8dbbe3e8657d87e842026b7051a7b0680d3838749773997df91f123034a7566d

Analysis

max time kernel
146s
max time network
201s
platform
windows11_x64
resource
win11
submitted
29-10-2021 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run_848a9.exe
Size

1.7MB
MD5

67c86865ba800ab9f761356d4cc5c08c
SHA1

1f3dcc460c3fb02704e69cd8509445a92ac3600d
SHA256

8dbbe3e8657d87e842026b7051a7b0680d3838749773997df91f123034a7566d
SHA512

328c47921cfa939403736e63d0a5f5659dce3a916a44e6d0b0434ae4672bf96530a86cb19c2709a67914381fd8fc1c40b6e12209a35735743a8988a6166b50ff

Score

10^/10

discovery persistence spyware stealer suricata

Malware Config

Signatures

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata

Blocklisted process makes network request 48 IoCs

Processes:

MsiExec.exeMsiExec.exepowershell.exeMsiExec.exe

flow	pid	process
55	4540	MsiExec.exe
56	4540	MsiExec.exe
57	4540	MsiExec.exe
61	2016	MsiExec.exe
62	2016	MsiExec.exe
63	2016	MsiExec.exe
64	2016	MsiExec.exe
65	2016	MsiExec.exe
66	2016	MsiExec.exe
67	2016	MsiExec.exe
68	2016	MsiExec.exe
69	2016	MsiExec.exe
70	2016	MsiExec.exe
71	2016	MsiExec.exe
72	2016	MsiExec.exe
73	2016	MsiExec.exe
74	2016	MsiExec.exe
75	2016	MsiExec.exe
76	2016	MsiExec.exe
77	2016	MsiExec.exe
78	2016	MsiExec.exe
79	2016	MsiExec.exe
80	2016	MsiExec.exe
81	2016	MsiExec.exe
82	2016	MsiExec.exe
83	2016	MsiExec.exe
84	2016	MsiExec.exe
85	2016	MsiExec.exe
87	2016	MsiExec.exe
88	2016	MsiExec.exe
89	2016	MsiExec.exe
90	2016	MsiExec.exe
91	2016	MsiExec.exe
92	2016	MsiExec.exe
93	2016	MsiExec.exe
94	2016	MsiExec.exe
95	2016	MsiExec.exe
96	2016	MsiExec.exe
97	2016	MsiExec.exe
98	2016	MsiExec.exe
99	2016	MsiExec.exe
100	2016	MsiExec.exe
101	2016	MsiExec.exe
108	2216	powershell.exe
109	2216	powershell.exe
119	1864	MsiExec.exe
120	1864	MsiExec.exe
123	1864	MsiExec.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 29 IoCs

Processes:

run_848a9.tmpsetup.exesetup.tmpsetup_0.exesetup_0.tmptakemyfileapp2.exesetup_1.exesetup_1.tmphostwin.exesetup_2.exeaipackagechainer.exesetup_3.exeSettings%20Installation.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exesetup_4.exeSettings.exeSettings.exeaipackagechainer.exeWeather_Installation.exesetup_5.exeWebCompanionInstaller.exeSettings.exe

pid	process
1208	run_848a9.tmp
2488	setup.exe
2156	setup.tmp
3100	setup_0.exe
2792	setup_0.tmp
1984	takemyfileapp2.exe
1956	setup_1.exe
2192	setup_1.tmp
2760	hostwin.exe
4304	setup_2.exe
4748	aipackagechainer.exe
1404	setup_3.exe
4128	Settings%20Installation.exe
3964	Settings.exe
4652	Settings.exe
3956	Settings.exe
4420	Settings.exe
1572	Settings.exe
2924	Settings.exe
1312	Settings.exe
4876	Settings.exe
3188	setup_4.exe
1752	Settings.exe
2224	Settings.exe
4988	aipackagechainer.exe
1376	Weather_Installation.exe
2556	setup_5.exe
4804	WebCompanionInstaller.exe
4576	Settings.exe

Loads dropped DLL 64 IoCs

Processes:

setup.tmpsetup_1.tmpsetup_2.exeMsiExec.exeMsiExec.exesetup_3.exeSettings%20Installation.exeMsiExec.exeMsiExec.exeMsiExec.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exe

pid	process
2156	setup.tmp
2192	setup_1.tmp
4304	setup_2.exe
4060	MsiExec.exe
4060	MsiExec.exe
4540	MsiExec.exe
4540	MsiExec.exe
4540	MsiExec.exe
4540	MsiExec.exe
4540	MsiExec.exe
4540	MsiExec.exe
4540	MsiExec.exe
4540	MsiExec.exe
4540	MsiExec.exe
4540	MsiExec.exe
1404	setup_3.exe
1404	setup_3.exe
4128	Settings%20Installation.exe
4128	Settings%20Installation.exe
1404	setup_3.exe
1672	MsiExec.exe
1672	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
1404	setup_3.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
700	MsiExec.exe
700	MsiExec.exe
2016	MsiExec.exe
4128	Settings%20Installation.exe
4128	Settings%20Installation.exe
3964	Settings.exe
4128	Settings%20Installation.exe
4128	Settings%20Installation.exe
3964	Settings.exe
3964	Settings.exe
4652	Settings.exe
3956	Settings.exe
3956	Settings.exe
3956	Settings.exe
4420	Settings.exe
4420	Settings.exe
4420	Settings.exe
1572	Settings.exe
1572	Settings.exe
1572	Settings.exe
3956	Settings.exe
2924	Settings.exe
1312	Settings.exe
2924	Settings.exe
2924	Settings.exe
1312	Settings.exe
1312	Settings.exe
2924	Settings.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aipackagechainer.exeSettings%20Installation.exeaipackagechainer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\	aipackagechainer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Settings%20Installation.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Settings = "C:\\Users\\Admin\\AppData\\Roaming\\Settings\\Settings.exe --iUSIg"	Settings%20Installation.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	aipackagechainer.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	aipackagechainer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exesetup_3.exemsiexec.exesetup_2.exesetup_4.exe

description	ioc	process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	setup_3.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	setup_3.exe
File opened (read-only)	\??\I:	setup_2.exe
File opened (read-only)	\??\J:	setup_3.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	setup_3.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	setup_2.exe
File opened (read-only)	\??\R:	setup_2.exe
File opened (read-only)	\??\S:	setup_2.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	setup_4.exe
File opened (read-only)	\??\X:	setup_3.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	setup_4.exe
File opened (read-only)	\??\Y:	setup_4.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	setup_3.exe
File opened (read-only)	\??\U:	setup_3.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	setup_4.exe
File opened (read-only)	\??\J:	setup_2.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	setup_3.exe
File opened (read-only)	\??\Y:	setup_3.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	setup_4.exe
File opened (read-only)	\??\O:	setup_4.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	setup_4.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	setup_2.exe
File opened (read-only)	\??\T:	setup_2.exe
File opened (read-only)	\??\Z:	setup_2.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	setup_3.exe
File opened (read-only)	\??\U:	setup_4.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	setup_4.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	setup_3.exe
File opened (read-only)	\??\A:	setup_4.exe
File opened (read-only)	\??\Q:	setup_2.exe
File opened (read-only)	\??\X:	setup_2.exe
File opened (read-only)	\??\Y:	setup_2.exe

