vidar | 3bfbe7f602fdffa1b70a657767d1fa7cfe4f6111da191b94d1abe8f5d8f1ea3b

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-en-20211014
submitted
21-10-2021 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software-update-patc_612604768.exe
Size

4.7MB
MD5

567ab95af9696f0d0cea101efbd344f9
SHA1

78544ed738d9929e68b735448276c93166b61c37
SHA256

3bfbe7f602fdffa1b70a657767d1fa7cfe4f6111da191b94d1abe8f5d8f1ea3b
SHA512

36d16b04d74d41ef11b8dcef4c5e705d6660a0bb34c72abbd59fad36f37bde069b80af270dbd208b0956f1b8bd4abcb87cdb05a32265a6d4aeae2266dc7709bf

Score

10^/10

vidar 223 discovery evasion spyware stealer suricata trojan

Malware Config

Extracted

Family

vidar

Version

41.5

Botnet

223

https://mas.to/@xeroxxx

Attributes

profile_id
223

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2416-179-0x0000000000400000-0x00000000009A4000-memory.dmp	family_vidar

Blocklisted process makes network request 64 IoCs

Processes:

MsiExec.exe

flow	pid	process
39	676	MsiExec.exe
42	676	MsiExec.exe
44	676	MsiExec.exe
46	676	MsiExec.exe
48	676	MsiExec.exe
50	676	MsiExec.exe
52	676	MsiExec.exe
54	676	MsiExec.exe
57	676	MsiExec.exe
64	676	MsiExec.exe
66	676	MsiExec.exe
67	676	MsiExec.exe
68	676	MsiExec.exe
69	676	MsiExec.exe
70	676	MsiExec.exe
71	676	MsiExec.exe
72	676	MsiExec.exe
73	676	MsiExec.exe
74	676	MsiExec.exe
75	676	MsiExec.exe
76	676	MsiExec.exe
77	676	MsiExec.exe
78	676	MsiExec.exe
79	676	MsiExec.exe
80	676	MsiExec.exe
81	676	MsiExec.exe
82	676	MsiExec.exe
83	676	MsiExec.exe
84	676	MsiExec.exe
85	676	MsiExec.exe
86	676	MsiExec.exe
87	676	MsiExec.exe
88	676	MsiExec.exe
89	676	MsiExec.exe
90	676	MsiExec.exe
99	676	MsiExec.exe
104	676	MsiExec.exe
108	676	MsiExec.exe
109	676	MsiExec.exe
110	676	MsiExec.exe
111	676	MsiExec.exe
112	676	MsiExec.exe
113	676	MsiExec.exe
114	676	MsiExec.exe
115	676	MsiExec.exe
116	676	MsiExec.exe
117	676	MsiExec.exe
118	676	MsiExec.exe
119	676	MsiExec.exe
120	676	MsiExec.exe
121	676	MsiExec.exe
122	676	MsiExec.exe
123	676	MsiExec.exe
124	676	MsiExec.exe
125	676	MsiExec.exe
126	676	MsiExec.exe
127	676	MsiExec.exe
129	676	MsiExec.exe
130	676	MsiExec.exe
134	676	MsiExec.exe
135	676	MsiExec.exe
138	676	MsiExec.exe
139	676	MsiExec.exe
140	676	MsiExec.exe

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

Software-update-patc_612604768.tmpQuibusdam.exeE3co0XIMGGujXJx3V.exem49DwWX5UrJrD2vV.exeSLNRCNDZLKc.exeSLNRCNDZLKc.exeZembra.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeZembraBro.exe

pid	process
1084	Software-update-patc_612604768.tmp
1404	Quibusdam.exe
980	E3co0XIMGGujXJx3V.exe
1760	m49DwWX5UrJrD2vV.exe
1184	SLNRCNDZLKc.exe
2008	SLNRCNDZLKc.exe
2416	Zembra.exe
2568	AdvancedWindowsManager.exe
2600	AdvancedWindowsManager.exe
2628	AdvancedWindowsManager.exe
2656	AdvancedWindowsManager.exe
2688	AdvancedWindowsManager.exe
2700	AdvancedWindowsManager.exe
7588	ZembraBro.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Zembra.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Zembra.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Zembra.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Zembra.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Wine Zembra.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Wine	Zembra.exe

Loads dropped DLL 55 IoCs

Processes:

