vidar | 3bfbe7f602fdffa1b70a657767d1fa7cfe4f6111da191b94d1abe8f5d8f1ea3b

Analysis

max time kernel
152s
max time network
151s
platform
windows7_x64
resource
win7-de-20211014
submitted
21-10-2021 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software-update-patc_612604768.exe
Size

4.7MB
MD5

567ab95af9696f0d0cea101efbd344f9
SHA1

78544ed738d9929e68b735448276c93166b61c37
SHA256

3bfbe7f602fdffa1b70a657767d1fa7cfe4f6111da191b94d1abe8f5d8f1ea3b
SHA512

36d16b04d74d41ef11b8dcef4c5e705d6660a0bb34c72abbd59fad36f37bde069b80af270dbd208b0956f1b8bd4abcb87cdb05a32265a6d4aeae2266dc7709bf

Score

10^/10

vidar 223 discovery evasion spyware stealer suricata trojan

Malware Config

Extracted

Family

vidar

Version

41.5

Botnet

223

https://mas.to/@xeroxxx

Attributes

profile_id
223

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral3/memory/1932-102-0x0000000000400000-0x00000000009A4000-memory.dmp	family_vidar

Blocklisted process makes network request 14 IoCs

Processes:

MsiExec.exe

flow	pid	process
64	1984	MsiExec.exe
66	1984	MsiExec.exe
68	1984	MsiExec.exe
70	1984	MsiExec.exe
72	1984	MsiExec.exe
74	1984	MsiExec.exe
76	1984	MsiExec.exe
77	1984	MsiExec.exe
78	1984	MsiExec.exe
79	1984	MsiExec.exe
80	1984	MsiExec.exe
81	1984	MsiExec.exe
83	1984	MsiExec.exe
84	1984	MsiExec.exe

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

Software-update-patc_612604768.tmpQuibusdam.exeow5EvhTF5d.exeZembra.exekhpen2W9b.exeZembraBro.exe

pid process

432 Software-update-patc_612604768.tmp
684 Quibusdam.exe
884 ow5EvhTF5d.exe
1932 Zembra.exe
1780 khpen2W9b.exe
1512 ZembraBro.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Zembra.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Zembra.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Zembra.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Zembra.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Wine Zembra.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Wine	Zembra.exe

Loads dropped DLL 39 IoCs

Processes:

Software-update-patc_612604768.exeSoftware-update-patc_612604768.tmpQuibusdam.exeow5EvhTF5d.exeZembra.exekhpen2W9b.exeMsiExec.exeMsiExec.exeMsiExec.exe

pid	process
668	Software-update-patc_612604768.exe
432	Software-update-patc_612604768.tmp
432	Software-update-patc_612604768.tmp
432	Software-update-patc_612604768.tmp
432	Software-update-patc_612604768.tmp
684	Quibusdam.exe
884	ow5EvhTF5d.exe
884	ow5EvhTF5d.exe
1932	Zembra.exe
1932	Zembra.exe
1932	Zembra.exe
1932	Zembra.exe
684	Quibusdam.exe
1780	khpen2W9b.exe
1780	khpen2W9b.exe
884	ow5EvhTF5d.exe
1780	khpen2W9b.exe
1740	MsiExec.exe
1740	MsiExec.exe
1984	MsiExec.exe
1984	MsiExec.exe
1984	MsiExec.exe
1984	MsiExec.exe
1984	MsiExec.exe
1984	MsiExec.exe
1984	MsiExec.exe
1984	MsiExec.exe
1984	MsiExec.exe
1780	khpen2W9b.exe
1984	MsiExec.exe
1984	MsiExec.exe
428	MsiExec.exe
428	MsiExec.exe
428	MsiExec.exe
428	MsiExec.exe
428	MsiExec.exe
428	MsiExec.exe
428	MsiExec.exe
1984	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Zembra.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Zembra.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Zembra.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exekhpen2W9b.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	khpen2W9b.exe
File opened (read-only)	\??\H:	khpen2W9b.exe
File opened (read-only)	\??\R:	khpen2W9b.exe
File opened (read-only)	\??\X:	khpen2W9b.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	khpen2W9b.exe
File opened (read-only)	\??\T:	khpen2W9b.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	khpen2W9b.exe
File opened (read-only)	\??\U:	khpen2W9b.exe
File opened (read-only)	\??\W:	khpen2W9b.exe
File opened (read-only)	\??\G:	khpen2W9b.exe
File opened (read-only)	\??\M:	khpen2W9b.exe
File opened (read-only)	\??\N:	khpen2W9b.exe
File opened (read-only)	\??\V:	khpen2W9b.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	khpen2W9b.exe
File opened (read-only)	\??\I:	khpen2W9b.exe
File opened (read-only)	\??\L:	khpen2W9b.exe
File opened (read-only)	\??\P:	khpen2W9b.exe
File opened (read-only)	\??\S:	khpen2W9b.exe
File opened (read-only)	\??\Y:	khpen2W9b.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	khpen2W9b.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	khpen2W9b.exe
File opened (read-only)	\??\Q:	khpen2W9b.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	khpen2W9b.exe
File opened (read-only)	\??\O:	khpen2W9b.exe
File opened (read-only)	\??\R:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Zembra.exe