Drops file in Program Files directory 11 IoCs

Processes:

setup_1.tmprun_848a9.tmpsetup_0.tmp

description	ioc	process
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_1.tmp
File created	C:\Program Files (x86)\run_848a9\unins000.dat	run_848a9.tmp
File created	C:\Program Files (x86)\TakeMyFile\unins000.dat	setup_0.tmp
File created	C:\Program Files (x86)\TakeMyFile\is-HTTK3.tmp	setup_0.tmp
File opened for modification	C:\Program Files (x86)\TakeMyFile\unins000.dat	setup_0.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-PITFI.tmp	setup_1.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_1.tmp
File created	C:\Program Files (x86)\run_848a9\is-9MNJ9.tmp	run_848a9.tmp
File opened for modification	C:\Program Files (x86)\run_848a9\unins000.dat	run_848a9.tmp
File opened for modification	C:\Program Files (x86)\TakeMyFile\takemyfileapp2.exe	setup_0.tmp
File created	C:\Program Files (x86)\TakeMyFile\is-UE2OR.tmp	setup_0.tmp

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIED76.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D20.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F55.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2011.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFD856ED06ACA3D757.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8188.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84F6.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC677C984F4D99DAA.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF29C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI241C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI803B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI88DF.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF179392728C40BFD8.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB4AE977E0FF5875F.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2844.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f74e777.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED46.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEFBD.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFDF8958BB7440DB3D.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\f74e77b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI18A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1BD5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2AD6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE89.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIECF7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEF3F.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF138EBE36DEB6BB99.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Tasks\SA.DAT	svchost.exe
File created	C:\Windows\SystemTemp\~DFB865481FB80F14B3.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8118.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8148.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A09.tmp	msiexec.exe
File created	C:\Windows\Installer\f74e777.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\f74e77b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C83.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDC6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E98.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC0ED23A4DF57DB7D.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF76A8347B2E7EDA47.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF51A27F6686D1D1EC.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI80F8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2330.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEF2E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f74e77e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB08.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84E5.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0ABF29EE6DB3437E.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDA6.tmp	msiexec.exe
File opened for modification	C:\Windows\Tasks\SA.DAT	svchost.exe
File opened for modification	C:\Windows\Installer\MSI29FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF359.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B56.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B86.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI237F.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4E4F7B8748DB011C.TMP	msiexec.exe
File created	C:\Windows\Installer\f74e77e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE9BA.tmp	msiexec.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

takemyfileapp2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	takemyfileapp2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	takemyfileapp2.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4148 taskkill.exe

pid	process
4148	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8	msiexec.exe

Modifies registry class 7 IoCs

Processes:

setup_0.tmpShellExperienceHost.exeSettings.exeSettings.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\TakeMyFile\command\ = "C:\\Program Files (x86)\\TakeMyFile\\takemyfileapp2.exe \"%1\""	setup_0.tmp
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\MuiCache	ShellExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{0AFCB3E5-D521-4895-AB94-EA964259F8E2}	Settings.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{26B13B2B-195B-4861-9469-399437C84392}	Settings.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\TakeMyFile	setup_0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\TakeMyFile\icon = "C:\\Program Files (x86)\\TakeMyFile\\takemyfileapp2.exe"	setup_0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\TakeMyFile\command	setup_0.tmp

Modifies system certificate store 2 TTPs 21 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

setup_2.exesetup_3.exeSettings.exesetup_4.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	setup_2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	setup_2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	setup_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	setup_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Settings.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	setup_4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup_3.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	setup_4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Settings.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	setup_2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	setup_2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	setup_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	setup_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	setup_2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	setup_2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Settings.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

run_848a9.tmpsetup_0.tmpsetup_1.tmpmsiexec.exeMsiExec.exeMsiExec.exepowershell.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exetaskmgr.exe

pid	process
1208	run_848a9.tmp
1208	run_848a9.tmp
2792	setup_0.tmp
2792	setup_0.tmp
2192	setup_1.tmp
2192	setup_1.tmp
3140	msiexec.exe
3140	msiexec.exe
1672	MsiExec.exe
1672	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
3140	msiexec.exe
3140	msiexec.exe
2216	powershell.exe
2216	powershell.exe
2216	powershell.exe
3956	Settings.exe
3956	Settings.exe
1572	Settings.exe
1572	Settings.exe
4420	Settings.exe
4420	Settings.exe
3964	Settings.exe
3964	Settings.exe
2924	Settings.exe
2924	Settings.exe
1312	Settings.exe
1312	Settings.exe
4876	Settings.exe
4876	Settings.exe
3140	msiexec.exe
3140	msiexec.exe
1752	Settings.exe
1752	Settings.exe
2224	Settings.exe
2224	Settings.exe
1764	taskmgr.exe
1764	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

hostwin.exe

pid process

2760 hostwin.exe

pid	process
2760	hostwin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exesetup_2.exe

