

C:\Windows\system32\attrib.exe
ATTRIB -R -H -S "C:\Windows\system32\drivers\etc\hosts" /S /D /L
8⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:5064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Program Files\AIOC3\Language\B0FA33D8FBA48017CA9E1A3FF761B778\zh-CN.ini"
7⤵
PID:368

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Program Files\AIOC3\Language\B0FA33D8FBA48017CA9E1A3FF761B778\zh-CN.ini"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ICACLS "C:\Program Files\AIOC3\Language\B0FA33D8FBA48017CA9E1A3FF761B778\zh-CN.ini" /RESET /C /L
7⤵
PID:3636

C:\Windows\system32\icacls.exe
ICACLS "C:\Program Files\AIOC3\Language\B0FA33D8FBA48017CA9E1A3FF761B778\zh-CN.ini" /RESET /C /L
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ICACLS "C:\Program Files\AIOC3\Language\B0FA33D8FBA48017CA9E1A3FF761B778\zh-CN.ini" /grant:r Everyone:(F)
7⤵
PID:1576

C:\Windows\system32\icacls.exe
ICACLS "C:\Program Files\AIOC3\Language\B0FA33D8FBA48017CA9E1A3FF761B778\zh-CN.ini" /grant:r Everyone:(F)
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ATTRIB -R "C:\Program Files\AIOC3\Language\B0FA33D8FBA48017CA9E1A3FF761B778\zh-CN.ini" /S /D /L
7⤵
PID:4520

C:\Windows\system32\attrib.exe
ATTRIB -R "C:\Program Files\AIOC3\Language\B0FA33D8FBA48017CA9E1A3FF761B778\zh-CN.ini" /S /D /L
8⤵
- Views/modifies file attributes
PID:4576

C:\Program Files\AIOC3\7-Zip\x64\7za.exe
"C:\Program Files\AIOC3\7-Zip\x64\7za.exe" a "C:\Program Files\AIOC3\Log\F6-C5-06-3C-24-68.20210624 034428.3.1.127.2319.7z" "Log\Exception.Log"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c ver
7⤵
PID:5104

C:\Program Files\AIOC3\aria2\x64\aria2c.exe
"aria2\x64\aria2c.exe" http://speed.qbgxl.com/-2007679313/speedtest.7z -s 2 -x 2 -d Resources -o SpeedTest-2007679313
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C NET USER "Admin"|FIND /I "*Administrators"
7⤵
PID:4684

C:\Windows\system32\net.exe
NET USER "Admin"
8⤵
PID:2892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 USER "Admin"
9⤵
PID:4240

C:\Windows\system32\find.exe
FIND /I "*Administrators"
8⤵
PID:4436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C NET LOCALGROUP Administrators "Admin" /ADD
7⤵
PID:2260

C:\Windows\system32\net.exe
NET LOCALGROUP Administrators "Admin" /ADD
8⤵
PID:4268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP Administrators "Admin" /ADD
9⤵
PID:1288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C NET LOCALGROUP Guests "Admin" /DELETE
7⤵
PID:5036

C:\Windows\system32\net.exe
NET LOCALGROUP Guests "Admin" /DELETE
8⤵
PID:4232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP Guests "Admin" /DELETE
9⤵
PID:4136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C NET LOCALGROUP Users "Admin" /DELETE
7⤵
PID:4472

C:\Windows\system32\net.exe
NET LOCALGROUP Users "Admin" /DELETE
8⤵
PID:4460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP Users "Admin" /DELETE
9⤵
PID:4504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C NET LOCALGROUP "Power Users" "Admin" /DELETE
7⤵
PID:4848

C:\Windows\system32\net.exe
NET LOCALGROUP "Power Users" "Admin" /DELETE
8⤵
PID:4180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Power Users" "Admin" /DELETE
9⤵
PID:4408

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C NET USER
7⤵
PID:4844

C:\Windows\system32\net.exe
NET USER
8⤵
PID:4952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 USER
9⤵
PID:3248

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C WMIC USERACCOUNT WHERE (NOT Name='Guest' AND NOT Name='DefaultAccount' AND Status='OK') GET /VALUE
7⤵
PID:4772

C:\Windows\System32\Wbem\WMIC.exe
WMIC USERACCOUNT WHERE (NOT Name='Guest' AND NOT Name='DefaultAccount' AND Status='OK') GET /VALUE
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F "C:\Program Files\AIOC3\Resources\SpeedTest*"
7⤵
PID:5020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4204

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2576

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae0055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5108

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:368

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4300

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:3444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\AIOC3\7-Zip\x64\7z.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\7-Zip\x64\7za.exe
MD5
badea99cf535f9593e021eac45a70e0f