pid process

1932 Zembra.exe

pid	process
1932	Zembra.exe

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\39dTKq8P\ow5EvhTF5d.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\39dTKq8P\ow5EvhTF5d.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\39dTKq8P\ow5EvhTF5d.exe	autoit_exe

Drops file in Program Files directory 22 IoCs

Processes:

Software-update-patc_612604768.tmpmsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Dolore\in\is-00KB5.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\in\is-Q04HP.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\minus\is-93DAI.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\quia\is-7RL1M.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\quos\is-K7AMA.tmp	Software-update-patc_612604768.tmp
File opened for modification	C:\Program Files (x86)\Dolore\quia\Quibusdam.exe	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\is-914LN.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\is-VUGSE.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\Dolore\unins000.dat	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\consectetur\is-69PN9.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\Dolore\in\is-TBL31.tmp	Software-update-patc_612604768.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files (x86)\Dolore\quia\is-DJNLI.tmp	Software-update-patc_612604768.tmp
File opened for modification	C:\Program Files (x86)\Dolore\unins000.dat	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\Dolore\is-HRTOA.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\consectetur\is-GQ55C.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\minus\is-LAA6I.tmp	Software-update-patc_612604768.tmp

Drops file in Windows directory 30 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI1CB7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E3F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2DA6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2DD5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2ED2.tmp	msiexec.exe
File created	C:\Windows\Installer\f781308.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1AB4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2333.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI23C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2F40.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Installer\f781304.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F3A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI247D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2B61.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2E15.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2B51.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI30D8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20E0.tmp	msiexec.exe
File created	C:\Windows\Installer\f781306.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2E64.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f781304.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f781306.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1DA2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2219.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2C8C.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Zembra.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Zembra.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Zembra.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

964 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

856 taskkill.exe
1108 taskkill.exe

pid	process
964	timeout.exe

pid	process
856	taskkill.exe
1108	taskkill.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

khpen2W9b.exeow5EvhTF5d.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	khpen2W9b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	khpen2W9b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ow5EvhTF5d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ow5EvhTF5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	khpen2W9b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	khpen2W9b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	khpen2W9b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	khpen2W9b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	khpen2W9b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ow5EvhTF5d.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Software-update-patc_612604768.tmpQuibusdam.exeZembra.exeMsiExec.exeMsiExec.exemsiexec.exe

pid	process
432	Software-update-patc_612604768.tmp
432	Software-update-patc_612604768.tmp
684	Quibusdam.exe
684	Quibusdam.exe
684	Quibusdam.exe
1932	Zembra.exe
1932	Zembra.exe
1932	Zembra.exe
1932	Zembra.exe
1932	Zembra.exe
684	Quibusdam.exe
1740	MsiExec.exe
1984	MsiExec.exe
1984	MsiExec.exe
1060	msiexec.exe
1060	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exemsiexec.exekhpen2W9b.exe