description	pid	process
Token: SeSecurityPrivilege	3140	msiexec.exe
Token: SeCreateTokenPrivilege	4304	setup_2.exe
Token: SeAssignPrimaryTokenPrivilege	4304	setup_2.exe
Token: SeLockMemoryPrivilege	4304	setup_2.exe
Token: SeIncreaseQuotaPrivilege	4304	setup_2.exe
Token: SeMachineAccountPrivilege	4304	setup_2.exe
Token: SeTcbPrivilege	4304	setup_2.exe
Token: SeSecurityPrivilege	4304	setup_2.exe
Token: SeTakeOwnershipPrivilege	4304	setup_2.exe
Token: SeLoadDriverPrivilege	4304	setup_2.exe
Token: SeSystemProfilePrivilege	4304	setup_2.exe
Token: SeSystemtimePrivilege	4304	setup_2.exe
Token: SeProfSingleProcessPrivilege	4304	setup_2.exe
Token: SeIncBasePriorityPrivilege	4304	setup_2.exe
Token: SeCreatePagefilePrivilege	4304	setup_2.exe
Token: SeCreatePermanentPrivilege	4304	setup_2.exe
Token: SeBackupPrivilege	4304	setup_2.exe
Token: SeRestorePrivilege	4304	setup_2.exe
Token: SeShutdownPrivilege	4304	setup_2.exe
Token: SeDebugPrivilege	4304	setup_2.exe
Token: SeAuditPrivilege	4304	setup_2.exe
Token: SeSystemEnvironmentPrivilege	4304	setup_2.exe
Token: SeChangeNotifyPrivilege	4304	setup_2.exe
Token: SeRemoteShutdownPrivilege	4304	setup_2.exe
Token: SeUndockPrivilege	4304	setup_2.exe
Token: SeSyncAgentPrivilege	4304	setup_2.exe
Token: SeEnableDelegationPrivilege	4304	setup_2.exe
Token: SeManageVolumePrivilege	4304	setup_2.exe
Token: SeImpersonatePrivilege	4304	setup_2.exe
Token: SeCreateGlobalPrivilege	4304	setup_2.exe
Token: SeCreateTokenPrivilege	4304	setup_2.exe
Token: SeAssignPrimaryTokenPrivilege	4304	setup_2.exe
Token: SeLockMemoryPrivilege	4304	setup_2.exe
Token: SeIncreaseQuotaPrivilege	4304	setup_2.exe
Token: SeMachineAccountPrivilege	4304	setup_2.exe
Token: SeTcbPrivilege	4304	setup_2.exe
Token: SeSecurityPrivilege	4304	setup_2.exe
Token: SeTakeOwnershipPrivilege	4304	setup_2.exe
Token: SeLoadDriverPrivilege	4304	setup_2.exe
Token: SeSystemProfilePrivilege	4304	setup_2.exe
Token: SeSystemtimePrivilege	4304	setup_2.exe
Token: SeProfSingleProcessPrivilege	4304	setup_2.exe
Token: SeIncBasePriorityPrivilege	4304	setup_2.exe
Token: SeCreatePagefilePrivilege	4304	setup_2.exe
Token: SeCreatePermanentPrivilege	4304	setup_2.exe
Token: SeBackupPrivilege	4304	setup_2.exe
Token: SeRestorePrivilege	4304	setup_2.exe
Token: SeShutdownPrivilege	4304	setup_2.exe
Token: SeDebugPrivilege	4304	setup_2.exe
Token: SeAuditPrivilege	4304	setup_2.exe
Token: SeSystemEnvironmentPrivilege	4304	setup_2.exe
Token: SeChangeNotifyPrivilege	4304	setup_2.exe
Token: SeRemoteShutdownPrivilege	4304	setup_2.exe
Token: SeUndockPrivilege	4304	setup_2.exe
Token: SeSyncAgentPrivilege	4304	setup_2.exe
Token: SeEnableDelegationPrivilege	4304	setup_2.exe
Token: SeManageVolumePrivilege	4304	setup_2.exe
Token: SeImpersonatePrivilege	4304	setup_2.exe
Token: SeCreateGlobalPrivilege	4304	setup_2.exe
Token: SeCreateTokenPrivilege	4304	setup_2.exe
Token: SeAssignPrimaryTokenPrivilege	4304	setup_2.exe
Token: SeLockMemoryPrivilege	4304	setup_2.exe
Token: SeIncreaseQuotaPrivilege	4304	setup_2.exe
Token: SeMachineAccountPrivilege	4304	setup_2.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

run_848a9.tmpsetup_0.tmpsetup_1.tmpsetup_2.exesetup_3.exetakemyfileapp2.exeSettings.exesetup_4.exetaskmgr.exe

pid	process
1208	run_848a9.tmp
2792	setup_0.tmp
2192	setup_1.tmp
4304	setup_2.exe
1404	setup_3.exe
1984	takemyfileapp2.exe
1984	takemyfileapp2.exe
1984	takemyfileapp2.exe
3964	Settings.exe
3188	setup_4.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

takemyfileapp2.exetaskmgr.exe

pid	process
1984	takemyfileapp2.exe
1984	takemyfileapp2.exe
1984	takemyfileapp2.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe
1764	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ShellExperienceHost.exe

pid process

888 ShellExperienceHost.exe
888 ShellExperienceHost.exe

pid	process
888	ShellExperienceHost.exe
888	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

run_848a9.exerun_848a9.tmpsetup.exesetup.tmpsetup_0.exesetup_0.tmpsetup_1.exesetup_1.tmpmsiexec.exesetup_2.exeaipackagechainer.exesetup_3.exeMsiExec.exeSettings%20Installation.exe

description	pid	process	target process
PID 3444 wrote to memory of 1208	3444	run_848a9.exe	run_848a9.tmp
PID 3444 wrote to memory of 1208	3444	run_848a9.exe	run_848a9.tmp
PID 3444 wrote to memory of 1208	3444	run_848a9.exe	run_848a9.tmp
PID 1208 wrote to memory of 2488	1208	run_848a9.tmp	setup.exe
PID 1208 wrote to memory of 2488	1208	run_848a9.tmp	setup.exe
PID 1208 wrote to memory of 2488	1208	run_848a9.tmp	setup.exe
PID 2488 wrote to memory of 2156	2488	setup.exe	setup.tmp
PID 2488 wrote to memory of 2156	2488	setup.exe	setup.tmp
PID 2488 wrote to memory of 2156	2488	setup.exe	setup.tmp
PID 2156 wrote to memory of 3100	2156	setup.tmp	setup_0.exe
PID 2156 wrote to memory of 3100	2156	setup.tmp	setup_0.exe
PID 2156 wrote to memory of 3100	2156	setup.tmp	setup_0.exe
PID 3100 wrote to memory of 2792	3100	setup_0.exe	setup_0.tmp
PID 3100 wrote to memory of 2792	3100	setup_0.exe	setup_0.tmp
PID 3100 wrote to memory of 2792	3100	setup_0.exe	setup_0.tmp
PID 2792 wrote to memory of 1984	2792	setup_0.tmp	takemyfileapp2.exe
PID 2792 wrote to memory of 1984	2792	setup_0.tmp	takemyfileapp2.exe
PID 2792 wrote to memory of 1984	2792	setup_0.tmp	takemyfileapp2.exe
PID 2156 wrote to memory of 1956	2156	setup.tmp	setup_1.exe
PID 2156 wrote to memory of 1956	2156	setup.tmp	setup_1.exe
PID 2156 wrote to memory of 1956	2156	setup.tmp	setup_1.exe
PID 1956 wrote to memory of 2192	1956	setup_1.exe	setup_1.tmp
PID 1956 wrote to memory of 2192	1956	setup_1.exe	setup_1.tmp
PID 1956 wrote to memory of 2192	1956	setup_1.exe	setup_1.tmp
PID 2192 wrote to memory of 2760	2192	setup_1.tmp	hostwin.exe
PID 2192 wrote to memory of 2760	2192	setup_1.tmp	hostwin.exe
PID 2156 wrote to memory of 4304	2156	setup.tmp	setup_2.exe
PID 2156 wrote to memory of 4304	2156	setup.tmp	setup_2.exe
PID 2156 wrote to memory of 4304	2156	setup.tmp	setup_2.exe
PID 3140 wrote to memory of 4060	3140	msiexec.exe	MsiExec.exe
PID 3140 wrote to memory of 4060	3140	msiexec.exe	MsiExec.exe
PID 3140 wrote to memory of 4060	3140	msiexec.exe	MsiExec.exe
PID 4304 wrote to memory of 1036	4304	setup_2.exe	msiexec.exe
PID 4304 wrote to memory of 1036	4304	setup_2.exe	msiexec.exe
PID 4304 wrote to memory of 1036	4304	setup_2.exe	msiexec.exe
PID 3140 wrote to memory of 4540	3140	msiexec.exe	MsiExec.exe
PID 3140 wrote to memory of 4540	3140	msiexec.exe	MsiExec.exe
PID 3140 wrote to memory of 4540	3140	msiexec.exe	MsiExec.exe
PID 3140 wrote to memory of 4748	3140	msiexec.exe	aipackagechainer.exe
PID 3140 wrote to memory of 4748	3140	msiexec.exe	aipackagechainer.exe
PID 3140 wrote to memory of 4748	3140	msiexec.exe	aipackagechainer.exe
PID 2156 wrote to memory of 1404	2156	setup.tmp	setup_3.exe
PID 2156 wrote to memory of 1404	2156	setup.tmp	setup_3.exe
PID 2156 wrote to memory of 1404	2156	setup.tmp	setup_3.exe
PID 4748 wrote to memory of 4128	4748	aipackagechainer.exe	Settings%20Installation.exe
PID 4748 wrote to memory of 4128	4748	aipackagechainer.exe	Settings%20Installation.exe
PID 4748 wrote to memory of 4128	4748	aipackagechainer.exe	Settings%20Installation.exe
PID 3140 wrote to memory of 1672	3140	msiexec.exe	MsiExec.exe
PID 3140 wrote to memory of 1672	3140	msiexec.exe	MsiExec.exe
PID 3140 wrote to memory of 1672	3140	msiexec.exe	MsiExec.exe
PID 1404 wrote to memory of 2256	1404	setup_3.exe	msiexec.exe
PID 1404 wrote to memory of 2256	1404	setup_3.exe	msiexec.exe
PID 1404 wrote to memory of 2256	1404	setup_3.exe	msiexec.exe
PID 3140 wrote to memory of 2016	3140	msiexec.exe	MsiExec.exe
PID 3140 wrote to memory of 2016	3140	msiexec.exe	MsiExec.exe
PID 3140 wrote to memory of 2016	3140	msiexec.exe	MsiExec.exe
PID 2016 wrote to memory of 4148	2016	MsiExec.exe	taskkill.exe
PID 2016 wrote to memory of 4148	2016	MsiExec.exe	taskkill.exe
PID 2016 wrote to memory of 4148	2016	MsiExec.exe	taskkill.exe
PID 3140 wrote to memory of 700	3140	msiexec.exe	MsiExec.exe
PID 3140 wrote to memory of 700	3140	msiexec.exe	MsiExec.exe
PID 3140 wrote to memory of 700	3140	msiexec.exe	MsiExec.exe
PID 4128 wrote to memory of 3964	4128	Settings%20Installation.exe	Settings.exe
PID 4128 wrote to memory of 3964	4128	Settings%20Installation.exe	Settings.exe