Software-update-patc_612604768.exeSoftware-update-patc_612604768.tmpQuibusdam.exem49DwWX5UrJrD2vV.exeMsiExec.exeMsiExec.exeSLNRCNDZLKc.exeMsiExec.exeE3co0XIMGGujXJx3V.exetaskeng.exeZembra.exe

pid	process
1640	Software-update-patc_612604768.exe
1084	Software-update-patc_612604768.tmp
1084	Software-update-patc_612604768.tmp
1084	Software-update-patc_612604768.tmp
1084	Software-update-patc_612604768.tmp
1404	Quibusdam.exe
1404	Quibusdam.exe
1760	m49DwWX5UrJrD2vV.exe
1760	m49DwWX5UrJrD2vV.exe
1760	m49DwWX5UrJrD2vV.exe
1748	MsiExec.exe
1748	MsiExec.exe
676	MsiExec.exe
676	MsiExec.exe
676	MsiExec.exe
676	MsiExec.exe
676	MsiExec.exe
676	MsiExec.exe
676	MsiExec.exe
676	MsiExec.exe
676	MsiExec.exe
1760	m49DwWX5UrJrD2vV.exe
676	MsiExec.exe
1404	Quibusdam.exe
1404	Quibusdam.exe
1184	SLNRCNDZLKc.exe
676	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
676	MsiExec.exe
980	E3co0XIMGGujXJx3V.exe
980	E3co0XIMGGujXJx3V.exe
2536	taskeng.exe
2536	taskeng.exe
2580
2536	taskeng.exe
2536	taskeng.exe
2536	taskeng.exe
2536	taskeng.exe
2616
2640
2668
5576
2536	taskeng.exe
5596
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
980	E3co0XIMGGujXJx3V.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Zembra.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Zembra.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Zembra.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

m49DwWX5UrJrD2vV.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\K:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\U:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\X:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\O:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\R:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\T:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\V:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\Y:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\P:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\L:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\M:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\W:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\I:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\N:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\Z:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\S:	m49DwWX5UrJrD2vV.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Zembra.exe

pid process

2416 Zembra.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

SLNRCNDZLKc.exe

description pid process target process

PID 1184 set thread context of 2008 1184 SLNRCNDZLKc.exe SLNRCNDZLKc.exe

pid	process
2416	Zembra.exe

description	pid	process	target process
PID 1184 set thread context of 2008	1184	SLNRCNDZLKc.exe	SLNRCNDZLKc.exe

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\047ZyNkh\E3co0XIMGGujXJx3V.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\047ZyNkh\E3co0XIMGGujXJx3V.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\047ZyNkh\E3co0XIMGGujXJx3V.exe	autoit_exe

Drops file in Program Files directory 22 IoCs

Processes:

Software-update-patc_612604768.tmpmsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Dolore\minus\is-JAOVA.tmp	Software-update-patc_612604768.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\Dolore\quia\Quibusdam.exe	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\consectetur\is-B533R.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\minus\is-MH9BV.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\quia\is-KF3M6.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files (x86)\Dolore\is-AEAO2.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\consectetur\is-P3LIE.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\in\is-JNL1U.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\Dolore\is-DJKDM.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\quia\is-6RGNR.tmp	Software-update-patc_612604768.tmp
File opened for modification	C:\Program Files (x86)\Dolore\unins000.dat	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\in\is-068BI.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\quos\is-T2FCD.tmp	Software-update-patc_612604768.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\Dolore\unins000.dat	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\is-G3JO6.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\in\is-UCM0L.tmp	Software-update-patc_612604768.tmp

Drops file in Windows directory 30 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI2B08.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2ED5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77118e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2B66.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2690.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27CB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A1D.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\f771190.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CDE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1DE8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2C52.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI18A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\f771192.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1827.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI173C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B56.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16AF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1981.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C50.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2CC1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13E0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2691.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2BE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f771190.ipi	msiexec.exe
File created	C:\Windows\Installer\f77118e.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Zembra.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Zembra.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Zembra.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

7568 timeout.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2008 taskkill.exe
2384 taskkill.exe
7516 taskkill.exe

pid	process
7568	timeout.exe

pid	process
2008	taskkill.exe
2384	taskkill.exe
7516	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7"	msiexec.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

m49DwWX5UrJrD2vV.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	m49DwWX5UrJrD2vV.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	m49DwWX5UrJrD2vV.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	m49DwWX5UrJrD2vV.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	m49DwWX5UrJrD2vV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	m49DwWX5UrJrD2vV.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	m49DwWX5UrJrD2vV.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	m49DwWX5UrJrD2vV.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