description	pid	process
Token: SeDebugPrivilege	856	taskkill.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeSecurityPrivilege	1060	msiexec.exe
Token: SeCreateTokenPrivilege	1780	khpen2W9b.exe
Token: SeAssignPrimaryTokenPrivilege	1780	khpen2W9b.exe
Token: SeLockMemoryPrivilege	1780	khpen2W9b.exe
Token: SeIncreaseQuotaPrivilege	1780	khpen2W9b.exe
Token: SeMachineAccountPrivilege	1780	khpen2W9b.exe
Token: SeTcbPrivilege	1780	khpen2W9b.exe
Token: SeSecurityPrivilege	1780	khpen2W9b.exe
Token: SeTakeOwnershipPrivilege	1780	khpen2W9b.exe
Token: SeLoadDriverPrivilege	1780	khpen2W9b.exe
Token: SeSystemProfilePrivilege	1780	khpen2W9b.exe
Token: SeSystemtimePrivilege	1780	khpen2W9b.exe
Token: SeProfSingleProcessPrivilege	1780	khpen2W9b.exe
Token: SeIncBasePriorityPrivilege	1780	khpen2W9b.exe
Token: SeCreatePagefilePrivilege	1780	khpen2W9b.exe
Token: SeCreatePermanentPrivilege	1780	khpen2W9b.exe
Token: SeBackupPrivilege	1780	khpen2W9b.exe
Token: SeRestorePrivilege	1780	khpen2W9b.exe
Token: SeShutdownPrivilege	1780	khpen2W9b.exe
Token: SeDebugPrivilege	1780	khpen2W9b.exe
Token: SeAuditPrivilege	1780	khpen2W9b.exe
Token: SeSystemEnvironmentPrivilege	1780	khpen2W9b.exe
Token: SeChangeNotifyPrivilege	1780	khpen2W9b.exe
Token: SeRemoteShutdownPrivilege	1780	khpen2W9b.exe
Token: SeUndockPrivilege	1780	khpen2W9b.exe
Token: SeSyncAgentPrivilege	1780	khpen2W9b.exe
Token: SeEnableDelegationPrivilege	1780	khpen2W9b.exe
Token: SeManageVolumePrivilege	1780	khpen2W9b.exe
Token: SeImpersonatePrivilege	1780	khpen2W9b.exe
Token: SeCreateGlobalPrivilege	1780	khpen2W9b.exe
Token: SeCreateTokenPrivilege	1780	khpen2W9b.exe
Token: SeAssignPrimaryTokenPrivilege	1780	khpen2W9b.exe
Token: SeLockMemoryPrivilege	1780	khpen2W9b.exe
Token: SeIncreaseQuotaPrivilege	1780	khpen2W9b.exe
Token: SeMachineAccountPrivilege	1780	khpen2W9b.exe
Token: SeTcbPrivilege	1780	khpen2W9b.exe
Token: SeSecurityPrivilege	1780	khpen2W9b.exe
Token: SeTakeOwnershipPrivilege	1780	khpen2W9b.exe
Token: SeLoadDriverPrivilege	1780	khpen2W9b.exe
Token: SeSystemProfilePrivilege	1780	khpen2W9b.exe
Token: SeSystemtimePrivilege	1780	khpen2W9b.exe
Token: SeProfSingleProcessPrivilege	1780	khpen2W9b.exe
Token: SeIncBasePriorityPrivilege	1780	khpen2W9b.exe
Token: SeCreatePagefilePrivilege	1780	khpen2W9b.exe
Token: SeCreatePermanentPrivilege	1780	khpen2W9b.exe
Token: SeBackupPrivilege	1780	khpen2W9b.exe
Token: SeRestorePrivilege	1780	khpen2W9b.exe
Token: SeShutdownPrivilege	1780	khpen2W9b.exe
Token: SeDebugPrivilege	1780	khpen2W9b.exe
Token: SeAuditPrivilege	1780	khpen2W9b.exe
Token: SeSystemEnvironmentPrivilege	1780	khpen2W9b.exe
Token: SeChangeNotifyPrivilege	1780	khpen2W9b.exe
Token: SeRemoteShutdownPrivilege	1780	khpen2W9b.exe
Token: SeUndockPrivilege	1780	khpen2W9b.exe
Token: SeSyncAgentPrivilege	1780	khpen2W9b.exe
Token: SeEnableDelegationPrivilege	1780	khpen2W9b.exe
Token: SeManageVolumePrivilege	1780	khpen2W9b.exe
Token: SeImpersonatePrivilege	1780	khpen2W9b.exe
Token: SeCreateGlobalPrivilege	1780	khpen2W9b.exe
Token: SeCreateTokenPrivilege	1780	khpen2W9b.exe
Token: SeAssignPrimaryTokenPrivilege	1780	khpen2W9b.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Software-update-patc_612604768.tmpkhpen2W9b.exe

pid process

432 Software-update-patc_612604768.tmp
1780 khpen2W9b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Software-update-patc_612604768.exeSoftware-update-patc_612604768.tmpQuibusdam.exeow5EvhTF5d.exeZembra.execmd.exemsiexec.exekhpen2W9b.exeMsiExec.exe