C:\Users\Admin\AppData\Local\Temp\run_848a9.exe
"C:\Users\Admin\AppData\Local\Temp\run_848a9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3444

C:\Users\Admin\AppData\Local\Temp\is-J32KT.tmp\run_848a9.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J32KT.tmp\run_848a9.tmp" /SL5="$20094,986812,780800,C:\Users\Admin\AppData\Local\Temp\run_848a9.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\is-JVBGT.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-JVBGT.tmp\setup.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\Temp\is-D9M3F.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D9M3F.tmp\setup.tmp" /SL5="$701FC,921114,831488,C:\Users\Admin\AppData\Local\Temp\is-JVBGT.tmp\setup.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_0.exe
"C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_0.exe" /pid=2651945 /cid=2094 /VERYSILENT
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100

C:\Users\Admin\AppData\Local\Temp\is-CL5T4.tmp\setup_0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CL5T4.tmp\setup_0.tmp" /SL5="$102A6,859139,58368,C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_0.exe" /pid=2651945 /cid=2094 /VERYSILENT
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2792

C:\Program Files (x86)\TakeMyFile\takemyfileapp2.exe
"C:\Program Files (x86)\TakeMyFile\takemyfileapp2.exe" report 2651945 2094
7⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1984

C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_1.exe
"C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_1.exe" /VERYSILENT /id=2094
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\is-GKGMC.tmp\setup_1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GKGMC.tmp\setup_1.tmp" /SL5="$202A6,140765,56832,C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_1.exe" /VERYSILENT /id=2094
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Temp\is-SFH1C.tmp\hostwin.exe
"C:\Users\Admin\AppData\Local\Temp\is-SFH1C.tmp\hostwin.exe" 2094 64
7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:2760

C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_2.exe" SID=765 CID=765 SILENT=1 /quiet
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi" SID=765 CID=765 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_2.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630507832 SID=765 CID=765 SILENT=1 /quiet " SID="765" CID="765"
6⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_3.exe
"C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_3.exe" /qn CAMPAIGN="2094"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" /qn CAMPAIGN=2094 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_3.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630507832 /qn CAMPAIGN=""2094"" " CAMPAIGN="2094"
6⤵
- Enumerates connected drives
PID:2256

C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_4.exe
"C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_4.exe" /quiet SILENT=1 AF=751__US
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:3188

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=751__US AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_4.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630507832 /quiet SILENT=1 AF=751__US " AF="751__US" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
6⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_5.exe
"C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_5.exe" --silent --partner=IT201117
5⤵
- Executes dropped EXE
PID:2556

C:\Users\Admin\AppData\Local\Temp\7zSCF9D7195\WebCompanionInstaller.exe
.\WebCompanionInstaller.exe --partner=IT201117 --version=7.0.2417.4248 --prod --silent --partner=IT201117
6⤵
- Executes dropped EXE
PID:4804

C:\Windows\SysWOW64\sc.exe
"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
7⤵
PID:3932

C:\Windows\SysWOW64\sc.exe
"sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
7⤵
PID:2644

C:\Windows\SysWOW64\sc.exe
"sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
7⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
7⤵
PID:1528

C:\Windows\SysWOW64\netsh.exe
netsh http add urlacl url=http://+:9007/ user=Everyone
8⤵
PID:3916

C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --install --geo=
7⤵
PID:4624

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B82E191FDE3625CB26B7CA8F4BCDB04B C
2⤵
- Loads dropped DLL
PID:4060

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0DCC4B9F26FC5061DBA9EE1DBAD02477
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4540

C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4748

C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe" -silent=1 -CID=765 -SID=765 -submn=default
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4128

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" "--iUSIg"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3964

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1c0,0x210,0x7ffd418bdec0,0x7ffd418bded0,0x7ffd418bdee0
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4652

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1592,17796308506535524952,15450420065756967663,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3964_1312415333" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1608 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3956

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1592,17796308506535524952,15450420065756967663,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3964_1312415333" --mojo-platform-channel-handle=1932 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4420

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1592,17796308506535524952,15450420065756967663,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3964_1312415333" --mojo-platform-channel-handle=2200 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1572

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1592,17796308506535524952,15450420065756967663,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3964_1312415333" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2524 /prefetch:1
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1592,17796308506535524952,15450420065756967663,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3964_1312415333" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2548 /prefetch:1
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1592,17796308506535524952,15450420065756967663,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3964_1312415333" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3220 /prefetch:2
5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4876

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,17796308506535524952,15450420065756967663,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3964_1312415333" --mojo-platform-channel-handle=3692 /prefetch:8
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1752

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,17796308506535524952,15450420065756967663,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3964_1312415333" --mojo-platform-channel-handle=3344 /prefetch:8
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2224