Software-update-patc_612604768.tmpQuibusdam.exeMsiExec.exeMsiExec.exemsiexec.exeZembra.exe

pid	process
1084	Software-update-patc_612604768.tmp
1084	Software-update-patc_612604768.tmp
1404	Quibusdam.exe
1404	Quibusdam.exe
1404	Quibusdam.exe
1748	MsiExec.exe
676	MsiExec.exe
676	MsiExec.exe
1460	msiexec.exe
1460	msiexec.exe
1404	Quibusdam.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe
2416	Zembra.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exem49DwWX5UrJrD2vV.exe

description	pid	process
Token: SeRestorePrivilege	1460	msiexec.exe
Token: SeTakeOwnershipPrivilege	1460	msiexec.exe
Token: SeSecurityPrivilege	1460	msiexec.exe
Token: SeCreateTokenPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeAssignPrimaryTokenPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeLockMemoryPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeIncreaseQuotaPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeMachineAccountPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeTcbPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeSecurityPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeTakeOwnershipPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeLoadDriverPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeSystemProfilePrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeSystemtimePrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeProfSingleProcessPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeIncBasePriorityPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeCreatePagefilePrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeCreatePermanentPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeBackupPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeRestorePrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeShutdownPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeDebugPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeAuditPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeSystemEnvironmentPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeChangeNotifyPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeRemoteShutdownPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeUndockPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeSyncAgentPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeEnableDelegationPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeManageVolumePrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeImpersonatePrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeCreateGlobalPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeCreateTokenPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeAssignPrimaryTokenPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeLockMemoryPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeIncreaseQuotaPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeMachineAccountPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeTcbPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeSecurityPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeTakeOwnershipPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeLoadDriverPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeSystemProfilePrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeSystemtimePrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeProfSingleProcessPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeIncBasePriorityPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeCreatePagefilePrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeCreatePermanentPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeBackupPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeRestorePrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeShutdownPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeDebugPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeAuditPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeSystemEnvironmentPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeChangeNotifyPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeRemoteShutdownPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeUndockPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeSyncAgentPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeEnableDelegationPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeManageVolumePrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeImpersonatePrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeCreateGlobalPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeCreateTokenPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeAssignPrimaryTokenPrivilege	1760	m49DwWX5UrJrD2vV.exe
Token: SeLockMemoryPrivilege	1760	m49DwWX5UrJrD2vV.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Software-update-patc_612604768.tmpm49DwWX5UrJrD2vV.exe

pid process

1084 Software-update-patc_612604768.tmp
1760 m49DwWX5UrJrD2vV.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Software-update-patc_612604768.exeSoftware-update-patc_612604768.tmpQuibusdam.exemsiexec.exem49DwWX5UrJrD2vV.exeMsiExec.exeSLNRCNDZLKc.exe