description	pid	process	target process
PID 668 wrote to memory of 432	668	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 668 wrote to memory of 432	668	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 668 wrote to memory of 432	668	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 668 wrote to memory of 432	668	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 668 wrote to memory of 432	668	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 668 wrote to memory of 432	668	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 668 wrote to memory of 432	668	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 432 wrote to memory of 684	432	Software-update-patc_612604768.tmp	Quibusdam.exe
PID 432 wrote to memory of 684	432	Software-update-patc_612604768.tmp	Quibusdam.exe
PID 432 wrote to memory of 684	432	Software-update-patc_612604768.tmp	Quibusdam.exe
PID 432 wrote to memory of 684	432	Software-update-patc_612604768.tmp	Quibusdam.exe
PID 684 wrote to memory of 884	684	Quibusdam.exe	ow5EvhTF5d.exe
PID 684 wrote to memory of 884	684	Quibusdam.exe	ow5EvhTF5d.exe
PID 684 wrote to memory of 884	684	Quibusdam.exe	ow5EvhTF5d.exe
PID 684 wrote to memory of 884	684	Quibusdam.exe	ow5EvhTF5d.exe
PID 884 wrote to memory of 1932	884	ow5EvhTF5d.exe	Zembra.exe
PID 884 wrote to memory of 1932	884	ow5EvhTF5d.exe	Zembra.exe
PID 884 wrote to memory of 1932	884	ow5EvhTF5d.exe	Zembra.exe
PID 884 wrote to memory of 1932	884	ow5EvhTF5d.exe	Zembra.exe
PID 684 wrote to memory of 1780	684	Quibusdam.exe	khpen2W9b.exe
PID 684 wrote to memory of 1780	684	Quibusdam.exe	khpen2W9b.exe
PID 684 wrote to memory of 1780	684	Quibusdam.exe	khpen2W9b.exe
PID 684 wrote to memory of 1780	684	Quibusdam.exe	khpen2W9b.exe
PID 684 wrote to memory of 1780	684	Quibusdam.exe	khpen2W9b.exe
PID 684 wrote to memory of 1780	684	Quibusdam.exe	khpen2W9b.exe
PID 684 wrote to memory of 1780	684	Quibusdam.exe	khpen2W9b.exe
PID 1932 wrote to memory of 1652	1932	Zembra.exe	cmd.exe
PID 1932 wrote to memory of 1652	1932	Zembra.exe	cmd.exe
PID 1932 wrote to memory of 1652	1932	Zembra.exe	cmd.exe
PID 1932 wrote to memory of 1652	1932	Zembra.exe	cmd.exe
PID 1652 wrote to memory of 856	1652	cmd.exe	taskkill.exe
PID 1652 wrote to memory of 856	1652	cmd.exe	taskkill.exe
PID 1652 wrote to memory of 856	1652	cmd.exe	taskkill.exe
PID 1652 wrote to memory of 856	1652	cmd.exe	taskkill.exe
PID 1652 wrote to memory of 964	1652	cmd.exe	timeout.exe
PID 1652 wrote to memory of 964	1652	cmd.exe	timeout.exe
PID 1652 wrote to memory of 964	1652	cmd.exe	timeout.exe
PID 1652 wrote to memory of 964	1652	cmd.exe	timeout.exe
PID 884 wrote to memory of 1512	884	ow5EvhTF5d.exe	ZembraBro.exe
PID 884 wrote to memory of 1512	884	ow5EvhTF5d.exe	ZembraBro.exe
PID 884 wrote to memory of 1512	884	ow5EvhTF5d.exe	ZembraBro.exe
PID 884 wrote to memory of 1512	884	ow5EvhTF5d.exe	ZembraBro.exe
PID 1060 wrote to memory of 1740	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 1740	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 1740	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 1740	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 1740	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 1740	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 1740	1060	msiexec.exe	MsiExec.exe
PID 1780 wrote to memory of 1700	1780	khpen2W9b.exe	msiexec.exe
PID 1780 wrote to memory of 1700	1780	khpen2W9b.exe	msiexec.exe
PID 1780 wrote to memory of 1700	1780	khpen2W9b.exe	msiexec.exe
PID 1780 wrote to memory of 1700	1780	khpen2W9b.exe	msiexec.exe
PID 1780 wrote to memory of 1700	1780	khpen2W9b.exe	msiexec.exe
PID 1780 wrote to memory of 1700	1780	khpen2W9b.exe	msiexec.exe
PID 1780 wrote to memory of 1700	1780	khpen2W9b.exe	msiexec.exe
PID 1060 wrote to memory of 1984	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 1984	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 1984	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 1984	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 1984	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 1984	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 1984	1060	msiexec.exe	MsiExec.exe
PID 1984 wrote to memory of 1108	1984	MsiExec.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Software-update-patc_612604768.exe
"C:\Users\Admin\AppData\Local\Temp\Software-update-patc_612604768.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:668