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,17796308506535524952,15450420065756967663,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3964_1312415333" --mojo-platform-channel-handle=480 /prefetch:8
5⤵
- Executes dropped EXE
PID:4576

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,17796308506535524952,15450420065756967663,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3964_1312415333" --mojo-platform-channel-handle=3416 /prefetch:8
5⤵
PID:2992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_513E.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites' -retry_count 10"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2216

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 86F98F20D378E1D260AD1C2BF221B86E C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1672

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FDA5BC5647A22BAEB5F04DA101676EB0
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:4148

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DF8DB035C406B8A0C05626B3C0FD1609 E Global\MSI0000
2⤵
- Loads dropped DLL
PID:700

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0D851DBEC87F804A199F66F789971620 C
2⤵
PID:2160

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D57CCF0D549F53E88E67FD1778AED11B
2⤵
- Blocklisted process makes network request
PID:1864

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4988

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=751__US -BF=default -uncf=default
3⤵
- Executes dropped EXE
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in Windows directory
PID:2808

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in Windows directory
PID:2984

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1456

C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"
1⤵
PID:404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TakeMyFile\takemyfileapp2.exe
MD5
96f0ec1dd262f03d9c4dc71ca0c4abb3

SHA1
b25222639d324fe07ad6dc9cc240046bf036af85

SHA256
0555fd26a051d4576f81a6384807430dc290f997eca72e4ab6f058c79101d64b

SHA512
e9a42f045073f34b3dbab630edb1a6befee1d07d4ef0c584fcd384aca297ec9d2b66595d0ad9264338f3cf6d5fde715bac799651a8a99ecc5d369a1ddcae6899

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_1C9188608785142B616358BAE9B73F2D
MD5
8d720eea5e516cad40ecd8a2d212e08b

SHA1
5d3ab3b2c52d471cb769782d642944cbd9e94a97

SHA256
fe4307756718e7f4555c29d3abff96d01b12c7b254c397527dc62d3ba8d825ed

SHA512
047a4bea5dc18fdf13b477ac7fa78e7d6b953f4d958ddb3a8fe1a9d939682b33b4433fd37f4e194cc7a88f1af61dd362a25fc16d5169c6ecfb9bda3933e568ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
MD5
a4c3ff630c91e854a58c0aba97555f7b

SHA1
b3d4537dd4a29bd6c5570d839051a484c749dff7

SHA256
66ca045c3102126cc7dc60d65ce281fab903e99156fb3846b69747e71743cc7f

SHA512
5b4c8bac2f5339cb6af55f66ecef24d3af4c78c8b81585a49dc5fb080baaa079a62976e763059b5b8d6b9d30f3b7bd2e96f75262038baeb173902b22c9ed0e2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
MD5
15db79133013f8a3676af10f250ad06a

SHA1
53454fb12c6781b8c95a6072a75971433180510b

SHA256
c57ce646e8e2f4e52265a73e8b279d14e9bdeada8e17537966c7a3ad81a6bbe1

SHA512
6e3764e55d39456dc596315a07a2e7b8feab2b41738dee9dd516a02cbdd95432c7019edbaa609cc1bd8ae720add0a9c83d493ab2428a47edc2996c82394ca65a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
MD5
f3eff9264ac38c152c8c65f7a3b92f57

SHA1
b89df29b8336c11d884a548fcb6d35c5cc2dff77

SHA256
0581869ececc28e9aeb4973ce389d0e331286361c552e49146909f6761071b6b

SHA512
b422b7aa4843ffbb71658c3fafa118fc523e204cf4d807b5329084d8cbc3e30f9472476109ec46ff74bc970e83df255e870bcf726bf4f91dbca7d64605f021e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
MD5
d3b4a7a010339c0a27044e0f898a16b5

SHA1
eb64718c1c201c50b6d07877c8a286b274b5b8e4

SHA256
311010080becf1578e842aae708435af4abddc3bbb5a5ed69d7823db4c1e420d

SHA512
ce96337e4e89275f700f951501638304ac523b96ab549e7c5218c09c15b6a8051eeab14a051bb34140c82932c37a20d659cece3a3b6cf4af8462a1c6b805d291

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
MD5
52bbbd3a8be1b451bf24ea2204a95b58

SHA1
23cd624677119a1dead9c3782dddd340c7fbd260

SHA256
98d435304a8a1079a98b92f848e604a70f5e936a3751ee593a60919f74b5abba

SHA512
6a9a35169724eeb2f3949545b85de01f2b5d5351a2161633976cf589252bf031b4f18f9a7244563ae23602f8c9a09e8f7f015b901e6e9f976845dbc9e6f20369

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
fc0e6b4655baa316a9d601a3847c609b

SHA1
36d585b40862c39f459e044fe43d6472c2da169c

SHA256
22e087f7285540b9d47e009ef251d78db5f4b08984febcefe810bec0bc4f311a

SHA512
7271acd620418aba5f03cc01eda971139401b93889f25b112c4dd9e62dce19574b38185ff884596494073e1d701fdd7bc34fd0f9d39267008ad8913d3c7bc9ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_1C9188608785142B616358BAE9B73F2D
MD5
c4021c56b1b6677c078db5773c816344

SHA1
7940fc50953afd4b12a870706ee258c52fb34bfe

SHA256
7b7b816f3243c249e6948377f10ddfa5cc44195fbec2311acdd3906e2f4474c1

SHA512
21d8da91283238daaf951badb8f109233c9ef7ba3a8b01f23ddb405210c83264b875374bb7b7d2a76e277ba969d31b9771bb7bed755bfce91ac3c10b2e57c4b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
MD5
57a8468134431562a5b1a8bc6b91b1fa

SHA1
43c3a0f70efafa386bc5cb255aa67e8e983dfb4f

SHA256
6eacc34c131d4d4deba15d7cece30dc3ed90b2c845ec0406b80d66a8a9c0e9e9

SHA512
b0edbbffd89bfb3a7f6e66a5b9889fcc521a2cd9574312166449707d7ebefeaa95ea3aae6df0ff4e8625692016f76c8209eb7c18553a6a3b7747983880d11410

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
MD5
e640a07f53cfc6ef4d173f9cff81f91a

SHA1
40d8088c0d7b4343546f63c2d37d8dcdbf6f076c

SHA256
15f02743df0235f8fa7a67c4669508a5dc6086cef0afb4b283dbfee264fde7be

SHA512
9760f7c15e4799817fcfab3b3e829827836c5e6fbdacc11c99c4936154ed891375cb43f665dd5ec83f2d4389fa3c133b200c6ebe6c8b54e31f30a2fe7ec0bc67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
MD5
8cb6f53571c7dd4d312a38e61c9c62b4

SHA1
f436177b79033a66bc24eeccfe0218ec0531c186

SHA256
dfd7fdfc836e478ce47faca7fabf8e806875e372094cd8b19c083159213d4f39

SHA512
2858f93cd693c059d9f78450ce89fc8d221890db54ddd87a718bc0ba145f8a05ecb45f6acef80717dbe1cea8183400e6e9165631b7b46823d13418672592c56c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
MD5
cb90ba2821fdd2f3811a1b0b7ac8acfc

