8dbbe3e8657d87e842026b7051a7b0680d3838749773997df91f123034a7566d

Resubmissions

29-10-2021 04:47

211029-fephnahcek 10

29-10-2021 04:36

211029-e8cwaahcdp 8

Analysis

max time kernel
110s
max time network
152s
platform
windows10_x64
resource
win10-en-20211014
submitted
29-10-2021 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run_848a9.exe
Size

1.7MB
MD5

67c86865ba800ab9f761356d4cc5c08c
SHA1

1f3dcc460c3fb02704e69cd8509445a92ac3600d
SHA256

8dbbe3e8657d87e842026b7051a7b0680d3838749773997df91f123034a7566d
SHA512

328c47921cfa939403736e63d0a5f5659dce3a916a44e6d0b0434ae4672bf96530a86cb19c2709a67914381fd8fc1c40b6e12209a35735743a8988a6166b50ff

Score

10^/10

discovery persistence spyware stealer suricata

Malware Config

Signatures

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata

Blocklisted process makes network request 50 IoCs

Processes:

MsiExec.exeMsiExec.exepowershell.exe

flow	pid	process
62	3496	MsiExec.exe
63	3496	MsiExec.exe
65	3496	MsiExec.exe
73	3044	MsiExec.exe
74	3044	MsiExec.exe
75	3044	MsiExec.exe
76	3044	MsiExec.exe
77	3044	MsiExec.exe
78	3044	MsiExec.exe
79	3044	MsiExec.exe
80	3044	MsiExec.exe
81	3044	MsiExec.exe
82	3044	MsiExec.exe
83	3044	MsiExec.exe
84	3044	MsiExec.exe
85	3044	MsiExec.exe
86	3044	MsiExec.exe
87	3044	MsiExec.exe
88	3044	MsiExec.exe
89	3044	MsiExec.exe
90	3044	MsiExec.exe
91	3044	MsiExec.exe
92	3044	MsiExec.exe
93	3044	MsiExec.exe
94	3044	MsiExec.exe
95	3044	MsiExec.exe
98	3044	MsiExec.exe
99	3044	MsiExec.exe
100	3044	MsiExec.exe
101	3044	MsiExec.exe
102	3044	MsiExec.exe
103	3044	MsiExec.exe
104	3044	MsiExec.exe
105	3044	MsiExec.exe
106	3044	MsiExec.exe
107	3044	MsiExec.exe
108	3044	MsiExec.exe
109	3044	MsiExec.exe
110	3044	MsiExec.exe
111	3044	MsiExec.exe
112	3044	MsiExec.exe
113	3044	MsiExec.exe
114	3044	MsiExec.exe
115	3044	MsiExec.exe
116	3044	MsiExec.exe
117	3044	MsiExec.exe
120	3044	MsiExec.exe
121	3044	MsiExec.exe
124	2076	powershell.exe
126	2076	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 23 IoCs

Processes:

run_848a9.tmpsetup.exesetup.tmpsetup_0.exesetup_0.tmptakemyfileapp2.exesetup_1.exesetup_1.tmphostwin.exesetup_2.exeaipackagechainer.exesetup_3.exeSettings%20Installation.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exesetup_4.exeSettings.exe

pid	process
3128	run_848a9.tmp
1608	setup.exe
3676	setup.tmp
2828	setup_0.exe
1368	setup_0.tmp
3196	takemyfileapp2.exe
716	setup_1.exe
2596	setup_1.tmp
1880	hostwin.exe
2360	setup_2.exe
984	aipackagechainer.exe
1576	setup_3.exe
4012	Settings%20Installation.exe
348	Settings.exe
3784	Settings.exe
1548	Settings.exe
1256	Settings.exe
1184	Settings.exe
3256	Settings.exe
3476	Settings.exe
4416	Settings.exe
4552	setup_4.exe
4640	Settings.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Settings.exeSettings.exeSettings.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	Settings.exe
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	Settings.exe
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	Settings.exe