C:\Users\Admin\AppData\Local\Temp\is-HM3G7.tmp\Software-update-patc_612604768.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HM3G7.tmp\Software-update-patc_612604768.tmp" /SL5="$40154,4477466,466944,C:\Users\Admin\AppData\Local\Temp\Software-update-patc_612604768.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:432

C:\Program Files (x86)\Dolore\quia\Quibusdam.exe
"C:\Program Files (x86)\Dolore/\quia\Quibusdam.exe" 2fe3d428284ff9b385bc1c941892777b
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Local\Temp\39dTKq8P\ow5EvhTF5d.exe
C:\Users\Admin\AppData\Local\Temp\39dTKq8P\ow5EvhTF5d.exe /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Local\Temp\Zembra.exe
C:\Users\Admin\AppData\Local\Temp\Zembra.exe
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Zembra.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Zembra.exe" & del C:\ProgramData\*.dll & exit
6⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Zembra.exe /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:964

C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
5⤵
- Executes dropped EXE
PID:1512

C:\Users\Admin\AppData\Local\Temp\8utNM3JP\khpen2W9b.exe
C:\Users\Admin\AppData\Local\Temp\8utNM3JP\khpen2W9b.exe /qn CAMPAIGN="642"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=642 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\8utNM3JP\khpen2W9b.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\8utNM3JP\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634568017 /qn CAMPAIGN=""642"" " CAMPAIGN="642"
5⤵
PID:1700

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9617DF0E9FD9DED0CEBAFCA7C9245F8F C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1740

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3199D00EFCA1342203D0FDD7D95E12DD
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:1108

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DB8538F8B791528F07DC6CCF19A0295E M Global\MSI0000
2⤵
- Loads dropped DLL
PID:428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Dolore\quia\Quibusdam.exe
MD5
9b872933c0915fc132fe0a8246ea9298

SHA1
603f68a5bd95bbfe1faa9bac3760e8a2b5ea4b08

SHA256
da035b6389687dc5389b77c75b0ed3a99ce2e6cb1a0d7a96c29380a77f84d900

SHA512
27db5e85d4d3ae77428a58ce83f66d6f71c4131c473c2e8243423e223b4883621709bb517af5b675255eecbcd237aafc2ce7da712f64c45d91d472767b6dcade

Download Submit
C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
5bbd4ca409d0e3d9e1356f6aa0e72821

SHA1
09fb93b1b1bdbcd87acdc4c21d5e3ca8f9a0e0a0

SHA256
6cd79e569127f8895878251f5d848131dc1c7d22437236ade6dca522ba93af59

SHA512
9fbb7a6d6ce18b76895efde9ab586321375678299ab0c275c6d085fdc81c780daf586d09af5af692585ad48be2d917fb0412d9c6e68c5a1fbe886979ef5c0836

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
bd4ceda56f9ffd6244ad66f6f33c4b10

SHA1
54d0b14bac6f1e9fb4507b4a363d4263aeba0c5d

SHA256
1cd958aa3dc68a314ae995cb12b5d503647380c55cbfe46eb86578e5e550f650

SHA512
7154bc08984df4508ea0498b012b435d774506c4dfed4bb28f968b13889496589d3b54d229a48ad7225687a83e31f34d027399d52490fabb0afa420622a3d5da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
4a29b71fbf738e02c3850c2ef9b7f3c9

SHA1
4e6b9158ce9bd1a9f7776a5d966fe8a7e6983229

SHA256
eb02440c4c15935ccd1cd07fb0adcb06f5b677bf65ca8ffd0c121dfb62a6c3ad

SHA512
02d655c951d321ce526c412fd7902a45db902bb30186c99fd217a76caf0680ac3672b6389d5143c30da6f8be6bdb3ffeaf386c9c2f71b9f8b70f07ad7c8bf862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
e531407fe52827bf6e9f73cdf7a33a20

SHA1
7225b0107f84c51d2a7c82c674ed69b97d0d9143

SHA256
0c900099f1734ea3ea00ad3075f10ef10b9d440a5a4211b5bf62406354f204c8

SHA512
c5bbccc6cae980b5f4ff7097239269affc0a06094ca0ef22d62f05e4c852acc3853da8feff2536fd01f312461f61495f67f9fa132dd9ba33782b4706be2ecf31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
ca9c3202db4e72188db36f0fe0c8b242