SHA1
385590839233cfa6d84427acd11f3bea2eba4261

SHA256
e9ee300e254062ce2434a603323107e7b33ef74bb564f16f026a3b0a9b3e5aa9

SHA512
366e82e0d2b08bb2d096df519102126478387bea4e92d0dfd2dd77787fdb5cc1b0f62723645df29e9c4624d3963f46ea3829e14049b9f8d69f29286e0c550acf

Download Submit
C:\Program Files\AIOC3\7-Zip\x86\7z.dll
MD5
85045c904a8ac0da985a5ebd3a828740

SHA1
8c5168de8d105a4019610fa5dbad8c3eb535370e

SHA256
81d8f2107cf276efd0684003a3afc36ab51829d451f08f71854d49c53d7cb6d3

SHA512
3d8538bc0511a0823688a4b7c1e03fb0bd652335a49467f8ca55529813424185a599557d123be757b692795ef71848208bf4ce3712931fd70fa1fc214240c0d5

Download Submit
C:\Program Files\AIOC3\7-Zip\x86\7z.exe
MD5
480551da8becc9bf06c6f1732963d4fe

SHA1
4c280c3b43935040a632e336d30924eb2591063e

SHA256
0dbb51fbdaef248251db8b9f21d6e8e04e1ddfe61a202d6cc5f2f723eb627b9b

SHA512
e99e3402d38160b785387f3797ab9e370849b3327950c46a70ca82f8a96d277a48536e0274d0f043be2002ff1307193291c4fa76137ad5b914bc8aa47158e021

Download Submit
C:\Program Files\AIOC3\7-Zip\x86\7za.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\AIOC_3.1.127.2319.exe
MD5
e9c50fe4824c2e9beb865ac93318cf84

SHA1
d459a51da15bd45b3521cd728c0d14656d7dddcd

SHA256
ade63ff1f106406550efe5ea48a6a4e068745f1e3c73fba26ac1014b33499ed0

SHA512
8e7c40917c32338e1336daba017ede9796b63b4b704cb4c40aea5a4011e303f7a37e7b56f4c26b3fa25b1e0c30b1bb19121ec64dc9649c29a71b0c7c10afd1f4

Download Submit
C:\Program Files\AIOC3\AIOC_3.1.127.2319.exe
MD5
e9c50fe4824c2e9beb865ac93318cf84

SHA1
d459a51da15bd45b3521cd728c0d14656d7dddcd

SHA256
ade63ff1f106406550efe5ea48a6a4e068745f1e3c73fba26ac1014b33499ed0

SHA512
8e7c40917c32338e1336daba017ede9796b63b4b704cb4c40aea5a4011e303f7a37e7b56f4c26b3fa25b1e0c30b1bb19121ec64dc9649c29a71b0c7c10afd1f4

Download Submit
C:\Program Files\AIOC3\Accessibility.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\AutodeskInstallOnlineCheck3.exe
MD5
ff3020f1a0b25663f6f57bc88002ad69

SHA1
b8a8f7dda327f26c30103f5b187e517e47c9f77a

SHA256
dba6300629f1c31b37d28ed269b8f134cf84b9f82c81fc2c963a553ff295212c

SHA512
94f6e7bda0c56414c52c8d9626eb28cb54c7171b8617e9a69e8789d0a84f0eb07d1c657342c65b6f70e534fc61ce88d83b4969b7adf98acc3b9fde9ad6784309

Download Submit
C:\Program Files\AIOC3\AutodeskInstallOnlineCheck3.exe
MD5
ff3020f1a0b25663f6f57bc88002ad69

SHA1
b8a8f7dda327f26c30103f5b187e517e47c9f77a

SHA256
dba6300629f1c31b37d28ed269b8f134cf84b9f82c81fc2c963a553ff295212c

SHA512
94f6e7bda0c56414c52c8d9626eb28cb54c7171b8617e9a69e8789d0a84f0eb07d1c657342c65b6f70e534fc61ce88d83b4969b7adf98acc3b9fde9ad6784309

Download Submit
C:\Program Files\AIOC3\AutodeskInstallOnlineCheck3.exe
MD5
ff3020f1a0b25663f6f57bc88002ad69

SHA1
b8a8f7dda327f26c30103f5b187e517e47c9f77a

SHA256
dba6300629f1c31b37d28ed269b8f134cf84b9f82c81fc2c963a553ff295212c

SHA512
94f6e7bda0c56414c52c8d9626eb28cb54c7171b8617e9a69e8789d0a84f0eb07d1c657342c65b6f70e534fc61ce88d83b4969b7adf98acc3b9fde9ad6784309

Download Submit
C:\Program Files\AIOC3\AutodeskInstallOnlineCheck3.exe.config
MD5
312788103822de83bfcc14977cf85ce2