Loads dropped DLL 64 IoCs

Processes:

setup.tmpsetup_1.tmpsetup_2.exeMsiExec.exeMsiExec.exesetup_3.exeSettings%20Installation.exeMsiExec.exeMsiExec.exeMsiExec.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exe

pid	process
3676	setup.tmp
2596	setup_1.tmp
2360	setup_2.exe
3212	MsiExec.exe
3212	MsiExec.exe
3496	MsiExec.exe
3496	MsiExec.exe
3496	MsiExec.exe
3496	MsiExec.exe
3496	MsiExec.exe
3496	MsiExec.exe
3496	MsiExec.exe
3496	MsiExec.exe
3496	MsiExec.exe
3496	MsiExec.exe
1576	setup_3.exe
1576	setup_3.exe
4012	Settings%20Installation.exe
4012	Settings%20Installation.exe
1576	setup_3.exe
2512	MsiExec.exe
2512	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
1576	setup_3.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
988	MsiExec.exe
988	MsiExec.exe
988	MsiExec.exe
988	MsiExec.exe
988	MsiExec.exe
988	MsiExec.exe
988	MsiExec.exe
3044	MsiExec.exe
4012	Settings%20Installation.exe
4012	Settings%20Installation.exe
4012	Settings%20Installation.exe
348	Settings.exe
4012	Settings%20Installation.exe
348	Settings.exe
348	Settings.exe
3784	Settings.exe
1548	Settings.exe
1548	Settings.exe
1548	Settings.exe
1256	Settings.exe
1256	Settings.exe
1256	Settings.exe
1184	Settings.exe
1184	Settings.exe
1184	Settings.exe
3256	Settings.exe
3256	Settings.exe
3256	Settings.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aipackagechainer.exeSettings%20Installation.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\	aipackagechainer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Settings%20Installation.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Settings = "C:\\Users\\Admin\\AppData\\Roaming\\Settings\\Settings.exe --iUSIg"	Settings%20Installation.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	aipackagechainer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

setup_3.exesetup_2.exemsiexec.exesetup_4.exe

description	ioc	process
File opened (read-only)	\??\E:	setup_3.exe
File opened (read-only)	\??\K:	setup_3.exe
File opened (read-only)	\??\E:	setup_2.exe
File opened (read-only)	\??\I:	setup_2.exe
File opened (read-only)	\??\R:	setup_2.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	setup_3.exe
File opened (read-only)	\??\Z:	setup_4.exe
File opened (read-only)	\??\M:	setup_2.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	setup_4.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	setup_3.exe
File opened (read-only)	\??\V:	setup_3.exe
File opened (read-only)	\??\F:	setup_4.exe
File opened (read-only)	\??\K:	setup_4.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	setup_2.exe
File opened (read-only)	\??\T:	setup_2.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	setup_3.exe
File opened (read-only)	\??\S:	setup_4.exe
File opened (read-only)	\??\W:	setup_4.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	setup_2.exe
File opened (read-only)	\??\J:	setup_2.exe
File opened (read-only)	\??\Y:	setup_2.exe
File opened (read-only)	\??\G:	setup_3.exe
File opened (read-only)	\??\N:	setup_3.exe
File opened (read-only)	\??\Q:	setup_4.exe
File opened (read-only)	\??\X:	setup_2.exe
File opened (read-only)	\??\Z:	setup_2.exe
File opened (read-only)	\??\J:	setup_3.exe
File opened (read-only)	\??\S:	setup_3.exe
File opened (read-only)	\??\X:	setup_3.exe
File opened (read-only)	\??\A:	setup_4.exe
File opened (read-only)	\??\O:	setup_3.exe
File opened (read-only)	\??\U:	setup_4.exe
File opened (read-only)	\??\S:	setup_2.exe
File opened (read-only)	\??\U:	setup_2.exe
File opened (read-only)	\??\V:	setup_2.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\A:	setup_3.exe
File opened (read-only)	\??\M:	setup_3.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	setup_3.exe
File opened (read-only)	\??\L:	setup_3.exe
File opened (read-only)	\??\G:	setup_4.exe
File opened (read-only)	\??\P:	setup_4.exe
File opened (read-only)	\??\E:	setup_4.exe
File opened (read-only)	\??\I:	setup_4.exe
File opened (read-only)	\??\G:	setup_2.exe
File opened (read-only)	\??\H:	setup_2.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 17 IoCs