SHA1
38739b55abbc870cbf2557a8773435404a1b9cec

SHA256
eeb8ab075f24b3e7f021057bdf56d5f5e3e6cd43bc3a367d7db44877297a73ef

SHA512
d19695e89bf57174e0917afc6adce355026d9a92899569d697a64da35abc09a47753ee204bcbec925aef25a373f86dc25bc8faba62df4868894c25928a147090

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
cd4a5c09655bfe7c15862531b045440d

SHA1
bd0623563369e7ae399bfb319923b334149d1c78

SHA256
bd5923cfb8a031e418e8e99565bba9328247197123794d06a4e3f651f030fc26

SHA512
4acd4bb8072ccdb32a89f230e072a49b99039e21f33375ea64ed882eac318fc8193dfaaa7db46841751d732d44f3404c260779943293aa3b2f9e40db5b2abc2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
41410c7cfa9aad1e9fc489ee5de41827

SHA1
9484cbd32f95e8584c644f8248cb578a02c5a2f6

SHA256
84cb97d083ab9504099cf906d81de7c9994325100d76bb4c95ae07f689c28bae

SHA512
a77b7bc8a7ed467ae4f6c12230211410d3798dbb74a7d63c2c5ec18c528ab7586379f05b897ebb7f59aac27c8e209e610de90b7072025edd6f46ffa125e55a52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
bd22f70a56a8916b6e1364b7902b27ed

SHA1
059dfc93b802c8ba16fcaaf6084c2f62b62db2c3

SHA256
f20a987e6021db985764fd7f999ba4c36bc0378c8d070ba5661a0845da54a454

SHA512
543261cae3e20c84d3cdd15d5df72cc5c83bad5e95834b93e3e97d2fdee80bc3ac2df1a7539f53e066ee9566ec52f6cc4956431bdc6d1ddc90bf0015e0b6497a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
d424f80ff1d71f2e6c7b178c439e142b

SHA1
6166ed53efd9221df9d77b1edbbb652923c87c0f

SHA256
0a851b639338c1ff72016561afc509b02db547106c5ac03adc32b1a62df82568

SHA512
74340dcb554fc6fcb92ca4a492839c05648610b026ecf136d133dadfdf38f56c89aad6fc045859c359c8049e84f2d6f9e465c466cb6b1ee458872f8b70724cc4

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6073fee5118372253d99d22b\1.0.0\tracking.ini
MD5
2aeba2f019889558530cfefa81565ae4

SHA1
5a05ef066671ee80077c8a21e33ec179c60c5d5c

SHA256
4c5881a647781e2bcd9a73e02696575eeb93282cf82f82facd7224665665fd20

SHA512
c4fd9fd0b9eba03d2481fd6dd902d1fb022b975a3571665d1ab577276fec56db0aaae1831595cc41e59dc96b9e48cce131dfd5ccbbddf4d57b76702d3639ec3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\39dTKq8P\ow5EvhTF5d.exe
MD5
9d06a0509951399f7ccc94a8952f041d

SHA1
933f524ca176564706f8062bfbc631e321a4bbe4

SHA256
8e1501f1418f652681acdecf629ac0c27a1fb87ddb939a5fa5dba53a7635b7f6

SHA512
64d919b896c9e79012a778709bf5563f1cb0a6ecfbbaa11030b8cc68ac46404e5c2cd4cbeec5c6170f49fcd5acb60d5d323700b4376a5c0357e4a826c79d2787

Download Submit
C:\Users\Admin\AppData\Local\Temp\39dTKq8P\ow5EvhTF5d.exe
MD5
9d06a0509951399f7ccc94a8952f041d

SHA1
933f524ca176564706f8062bfbc631e321a4bbe4

SHA256
8e1501f1418f652681acdecf629ac0c27a1fb87ddb939a5fa5dba53a7635b7f6

SHA512
64d919b896c9e79012a778709bf5563f1cb0a6ecfbbaa11030b8cc68ac46404e5c2cd4cbeec5c6170f49fcd5acb60d5d323700b4376a5c0357e4a826c79d2787

Download Submit
C:\Users\Admin\AppData\Local\Temp\8utNM3JP\khpen2W9b.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\8utNM3JP\khpen2W9b.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI368.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6F2.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zembra.exe
MD5
0dcce39047700778b4e36188b6eea28e