SHA1
ad849ac3d9f865f51233ef91069b195768a72e08

SHA256
42bb5911dc77bee5fef62a7557d76f57e03a615900ebc720cd0a8b7573e3fa3b

SHA512
dd8140619b7b31b0195671080f3ee4a18197458835fc9c38e3a5f02c15b539ba92dcd978bf0231ed4857e3a0b9215a8df860503099542bf5b0d87821ff0b2558

Download Submit
C:\Program Files\AIOC3\AutodeskInstallOnlineCheck3.pdb
MD5
87aa1111b44d39db07c1a55aed6149cb

SHA1
d8cab866523bd95e22a0e2cd6b7a7b42297a5836

SHA256
a17dc339f35632bfe60489052a5a6ed7be6e7af34d6c6ce4f4071226efff0544

SHA512
d9225be355945ce9ba96615b2662fd039c96b5873f4cf384f628566b7ad2e7c8145908d3b0349d642b875072ad74e9c68b3983b4f86bbe670184f6879e474467

Download Submit
C:\Program Files\AIOC3\CSkin.dll
MD5
64788240f6be72aa31ee2ec5fd511bd0

SHA1
c762fc8df14fc668de1954f80c5d5865b2a4ed8f

SHA256
bd4c6bf0564d0df979fdd370dfefb7f0038a041c05f1a4185ba60b8c1554e351

SHA512
421b71001f28f2ba134ab38ac8b0d84d4e8bba468c122691b69bfd795121bfc64a61f8b22768c44b8d7f88c26c86af7261adbd8c077e16ed808f1690b3b546b3

Download Submit
C:\Program Files\AIOC3\ICSharpCode.SharpZipLib.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\Language\61AB279C057A758C9E64F407FEC837E4\zh-CN.ini
MD5
d5143dbdbfd1c198c70fc4142fec9283

SHA1
c0fa2270a601decca01f0992438fe46bd7c404c4

SHA256
446928d7e0da3aea3eeffe1a789b5ffc42959f36c8c4e15753f2ae973ea3407e

SHA512
3396896cb1da5af4d6adc1c0ee0ad7cfdc51a9285cb0b2977d5bc6030daf810aff7fc3a02ece3d51e509d2a95091759a4d8ca13d98fe46958e5ae15165134d9e

Download Submit
C:\Program Files\AIOC3\Language\B0FA33D8FBA48017CA9E1A3FF761B778\zh-CN.ini
MD5
5a89968fa851d6a1c11cd82dbd449cff

SHA1
e6586e6e12c88acde8b3a639681f4d0819b36132

SHA256
11c6ef68fcaa461e5a7781b86298cd453b7531accb88de974511f27d7201bc72

SHA512
3653af4f56180d1f6ed941110787a7493b4a8c57595bc5e531c59ed6a84e04e028a125c997d0477b6803287faef324223f9e7c57a57408029b20084a3b81a793

Download Submit
C:\Program Files\AIOC3\Language\zh-CN\GetLastError.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\MetroFramework.dll
MD5
34ea7f7d66563f724318e322ff08f4db

SHA1
d0aa8038a92eb43def2fffbbf4114b02636117c5

SHA256
c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49

SHA512
dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148

Download Submit
C:\Program Files\AIOC3\Microsoft.VisualBasic.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\Newtonsoft.Json.dll
MD5
8f6875148b45c300b95514cb40703c2e

SHA1
0015b8e21d84e0f6f174cf71b63651bad94582df

SHA256
ea7fd75e2bb069699d4da09f3601d70ca8e401f58949178cdbf2c5928720daa1

SHA512
e0670c00e0c5cb0e0e1c691f053a53de121e1771cffb17b2d08b8cc3f0498bdde3c6efe1419fd74103952a327c26bb6f29e5f817965873f8391ee8b8be80a6fb

Download Submit
C:\Program Files\AIOC3\Resources\AA\3dsMaxDefaultOpen.exe
MD5
08a5f6779688b6080bb373f99380f3ac

SHA1
d357caea8d112310e7176e667ec9783d49988314

SHA256
959ccd7e6e9d243fdb915fa34fa33357122aaaa52bfffe11af32b25d06743d20

SHA512
7b5b617340320138bd515ad90b3f18104707682d01e267ce92e950fd266850aae99faa78ab8c8fb04e75b53086bbb628e54cc4501d94c3ef10ce840fec7d0286

Download Submit
C:\Program Files\AIOC3\Resources\AA\Maya2015英文版.lnk
MD5
0ec4990e38ace72489dff54163cfb0b8