description	pid	process	target process
PID 1640 wrote to memory of 1084	1640	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 1640 wrote to memory of 1084	1640	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 1640 wrote to memory of 1084	1640	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 1640 wrote to memory of 1084	1640	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 1640 wrote to memory of 1084	1640	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 1640 wrote to memory of 1084	1640	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 1640 wrote to memory of 1084	1640	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 1084 wrote to memory of 1404	1084	Software-update-patc_612604768.tmp	Quibusdam.exe
PID 1084 wrote to memory of 1404	1084	Software-update-patc_612604768.tmp	Quibusdam.exe
PID 1084 wrote to memory of 1404	1084	Software-update-patc_612604768.tmp	Quibusdam.exe
PID 1084 wrote to memory of 1404	1084	Software-update-patc_612604768.tmp	Quibusdam.exe
PID 1404 wrote to memory of 980	1404	Quibusdam.exe	E3co0XIMGGujXJx3V.exe
PID 1404 wrote to memory of 980	1404	Quibusdam.exe	E3co0XIMGGujXJx3V.exe
PID 1404 wrote to memory of 980	1404	Quibusdam.exe	E3co0XIMGGujXJx3V.exe
PID 1404 wrote to memory of 980	1404	Quibusdam.exe	E3co0XIMGGujXJx3V.exe
PID 1404 wrote to memory of 1760	1404	Quibusdam.exe	m49DwWX5UrJrD2vV.exe
PID 1404 wrote to memory of 1760	1404	Quibusdam.exe	m49DwWX5UrJrD2vV.exe
PID 1404 wrote to memory of 1760	1404	Quibusdam.exe	m49DwWX5UrJrD2vV.exe
PID 1404 wrote to memory of 1760	1404	Quibusdam.exe	m49DwWX5UrJrD2vV.exe
PID 1404 wrote to memory of 1760	1404	Quibusdam.exe	m49DwWX5UrJrD2vV.exe
PID 1404 wrote to memory of 1760	1404	Quibusdam.exe	m49DwWX5UrJrD2vV.exe
PID 1404 wrote to memory of 1760	1404	Quibusdam.exe	m49DwWX5UrJrD2vV.exe
PID 1460 wrote to memory of 1748	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 1748	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 1748	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 1748	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 1748	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 1748	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 1748	1460	msiexec.exe	MsiExec.exe
PID 1760 wrote to memory of 1712	1760	m49DwWX5UrJrD2vV.exe	msiexec.exe
PID 1760 wrote to memory of 1712	1760	m49DwWX5UrJrD2vV.exe	msiexec.exe
PID 1760 wrote to memory of 1712	1760	m49DwWX5UrJrD2vV.exe	msiexec.exe
PID 1760 wrote to memory of 1712	1760	m49DwWX5UrJrD2vV.exe	msiexec.exe
PID 1760 wrote to memory of 1712	1760	m49DwWX5UrJrD2vV.exe	msiexec.exe
PID 1760 wrote to memory of 1712	1760	m49DwWX5UrJrD2vV.exe	msiexec.exe
PID 1760 wrote to memory of 1712	1760	m49DwWX5UrJrD2vV.exe	msiexec.exe
PID 1460 wrote to memory of 676	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 676	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 676	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 676	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 676	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 676	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 676	1460	msiexec.exe	MsiExec.exe
PID 676 wrote to memory of 2008	676	MsiExec.exe	taskkill.exe
PID 676 wrote to memory of 2008	676	MsiExec.exe	taskkill.exe
PID 676 wrote to memory of 2008	676	MsiExec.exe	taskkill.exe
PID 676 wrote to memory of 2008	676	MsiExec.exe	taskkill.exe
PID 1404 wrote to memory of 1184	1404	Quibusdam.exe	SLNRCNDZLKc.exe
PID 1404 wrote to memory of 1184	1404	Quibusdam.exe	SLNRCNDZLKc.exe
PID 1404 wrote to memory of 1184	1404	Quibusdam.exe	SLNRCNDZLKc.exe
PID 1404 wrote to memory of 1184	1404	Quibusdam.exe	SLNRCNDZLKc.exe
PID 1184 wrote to memory of 2008	1184	SLNRCNDZLKc.exe	SLNRCNDZLKc.exe
PID 1184 wrote to memory of 2008	1184	SLNRCNDZLKc.exe	SLNRCNDZLKc.exe
PID 1184 wrote to memory of 2008	1184	SLNRCNDZLKc.exe	SLNRCNDZLKc.exe
PID 1184 wrote to memory of 2008	1184	SLNRCNDZLKc.exe	SLNRCNDZLKc.exe
PID 1184 wrote to memory of 2008	1184	SLNRCNDZLKc.exe	SLNRCNDZLKc.exe
PID 1184 wrote to memory of 2008	1184	SLNRCNDZLKc.exe	SLNRCNDZLKc.exe
PID 1460 wrote to memory of 1472	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 1472	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 1472	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 1472	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 1472	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 1472	1460	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 1472	1460	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\Software-update-patc_612604768.exe
"C:\Users\Admin\AppData\Local\Temp\Software-update-patc_612604768.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\is-NEQ2F.tmp\Software-update-patc_612604768.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NEQ2F.tmp\Software-update-patc_612604768.tmp" /SL5="$40156,4477466,466944,C:\Users\Admin\AppData\Local\Temp\Software-update-patc_612604768.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1084

C:\Program Files (x86)\Dolore\quia\Quibusdam.exe
"C:\Program Files (x86)\Dolore/\quia\Quibusdam.exe" 2fe3d428284ff9b385bc1c941892777b
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\047ZyNkh\E3co0XIMGGujXJx3V.exe
C:\Users\Admin\AppData\Local\Temp\047ZyNkh\E3co0XIMGGujXJx3V.exe /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:980

C:\Users\Admin\AppData\Local\Temp\Zembra.exe
C:\Users\Admin\AppData\Local\Temp\Zembra.exe
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Zembra.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Zembra.exe" & del C:\ProgramData\*.dll & exit
6⤵
PID:7488

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Zembra.exe /f
7⤵
- Kills process with taskkill
PID:7516

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:7568

C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
5⤵
- Executes dropped EXE
PID:7588