SHA1
1b323820dfd9da3d1da039c79a8514e69fb31698

SHA256
f477238d3021193a2ba26c4be732dfe949976f7d02a55662dcc21a46f6d87845

SHA512
e971094ee925baf465f0e29a481c11fb176aed9e6605e8b25f0003f033ac1d124490e94a7e343ab1fd1a0601aec446d47592c22608297a2d5e7df8a1a13b788c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zembra.exe
MD5
0dcce39047700778b4e36188b6eea28e

SHA1
1b323820dfd9da3d1da039c79a8514e69fb31698

SHA256
f477238d3021193a2ba26c4be732dfe949976f7d02a55662dcc21a46f6d87845

SHA512
e971094ee925baf465f0e29a481c11fb176aed9e6605e8b25f0003f033ac1d124490e94a7e343ab1fd1a0601aec446d47592c22608297a2d5e7df8a1a13b788c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
MD5
743ff63db58e903983552a32125db378

SHA1
2411ac74d27e8efd6d1f2681a295d685ba629f32

SHA256
5b54c653b32d68f1d0bad9b54acc83da08fd0b173934c969033cbdab6b9109ff

SHA512
03bdd38f2a00e4632f7a1cd426df9bc9d91c507b7dff06426b92b9067a9b6946e5256bbf6ad2b2ad67d37b2a45ad4b0568512783aaeafdaf130562aa660dcbda

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
MD5
743ff63db58e903983552a32125db378

SHA1
2411ac74d27e8efd6d1f2681a295d685ba629f32

SHA256
5b54c653b32d68f1d0bad9b54acc83da08fd0b173934c969033cbdab6b9109ff

SHA512
03bdd38f2a00e4632f7a1cd426df9bc9d91c507b7dff06426b92b9067a9b6946e5256bbf6ad2b2ad67d37b2a45ad4b0568512783aaeafdaf130562aa660dcbda

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HM3G7.tmp\Software-update-patc_612604768.tmp
MD5
4caf2ca22417bb2cd44c0d0daf5fdd8b

SHA1
bdb2b86d9c033785c9b1db5618986030b2852ffd

SHA256
a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

SHA512
ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HM3G7.tmp\Software-update-patc_612604768.tmp
MD5
4caf2ca22417bb2cd44c0d0daf5fdd8b

SHA1
bdb2b86d9c033785c9b1db5618986030b2852ffd

SHA256
a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

SHA512
ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi
MD5
98e537669f4ce0062f230a14bcfcaf35

SHA1
a19344f6a5e59c71f51e86119f5fa52030a92810

SHA256
6f515aac05311f411968ee6e48d287a1eb452e404ffeff75ee0530dcf3243735

SHA512
1ebc254289610be65882a6ceb1beebbf2be83006117f0a6ccbddd19ab7dc807978232a13ad5fa39b6f06f694d4f7c75760b773d70b87c0badef1da89bb7af3ac

Download Submit
C:\Windows\Installer\MSI1AB4.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSI1CB7.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI1DA2.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI1E3F.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI1F3A.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSI20E0.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
C:\Windows\Installer\MSI2219.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Program Files (x86)\Dolore\quia\Quibusdam.exe
MD5
9b872933c0915fc132fe0a8246ea9298

SHA1
603f68a5bd95bbfe1faa9bac3760e8a2b5ea4b08

SHA256
da035b6389687dc5389b77c75b0ed3a99ce2e6cb1a0d7a96c29380a77f84d900

SHA512
27db5e85d4d3ae77428a58ce83f66d6f71c4131c473c2e8243423e223b4883621709bb517af5b675255eecbcd237aafc2ce7da712f64c45d91d472767b6dcade

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\39dTKq8P\ow5EvhTF5d.exe
MD5
9d06a0509951399f7ccc94a8952f041d

SHA1
933f524ca176564706f8062bfbc631e321a4bbe4

SHA256
8e1501f1418f652681acdecf629ac0c27a1fb87ddb939a5fa5dba53a7635b7f6

SHA512
64d919b896c9e79012a778709bf5563f1cb0a6ecfbbaa11030b8cc68ac46404e5c2cd4cbeec5c6170f49fcd5acb60d5d323700b4376a5c0357e4a826c79d2787

Download Submit
\Users\Admin\AppData\Local\Temp\8utNM3JP\khpen2W9b.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
\Users\Admin\AppData\Local\Temp\INA1B2.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Users\Admin\AppData\Local\Temp\MSI368.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Users\Admin\AppData\Local\Temp\MSI6F2.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
\Users\Admin\AppData\Local\Temp\Zembra.exe
MD5
0dcce39047700778b4e36188b6eea28e