SHA1
43c17273e7246e0623ee2c6eff38601257047e32

SHA256
f04e23ce823cea6531572114a3b61645660fb89e4fff7bcbf2322c4d68e01ad3

SHA512
cf5a622226b9f987a78c28e547c878306ec557686932c7d4cfd3fbd616ec8901572376fd5ebf09a7ae6b63f31e96fdc1e9b8612eccc1ad0c66a11621ef9fce8a

Download Submit
C:\Program Files\AIOC3\Resources\AA\MayaChangeLanguage.exe
MD5
0a2428e8e7d8e937726a46bf749782b9

SHA1
d5ff3c4c8ac1e219a877fbd319f22d8bd61b76f1

SHA256
52f7b31e27b8fe5039213f19e958d6b90758826ecc93cfe2539447c3da521e65

SHA512
37882e7a8f5d677bb6e6bfe279ab0a16082a3fbc394ed64faf7c59e179049fef3da7569fd039a9e1312aebfacfa16882b0dedf79e6f8b8de7977e25cb4a36763

Download Submit
C:\Program Files\AIOC3\Resources\AA\SetACL.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\Resources\AA\SetACL64.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\Resources\AA\ShowWindow.exe
MD5
8c353e6dbe24116c9fcd5fcfd5032695

SHA1
bab8b26f09c98b23654d14e5a4a3a50d752cf800

SHA256
10a887f6749ff75622778da594fb41ca24713e128ab9a3efc1d4896a17a08ca6

SHA512
8f2312ee0324dbf3cf41639773ee35702c5bf2320a817cc7f272309220f1d258fecf96d3b5a06b0106ce448e8796a51ac3685f2236259c26630a01699a85824f

Download Submit
C:\Program Files\AIOC3\Resources\AA\Updater.exe
MD5
299c7307a248430606d803c8ef8fc993

SHA1
052e757d27602b49701f713eebd0b885c5243de6

SHA256
73ce5813a0dd60db8e14c4e9d3ad3d0e45890d2a70a8a9187e9ccb94561abfc2

SHA512
daeabcca34f9b0b6dc4cfd885d192c7c8cffb7da0d208520ea914e70fe95bc92bd79fddd01cbe19f07a90fb8901d06be993a0383ba5b03e4900d9a6b0aaf5d67

Download Submit
C:\Program Files\AIOC3\Robocopy_x64.exe
MD5
cf3436f867c5d757cd38deba970efdc2

SHA1
361cf56ef2e6f9e11d4506b53701c42a7041a07b

SHA256
546ca67e58bba45f73ae3430ef08c950295382ec323b992c5830b8ed99da02cb

SHA512
e502db79e9165e6daceafd231afec904f4248c100d71451e868d32b2b8857e98040f59141423b4d063054ad48b610e4dbddab3dd4203a526d27537c877f80ed3

Download Submit
C:\Program Files\AIOC3\Robocopy_x86.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\SetACL64.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\System.Deployment.dll
MD5
f0767d83c07cc54b39cada3b1003dea8

SHA1
74ff781f3e2e6ed96282be23669363ab6e1a84c8

SHA256
20acb0859c308d1f7f07ddce50a3fec7b8bad23f96c36e7cfecc3700ef755ccc

SHA512
6eead2a0132a5dbef83d33957f021ac2b4c4bf8c5a7625a6e1f3aac145c0833179c4d1af5dc6390bc5ac8d15a59f35799f0400e33435e97c9b69bcae08144e2e

Download Submit
C:\Program Files\AIOC3\System.Management.dll
MD5
c3be97a00816d714800f5e5c07a2b7ca

SHA1
438dd4eb4bd3512e26f9ec1b0fb42609e99df9f1

SHA256
66ba731f4f474c158dbdf9bf5550b604b3bc02d0f63497a0b3d2387d1af1e21f

SHA512
b4a12d9e39765257a08e00e4ac9e060c6ff4e833a9409a06f46bd9139309ea1802cd1d629cf4a89556b6661662a0c8be5fc534d1f5757ab69e57773f952d2741

Download Submit
C:\Program Files\AIOC3\System.Numerics.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\aria2\AriaNg.url
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\aria2\x64\aria2.conf
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\aria2\x64\aria2.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\aria2\x64\aria2c.exe
MD5
da99ae2e9f7d3a54dc90b277faf3704a

SHA1
f23ea23e23963557975fdb2d2bb2aba4f5b029cb

SHA256
6f5a1b7315c157a2a6544929e661c44675a41e6f4e41b5cffa4bf20f9b97243e

SHA512
515d3eab2461917dff72088881fa97bf3b32c981ebce55dc124d6f3a28581c698aae62366bf8e5241173596c6039f85841b4b6dba7cd9de5695c81e70f3e4378

Download Submit
C:\Program Files\AIOC3\aria2\x64\dht.dat
MD5
3700a30ad23f9064b38fd944c9b4ed91

