Analysis
- max time kernel: 153s
- max time network: 157s
- platform: windows7_x64
- resource: win7-ja-20211014
- submitted: 21-10-2021 12:46
Static task
- static1
Behavioral tasks
- behavioral1: Sample Software-update-patc_612604768.exe, Resource win7-ja-20211014
- behavioral2: Sample Software-update-patc_612604768.exe, Resource win7-en-20211014
- behavioral3: Sample Software-update-patc_612604768.exe, Resource win7-de-20211014
- behavioral4: Sample Software-update-patc_612604768.exe, Resource win11
- behavioral5: Sample Software-update-patc_612604768.exe, Resource win10-ja-20211014
- behavioral6: Sample Software-update-patc_612604768.exe, Resource win10-en-20210920
- behavioral7: Sample Software-update-patc_612604768.exe, Resource win10-de-20211014
General
- Target: Software-update-patc_612604768.exe
- Size: 4.7MB
- MD5: 567ab95af9696f0d0cea101efbd344f9
- SHA1: 78544ed738d9929e68b735448276c93166b61c37
- SHA256: 3bfbe7f602fdffa1b70a657767d1fa7cfe4f6111da191b94d1abe8f5d8f1ea3b
- SHA512: 36d16b04d74d41ef11b8dcef4c5e705d6660a0bb34c72abbd59fad36f37bde069b80af270dbd208b0956f1b8bd4abcb87cdb05a32265a6d4aeae2266dc7709bf
Malware Config
Extracted: vidar
- 41.5
- 223
- https://mas.to/@xeroxxx
- profile_id: 223
Extracted: redline
- lllolly666123
- 87.251.71.82:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/2248-196-0x0000000000400000-0x0000000000422000-memory.dmp: family_redline
- behavioral1/memory/2248-197-0x0000000000400000-0x0000000000422000-memory.dmp: family_redline
- behavioral1/memory/2248-198-0x0000000000400000-0x0000000000422000-memory.dmp: family_redline
- behavioral1/memory/2248-199-0x000000000041B23E-mapping.dmp: family_redline
- behavioral1/memory/2248-200-0x0000000000400000-0x0000000000422000-memory.dmp: family_redline
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/1136-158-0x0000000000400000-0x00000000009A4000-memory.dmp: family_vidar
-
Blocklisted process makes network request 64 IoCs
Processes (flow / pid / process):
- MsiExec.exe (pid 1208), network flows: 57, 60, 61, 65, 67, 70, 72, 73, 74, 75, 77, 78, 79, 80, 82, 83, 84, 85, 86, 87, 88, 90, 91, 92, 93, 94, 95, 96, 97, 98, 100, 101, 102, 103, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 132, 133, 134, 135, 136, 137, 138
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
Processes (pid / process):
- 1684 Software-update-patc_612604768.tmp
- 812 Quibusdam.exe
- 1948 QcDIZx6q.exe
- 1388 FTxEfaSIb.exe
- 1136 Zembra.exe
- 2788 nmf1aPaRyDs4GOpB.exe
- 2808 nmf1aPaRyDs4GOpB.exe
- 3052 ZembraBro.exe
- 2248 ZembraBro.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Zembra.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Zembra.exe)
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes (description / ioc / process):
- Key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Wine (Zembra.exe)
-
Loads dropped DLL 43 IoCs
Processes (pid / process, in the order recorded):
- 360 Software-update-patc_612604768.exe
- 1684 Software-update-patc_612604768.tmp (x4)
- 812 Quibusdam.exe (x2)
- 1388 FTxEfaSIb.exe (x3)
- 1692 MsiExec.exe
- 1948 QcDIZx6q.exe (x2)
- 1692 MsiExec.exe
- 1208 MsiExec.exe (x9)
- 1388 FTxEfaSIb.exe
- 1208 MsiExec.exe (x2)
- 2316 MsiExec.exe (x7)
- 1208 MsiExec.exe
- 812 Quibusdam.exe (x2)
- 2788 nmf1aPaRyDs4GOpB.exe
- 1136 Zembra.exe (x4)
- 1948 QcDIZx6q.exe
- 3052 ZembraBro.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes (description / ioc / process):
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Zembra.exe)
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description / ioc / process):
- FTxEfaSIb.exe, File opened (read-only): \??\W:, \??\K:, \??\P:, \??\H:, \??\U:, \??\S:, \??\Z:, \??\J:, \??\X:, \??\N:, \??\Q:, \??\E:, \??\I:, \??\M:, \??\R:, \??\F:, \??\L:, \??\O:, \??\V:, \??\A:, \??\B:, \??\Y:, \??\G:, \??\T:
- msiexec.exe, File opened (read-only): \??\J:, \??\U:, \??\V:, \??\W:, \??\H:, \??\P:, \??\Z:, \??\A:, \??\G:, \??\I:, \??\Y:, \??\R:, \??\X:, \??\F:, \??\L:, \??\O:, \??\Q:, \??\K:, \??\S:, \??\M:, \??\N:, \??\B:, \??\E:, \??\T:
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes (pid / process):
- 1136 Zembra.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes (description / pid / process / target process):
- PID 2788 (nmf1aPaRyDs4GOpB.exe) set thread context of 2808 (nmf1aPaRyDs4GOpB.exe)
- PID 3052 (ZembraBro.exe) set thread context of 2248 (ZembraBro.exe)
-
autoit_exe 3 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource / yara_rule):
- \Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe: autoit_exe
- C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe: autoit_exe
- C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe: autoit_exe
-
Drops file in Program Files directory 22 IoCs
Processes (description / ioc / process):
- File created C:\Program Files (x86)\Dolore\minus\is-JCPJP.tmp (Software-update-patc_612604768.tmp)
- File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini (msiexec.exe)
- File created C:\Program Files (x86)\Dolore\unins000.dat (Software-update-patc_612604768.tmp)
- File created C:\Program Files (x86)\Dolore\is-6LLGR.tmp (Software-update-patc_612604768.tmp)
- File created C:\Program Files (x86)\Dolore\in\is-BVS3D.tmp (Software-update-patc_612604768.tmp)
- File created C:\Program Files (x86)\Dolore\quia\is-OLRNU.tmp (Software-update-patc_612604768.tmp)
- File created C:\Program Files (x86)\Dolore\quos\is-31PSU.tmp (Software-update-patc_612604768.tmp)
- File created C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe (msiexec.exe)
- File created C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk (msiexec.exe)
- File created C:\Program Files (x86)\Dolore\consectetur\is-M9HSG.tmp (Software-update-patc_612604768.tmp)
- File created C:\Program Files (x86)\Dolore\in\is-NDL2S.tmp (Software-update-patc_612604768.tmp)
- File created C:\Program Files (x86)\Dolore\minus\is-QSNJ9.tmp (Software-update-patc_612604768.tmp)
- File created C:\Program Files (x86)\Dolore\is-EI043.tmp (Software-update-patc_612604768.tmp)
- File created C:\Program Files (x86)\Dolore\consectetur\is-QEEFF.tmp (Software-update-patc_612604768.tmp)
- File created C:\Program Files (x86)\Dolore\quia\is-HL6CJ.tmp (Software-update-patc_612604768.tmp)
- File opened for modification C:\Program Files (x86)\Dolore\unins000.dat (Software-update-patc_612604768.tmp)
- File created C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe (msiexec.exe)
- File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url (msiexec.exe)
- File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url (msiexec.exe)
- File opened for modification C:\Program Files (x86)\Dolore\quia\Quibusdam.exe (Software-update-patc_612604768.tmp)
- File created C:\Program Files (x86)\Dolore\is-B2JPM.tmp (Software-update-patc_612604768.tmp)
- File created C:\Program Files (x86)\Dolore\in\is-LU7T3.tmp (Software-update-patc_612604768.tmp)
-
Drops file in Windows directory 30 IoCs
Processes (description / ioc / process; all entries are msiexec.exe):
- File opened for modification C:\Windows\Installer\MSI6909.tmp
- File opened for modification C:\Windows\Installer\
- File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe
- File opened for modification C:\Windows\Installer\MSI7CA6.tmp
- File opened for modification C:\Windows\Installer\MSI62DB.tmp
- File opened for modification C:\Windows\Installer\MSI6492.tmp
- File opened for modification C:\Windows\Installer\MSI6B3C.tmp
- File opened for modification C:\Windows\Installer\MSI780D.tmp
- File opened for modification C:\Windows\Installer\MSI788B.tmp
- File opened for modification C:\Windows\Installer\MSI7AB1.tmp
- File created C:\Windows\Installer\f775afc.msi
- File opened for modification C:\Windows\Installer\MSI6378.tmp
- File opened for modification C:\Windows\Installer\MSI6A23.tmp
- File opened for modification C:\Windows\Installer\MSI7388.tmp
- File opened for modification C:\Windows\Installer\MSI74E1.tmp
- File opened for modification C:\Windows\Installer\MSI7A33.tmp
- File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe
- File opened for modification C:\Windows\Installer\MSI682D.tmp
- File opened for modification C:\Windows\Installer\f775afe.ipi
- File opened for modification C:\Windows\Installer\MSI66A6.tmp
- File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe
- File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe
- File opened for modification C:\Windows\Installer\MSI5F42.tmp
- File opened for modification C:\Windows\Installer\MSI656D.tmp
- File created C:\Windows\Installer\f775afe.ipi
- File opened for modification C:\Windows\Installer\MSI7928.tmp
- File created C:\Windows\Installer\f775b00.msi
- File opened for modification C:\Windows\Installer\f775afc.msi
- File opened for modification C:\Windows\Installer\MSI7377.tmp
- File opened for modification C:\Windows\Installer\MSI79A6.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Zembra.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Zembra.exe)
-
Delays execution with timeout.exe 1 IoCs
Processes (pid / process):
- 3032 timeout.exe
-
Kills process with taskkill 3 IoCs
Processes (pid / process):
- 2980 taskkill.exe
- 2120 taskkill.exe
- 2076 taskkill.exe
-
Processes (description / ioc / process; every key below is under \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer):
- Key created Main (iexplore.exe)
- Key created IETld\LowMic (iexplore.exe)
- Key created LowRegistry (iexplore.exe)
- Set value (str) Main\FullScreen = "no" (iexplore.exe)
- Set value (int) Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Set value (str) Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
- Key created BrowserEmulation\LowMic (iexplore.exe)
- Key created Toolbar (iexplore.exe)
- Key created Toolbar\WebBrowser (iexplore.exe)
- Set value (int) Main\CompatibilityFlags = "0" (iexplore.exe)
- Key created GPU (iexplore.exe)
- Key created InternetRegistry (iexplore.exe)
- Key created LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Set value (int) Recovery\AdminActive\{8CAD3581-327E-11EC-BF70-46166E0FD2EB} = "0" (iexplore.exe)
- Key created Main\WindowsSearch (iexplore.exe)
- Set value (str) Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Key created IntelliForms (iexplore.exe)
- Key created LowRegistry\DOMStorage (iexplore.exe)
- Key created PageSetup (iexplore.exe)
- Key created Zoom (iexplore.exe)
- Key created Main (IEXPLORE.EXE)
- Key created Recovery\AdminActive (iexplore.exe)
- Key created Recovery\PendingRecovery (iexplore.exe)
- Key created Main\WindowsSearch (IEXPLORE.EXE)
-
Modifies data under HKEY_USERS 4 IoCs
Processes (description / ioc / process):
- Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E (msiexec.exe)
- Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\6CF876C7 (msiexec.exe)
- Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25 (msiexec.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 (msiexec.exe)
-
Modifies registry class 24 IoCs
Processes (description / ioc / process; all entries are msiexec.exe and every key below is under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer):
- Set value (str) Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"
- Set value (str) Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"
- Key created Products\C414548CC3098124D97E31A29BF7FD26
- Set value (int) Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"
- Set value (int) Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"
- Set value (int) Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"
- Key created UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9
- Set value (str) UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26
- Set value (data) Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000
- Key created Features\C414548CC3098124D97E31A29BF7FD26
- Set value (str) Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"
- Set value (int) Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"
- Set value (str) Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"
- Set value (str) Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi"
- Set value (str) Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"
- Set value (str) Features\C414548CC3098124D97E31A29BF7FD26\MainFeature
- Set value (int) Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"
- Key created Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net
- Set value (str) Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"
- Set value (str) Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7"
- Set value (int) Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"
- Set value (int) Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"
- Key created Products\C414548CC3098124D97E31A29BF7FD26\SourceList
- Key created Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media
-
Processes (description / ioc / process; every key below is under \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates):
- Key created 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 (FTxEfaSIb.exe)
- Key created 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 (FTxEfaSIb.exe)
- Set value (data) D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … (QcDIZx6q.exe)
- Set value (data) D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e (QcDIZx6q.exe)
- Set value (data) 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … (FTxEfaSIb.exe)
- Set value (data) 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … (FTxEfaSIb.exe)
- Set value (data) 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … (FTxEfaSIb.exe)
- Set value (data) 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … (FTxEfaSIb.exe)
- Set value (data) 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … (FTxEfaSIb.exe)
- Key created D1EB23A46D17D68FD92564C2F1F1601764D8E349 (QcDIZx6q.exe)
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes (pid / process, in the order recorded):
- 1684 Software-update-patc_612604768.tmp (x2)
- 812 Quibusdam.exe (x3)
- 1692 MsiExec.exe
- 1136 Zembra.exe
- 1208 MsiExec.exe (x2)
- 1796 msiexec.exe (x2)
- 1136 Zembra.exe (x4)
- 812 Quibusdam.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description / pid / process):
- msiexec.exe (pid 1796), Token: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
- FTxEfaSIb.exe (pid 1388), Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (this sequence of 29 privileges is recorded twice in full, followed by SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege and SeLockMemoryPrivilege a third time)
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes (pid / process):
- 1684 Software-update-patc_612604768.tmp
- 1388 FTxEfaSIb.exe
- 2332 iexplore.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid / process):
- 2332 iexplore.exe (x2)
- 2520 IEXPLORE.EXE (x2)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description / pid / process / target process, in the order recorded):
- PID 360 (Software-update-patc_612604768.exe) wrote to memory of 1684 (Software-update-patc_612604768.tmp), 7 times
- PID 1684 (Software-update-patc_612604768.tmp) wrote to memory of 812 (Quibusdam.exe), 4 times
- PID 812 (Quibusdam.exe) wrote to memory of 1948 (QcDIZx6q.exe), 4 times
- PID 812 (Quibusdam.exe) wrote to memory of 1388 (FTxEfaSIb.exe), 7 times
- PID 1796 (msiexec.exe) wrote to memory of 1692 (MsiExec.exe), 7 times
- PID 1948 (QcDIZx6q.exe) wrote to memory of 1136 (Zembra.exe), 4 times
- PID 1388 (FTxEfaSIb.exe) wrote to memory of 1676 (msiexec.exe), 7 times
- PID 1796 (msiexec.exe) wrote to memory of 1208 (MsiExec.exe), 7 times
- PID 1208 (MsiExec.exe) wrote to memory of 2076 (taskkill.exe), 4 times
- PID 1796 (msiexec.exe) wrote to memory of 2316 (MsiExec.exe), 7 times
- PID 812 (Quibusdam.exe) wrote to memory of 2788 (nmf1aPaRyDs4GOpB.exe), 4 times
- PID 2788 (nmf1aPaRyDs4GOpB.exe) wrote to memory of 2808 (nmf1aPaRyDs4GOpB.exe), 2 times
Processes ([n] = nesting depth in the process tree)
-
[1] C:\Users\Admin\AppData\Local\Temp\Software-update-patc_612604768.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Software-update-patc_612604768.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\is-F2GT3.tmp\Software-update-patc_612604768.tmp
      cmdline: "C:\Users\Admin\AppData\Local\Temp\is-F2GT3.tmp\Software-update-patc_612604768.tmp" /SL5="$70152,4477466,466944,C:\Users\Admin\AppData\Local\Temp\Software-update-patc_612604768.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Dolore\quia\Quibusdam.exe
        cmdline: "C:\Program Files (x86)\Dolore/\quia\Quibusdam.exe" 2fe3d428284ff9b385bc1c941892777b
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe /VERYSILENT
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies system certificate store
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\Zembra.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\Zembra.exe
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Identifies Wine through registry keys
            - Loads dropped DLL
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im Zembra.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Zembra.exe" & del C:\ProgramData\*.dll & exit
            [7] C:\Windows\SysWOW64\taskkill.exe
                cmdline: taskkill /im Zembra.exe /f
                - Kills process with taskkill
            [7] C:\Windows\SysWOW64\timeout.exe
                cmdline: timeout /t 6
                - Delays execution with timeout.exe
        [5] C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
          [6] C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe"
              - Executes dropped EXE
        [5] C:\Program Files\Internet Explorer\iexplore.exe
            cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.binance.com/en/register?ref=WDA8929C
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:275457 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe & exit
          [6] C:\Windows\SysWOW64\PING.EX
              cmdline: ping 0
              - Runs ping.exe
      [4] C:\Users\Admin\AppData\Local\Temp\NloCjN7K\FTxEfaSIb.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\NloCjN7K\FTxEfaSIb.exe /qn CAMPAIGN="642"
          - Executes dropped EXE
          - Loads dropped DLL
          - Enumerates connected drives
          - Modifies system certificate store
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\msiexec.exe
            cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=642 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\NloCjN7K\FTxEfaSIb.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\NloCjN7K\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634568427 /qn CAMPAIGN=""642"" " CAMPAIGN="642"
      [4] C:\Users\Admin\AppData\Local\Temp\EqJmAo4h\nmf1aPaRyDs4GOpB.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\EqJmAo4h\nmf1aPaRyDs4GOpB.exe /usthree SUB=2fe3d428284ff9b385bc1c941892777b
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\EqJmAo4h\nmf1aPaRyDs4GOpB.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\EqJmAo4h\nmf1aPaRyDs4GOpB.exe /usthree SUB=2fe3d428284ff9b385bc1c941892777b
            - Executes dropped EXE
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "nmf1aPaRyDs4GOpB.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\EqJmAo4h\nmf1aPaRyDs4GOpB.exe" & exit
            [7] C:\Windows\SysWOW64\taskkill.exe
                cmdline: taskkill /im "nmf1aPaRyDs4GOpB.exe" /f
                - Kills process with taskkill
[1] C:\Windows\system32\msiexec.exe
    cmdline: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding DBD9F13227815E00292EE9DFCFA5C103 C
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding DC2A3459F5BBAD23C0CEDE76273C5FC6
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        cmdline: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
        - Kills process with taskkill
  [2] C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 315E56FEB27186B6C67CFC74BA68D0E1 M Global\MSI0000
      - Loads dropped DLL
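The process tree above contains three behaviours worth turning into detections: the `cmd /c taskkill ... & timeout ... & del ...` and `cmd /k ping 0 & del ...` chains by which the dropped executables remove themselves, a process relaunching its own image with the same command line (the pattern on ZembraBro.exe and nmf1aPaRyDs4GOpB.exe, both of which also carry the SetThreadContext signature), and a silent `msiexec /i ... /qn` run against a package under AppData. The following Python is an added example, not part of the sandbox report and not code from the sample: it constructs event records from the command lines printed above (the event schema and rule names are our own, and the PIDs of the cmd.exe and ZembraBro.exe children, which the report does not print, are assumed) and applies those three rules to them.

```python
"""Flag self-deletion chains, same-image respawns and silent MSI installs in a
sandbox process tree. Added example, not part of the sandbox report: EVENTS is
constructed from the command lines in the tree above; the event schema and rule
names are our own, and PIDs the report does not print are assumed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


T = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    ProcEvent(1136, 1948, T + r"\Zembra.exe", T + r"\Zembra.exe"),
    ProcEvent(4001, 1136, r"C:\Windows\SysWOW64\cmd.exe",  # PID 4001 assumed
              r'"C:\Windows\System32\cmd.exe" /c taskkill /im Zembra.exe /f & timeout /t 6 & del /f /q "'
              + T + r'\Zembra.exe" & del C:\ProgramData\*.dll & exit'),
    ProcEvent(4002, 1948, T + r"\ZembraBro.exe", T + r"\ZembraBro.exe"),         # PID assumed
    ProcEvent(4003, 4002, T + r"\ZembraBro.exe", '"' + T + r'\ZembraBro.exe"'),  # PID assumed
    ProcEvent(4004, 1948, r"C:\Windows\SysWOW64\cmd.exe",  # PID assumed
              r'"C:\Windows\system32\cmd.exe" /k ping 0 & del ' + T + r'\C4cPtPB3\QcDIZx6q.exe & exit'),
    ProcEvent(1676, 1388, r"C:\Windows\SysWOW64\msiexec.exe",
              r'"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager'
              r'\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=642'),
    ProcEvent(2788, 812, T + r"\EqJmAo4h\nmf1aPaRyDs4GOpB.exe",
              T + r"\EqJmAo4h\nmf1aPaRyDs4GOpB.exe /usthree SUB=2fe3d428284ff9b385bc1c941892777b"),
    ProcEvent(2808, 2788, T + r"\EqJmAo4h\nmf1aPaRyDs4GOpB.exe",
              T + r"\EqJmAo4h\nmf1aPaRyDs4GOpB.exe /usthree SUB=2fe3d428284ff9b385bc1c941892777b"),
    ProcEvent(4005, 2808, r"C:\Windows\SysWOW64\cmd.exe",  # PID assumed
              r'"C:\Windows\System32\cmd.exe" /c taskkill /im "nmf1aPaRyDs4GOpB.exe" /f & erase "'
              + T + r'\EqJmAo4h\nmf1aPaRyDs4GOpB.exe" & exit'),
]

CMD_CHAIN_RE = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?cmd\.exe"?\s+/[ck]\s+(.*)$', re.I)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\")

def base(path):
    """Lower-cased file name of a Windows path or bare command token."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def tokens(cmdline):
    """Whitespace-split a command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def cmd_chain(cmdline):
    """Segments of a `cmd /c a & b & c` chain; [] if this is not cmd.exe."""
    m = CMD_CHAIN_RE.match(cmdline)
    return [s.strip() for s in m.group(1).split("&") if s.strip()] if m else []

def self_delete_chain(ev):
    """taskkill, timeout or ping followed by del/erase: a dropper removing itself."""
    kills, delayed, deletes = set(), False, []
    for seg in cmd_chain(ev.cmdline):
        toks = tokens(seg)
        low = [t.lower() for t in toks]
        verb = base(toks[0])
        if verb in ("taskkill", "taskkill.exe") and "/im" in low[:-1]:
            kills.add(base(toks[low.index("/im") + 1]))
        elif verb in ("timeout", "timeout.exe", "ping", "ping.exe"):
            delayed = True
        elif verb in ("del", "erase"):
            deletes += [t for t in toks[1:] if not t.startswith("/")]
    if deletes and (delayed or any(base(t) in kills for t in deletes)):
        return {"pid": ev.pid, "rule": "self_delete_chain", "targets": deletes}
    return None

def same_image_respawn(ev, by_pid):
    """Own image relaunched with identical arguments: the carrier step seen before SetThreadContext hollowing."""
    parent = by_pid.get(ev.ppid)
    if parent and parent.image.lower() == ev.image.lower() and tokens(parent.cmdline) == tokens(ev.cmdline):
        return {"pid": ev.pid, "rule": "same_image_respawn", "parent": parent.pid}
    return None

def silent_msi_from_user_dir(ev):
    """msiexec /i <package> /qn with the package under a user-writable tree."""
    toks = tokens(ev.cmdline)
    low = [t.lower() for t in toks]
    if not toks or base(toks[0]) != "msiexec.exe" or "/i" not in low[:-1]:
        return None
    pkg = toks[low.index("/i") + 1]
    if any(q in low for q in ("/qn", "/quiet")) and any(d in pkg.lower() for d in USER_WRITABLE):
        return {"pid": ev.pid, "rule": "silent_msi_from_user_dir", "package": pkg}
    return None

def triage(events):
    """Run every rule over every event; returns the list of findings."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for hit in (self_delete_chain(ev), same_image_respawn(ev, by_pid), silent_msi_from_user_dir(ev)):
            if hit:
                findings.append(hit)
    return findings
```

Against the constructed events this yields six findings: the three self-delete chains, the two same-image respawns (ZembraBro.exe and nmf1aPaRyDs4GOpB.exe), and the silent MSI install from AppData\Roaming. The same-image rule needs the parent's record, so on a live host feed it wants the process-creation events correlated by PID before it is applied.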
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Program Files (x86)\Dolore\quia\Quibusdam.exe
MD5 9b872933c0915fc132fe0a8246ea9298
SHA1 603f68a5bd95bbfe1faa9bac3760e8a2b5ea4b08
SHA256 da035b6389687dc5389b77c75b0ed3a99ce2e6cb1a0d7a96c29380a77f84d900
SHA512 27db5e85d4d3ae77428a58ce83f66d6f71c4131c473c2e8243423e223b4883621709bb517af5b675255eecbcd237aafc2ce7da712f64c45d91d472767b6dcade
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5 5bbd4ca409d0e3d9e1356f6aa0e72821
SHA1 09fb93b1b1bdbcd87acdc4c21d5e3ca8f9a0e0a0
SHA256 6cd79e569127f8895878251f5d848131dc1c7d22437236ade6dca522ba93af59
SHA512 9fbb7a6d6ce18b76895efde9ab586321375678299ab0c275c6d085fdc81c780daf586d09af5af692585ad48be2d917fb0412d9c6e68c5a1fbe886979ef5c0836
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5 bd4ceda56f9ffd6244ad66f6f33c4b10
SHA1 54d0b14bac6f1e9fb4507b4a363d4263aeba0c5d
SHA256 1cd958aa3dc68a314ae995cb12b5d503647380c55cbfe46eb86578e5e550f650
SHA512 7154bc08984df4508ea0498b012b435d774506c4dfed4bb28f968b13889496589d3b54d229a48ad7225687a83e31f34d027399d52490fabb0afa420622a3d5da
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5 2ae8533ac6bf615c97548f30008b1fd3
SHA1 c53e618829b2c0ec35842b6e87a44dec94e923e2
SHA256 079cab1ed8c11e2236fc2ef294d0ff046fa33b1a37fa1ea9d13703805c4318d2
SHA512 8bdc4892b8365e8dd9939164e1c3358037e54da1f7645a18676a8ff6d3606b09adf76a23241dd361616acae65503d8af98449d39299ecfc34640b924efca01f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 171b5f4f4c104ea26c52198c5d3a38d1
SHA1 11bc8472943b23266cc42de988133bb02b5230ae
SHA256 8e9d25c57b940fd6ed781d59441f7c00eb6dde1c6cbcbbe0d8e71f9d8b7e536f
SHA512 65c6f78b82ed4e7d4626f3dd0a20c44b4e80cbaf81672d97eb639b7f69e5a34c6da5ac18959217a197e3f14e3d8f78a12fd7d9d95dd400ccbfcc15387a089bbb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 c447d9a2470fcb264601a68e7249b332
SHA1 779acbc363e7ceddd8e979c777fa1913edb3c076
SHA256 62860b57ded6ed7f2f37cf923aa17cd90f630a1f9f2a4a64c603b128549c1f77
SHA512 03be1e66eb20940c27abff772c3c39ea9d194a88b342df46ea065e701241c72b341d3ed7eb93c7804620b0e4ee9438fb033c17e5f1425e98346e030c1c54b4a7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 24d5d543f55a837739cd40a5795c2716
SHA1 62c92672540b97647dbb6d975d1b39506f046d83
SHA256 508650eeefc2198f33e331fd5f0978bf13fd0efe23abb9b24158452573e18eba
SHA512 75d341dd13194d99b9b69471a6b92ff05fcc061bc7cd4e5f781e47aaa26595e2a656f0e5a8b9766c4f337dda7b2d7e3fd909262c68c2cf1f132ec81800c7ebc7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5 db8106de6892e8dfe428f9db13b4f3b0
SHA1 6aca3dbc01865fa58efb38d2cf4e57c4f0517cb4
SHA256 43b77c133d225d1fd7022d9eb42c00ea35c3aa7a21f44c8bee3ea5395aeaf5aa
SHA512 24a180b361e108d1a4b4f7012a7a71fbbcf50b24cb67837127956c4da5fdc67e944b6dfc7377983bcfadf14d4599518e6a59cf8724bc217e07a80f72b4f10403
-
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6073fee5118372253d99d22b\1.0.0\tracking.ini
MD5 9f4ea2a5a82053389dac5e89c07e12da
SHA1 e58c31c47699050eece2df9042276af02fa3f791
SHA256 e31994cea2b94ccd4f94f3449428c5ad2d8c4a3848addfe2479da004b67639c2
SHA512 657d95936c825e6b8be0cd075d27746f9a3e320662b883a56a6a5deb59925c16b8e3486c9528e5020cfc601f284b22d6c7ee73d32b692e478ba98e687d2591a6
-
C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe
MD5 9d06a0509951399f7ccc94a8952f041d
SHA1 933f524ca176564706f8062bfbc631e321a4bbe4
SHA256 8e1501f1418f652681acdecf629ac0c27a1fb87ddb939a5fa5dba53a7635b7f6
SHA512 64d919b896c9e79012a778709bf5563f1cb0a6ecfbbaa11030b8cc68ac46404e5c2cd4cbeec5c6170f49fcd5acb60d5d323700b4376a5c0357e4a826c79d2787
-
C:\Users\Admin\AppData\Local\Temp\MSI49BA.tmp
MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
C:\Users\Admin\AppData\Local\Temp\MSI5050.tmp
MD5 43d68e8389e7df33189d1c1a05a19ac8
SHA1 caf9cc610985e5cfdbae0c057233a6194ecbfed4
SHA256 85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae
SHA512 58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e
-
C:\Users\Admin\AppData\Local\Temp\NloCjN7K\FTxEfaSIb.exe
MD5 c313ddb7df24003d25bf62c5a218b215
SHA1 20a3404b7e17b530885fa0be130e784f827986ee
SHA256 e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1
SHA512 542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff
-
C:\Users\Admin\AppData\Local\Temp\Zembra.exe
MD5 0dcce39047700778b4e36188b6eea28e
SHA1 1b323820dfd9da3d1da039c79a8514e69fb31698
SHA256 f477238d3021193a2ba26c4be732dfe949976f7d02a55662dcc21a46f6d87845
SHA512 e971094ee925baf465f0e29a481c11fb176aed9e6605e8b25f0003f033ac1d124490e94a7e343ab1fd1a0601aec446d47592c22608297a2d5e7df8a1a13b788c
-
C:\Users\Admin\AppData\Local\Temp\is-F2GT3.tmp\Software-update-patc_612604768.tmp
MD5 4caf2ca22417bb2cd44c0d0daf5fdd8b
SHA1 bdb2b86d9c033785c9b1db5618986030b2852ffd
SHA256 a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4
SHA512 ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da
-
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi
MD5 98e537669f4ce0062f230a14bcfcaf35
SHA1 a19344f6a5e59c71f51e86119f5fa52030a92810
SHA256 6f515aac05311f411968ee6e48d287a1eb452e404ffeff75ee0530dcf3243735
SHA512 1ebc254289610be65882a6ceb1beebbf2be83006117f0a6ccbddd19ab7dc807978232a13ad5fa39b6f06f694d4f7c75760b773d70b87c0badef1da89bb7af3ac
-
C:\Windows\Installer\MSI5F42.tmp
MD5 7468eca4e3b4dbea0711a81ae9e6e3f2
SHA1 4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d
SHA256 73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837
SHA512 3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56
-
C:\Windows\Installer\MSI62DB.tmp
MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
C:\Windows\Installer\MSI6378.tmp
MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
C:\Windows\Installer\MSI6492.tmp
MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
C:\Windows\Installer\MSI656D.tmp
MD5 7468eca4e3b4dbea0711a81ae9e6e3f2
SHA1 4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d
SHA256 73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837
SHA512 3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56
-
C:\Windows\Installer\MSI66A6.tmp
MD5 43d68e8389e7df33189d1c1a05a19ac8
SHA1 caf9cc610985e5cfdbae0c057233a6194ecbfed4
SHA256 85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae
SHA512 58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e
-
C:\Windows\Installer\MSI682D.tmp
MD5 7468eca4e3b4dbea0711a81ae9e6e3f2
SHA1 4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d
SHA256 73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837
SHA512 3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56
-
C:\Windows\Installer\MSI6909.tmp
MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
C:\Windows\Installer\MSI6A23.tmp
MD5 5f1b243813a203c66ba735139d8ce0c7
SHA1 c60a57668d348a61e4e2f12115afb9f9024162ba
SHA256 52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2
SHA512 083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5
-
C:\Windows\Installer\MSI6B3C.tmp
MD5 7468eca4e3b4dbea0711a81ae9e6e3f2
SHA1 4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d
SHA256 73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837
SHA512 3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56
-
C:\Windows\Installer\MSI7388.tmp
MD5 9824aa0d785bef52b2f5ca21b7eacf8e
SHA1 54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764
SHA256 e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a
SHA512 67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a
-
C:\Windows\Installer\MSI74E1.tmp
MD5 9824aa0d785bef52b2f5ca21b7eacf8e
SHA1 54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764
SHA256 e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a
SHA512 67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a
-
C:\Windows\Installer\MSI780D.tmp
MD5 9824aa0d785bef52b2f5ca21b7eacf8e
SHA1 54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764
SHA256 e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a
SHA512 67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a
-
C:\Windows\Installer\MSI788B.tmp
MD5 9824aa0d785bef52b2f5ca21b7eacf8e
SHA1 54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764
SHA256 e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a
SHA512 67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a
-
C:\Windows\Installer\MSI7928.tmp
MD5 9824aa0d785bef52b2f5ca21b7eacf8e
SHA1 54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764
SHA256 e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a
SHA512 67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a
-
\Program Files (x86)\Dolore\quia\Quibusdam.exe
MD5 9b872933c0915fc132fe0a8246ea9298
SHA1 603f68a5bd95bbfe1faa9bac3760e8a2b5ea4b08
SHA256 da035b6389687dc5389b77c75b0ed3a99ce2e6cb1a0d7a96c29380a77f84d900
SHA512 27db5e85d4d3ae77428a58ce83f66d6f71c4131c473c2e8243423e223b4883621709bb517af5b675255eecbcd237aafc2ce7da712f64c45d91d472767b6dcade
-
\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe
MD5 9d06a0509951399f7ccc94a8952f041d
SHA1 933f524ca176564706f8062bfbc631e321a4bbe4
SHA256 8e1501f1418f652681acdecf629ac0c27a1fb87ddb939a5fa5dba53a7635b7f6
SHA512 64d919b896c9e79012a778709bf5563f1cb0a6ecfbbaa11030b8cc68ac46404e5c2cd4cbeec5c6170f49fcd5acb60d5d323700b4376a5c0357e4a826c79d2787
-
\Users\Admin\AppData\Local\Temp\INA490E.tmp
MD5 7468eca4e3b4dbea0711a81ae9e6e3f2
SHA1 4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d
SHA256 73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837
SHA512 3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56
-
\Users\Admin\AppData\Local\Temp\MSI49BA.tmp
MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
\Users\Admin\AppData\Local\Temp\MSI5050.tmp
MD5 43d68e8389e7df33189d1c1a05a19ac8
SHA1 caf9cc610985e5cfdbae0c057233a6194ecbfed4
SHA256 85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae
SHA512 58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e
-
\Users\Admin\AppData\Local\Temp\NloCjN7K\FTxEfaSIb.exe
MD5 c313ddb7df24003d25bf62c5a218b215
SHA1 20a3404b7e17b530885fa0be130e784f827986ee
SHA256 e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1
SHA512 542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff
-
\Users\Admin\AppData\Local\Temp\Zembra.exe
MD5 0dcce39047700778b4e36188b6eea28e
SHA1 1b323820dfd9da3d1da039c79a8514e69fb31698
SHA256 f477238d3021193a2ba26c4be732dfe949976f7d02a55662dcc21a46f6d87845
SHA512 e971094ee925baf465f0e29a481c11fb176aed9e6605e8b25f0003f033ac1d124490e94a7e343ab1fd1a0601aec446d47592c22608297a2d5e7df8a1a13b788c
-
\Users\Admin\AppData\Local\Temp\is-66Q7B.tmp\_isetup\_iscrypt.dll
MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
\Users\Admin\AppData\Local\Temp\is-66Q7B.tmp\_isetup\_shfoldr.dll
MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\is-F2GT3.tmp\Software-update-patc_612604768.tmp
MD5 4caf2ca22417bb2cd44c0d0daf5fdd8b
SHA1 bdb2b86d9c033785c9b1db5618986030b2852ffd
SHA256 a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4
SHA512 ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da
-
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5 2ca6d4ed5dd15fb7934c87e857f5ebfc
SHA1 383a55cc0ab890f41b71ca67e070ac7c903adeb6
SHA256 39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc
SHA512 ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4
-
\Windows\Installer\MSI5F42.tmp
MD5 7468eca4e3b4dbea0711a81ae9e6e3f2
SHA1 4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d
SHA256 73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837
SHA512 3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56
-
\Windows\Installer\MSI62DB.tmp
MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
\Windows\Installer\MSI6378.tmp
MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
\Windows\Installer\MSI6492.tmp
MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
\Windows\Installer\MSI656D.tmp
MD5 7468eca4e3b4dbea0711a81ae9e6e3f2
SHA1 4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d
SHA256 73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837
SHA512 3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56
-
\Windows\Installer\MSI66A6.tmp
MD5 43d68e8389e7df33189d1c1a05a19ac8
SHA1 caf9cc610985e5cfdbae0c057233a6194ecbfed4
SHA256 85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae
SHA512 58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e
-
\Windows\Installer\MSI682D.tmp
MD5 7468eca4e3b4dbea0711a81ae9e6e3f2
SHA1 4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d
SHA256 73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837
SHA512 3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56
-
\Windows\Installer\MSI6909.tmp
MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
\Windows\Installer\MSI6A23.tmp
MD5 5f1b243813a203c66ba735139d8ce0c7
SHA1 c60a57668d348a61e4e2f12115afb9f9024162ba
SHA256 52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2
SHA512 083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5
-
\Windows\Installer\MSI6B3C.tmp
MD5 7468eca4e3b4dbea0711a81ae9e6e3f2
SHA1 4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d
SHA256 73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837
SHA512 3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56
-
\Windows\Installer\MSI7388.tmp
MD5 9824aa0d785bef52b2f5ca21b7eacf8e
SHA1 54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764
SHA256 e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a
SHA512 67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a
-
\Windows\Installer\MSI74E1.tmp
MD5 9824aa0d785bef52b2f5ca21b7eacf8e
SHA1 54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764
SHA256 e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a
SHA512 67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a
-
\Windows\Installer\MSI780D.tmp
MD5 9824aa0d785bef52b2f5ca21b7eacf8e
SHA1 54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764
SHA256 e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a
SHA512 67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a
-
\Windows\Installer\MSI788B.tmp
MD5 9824aa0d785bef52b2f5ca21b7eacf8e
SHA1 54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764
SHA256 e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a
SHA512 67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a
-
\Windows\Installer\MSI7928.tmp
MD5 9824aa0d785bef52b2f5ca21b7eacf8e
SHA1 54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764
SHA256 e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a
SHA512 67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a
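The listing above records each dropped file with four digests and lists the same binary under several temporary names (the MSI custom-action DLLs in C:\Windows\Installer, for instance), which hides how few distinct files were actually dropped. The following Python is an added example, not part of the report: it parses a constructed excerpt in this listing's layout, tolerating both a label fused to its value ("SHA1badb...", as text copied out of the report viewer often arrives) and a label separated by a space, validates each digest by its length, and groups the entries by SHA256 so each distinct binary appears once with every path it was dropped under.

```python
"""Parse a sandbox dropped-file listing into one record per distinct binary.

Added example, not part of the report: SAMPLE is a constructed excerpt in the
listing's layout. Entries may arrive with the hash label fused to its value
("SHA1badb...") and "MD5" fused onto the path, or as "LABEL value"; both forms
are accepted and every digest is checked against the length its label implies."""
import re

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABEL_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]*)$")

# Constructed excerpt: one MSI temp file under two names, plus one other file.
SAMPLE = r"""
-
C:\Users\Admin\AppData\Local\Temp\MSI49BA.tmpMD5
0981d5c068a9c33f4e8110f81ffbb92e
SHA1badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA51259cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
C:\Windows\Installer\MSI62DB.tmp
MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
C:\Users\Admin\AppData\Local\Temp\Zembra.exeMD5
0dcce39047700778b4e36188b6eea28e
SHA11b323820dfd9da3d1da039c79a8514e69fb31698
SHA256f477238d3021193a2ba26c4be732dfe949976f7d02a55662dcc21a46f6d87845
SHA512e971094ee925baf465f0e29a481c11fb176aed9e6605e8b25f0003f033ac1d124490e94a7e343ab1fd1a0601aec446d47592c22608297a2d5e7df8a1a13b788c
"""


def check(label, value):
    """Reject a digest whose length is wrong for its label (catches a mis-split line)."""
    if len(value) != HEX_LEN[label]:
        raise ValueError(f"{label}: got {len(value)} hex chars, expected {HEX_LEN[label]}")
    return value.lower()


def parse_listing(text):
    """Return [(path, {"MD5": ..., "SHA1": ..., "SHA256": ..., "SHA512": ...}), ...]."""
    records, path, hashes, md5_next = [], None, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if md5_next:  # bare value line that follows a "...pathMD5" line
            hashes["MD5"], md5_next = check("MD5", line), False
        elif (m := LABEL_RE.match(line)) and path is not None:
            hashes[m.group(1)] = check(m.group(1), m.group(2))
        else:  # a new path; the fused layout hangs "MD5" off its end
            path, hashes = line, {}
            if path.endswith("MD5"):
                path, md5_next = path[:-3], True
            continue
        if len(hashes) == 4:
            records.append((path, hashes))
            path, hashes = None, {}
    return records


def unique_binaries(records):
    """Group records by SHA256: one entry per distinct binary, with every path it was dropped under."""
    out = {}
    for path, hashes in records:
        entry = out.setdefault(hashes["SHA256"], {"hashes": hashes, "paths": []})
        if path not in entry["paths"]:
            entry["paths"].append(path)
    return out
```

Run over the full listing, this collapses the fifteen C:\Windows\Installer\MSI*.tmp entries to the handful of distinct DLLs behind them, which is the set worth hashing against a host or submitting for further analysis.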
-
memory/360-55-0x0000000076AA1000-0x0000000076AA3000-memory.dmp (Filesize 8KB)
-
memory/360-58-0x0000000000400000-0x000000000047C000-memory.dmp (Filesize 496KB)
-
memory/812-72-0x0000000000400000-0x0000000001860000-memory.dmp (Filesize 20.4MB)
-
memory/812-77-0x0000000004220000-0x0000000004222000-memory.dmp (Filesize 8KB)
-
memory/812-70-0x0000000000000000-mapping.dmp
-
memory/812-74-0x0000000000400000-0x0000000001860000-memory.dmp (Filesize 20.4MB)
-
memory/812-75-0x00000000003D0000-0x00000000003D1000-memory.dmp (Filesize 4KB)
-
memory/1136-145-0x0000000004510000-0x0000000004511000-memory.dmp (Filesize 4KB)
-
memory/1136-179-0x00000000044A0000-0x00000000044A1000-memory.dmp (Filesize 4KB)
-
memory/1136-182-0x0000000004520000-0x0000000004521000-memory.dmp (Filesize 4KB)
-
memory/1136-180-0x0000000004460000-0x0000000004461000-memory.dmp (Filesize 4KB)
-
memory/1136-181-0x00000000044D0000-0x00000000044D1000-memory.dmp (Filesize 4KB)
-
memory/1136-178-0x00000000044B0000-0x00000000044B1000-memory.dmp (Filesize 4KB)
-
memory/1136-147-0x0000000004500000-0x0000000004501000-memory.dmp (Filesize 4KB)
-
memory/1136-146-0x0000000004470000-0x0000000004471000-memory.dmp (Filesize 4KB)
-
memory/1136-149-0x0000000004590000-0x0000000004591000-memory.dmp (Filesize 4KB)
-
memory/1136-148-0x00000000044E0000-0x00000000044E1000-memory.dmp (Filesize 4KB)
-
memory/1136-150-0x00000000045B0000-0x00000000045B1000-memory.dmp (Filesize 4KB)
-
memory/1136-151-0x00000000044C0000-0x00000000044C2000-memory.dmp (Filesize 8KB)
-
memory/1136-152-0x0000000004580000-0x0000000004581000-memory.dmp (Filesize 4KB)
-
memory/1136-153-0x0000000004570000-0x0000000004571000-memory.dmp (Filesize 4KB)
-
memory/1136-154-0x00000000045C0000-0x00000000045C1000-memory.dmp (Filesize 4KB)
-
memory/1136-156-0x00000000044F0000-0x00000000044F1000-memory.dmp (Filesize 4KB)
-
memory/1136-155-0x0000000004560000-0x0000000004562000-memory.dmp (Filesize 8KB)
-
memory/1136-157-0x0000000004550000-0x0000000004551000-memory.dmp (Filesize 4KB)
-
memory/1136-158-0x0000000000400000-0x00000000009A4000-memory.dmp (Filesize 5.6MB)
-
memory/1136-177-0x0000000004540000-0x0000000004541000-memory.dmp (Filesize 4KB)
-
memory/1136-176-0x0000000004530000-0x0000000004531000-memory.dmp (Filesize 4KB)
-
memory/1136-169-0x0000000004490000-0x0000000004491000-memory.dmp (Filesize 4KB)
-
memory/1136-167-0x0000000004450000-0x0000000004451000-memory.dmp (Filesize 4KB)
-
memory/1136-168-0x0000000004480000-0x0000000004481000-memory.dmp (Filesize 4KB)
-
memory/1136-103-0x0000000000000000-mapping.dmp
-
memory/1208-115-0x0000000000000000-mapping.dmp
-
memory/1388-84-0x0000000000000000-mapping.dmp
-
memory/1388-89-0x0000000000370000-0x0000000000371000-memory.dmp (Filesize 4KB)
-
memory/1676-107-0x0000000000000000-mapping.dmp
-
memory/1684-60-0x0000000000000000-mapping.dmp
-
memory/1684-63-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize 4KB)
-
memory/1684-67-0x0000000075021000-0x0000000075023000-memory.dmp (Filesize 8KB)
-
memory/1692-96-0x0000000000000000-mapping.dmp
-
memory/1796-94-0x000007FEFC3F1000-0x000007FEFC3F3000-memory.dmp (Filesize 8KB)
-
memory/1948-79-0x0000000000000000-mapping.dmp
-
memory/2076-120-0x0000000000000000-mapping.dmp
-
memory/2120-188-0x0000000000000000-mapping.dmp
-
memory/2248-194-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize 136KB)
-
memory/2248-200-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize 136KB)
-
memory/2248-196-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize 136KB)
-
memory/2248-195-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize 136KB)
-
memory/2248-206-0x0000000000D10000-0x0000000000D11000-memory.dmp (Filesize 4KB)
-
memory/2248-197-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize 136KB)
-
memory/2248-198-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/2248-199-0x000000000041B23E-mapping.dmp
-
memory/2316-143-0x0000000000000000-mapping.dmp
-
memory/2332-202-0x0000000000000000-mapping.dmp
-
memory/2352-203-0x0000000000000000-mapping.dmp
-
memory/2384-204-0x0000000000000000-mapping.dmp
-
memory/2520-205-0x0000000000000000-mapping.dmp
-
memory/2788-170-0x0000000000000000-mapping.dmp
-
memory/2808-171-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2808-175-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2808-173-0x0000000000414F3A-mapping.dmp
-
memory/2808-172-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2952-183-0x0000000000000000-mapping.dmp
-
memory/2980-184-0x0000000000000000-mapping.dmp
-
memory/3032-185-0x0000000000000000-mapping.dmp
-
memory/3052-193-0x00000000009F0000-0x0000000000A2E000-memory.dmpFilesize
248KB
-
memory/3052-192-0x0000000000350000-0x0000000000357000-memory.dmpFilesize
28KB
-
memory/3052-191-0x0000000000A30000-0x0000000000A31000-memory.dmpFilesize
4KB
-
memory/3052-189-0x0000000000D50000-0x0000000000D51000-memory.dmpFilesize
4KB
-
memory/3052-186-0x0000000000000000-mapping.dmp
-
memory/3068-187-0x0000000000000000-mapping.dmp