SHA1
1b323820dfd9da3d1da039c79a8514e69fb31698

SHA256
f477238d3021193a2ba26c4be732dfe949976f7d02a55662dcc21a46f6d87845

SHA512
e971094ee925baf465f0e29a481c11fb176aed9e6605e8b25f0003f033ac1d124490e94a7e343ab1fd1a0601aec446d47592c22608297a2d5e7df8a1a13b788c

Download Submit
\Users\Admin\AppData\Local\Temp\Zembra.exe
MD5
0dcce39047700778b4e36188b6eea28e

SHA1
1b323820dfd9da3d1da039c79a8514e69fb31698

SHA256
f477238d3021193a2ba26c4be732dfe949976f7d02a55662dcc21a46f6d87845

SHA512
e971094ee925baf465f0e29a481c11fb176aed9e6605e8b25f0003f033ac1d124490e94a7e343ab1fd1a0601aec446d47592c22608297a2d5e7df8a1a13b788c

Download Submit
\Users\Admin\AppData\Local\Temp\ZembraBro.exe
MD5
743ff63db58e903983552a32125db378

SHA1
2411ac74d27e8efd6d1f2681a295d685ba629f32

SHA256
5b54c653b32d68f1d0bad9b54acc83da08fd0b173934c969033cbdab6b9109ff

SHA512
03bdd38f2a00e4632f7a1cd426df9bc9d91c507b7dff06426b92b9067a9b6946e5256bbf6ad2b2ad67d37b2a45ad4b0568512783aaeafdaf130562aa660dcbda

Download Submit
\Users\Admin\AppData\Local\Temp\is-A6TKR.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-A6TKR.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-A6TKR.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-HM3G7.tmp\Software-update-patc_612604768.tmp
MD5
4caf2ca22417bb2cd44c0d0daf5fdd8b

SHA1
bdb2b86d9c033785c9b1db5618986030b2852ffd

SHA256
a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

SHA512
ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Windows\Installer\MSI1AB4.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSI1CB7.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI1DA2.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI1E3F.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI1F3A.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSI20E0.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
\Windows\Installer\MSI2219.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
memory/428-182-0x0000000000000000-mapping.dmp

Download
memory/432-59-0x0000000000000000-mapping.dmp

Download
memory/432-67-0x0000000074561000-0x0000000074563000-memory.dmp

Filesize
8KB

Download
memory/432-63-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/668-61-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/668-55-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/684-77-0x00000000057E0000-0x00000000057E2000-memory.dmp

Filesize
8KB

Download
memory/684-75-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/684-74-0x0000000000400000-0x0000000001860000-memory.dmp

Filesize
20.4MB

Download
memory/684-72-0x0000000000400000-0x0000000001860000-memory.dmp

Filesize
20.4MB

Download
memory/684-70-0x0000000000000000-mapping.dmp

Download
memory/856-131-0x0000000000000000-mapping.dmp

Download
memory/884-79-0x0000000000000000-mapping.dmp

Download
memory/964-133-0x0000000000000000-mapping.dmp

Download
memory/1060-132-0x000007FEFB971000-0x000007FEFB973000-memory.dmp

Filesize
8KB

Download
memory/1108-169-0x0000000000000000-mapping.dmp

Download
memory/1512-147-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/1512-148-0x0000000000780000-0x0000000000787000-memory.dmp

Filesize
28KB

Download
memory/1512-140-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/1512-135-0x0000000000000000-mapping.dmp

Download
memory/1652-130-0x0000000000000000-mapping.dmp

Download
memory/1700-149-0x0000000000000000-mapping.dmp

Download
memory/1740-139-0x0000000000000000-mapping.dmp

Download
memory/1780-126-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1780-117-0x0000000000000000-mapping.dmp

Download
memory/1932-89-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/1932-94-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/1932-121-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/1932-122-0x0000000004540000-0x0000000004542000-memory.dmp

Filesize
8KB

Download
memory/1932-120-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/1932-114-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/1932-115-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/1932-85-0x0000000000000000-mapping.dmp

Download
memory/1932-112-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/1932-113-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/1932-107-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/1932-102-0x0000000000400000-0x00000000009A4000-memory.dmp

Filesize
5.6MB

Download
memory/1932-101-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/1932-99-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/1932-100-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/1932-97-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/1932-98-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/1932-93-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/1932-96-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/1932-123-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/1932-95-0x00000000044B0000-0x00000000044B2000-memory.dmp

Filesize
8KB

Download
memory/1932-92-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/1932-91-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/1932-90-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/1984-164-0x0000000000000000-mapping.dmp

Download