SHA1
9e69c43071cf2e8a6473093cffc58d466246ed34

SHA256
dd904813f871fb284f8b45595c9071513e2dc32378e35323ccdf0f23529b1bb8

SHA512
e202bbb6791d99b2c55a7f8a2d2f9db6a3b1d76471df8f635eb8f58c079ba9f83cd3a24a653cea1023f1c85a142ed68405a163f36b8ce6db630566ee2996e4fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
MD5
4dc2b0363f2c2342fc0372d6506bf34f

SHA1
2d0104f4ef92b246f3db3a7b77a632840818bdaa

SHA256
ce51227c3c150ffda3d68ff127c73503c521da5bc84e3867f7b1e3bdec8fcde3

SHA512
8ce34a20a543f1c287974bfb6b48004287fdd91fd31090a54533891f4771d635848c017c8ea6d28c5196fdc7451162ee6e0956229dbee342ff93798bc8a5191a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE4C9.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE4C9.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE557.tmp
MD5
e6a708c70a8cfd78b7c0383615545158

SHA1
b9274d9bf4750f557d34ddfd802113f5dd1df91c

SHA256
e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c

SHA512
2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE557.tmp
MD5
e6a708c70a8cfd78b7c0383615545158

SHA1
b9274d9bf4750f557d34ddfd802113f5dd1df91c

SHA256
e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c

SHA512
2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CL5T4.tmp\setup_0.tmp
MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CL5T4.tmp\setup_0.tmp
MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D9M3F.tmp\setup.tmp
MD5
38e9177040663abdf7cb42d237b03d9d

SHA1
0b95b3694406d9d86aa3e4953f42d471977ff03d

SHA256
2a322dbda4ac86aed04ab99f9f2c277c2f84b6046e234c3ae55ceec53883b594

SHA512
78db4c72b2e10d665775e7f306d926060c95ba47610e809e0a21006280f9f0280fa572168b9c9ee00e2121090db9a20dc524677d961fea4292c41c44ba3cb30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GKGMC.tmp\setup_1.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GKGMC.tmp\setup_1.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J32KT.tmp\run_848a9.tmp
MD5
172be78472394107d27ae2337ad8bf58

SHA1
530b852a568698a51fb11e137f8c5da54c21a29c

SHA256
b45d8b87c446af32aaead1b658bb10b22ba951cba63d432f665cd8c0150a576b

SHA512
903f4f3846627e03593163e89c2cd06c43a76cccbadd7eb345fd851433d290cc95737255f12d961106b43bc0a3012ea577fca0246dd7ead4665786654f122a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J32KT.tmp\run_848a9.tmp
MD5
172be78472394107d27ae2337ad8bf58

SHA1
530b852a568698a51fb11e137f8c5da54c21a29c

SHA256
b45d8b87c446af32aaead1b658bb10b22ba951cba63d432f665cd8c0150a576b

SHA512
903f4f3846627e03593163e89c2cd06c43a76cccbadd7eb345fd851433d290cc95737255f12d961106b43bc0a3012ea577fca0246dd7ead4665786654f122a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JVBGT.tmp\setup.exe
MD5
af5770a146da7de3837f95f622c150e5

SHA1
83edfc1970dcec10ac1a3fad0281486b8fc23810

SHA256
864a35c54d0d9aa563d4e300bd003c83502f45df8736c2f6bbb0edf74870a2e7

SHA512
15f40a0d8af86b809768ff6ee87633be59ab06d2db2b6281c30bd2e81a9b10fefb9f9737e9a770e9b084997086c45e6d3d9a2ce70ec29b0b94eab04157a2d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JVBGT.tmp\setup.exe
MD5
af5770a146da7de3837f95f622c150e5

SHA1
83edfc1970dcec10ac1a3fad0281486b8fc23810

SHA256
864a35c54d0d9aa563d4e300bd003c83502f45df8736c2f6bbb0edf74870a2e7

SHA512
15f40a0d8af86b809768ff6ee87633be59ab06d2db2b6281c30bd2e81a9b10fefb9f9737e9a770e9b084997086c45e6d3d9a2ce70ec29b0b94eab04157a2d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SFH1C.tmp\hostwin.exe
MD5
b3bb91ad96f2d4c041861ce59ba6ac73

SHA1
e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3

SHA256
0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426

SHA512
e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SFH1C.tmp\hostwin.exe
MD5
b3bb91ad96f2d4c041861ce59ba6ac73

SHA1
e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3

SHA256
0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426

SHA512
e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SFH1C.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\idp.dll
MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_0.exe
MD5
2c9cd007de9f99579da31ce28481ede0

SHA1
72b8f13007747ca6231f7da558fec3fa1b996b98

SHA256
3b87f07a3ed4782c8fcebe44ae6b036d717aa127db34995c24f2d9f1c7dce44d

SHA512
f3c7c1b47839d628b94701f12165113cb3e300cf46e2b213267159465713bbae26be70c48be652365a5bebf9559e9ec46310914a983ddf9b86a9708b5441d447

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_0.exe
MD5
2c9cd007de9f99579da31ce28481ede0

SHA1
72b8f13007747ca6231f7da558fec3fa1b996b98

SHA256
3b87f07a3ed4782c8fcebe44ae6b036d717aa127db34995c24f2d9f1c7dce44d

SHA512
f3c7c1b47839d628b94701f12165113cb3e300cf46e2b213267159465713bbae26be70c48be652365a5bebf9559e9ec46310914a983ddf9b86a9708b5441d447

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_1.exe
MD5
5dd257000cde6a086046cadff128eba9

SHA1
cbef6958c188daa91e66607443a0421b36b35f19

SHA256
f8f138e3290ccbaa58efe016d661eb19cb8731ff89a5df2af5015a22becdb0dd

SHA512
7a1139f109ea5d47e312b850ec904c762028b5cc35254ac2dd9f2fe1bf74b70f0c5dbaaced48b63b0485116db99a1c23acf62ae96e0f07bcfcd018f10abc939c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_1.exe
MD5
5dd257000cde6a086046cadff128eba9

SHA1
cbef6958c188daa91e66607443a0421b36b35f19

SHA256
f8f138e3290ccbaa58efe016d661eb19cb8731ff89a5df2af5015a22becdb0dd

SHA512
7a1139f109ea5d47e312b850ec904c762028b5cc35254ac2dd9f2fe1bf74b70f0c5dbaaced48b63b0485116db99a1c23acf62ae96e0f07bcfcd018f10abc939c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_2.exe
MD5
4089790fa14889f8990d9a1e31e8a041

SHA1
b44f3012ade8d942166fbf2d4833a40c934cd7e7

SHA256
6c33bfeb38fdf3dc27297f92c66ae750f7260a955e155582ccd725af23aec880

SHA512
90026d9fd1e6f55decc8c8792c16122563def33dc4dac3f0db7c9b297bdc26e059fcb5f732deb752bca98c366c1ba1fbf0c5f3e74331616122c52db1d9a7f796

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_2.exe
MD5
4089790fa14889f8990d9a1e31e8a041