Processes:

msiexec.exesetup_0.tmpsetup_1.tmprun_848a9.tmp

description	ioc	process
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\TakeMyFile\is-OSROT.tmp	setup_0.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_1.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-V9RST.tmp	setup_1.tmp
File opened for modification	C:\Program Files (x86)\run_848a9\unins000.dat	run_848a9.tmp
File opened for modification	C:\Program Files (x86)\TakeMyFile\takemyfileapp2.exe	setup_0.tmp
File created	C:\Program Files (x86)\TakeMyFile\unins000.dat	setup_0.tmp
File created	C:\Program Files (x86)\TakeMyFile\is-PH630.tmp	setup_0.tmp
File opened for modification	C:\Program Files (x86)\TakeMyFile\unins000.dat	setup_0.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_1.tmp
File created	C:\Program Files (x86)\run_848a9\unins000.dat	run_848a9.tmp
File created	C:\Program Files (x86)\run_848a9\is-BN6QC.tmp	run_848a9.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe

Drops file in Windows directory 56 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID0A9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1BE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC9A8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICCCB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEDF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D6E.tmp	msiexec.exe
File created	C:\Windows\Installer\f765a9f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI66FE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC4D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID3DD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f765a9f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC1D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\f765aa6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D3E.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5DAC.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6283.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID212.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6641.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CDF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6507.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC998.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICA47.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1DBD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6158.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6330.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC948.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID282.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2B2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI61B7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI938E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBBF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICA07.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID232.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID262.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEF0.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC704.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC977.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64B8.tmp	msiexec.exe
File created	C:\Windows\Installer\f765aa7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D0E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI60F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f765aa3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF30.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f765aa7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI63EC.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\f765aa3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID1D2.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

takemyfileapp2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	takemyfileapp2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	takemyfileapp2.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2320 taskkill.exe

pid	process
2320	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe

Modifies registry class 28 IoCs

Processes:

msiexec.exesetup_0.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\TakeMyFile\icon = "C:\\Program Files (x86)\\TakeMyFile\\takemyfileapp2.exe"	setup_0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\TakeMyFile	setup_0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\TakeMyFile\command	setup_0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Johan.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\TakeMyFile\command\ = "C:\\Program Files (x86)\\TakeMyFile\\takemyfileapp2.exe \"%1\""	setup_0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "06B073E49A8D6C24C95A4819BE5CEF22"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe

Modifies system certificate store 2 TTPs 18 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

setup_2.exesetup_3.exesetup_4.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	setup_2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	setup_2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	setup_2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup_3.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	setup_4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	setup_4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	setup_4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	setup_4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	setup_2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	setup_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	setup_2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	setup_2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	setup_4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	setup_2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	setup_2.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

run_848a9.tmpsetup_0.tmpsetup_1.tmpmsiexec.exeMsiExec.exeMsiExec.exepowershell.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exeSettings.exe

pid	process
3128	run_848a9.tmp
3128	run_848a9.tmp
1368	setup_0.tmp
1368	setup_0.tmp
2596	setup_1.tmp
2596	setup_1.tmp
1060	msiexec.exe
1060	msiexec.exe
2512	MsiExec.exe
2512	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
1060	msiexec.exe
1060	msiexec.exe
2076	powershell.exe
2076	powershell.exe
2076	powershell.exe
348	Settings.exe
348	Settings.exe
1548	Settings.exe
1548	Settings.exe
1256	Settings.exe
1256	Settings.exe
1184	Settings.exe
1184	Settings.exe
3256	Settings.exe
3256	Settings.exe
3476	Settings.exe
3476	Settings.exe
4416	Settings.exe
4416	Settings.exe
4640	Settings.exe
4640	Settings.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exesetup_2.exe