SHA1
212fe48d9b3e567f1d6c0ecaf46dfbdc642e6f52

SHA256
3e2912b2fe398033d5d9e344aef662902b3a29054b26494ba6e2bba43d2a52fa

SHA512
28e3a6bdb8ac769a737fc9ebdd8f8f7453c87418cb64395d093fc20634d72cb2504bb88cef841a4912e9ed8ce1eecfef6923558483532754146be64f3a96fd81

Download Submit
C:\Program Files\AIOC3\aria2\x64\dht6.dat
MD5
a67c59273ec5fd3f2b1ecf8db16f4723

SHA1
af8a543771abc47288f0ca3e265b5c844cbef662

SHA256
ef20ea16f0486825ff9c3242bb4fd725b99a2c685d9ea3db59b556afd5dab725

SHA512
fdd1040c1740805ff6ba2b8eeb492b7ffdd5fe4ec0b3f16f4791ec0664517e1a21aa31f0c64ad4fb5975cbffb6c4f594c35a8fb8517c510abb802540e8b97c49

Download Submit
C:\Program Files\AIOC3\aria2\x86\aria2.conf
MD5
329113a05731f2dfac2b00cc9b9b94bd

SHA1
d263a97bdfbe2395493690fbb1f3c780f2a7986d

SHA256
66654b681283b00e826f93b3c8d7365a2c8eb5ae03cf84a1a4806e7184266afd

SHA512
0d12de765195bae5a45a4b569f255caa3a7ede9b631571001077f9ceb1da257a7a80993dbd378617d322e22e3c6068be7241aa1c55a7d337e1f318de6e350243

Download Submit
C:\Program Files\AIOC3\aria2\x86\aria2.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\aria2\x86\aria2c.exe
MD5
e4d0cd46d27694af9bff8a9d6fd22a3b

SHA1
a651d3538b0c72ab3728a12a601ae8e8908eabb7

SHA256
21386b36638fd565a16b917d9155c3645b1a3293e3cbc12e4c2cb1ace9ca806c

SHA512
5efdfb53f99c506e7c11241e68a9423bb1e4e6bde1ff9a495392dcf278fe4165c481d4e7f643d23df2392a317ab11f133b5eb68b2a182440478060b29d64bb47

Download Submit
C:\Program Files\AIOC3\aria2\x86\dht.dat
MD5
753d2fc69fe61307cda5fe3237a76551

SHA1
c75e99517292ed580ed57b4e9c923525f40983c3

SHA256
409b7bbaa18adc2f93638f7e7d52fab2fddb1e0eab2594b6ef8619767c0cd5a1

SHA512
c8a95e80f59d1f6b302e867c7580d9efc822772ec84d645a5ae776e4f658ea7653b520899124bede3bf46374b900288f2f1edcaee9b6a380266551e8f2016d31

Download Submit
C:\Program Files\AIOC3\aria2\x86\dht6.dat
MD5
a67c59273ec5fd3f2b1ecf8db16f4723

SHA1
af8a543771abc47288f0ca3e265b5c844cbef662

SHA256
ef20ea16f0486825ff9c3242bb4fd725b99a2c685d9ea3db59b556afd5dab725

SHA512
fdd1040c1740805ff6ba2b8eeb492b7ffdd5fe4ec0b3f16f4791ec0664517e1a21aa31f0c64ad4fb5975cbffb6c4f594c35a8fb8517c510abb802540e8b97c49

Download Submit
C:\Program Files\AIOC3\attrib_x64.exe
MD5
c65c20c89a255517f11dd18b056cadb5

SHA1
61e0beaa8bb4b28726a56dedf020140ffc67a649

SHA256
f4d77c1928bba3dc70b3d8e706666eb1c0a268bc3301d9c0b670c332e709ba01

SHA512
d6e7e833a7191321a89e5c0cc80afabf71d68968491fb4f0c0b7390699f71fbd7d49967017b3b38c47bdca7e5ae63a8f1e642f74dc1ad5781ef4d822dda70d42

Download Submit
C:\Program Files\AIOC3\attrib_x86.exe
MD5
459a5755afbb1cb3e67ca4c1296599e3

SHA1
c10b6995861da38e538a1ffd5acc0bb3fc147a6c

SHA256
db24550c3183fc38f9440134322f124447dfe0a3564490180418305d7899d159

SHA512
e2793e056fe8b4090a74ca3bf75b81bf194b913197b7ac4a8381c6c4802d92a34ab78d5af3390cff61cb94a9bd0ccb87df452c316ca188f8f5a7e32506cf7c88

Download Submit
C:\Program Files\AIOC3\cmd_x64.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\cmd_x86.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\icacls_x64.exe
MD5
10c661e0413e6837c1c5f84ae5006ecb