SHA1
b44f3012ade8d942166fbf2d4833a40c934cd7e7

SHA256
6c33bfeb38fdf3dc27297f92c66ae750f7260a955e155582ccd725af23aec880

SHA512
90026d9fd1e6f55decc8c8792c16122563def33dc4dac3f0db7c9b297bdc26e059fcb5f732deb752bca98c366c1ba1fbf0c5f3e74331616122c52db1d9a7f796

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VC82Q.tmp\setup_3.exe
MD5
78b13010746f790292949e6bd53321da

SHA1
fdc327892bd4d3f41b0a5210dbdd54e381ff3ae3

SHA256
b945185dc04126878956ebc6246cb62391edba6e64d954f3f33ce767e74238e7

SHA512
2422e5c7e354e6b6fb9f539cb56c6a6bc9ca9dcd0eeda80209975819504f59ce09e49c5e5586d6a646e6c16dd4fba87422d1dbd7d590c49f67a2fda2489dca9c

Download Submit
C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi
MD5
acadfc9d99be20d8c9f710f0df886ae1

SHA1
998fd9d3d172c3ab7498d74fcfff748792013edd

SHA256
186dff721282a6eacb1f69010cd8f1e95332eb5e572c155faee7d1a45a91fdb7

SHA512
d996222f5c1e0dab0916ecfb797fd863c9e64b258e9c1f9f112f60bbd43b6af558d14eb856865f2d042c3464b2258c4cf8cdd43257329c8ac2ca930df12cb073

Download Submit
C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\decoder.dll
MD5
62326d3ef35667b1533673d2bb1d342c

SHA1
8100ce90b7cbddd7ef2fd77c544ebf12ebd5ec33

SHA256
a087b791ff8ff9e05e339600199aa389a4554050acc7af7fa36dbe208be7382e

SHA512
7321feae8ee8d0653d7bd935e3d2e6f658e6798b2a7a8f44976c58509028e79284582132cb999c7c3124a7e94960d9c5d5fc8edefaeda06275ab725730d0d9b5

Download Submit
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe
MD5
96e2ab9849c69367fa6643514045b291

SHA1
4de21a728d4d1d2961ae065f2e96be6b268de409

SHA256
5d596c1c19bb7712dcb8e2a43811849b1e9879bab81de86c9eb3b445f0d65cc3

SHA512
4327bdfaaf8043303fede40e68f5381a9a33546db1f17e8504fb663cff729aac22d61d332b5d552dbad01d7cbc66072edf7d2b215fa704da0c9f41b706fd8c4a

Download Submit
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe
MD5
fc8c4b0f7d641f4211f047c0a1b27a2c

SHA1
fc5ac7e9e7fe0df52a7f3c8a7a41e9c9612c4690

SHA256
58ddfce3ee3b2ac7dce6aeed19a686d4108897ab7b7fff6e91d63b35648226d4

SHA512
6f4154d4c02f0792961e52a2770e4f32eada5de247a5ada95536a78c52ba3462973304d1a6435c6da8fbe8b8264df7cf295c62642848c0d944e31d69138d23a1

Download Submit
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.ini
MD5
928f96a3198f48c845808c3e90c1455a

SHA1
969e77a29fcb210930c4e7e3e5140511d0a107cb

SHA256
f5f75d9fd7e0ccf7180c916cae73f6e51bb89465231186bca284823d755ddea7

SHA512
144304ba9750308bb974772733ffb39025dfb20f25d598e535222cc9bd4b897519c529b41d1ecb66233a566dd0016f470b8c74ff34edc67e1e37552e26dca00a

Download Submit
C:\Windows\Installer\MSIE9BA.tmp
MD5
842cc23e74711a7b6955e6876c0641ce

SHA1
3c7f32c373e03d76e9f5d76d2dfdcb6508c7af56

SHA256
7e434d53739356b7f74c5143b98138c6b67b38c2dbd772a28e8dde70e8be8644

SHA512
dd8323f657786fae516b400fe6b0569b8d4d16ccb4b396648b427e875d9e5b1eb7a874338d386f0940dc370de6fecf9893efd28149745bc9fd3f67a792ec824d

Download Submit
C:\Windows\Installer\MSIE9BA.tmp
MD5
842cc23e74711a7b6955e6876c0641ce

SHA1
3c7f32c373e03d76e9f5d76d2dfdcb6508c7af56

SHA256
7e434d53739356b7f74c5143b98138c6b67b38c2dbd772a28e8dde70e8be8644

SHA512
dd8323f657786fae516b400fe6b0569b8d4d16ccb4b396648b427e875d9e5b1eb7a874338d386f0940dc370de6fecf9893efd28149745bc9fd3f67a792ec824d

Download Submit
C:\Windows\Installer\MSIECF7.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Windows\Installer\MSIECF7.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Windows\Installer\MSIED46.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Windows\Installer\MSIED46.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Windows\Installer\MSIED76.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Windows\Installer\MSIED76.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Windows\Installer\MSIEDA6.tmp
MD5
e6a708c70a8cfd78b7c0383615545158

SHA1
b9274d9bf4750f557d34ddfd802113f5dd1df91c

SHA256
e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c

SHA512
2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8

Download Submit
C:\Windows\Installer\MSIEDA6.tmp
MD5
e6a708c70a8cfd78b7c0383615545158

SHA1
b9274d9bf4750f557d34ddfd802113f5dd1df91c

SHA256
e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c

SHA512
2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8

Download Submit
C:\Windows\Installer\MSIEDC6.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
C:\Windows\Installer\MSIEDC6.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
C:\Windows\Installer\MSIEF2E.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
C:\Windows\Installer\MSIEF2E.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
C:\Windows\Installer\MSIEF3F.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Windows\Installer\MSIEF3F.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Windows\Installer\MSIEFBD.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
C:\Windows\Installer\MSIEFBD.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
C:\Windows\Installer\MSIF359.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
C:\Windows\Installer\MSIF359.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
memory/404-349-0x0000000001730000-0x0000000001732000-memory.dmp

Filesize
8KB

Download
memory/700-259-0x0000000000000000-mapping.dmp

Download
memory/700-260-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/700-261-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/888-268-0x000002375E0B0000-0x000002375E0B2000-memory.dmp

Filesize
8KB

Download
memory/888-269-0x000002375E0B0000-0x000002375E0B2000-memory.dmp

Filesize
8KB

Download
memory/888-272-0x000002375E0B0000-0x000002375E0B2000-memory.dmp

Filesize
8KB

Download
memory/1036-201-0x0000000000000000-mapping.dmp

Download
memory/1036-202-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/1036-203-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/1208-149-0x0000000000000000-mapping.dmp

Download
memory/1208-151-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1312-307-0x00000182A7F20000-0x00000182A7F22000-memory.dmp