C:\Users\Admin\AppData\Local\Temp\mlRgNuUE\m49DwWX5UrJrD2vV.exe
C:\Users\Admin\AppData\Local\Temp\mlRgNuUE\m49DwWX5UrJrD2vV.exe /qn CAMPAIGN="642"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=642 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\mlRgNuUE\m49DwWX5UrJrD2vV.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\mlRgNuUE\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634568022 /qn CAMPAIGN=""642"" " CAMPAIGN="642"
5⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\E4xeDt0y\SLNRCNDZLKc.exe
C:\Users\Admin\AppData\Local\Temp\E4xeDt0y\SLNRCNDZLKc.exe /usthree SUB=2fe3d428284ff9b385bc1c941892777b
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\E4xeDt0y\SLNRCNDZLKc.exe
C:\Users\Admin\AppData\Local\Temp\E4xeDt0y\SLNRCNDZLKc.exe /usthree SUB=2fe3d428284ff9b385bc1c941892777b
5⤵
- Executes dropped EXE
PID:2008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "SLNRCNDZLKc.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\E4xeDt0y\SLNRCNDZLKc.exe" & exit
6⤵
PID:2352

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "SLNRCNDZLKc.exe" /f
7⤵
- Kills process with taskkill
PID:2384

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 15D031C79133DEDCD9277147592476E4 C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A3DBDB6EA7BA86CE81DDBB1203C0A804
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:2008

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 57B6A8FCCF85C079F11BD0CE031C4632 M Global\MSI0000
2⤵
- Loads dropped DLL
PID:1472

C:\Windows\system32\taskeng.exe
taskeng.exe {7219D7D2-F68D-4774-BA74-39E728D69311} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2536

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
2⤵
- Executes dropped EXE
PID:2568

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
2⤵
- Executes dropped EXE
PID:2600

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
2⤵
- Executes dropped EXE
PID:2628

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
2⤵
- Executes dropped EXE
PID:2656

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
2⤵
- Executes dropped EXE
PID:2688

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
2⤵
- Executes dropped EXE
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Dolore\quia\Quibusdam.exe
MD5
9b872933c0915fc132fe0a8246ea9298

SHA1
603f68a5bd95bbfe1faa9bac3760e8a2b5ea4b08

SHA256
da035b6389687dc5389b77c75b0ed3a99ce2e6cb1a0d7a96c29380a77f84d900

SHA512
27db5e85d4d3ae77428a58ce83f66d6f71c4131c473c2e8243423e223b4883621709bb517af5b675255eecbcd237aafc2ce7da712f64c45d91d472767b6dcade

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2659C1A560AB92C9C29D4B2B25815AE8
MD5
69ed59323f8f4630330583e322757614

SHA1
952bbe590f5b0060d42b899c491703f5be6d9060

SHA256
4dcb6c61803054e3bbe162ad1cfb40131a54702b1341fac2609ffd4cbd57bdd7

SHA512
8ecb98f1ff6144de7a812cd03b779387a17d37ea4a63a026bbf747c51a19a44f8601558fdd2c3f2105f0e0b97b9227ab21ac330d1d28af36b994c6596aaf1c8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
bd4ceda56f9ffd6244ad66f6f33c4b10

SHA1
54d0b14bac6f1e9fb4507b4a363d4263aeba0c5d

SHA256
1cd958aa3dc68a314ae995cb12b5d503647380c55cbfe46eb86578e5e550f650

SHA512
7154bc08984df4508ea0498b012b435d774506c4dfed4bb28f968b13889496589d3b54d229a48ad7225687a83e31f34d027399d52490fabb0afa420622a3d5da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2659C1A560AB92C9C29D4B2B25815AE8
MD5
1dfba43f33d59a91b2917bc2aa31bae0

SHA1
350d8cc0187d9c927c71d8bd15d9dfbfe6317af9

SHA256
ebfea7268e0bd0f491b494a1621c92921c7e7e27aca68b88cb41a59044a4614c

SHA512
5966e4673361df098733b05e4d298d125a67f0c9ba75de83a19378870dd0beec34dae3225b160b4c53b28aebd345332e8d1621f42a8cc02ad9fe4a21d9ebebec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
a64054c2169601db791d94b0985dd931

SHA1
1995079ea216b7924da22acc93808c9eb1211812

SHA256
2fb12493bbdbdb126def2cc3494d140d35829b4340dbcece1ef718dff8a0683f

SHA512
4ab906d1c8ca6d8329b27a359054e0fedab1fde8b8448824b5196da50919eb72062c2b9d3e700045f7d7b6dbb203b7a23dd04cdbd322d4fb7f7b574ed1f2a168

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
0d7a89bb3587242e4fcd8fd73253404e