SHA1
b8b8f831df432a59ed13c22a976fb0269f2836fc

SHA256
e553761f4279298bf745ab1270eb4011b6d7667d6d8b762020de6f8b23832756

SHA512
cb32d0b93a2935c8e40cc1e66de0e533029257a6c17456e7a65c2f9228bb5338c3e8ec46a4dd385ccd30e80c35a155219726fdd6791b347f8f88da65003d7c4f

Download Submit
C:\Program Files\AIOC3\icacls_x86.exe
MD5
cf23429bd7082564226fd2b202bcce63

SHA1
f9cc889d1972b473e4f16696f6e9fc508381fd36

SHA256
c48c317ed6c7839112b9a87aec22f692542e1a61c0928e7410669d8cb2e851fe

SHA512
80559ba0152172072fdb31848903fc047ebbc2fe24740d02b61d34367617e06c5d477d74ae2b47e072f4a4fb7acefd41e0fc72c548b5ec0fa34dfc542f84d06a

Download Submit
C:\Program Files\AIOC3\machine.config
MD5
b49f592c393d5d8f1d120ce479e56441

SHA1
c7ebb9ecc76366d6767b5f0fb6973e656f0d1924

SHA256
9270d837b056608f1df5bb9ca9db0f814807e2d689ac53271b94c991a6c4347c

SHA512
0b4b5ff29d11e8b0857ee3c338683363740ab376d8f200c6882f6eb08d675cda6b3ab547544d0cc7f22352eb0f0a7e2ff29809e4ef6c9e7266433cc8089804d9

Download Submit
C:\Program Files\AIOC3\msi_x64.dll
MD5
745f3dbcd4970b15c98572ca2da5cde0

SHA1
ed78684a7f1ed4c93cd48a6daf47ba54807b97b5

SHA256
1712e3fc36c8f37261cba6d21bde320ac7c0f07ee2a681ac5ddfb2ab9fcf51ee

SHA512
ec886b002fcab0b027e50fe25e208529b9ae0f2808ee6e023532d69281d4cefd532454eddc9985c69be01ffef0c3c56cfc5f65f256c1253acb0f3b48241be383

Download Submit
C:\Program Files\AIOC3\msi_x86.dll
MD5
be6e6d37fda431652c08204586d72a6f

SHA1
2509e3819f300d47a54781e48c53188b76dbc618

SHA256
fe6f5a6d579e244377a8436df3f5e7f101e7cb39ca4534fc4ed84c287cb7e2b5

SHA512
8ba8b03d6e8a3ebb105f1773e2c7f9cb6d9b04ec0b144054221605edf3d76cb6cf26c9981798a1959c00752de486ff44eb262654204979b07b703e702a3c1be3

Download Submit
C:\Program Files\AIOC3\netsh_x64.exe
MD5
403ff29198c641b7fecbad416c0f9ce9

SHA1
c8a22d53e927a8437fd5c81284b77a1b1f4d4a5b

SHA256
546647c7e227cf24b67f8000a97a1528b43619946503e6827f1d463a8d260323

SHA512
09661bad14df9af0d98db692b37760d18a615bd1a030d777de7517dcaabfdff13297e6122cbabc7497622d1735b890f072848c60aa9d087481966ed3600ab648

Download Submit
C:\Program Files\AIOC3\netsh_x86.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\takeown_x64.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\takeown_x86.exe
MD5
1f6f5034662692c3e86ab2eae8a5101b

SHA1
2f2f901c983d40b2932ded9723ce2a2d82301fa4

SHA256
4de7f2353c759232b4f31c38be161f707652303658ebc2fc902f5df73ac9c665

SHA512
c0a3a9075c67eab39c1cbd7230f5e17fb682dcd661c0dbeffbd2ee64b7d726be4bb036115f07044a5534d0d984cd3234e7c9ba4550c2f01e6bed54c789af1c5b

Download Submit
C:\Program Files\AIOC3\taskkill_x64.exe
MD5
f352c3e73a62202064b61b5906358e42

SHA1
72faa504019d78c62aa965fcd4a775d0035618a0

SHA256
ae19935aab20bd0f31db71ea0a81bd4c938d339d17d802da5104bc7dad650bb4

SHA512
5ffdf4c66db3bc00857b61223178ab35af5b09236d8a86f7b875c3144dfefa0d19be970d9c6079e41da9c6d51016670db79e5b48f1a4aa3ee2e74f64da1860c7

Download Submit
C:\Program Files\AIOC3\taskkill_x86.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AIOC3\xcopy_x64.exe
MD5
9dfa58e4a8bae16a47eb8d34af6ef724