Filesize
8KB

Download
memory/1312-305-0x00000182A7F20000-0x00000182A7F22000-memory.dmp

Filesize
8KB

Download
memory/1312-302-0x00000182A7F20000-0x00000182A7F22000-memory.dmp

Filesize
8KB

Download
memory/1312-299-0x0000000000000000-mapping.dmp

Download
memory/1312-303-0x00000182A7F20000-0x00000182A7F22000-memory.dmp

Filesize
8KB

Download
memory/1376-332-0x0000000000000000-mapping.dmp

Download
memory/1404-246-0x0000000000000000-mapping.dmp

Download
memory/1528-345-0x0000000000000000-mapping.dmp

Download
memory/1572-294-0x00000203968D0000-0x00000203968D2000-memory.dmp

Filesize
8KB

Download
memory/1572-295-0x00000203968D0000-0x00000203968D2000-memory.dmp

Filesize
8KB

Download
memory/1572-293-0x0000000000000000-mapping.dmp

Download
memory/1672-249-0x0000000000000000-mapping.dmp

Download
memory/1672-251-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/1672-250-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/1752-325-0x0000000000000000-mapping.dmp

Download
memory/1864-322-0x0000000000000000-mapping.dmp

Download
memory/1956-182-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1956-174-0x0000000000000000-mapping.dmp

Download
memory/1984-181-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1984-172-0x0000000000000000-mapping.dmp

Download
memory/2008-319-0x0000000000000000-mapping.dmp

Download
memory/2016-257-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2016-256-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2016-255-0x0000000000000000-mapping.dmp

Download
memory/2156-161-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/2156-158-0x0000000000000000-mapping.dmp

Download
memory/2160-316-0x0000000000000000-mapping.dmp

Download
memory/2160-317-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/2192-178-0x0000000000000000-mapping.dmp

Download
memory/2192-183-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2216-266-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/2216-315-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/2216-314-0x0000000006BF5000-0x0000000006BF7000-memory.dmp

Filesize
8KB

Download
memory/2216-286-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/2216-282-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/2216-281-0x00000000081E0000-0x00000000081E1000-memory.dmp

Filesize
4KB

Download
memory/2216-280-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/2216-265-0x0000000000000000-mapping.dmp

Download
memory/2216-279-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/2216-267-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/2216-278-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/2216-276-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

Filesize
4KB

Download
memory/2216-270-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/2216-271-0x0000000007230000-0x0000000007231000-memory.dmp

Filesize
4KB

Download
memory/2216-277-0x0000000006BF2000-0x0000000006BF3000-memory.dmp

Filesize
4KB

Download
memory/2216-273-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/2216-274-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/2216-275-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/2224-328-0x0000000000000000-mapping.dmp

Download
memory/2256-252-0x0000000000000000-mapping.dmp

Download
memory/2256-254-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/2256-253-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/2488-160-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2488-153-0x0000000000000000-mapping.dmp

Download
memory/2556-333-0x0000000000000000-mapping.dmp

Download
memory/2644-343-0x0000000000000000-mapping.dmp

Download
memory/2760-185-0x0000000000000000-mapping.dmp

Download
memory/2792-171-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2792-167-0x0000000000000000-mapping.dmp

Download
memory/2924-298-0x0000000000000000-mapping.dmp

Download
memory/2924-306-0x000001AF26B60000-0x000001AF26B62000-memory.dmp

Filesize
8KB

Download
memory/2924-300-0x000001AF26B60000-0x000001AF26B62000-memory.dmp

Filesize
8KB

Download
memory/2924-301-0x000001AF26B60000-0x000001AF26B62000-memory.dmp

Filesize
8KB

Download
memory/2924-304-0x000001AF26B60000-0x000001AF26B62000-memory.dmp

Filesize
8KB

Download
memory/2992-339-0x0000000000000000-mapping.dmp

Download
memory/3100-170-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3100-163-0x0000000000000000-mapping.dmp

Download
memory/3140-192-0x0000029A3F0E0000-0x0000029A3F0E2000-memory.dmp

Filesize
8KB

Download
memory/3140-193-0x0000029A3F0E0000-0x0000029A3F0E2000-memory.dmp

Filesize
8KB

Download
memory/3188-313-0x0000000000000000-mapping.dmp

Download
memory/3444-148-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3916-346-0x0000000000000000-mapping.dmp

Download
memory/3932-342-0x0000000000000000-mapping.dmp

Download
memory/3936-344-0x0000000000000000-mapping.dmp

Download
memory/3956-296-0x00000282C31E0000-0x00000282C31E2000-memory.dmp

Filesize
8KB

Download
memory/3956-297-0x00000282C31E0000-0x00000282C31E2000-memory.dmp

Filesize
8KB

Download
memory/3956-287-0x0000000000000000-mapping.dmp

Download
memory/3956-289-0x00000282C31E0000-0x00000282C31E2000-memory.dmp

Filesize
8KB

Download
memory/3956-290-0x00000282C31E0000-0x00000282C31E2000-memory.dmp

Filesize
8KB

Download
memory/3964-264-0x000001FB0E4E0000-0x000001FB0E4E2000-memory.dmp

Filesize
8KB

Download
memory/3964-263-0x000001FB0E4E0000-0x000001FB0E4E2000-memory.dmp

Filesize
8KB

Download
memory/3964-262-0x0000000000000000-mapping.dmp

Download
memory/4060-194-0x0000000000000000-mapping.dmp

Download
memory/4060-196-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/4060-195-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/4128-248-0x0000000000000000-mapping.dmp

Download
memory/4148-258-0x0000000000000000-mapping.dmp

Download
memory/4304-188-0x0000000000000000-mapping.dmp

Download
memory/4420-288-0x0000000000000000-mapping.dmp

Download
memory/4420-291-0x00000260899A0000-0x00000260899A2000-memory.dmp

Filesize
8KB

Download
memory/4420-292-0x00000260899A0000-0x00000260899A2000-memory.dmp

Filesize
8KB

Download
memory/4540-211-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4540-209-0x0000000000000000-mapping.dmp

Download
memory/4540-210-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4576-336-0x0000000000000000-mapping.dmp

Download
memory/4624-347-0x0000000000000000-mapping.dmp

Download
memory/4624-348-0x0000000001550000-0x0000000001551000-memory.dmp

Filesize
4KB

Download
memory/4652-283-0x0000000000000000-mapping.dmp

Download
memory/4652-284-0x000002548EC10000-0x000002548EC12000-memory.dmp

Filesize
8KB

Download
memory/4652-285-0x000002548EC10000-0x000002548EC12000-memory.dmp

Filesize
8KB

Download
memory/4748-242-0x0000000000000000-mapping.dmp

Download
memory/4804-334-0x0000000000000000-mapping.dmp

Download
memory/4804-335-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/4876-312-0x000001AD99650000-0x000001AD99652000-memory.dmp

Filesize
8KB

Download
memory/4876-309-0x000001AD99650000-0x000001AD99652000-memory.dmp

Filesize
8KB

Download
memory/4876-308-0x0000000000000000-mapping.dmp

Download
memory/4876-310-0x000001AD99650000-0x000001AD99652000-memory.dmp

Filesize
8KB

Download
memory/4876-311-0x000001AD99650000-0x000001AD99652000-memory.dmp

Filesize
8KB

Download
memory/4988-331-0x0000000000000000-mapping.dmp

Download