SHA1
1f3838fdce19922bc42f27339e865d667480b58c

SHA256
46bdb7f2bbf1ffa70c35821972a5d766e56aded12d7755b9c9d764d77cc94dbb

SHA512
3b78d2d7607048a2c2c85c0ee509e131a631303b82ee2c37402f5ef63b2c841e5b18e6e260ef065b3b458d050de9b0bbc4f5525bbf37ff9cc5b620fdeb560976

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
64f262d21e883feb21c25c9ff71727e3

SHA1
0b225b33cd82c6d8fc20ec069e50463385a611b4

SHA256
535f860d902606ff5a8ed972e95a72b973fcf79a96f2a636433c306a0530dcf7

SHA512
dc126a3589b0cb03b1646c6bbe2032e0e5c8455fd60f005bddcdd7534fdfde13d6e52365a4bdb686908a5bc208a683adeca18599c103abdb96c1bb59b505ba01

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6073fee5118372253d99d22b\1.0.0\tracking.ini
MD5
d0b136a975f59e7a95efaa5e6abcb17d

SHA1
e26912437741b115aa05fd4fdd00da36620bb3dc

SHA256
774702ddfbc1d31ffd62a4e22e4cd7280810c68353bb772ba33fadd6c9d69d55

SHA512
78541fbb7be2502d3bea6eb35ae9c81ea5fe83f2b906e8aa517600eb74ba640908ed12365b5c486df7802a20835a94b13c2e6bdf2b3f4dbdb6baeea51db19b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\047ZyNkh\E3co0XIMGGujXJx3V.exe
MD5
9d06a0509951399f7ccc94a8952f041d

SHA1
933f524ca176564706f8062bfbc631e321a4bbe4

SHA256
8e1501f1418f652681acdecf629ac0c27a1fb87ddb939a5fa5dba53a7635b7f6

SHA512
64d919b896c9e79012a778709bf5563f1cb0a6ecfbbaa11030b8cc68ac46404e5c2cd4cbeec5c6170f49fcd5acb60d5d323700b4376a5c0357e4a826c79d2787

Download Submit
C:\Users\Admin\AppData\Local\Temp\047ZyNkh\E3co0XIMGGujXJx3V.exe
MD5
9d06a0509951399f7ccc94a8952f041d

SHA1
933f524ca176564706f8062bfbc631e321a4bbe4

SHA256
8e1501f1418f652681acdecf629ac0c27a1fb87ddb939a5fa5dba53a7635b7f6

SHA512
64d919b896c9e79012a778709bf5563f1cb0a6ecfbbaa11030b8cc68ac46404e5c2cd4cbeec5c6170f49fcd5acb60d5d323700b4376a5c0357e4a826c79d2787

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4xeDt0y\SLNRCNDZLKc.exe
MD5
5a6718a7802387e91aa23cb9719b6a5a

SHA1
256c557989f7c713f9d703ea7d9e15060666b457

SHA256
78404403db083baea41b1286d701431e7e1650de97a2516de7783c6308325e3b

SHA512
f970bb5b5ae4a5c937d8bc272eefd74fa1afde8f1009431c187eaae4e56a9685a1d204a8aa63245f99ae957485dfe0a07e809bce4adbc29e8a80a70bc649e00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4xeDt0y\SLNRCNDZLKc.exe
MD5
5a6718a7802387e91aa23cb9719b6a5a

SHA1
256c557989f7c713f9d703ea7d9e15060666b457

SHA256
78404403db083baea41b1286d701431e7e1650de97a2516de7783c6308325e3b

SHA512
f970bb5b5ae4a5c937d8bc272eefd74fa1afde8f1009431c187eaae4e56a9685a1d204a8aa63245f99ae957485dfe0a07e809bce4adbc29e8a80a70bc649e00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4xeDt0y\SLNRCNDZLKc.exe
MD5
5a6718a7802387e91aa23cb9719b6a5a

SHA1
256c557989f7c713f9d703ea7d9e15060666b457

SHA256
78404403db083baea41b1286d701431e7e1650de97a2516de7783c6308325e3b

SHA512
f970bb5b5ae4a5c937d8bc272eefd74fa1afde8f1009431c187eaae4e56a9685a1d204a8aa63245f99ae957485dfe0a07e809bce4adbc29e8a80a70bc649e00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC5D.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID58.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NEQ2F.tmp\Software-update-patc_612604768.tmp
MD5
4caf2ca22417bb2cd44c0d0daf5fdd8b

SHA1
bdb2b86d9c033785c9b1db5618986030b2852ffd

SHA256
a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

SHA512
ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NEQ2F.tmp\Software-update-patc_612604768.tmp
MD5
4caf2ca22417bb2cd44c0d0daf5fdd8b