SHA1
239f3f34be0e807f492ad35fd8bea38d633e23fa

SHA256
b7c7a1655e53c9657ce831fba37327224bf81dbf5cc2d16f721fdadf279859ba

SHA512
81591750a8e73cbdd7fd4531c1e344bed832fe3177404bfc42b27df19d4a5f958a295dc3d5e28caac54a03225c5a9ae600a26a81dcff45122dfb057496b4cca1

Download Submit
C:\Program Files\AIOC3\xcopy_x86.exe
MD5
f3c64d52049b31844fc282cdfa1038c4

SHA1
64b259aca09b5457293d79a4508e2f7d78a4e3d0

SHA256
66f2a2cc73f7c1226f44c629542635086fb5033d1942338c3ba671c2c1f18274

SHA512
f3513509c4e481b2c50ea7f8bcb0e2a02a64d4c0f79124da64114609624deabb9e5362b1abf9bf62de16a1cd284974c9c3b47bd3a418cd3f561488f5dce1f38e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AutodeskInstallOnlineCheck3.exe.log
MD5
be9ce8789ed64895e2b444842c638cc6

SHA1
e3037caabf3b6b0c82aad60eaa7ae5b6f6986fc2

SHA256
d55be247f65936b91654f2ab2b48d32ccc4b0484c0b034691e4c349dc6ca39cd

SHA512
0f2f1fcfca27f110e09039baa553356c0d0ecb9a8862dd511be48d0a20b58d210fa8c14b793c70287ba723d5b4cb02fad959f3b72a0daf7acb0217a14fdb379c

Download Submit
C:\Users\Admin\Desktop\AIOC超级工具箱.lnk
MD5
99da85f0b9804d41afdee5b46e98fab6

SHA1
c4dd8d88a1fcd9308457653250eda752bdee9286

SHA256
71bc8e28e15776f6508e555c7f101223bb5cfbc43bb4d5069560520700f6c519

SHA512
cbf81bdaad9a5b34279f5d02e92728966ca0795ab7bc472a50ce8ede357022051d5547fcd3c645152050a0aa360c4f7d20d578fbd746eb46f9b3025eb679bd92

Download Submit
memory/208-149-0x0000000000000000-mapping.dmp

Download
memory/368-150-0x0000000000000000-mapping.dmp

Download
memory/1136-159-0x0000000000000000-mapping.dmp

Download
memory/1288-160-0x0000000000000000-mapping.dmp

Download
memory/1500-197-0x0000000000000000-mapping.dmp

Download
memory/1544-154-0x0000000000000000-mapping.dmp

Download
memory/1624-147-0x0000000000000000-mapping.dmp

Download
memory/1876-151-0x0000000000000000-mapping.dmp

Download
memory/2084-189-0x0000000000000000-mapping.dmp

Download
memory/2096-152-0x0000000000000000-mapping.dmp

Download
memory/2096-201-0x0000000000000000-mapping.dmp

Download
memory/2100-190-0x0000000000000000-mapping.dmp

Download
memory/2180-161-0x0000000000000000-mapping.dmp

Download
memory/2192-192-0x0000000000000000-mapping.dmp

Download
memory/2292-157-0x0000000000000000-mapping.dmp

Download
memory/2296-203-0x0000000000000000-mapping.dmp

Download
memory/2308-198-0x0000000000000000-mapping.dmp

Download
memory/2836-158-0x0000000000000000-mapping.dmp

Download
memory/2884-196-0x0000000000000000-mapping.dmp

Download
memory/3008-146-0x0000000000000000-mapping.dmp

Download
memory/3124-188-0x0000000000000000-mapping.dmp

Download
memory/3144-141-0x000000001C1D5000-0x000000001C1D6000-memory.dmp

Filesize
4KB

Download
memory/3144-139-0x000000001C1D4000-0x000000001C1D5000-memory.dmp

Filesize
4KB

Download
memory/3144-126-0x0000000000000000-mapping.dmp

Download
memory/3144-133-0x000000001FFA0000-0x000000001FFA1000-memory.dmp

Filesize
4KB

Download
memory/3144-199-0x000000001FB20000-0x000000001FB21000-memory.dmp

Filesize
4KB

Download
memory/3144-135-0x000000001C1D0000-0x000000001C1D2000-memory.dmp

Filesize
8KB

Download
memory/3144-186-0x0000000023B80000-0x0000000023B81000-memory.dmp

Filesize
4KB

Download
memory/3144-136-0x0000000001AD0000-0x0000000001AD1000-memory.dmp

Filesize
4KB

Download
memory/3144-138-0x000000001C1D2000-0x000000001C1D4000-memory.dmp

Filesize
8KB

Download
memory/3144-143-0x0000000023F30000-0x0000000023F31000-memory.dmp

Filesize
4KB

Download
memory/3144-137-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/3144-140-0x000000001CFD0000-0x000000001D00E000-memory.dmp