SHA1
bdb2b86d9c033785c9b1db5618986030b2852ffd

SHA256
a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

SHA512
ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlRgNuUE\m49DwWX5UrJrD2vV.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlRgNuUE\m49DwWX5UrJrD2vV.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi
MD5
98e537669f4ce0062f230a14bcfcaf35

SHA1
a19344f6a5e59c71f51e86119f5fa52030a92810

SHA256
6f515aac05311f411968ee6e48d287a1eb452e404ffeff75ee0530dcf3243735

SHA512
1ebc254289610be65882a6ceb1beebbf2be83006117f0a6ccbddd19ab7dc807978232a13ad5fa39b6f06f694d4f7c75760b773d70b87c0badef1da89bb7af3ac

Download Submit
C:\Windows\Installer\MSI13E0.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSI16AF.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI173C.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI1827.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI18A5.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSI1981.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
C:\Windows\Installer\MSI1B56.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSI1C50.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI1CDE.tmp
MD5
5f1b243813a203c66ba735139d8ce0c7

SHA1
c60a57668d348a61e4e2f12115afb9f9024162ba

SHA256
52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

SHA512
083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

Download Submit
C:\Windows\Installer\MSI1DE8.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSI2691.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
C:\Windows\Installer\MSI27CB.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
C:\Windows\Installer\MSI2A1D.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
C:\Windows\Installer\MSI2B08.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Program Files (x86)\Dolore\quia\Quibusdam.exe
MD5
9b872933c0915fc132fe0a8246ea9298

SHA1
603f68a5bd95bbfe1faa9bac3760e8a2b5ea4b08

SHA256
da035b6389687dc5389b77c75b0ed3a99ce2e6cb1a0d7a96c29380a77f84d900

SHA512
27db5e85d4d3ae77428a58ce83f66d6f71c4131c473c2e8243423e223b4883621709bb517af5b675255eecbcd237aafc2ce7da712f64c45d91d472767b6dcade

Download Submit
\Users\Admin\AppData\Local\Temp\047ZyNkh\E3co0XIMGGujXJx3V.exe
MD5
9d06a0509951399f7ccc94a8952f041d

SHA1
933f524ca176564706f8062bfbc631e321a4bbe4

SHA256
8e1501f1418f652681acdecf629ac0c27a1fb87ddb939a5fa5dba53a7635b7f6

SHA512
64d919b896c9e79012a778709bf5563f1cb0a6ecfbbaa11030b8cc68ac46404e5c2cd4cbeec5c6170f49fcd5acb60d5d323700b4376a5c0357e4a826c79d2787

Download Submit
\Users\Admin\AppData\Local\Temp\E4xeDt0y\SLNRCNDZLKc.exe
MD5
5a6718a7802387e91aa23cb9719b6a5a

SHA1
256c557989f7c713f9d703ea7d9e15060666b457

SHA256
78404403db083baea41b1286d701431e7e1650de97a2516de7783c6308325e3b

SHA512
f970bb5b5ae4a5c937d8bc272eefd74fa1afde8f1009431c187eaae4e56a9685a1d204a8aa63245f99ae957485dfe0a07e809bce4adbc29e8a80a70bc649e00d

Download Submit
\Users\Admin\AppData\Local\Temp\E4xeDt0y\SLNRCNDZLKc.exe
MD5
5a6718a7802387e91aa23cb9719b6a5a

SHA1
256c557989f7c713f9d703ea7d9e15060666b457

SHA256
78404403db083baea41b1286d701431e7e1650de97a2516de7783c6308325e3b

SHA512
f970bb5b5ae4a5c937d8bc272eefd74fa1afde8f1009431c187eaae4e56a9685a1d204a8aa63245f99ae957485dfe0a07e809bce4adbc29e8a80a70bc649e00d

Download Submit
\Users\Admin\AppData\Local\Temp\E4xeDt0y\SLNRCNDZLKc.exe
MD5
5a6718a7802387e91aa23cb9719b6a5a

SHA1
256c557989f7c713f9d703ea7d9e15060666b457

SHA256
78404403db083baea41b1286d701431e7e1650de97a2516de7783c6308325e3b

SHA512
f970bb5b5ae4a5c937d8bc272eefd74fa1afde8f1009431c187eaae4e56a9685a1d204a8aa63245f99ae957485dfe0a07e809bce4adbc29e8a80a70bc649e00d