Filesize
248KB

Download
memory/3144-142-0x0000000023EB0000-0x0000000023EB1000-memory.dmp

Filesize
4KB

Download
memory/3144-178-0x000000001C1D8000-0x000000001C1DA000-memory.dmp

Filesize
8KB

Download
memory/3144-177-0x000000001C1D7000-0x000000001C1D8000-memory.dmp

Filesize
4KB

Download
memory/3248-148-0x0000000000000000-mapping.dmp

Download
memory/3308-276-0x0000000000000000-mapping.dmp

Download
memory/3428-271-0x0000000000000000-mapping.dmp

Download
memory/3640-202-0x0000000000000000-mapping.dmp

Download
memory/3748-153-0x0000000000000000-mapping.dmp

Download
memory/3776-121-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/3776-118-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3776-122-0x000000001B340000-0x000000001B342000-memory.dmp

Filesize
8KB

Download
memory/3776-123-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3776-125-0x000000001C3A0000-0x000000001C3A1000-memory.dmp

Filesize
4KB

Download
memory/3776-114-0x0000000000000000-mapping.dmp

Download
memory/3808-193-0x0000000000000000-mapping.dmp

Download
memory/3844-156-0x0000000000000000-mapping.dmp

Download
memory/3964-155-0x0000000000000000-mapping.dmp

Download
memory/4100-187-0x0000000000000000-mapping.dmp

Download
memory/4136-195-0x0000000000000000-mapping.dmp

Download
memory/4144-162-0x0000000000000000-mapping.dmp

Download
memory/4196-163-0x0000000000000000-mapping.dmp

Download
memory/4204-191-0x0000000000000000-mapping.dmp

Download
memory/4232-275-0x0000000000000000-mapping.dmp

Download
memory/4244-164-0x0000000000000000-mapping.dmp

Download
memory/4304-165-0x0000000000000000-mapping.dmp

Download
memory/4312-194-0x0000000000000000-mapping.dmp

Download
memory/4332-166-0x0000000000000000-mapping.dmp

Download
memory/4388-167-0x0000000000000000-mapping.dmp

Download
memory/4396-274-0x0000000000000000-mapping.dmp

Download
memory/4432-273-0x0000000000000000-mapping.dmp

Download
memory/4444-168-0x0000000000000000-mapping.dmp

Download
memory/4472-272-0x0000000000000000-mapping.dmp

Download
memory/4496-169-0x0000000000000000-mapping.dmp

Download
memory/4524-170-0x0000000000000000-mapping.dmp

Download
memory/4560-171-0x0000000000000000-mapping.dmp

Download
memory/4620-172-0x0000000000000000-mapping.dmp

Download
memory/4688-173-0x0000000000000000-mapping.dmp

Download
memory/4720-277-0x000000001B2B5000-0x000000001B2B6000-memory.dmp

Filesize
4KB

Download
memory/4720-265-0x000000001B2B2000-0x000000001B2B4000-memory.dmp

Filesize
8KB

Download
memory/4720-279-0x000000001B2B8000-0x000000001B2BA000-memory.dmp

Filesize
8KB

Download
memory/4720-268-0x000000001C080000-0x000000001C0BE000-memory.dmp

Filesize
248KB

Download
memory/4720-257-0x0000000000000000-mapping.dmp

Download
memory/4720-258-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/4720-263-0x000000001B2B0000-0x000000001B2B2000-memory.dmp

Filesize
8KB

Download
memory/4720-278-0x000000001B2B7000-0x000000001B2B8000-memory.dmp

Filesize
4KB

Download
memory/4720-264-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/4720-266-0x000000001B2B4000-0x000000001B2B5000-memory.dmp

Filesize
4KB

Download
memory/4720-267-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/4740-174-0x0000000000000000-mapping.dmp

Download
memory/4800-175-0x0000000000000000-mapping.dmp

Download
memory/4832-176-0x0000000000000000-mapping.dmp

Download
memory/4860-270-0x0000000000000000-mapping.dmp

Download
memory/4872-200-0x0000000000000000-mapping.dmp

Download
memory/4884-269-0x0000000000000000-mapping.dmp

Download
memory/4928-179-0x0000000000000000-mapping.dmp

Download
memory/4964-180-0x0000000000000000-mapping.dmp

Download
memory/5000-181-0x0000000000000000-mapping.dmp

Download
memory/5036-182-0x0000000000000000-mapping.dmp

Download
memory/5072-183-0x0000000000000000-mapping.dmp

Download
memory/5108-184-0x0000000000000000-mapping.dmp

Download