Download Submit
\Users\Admin\AppData\Local\Temp\INABD0.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Users\Admin\AppData\Local\Temp\MSIC5D.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Users\Admin\AppData\Local\Temp\MSID58.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
\Users\Admin\AppData\Local\Temp\is-0OABV.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-0OABV.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-0OABV.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NEQ2F.tmp\Software-update-patc_612604768.tmp
MD5
4caf2ca22417bb2cd44c0d0daf5fdd8b

SHA1
bdb2b86d9c033785c9b1db5618986030b2852ffd

SHA256
a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

SHA512
ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

Download Submit
\Users\Admin\AppData\Local\Temp\mlRgNuUE\m49DwWX5UrJrD2vV.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Windows\Installer\MSI13E0.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSI16AF.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI173C.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI1827.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI18A5.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSI1981.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
\Windows\Installer\MSI1B56.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSI1C50.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI1CDE.tmp
MD5
5f1b243813a203c66ba735139d8ce0c7

SHA1
c60a57668d348a61e4e2f12115afb9f9024162ba

SHA256
52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

SHA512
083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

Download Submit
\Windows\Installer\MSI1DE8.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSI2691.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Windows\Installer\MSI27CB.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Windows\Installer\MSI2A1D.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Windows\Installer\MSI2B08.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
memory/676-109-0x0000000000000000-mapping.dmp

Download
memory/980-79-0x0000000000000000-mapping.dmp

Download
memory/1084-63-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1084-67-0x0000000074C21000-0x0000000074C23000-memory.dmp

Filesize
8KB

Download
memory/1084-60-0x0000000000000000-mapping.dmp

Download
memory/1184-136-0x0000000000000000-mapping.dmp

Download
memory/1404-77-0x00000000058E0000-0x00000000058E2000-memory.dmp

Filesize
8KB

Download
memory/1404-74-0x0000000000400000-0x0000000001860000-memory.dmp

Filesize
20.4MB

Download
memory/1404-75-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1404-72-0x0000000000400000-0x0000000001860000-memory.dmp

Filesize
20.4MB

Download
memory/1404-70-0x0000000000000000-mapping.dmp

Download
memory/1460-93-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download
memory/1472-148-0x0000000000000000-mapping.dmp

Download
memory/1640-58-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1640-55-0x0000000075F41000-0x0000000075F43000-memory.dmp

Filesize
8KB

Download
memory/1712-101-0x0000000000000000-mapping.dmp

Download
memory/1748-95-0x0000000000000000-mapping.dmp

Download
memory/1760-84-0x0000000000000000-mapping.dmp

Download
memory/1760-89-0x00000000002A0000-0x000000000033D000-memory.dmp

Filesize
628KB

Download
memory/2008-141-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2008-142-0x0000000000414F3A-mapping.dmp

Download
memory/2008-146-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2008-140-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2008-114-0x0000000000000000-mapping.dmp

Download
memory/2352-156-0x0000000000000000-mapping.dmp

Download
memory/2384-157-0x0000000000000000-mapping.dmp

Download
memory/2416-175-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/2416-167-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/2416-188-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/2416-189-0x0000000004550000-0x0000000004552000-memory.dmp

Filesize
8KB

Download
memory/2416-187-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/2416-185-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/2416-186-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/2416-178-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/2416-177-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/2416-176-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/2416-158-0x0000000000000000-mapping.dmp

Download
memory/2416-174-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/2416-173-0x00000000044B0000-0x00000000044B2000-memory.dmp

Filesize
8KB

Download
memory/2416-179-0x0000000000400000-0x00000000009A4000-memory.dmp

Filesize
5.6MB

Download
memory/2416-172-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/2416-171-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/2416-170-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/2416-169-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/2416-168-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/2416-184-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/2416-180-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/2416-181-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/2416-182-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/2416-183-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/2568-160-0x0000000000000000-mapping.dmp

Download
memory/2600-161-0x0000000000000000-mapping.dmp

Download
memory/2628-162-0x0000000000000000-mapping.dmp

Download
memory/2656-163-0x0000000000000000-mapping.dmp

Download
memory/2688-164-0x0000000000000000-mapping.dmp

Download
memory/2700-165-0x0000000000000000-mapping.dmp

Download
memory/7488-190-0x0000000000000000-mapping.dmp

Download
memory/7516-191-0x0000000000000000-mapping.dmp

Download
memory/7568-192-0x0000000000000000-mapping.dmp

Download
memory/7588-193-0x0000000000000000-mapping.dmp

Download
memory/7588-194-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/7588-196-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/7588-197-0x00000000003B0000-0x00000000003B7000-memory.dmp

Filesize
28KB

Download