description	pid	process
Token: SeSecurityPrivilege	1060	msiexec.exe
Token: SeCreateTokenPrivilege	2360	setup_2.exe
Token: SeAssignPrimaryTokenPrivilege	2360	setup_2.exe
Token: SeLockMemoryPrivilege	2360	setup_2.exe
Token: SeIncreaseQuotaPrivilege	2360	setup_2.exe
Token: SeMachineAccountPrivilege	2360	setup_2.exe
Token: SeTcbPrivilege	2360	setup_2.exe
Token: SeSecurityPrivilege	2360	setup_2.exe
Token: SeTakeOwnershipPrivilege	2360	setup_2.exe
Token: SeLoadDriverPrivilege	2360	setup_2.exe
Token: SeSystemProfilePrivilege	2360	setup_2.exe
Token: SeSystemtimePrivilege	2360	setup_2.exe
Token: SeProfSingleProcessPrivilege	2360	setup_2.exe
Token: SeIncBasePriorityPrivilege	2360	setup_2.exe
Token: SeCreatePagefilePrivilege	2360	setup_2.exe
Token: SeCreatePermanentPrivilege	2360	setup_2.exe
Token: SeBackupPrivilege	2360	setup_2.exe
Token: SeRestorePrivilege	2360	setup_2.exe
Token: SeShutdownPrivilege	2360	setup_2.exe
Token: SeDebugPrivilege	2360	setup_2.exe
Token: SeAuditPrivilege	2360	setup_2.exe
Token: SeSystemEnvironmentPrivilege	2360	setup_2.exe
Token: SeChangeNotifyPrivilege	2360	setup_2.exe
Token: SeRemoteShutdownPrivilege	2360	setup_2.exe
Token: SeUndockPrivilege	2360	setup_2.exe
Token: SeSyncAgentPrivilege	2360	setup_2.exe
Token: SeEnableDelegationPrivilege	2360	setup_2.exe
Token: SeManageVolumePrivilege	2360	setup_2.exe
Token: SeImpersonatePrivilege	2360	setup_2.exe
Token: SeCreateGlobalPrivilege	2360	setup_2.exe
Token: SeCreateTokenPrivilege	2360	setup_2.exe
Token: SeAssignPrimaryTokenPrivilege	2360	setup_2.exe
Token: SeLockMemoryPrivilege	2360	setup_2.exe
Token: SeIncreaseQuotaPrivilege	2360	setup_2.exe
Token: SeMachineAccountPrivilege	2360	setup_2.exe
Token: SeTcbPrivilege	2360	setup_2.exe
Token: SeSecurityPrivilege	2360	setup_2.exe
Token: SeTakeOwnershipPrivilege	2360	setup_2.exe
Token: SeLoadDriverPrivilege	2360	setup_2.exe
Token: SeSystemProfilePrivilege	2360	setup_2.exe
Token: SeSystemtimePrivilege	2360	setup_2.exe
Token: SeProfSingleProcessPrivilege	2360	setup_2.exe
Token: SeIncBasePriorityPrivilege	2360	setup_2.exe
Token: SeCreatePagefilePrivilege	2360	setup_2.exe
Token: SeCreatePermanentPrivilege	2360	setup_2.exe
Token: SeBackupPrivilege	2360	setup_2.exe
Token: SeRestorePrivilege	2360	setup_2.exe
Token: SeShutdownPrivilege	2360	setup_2.exe
Token: SeDebugPrivilege	2360	setup_2.exe
Token: SeAuditPrivilege	2360	setup_2.exe
Token: SeSystemEnvironmentPrivilege	2360	setup_2.exe
Token: SeChangeNotifyPrivilege	2360	setup_2.exe
Token: SeRemoteShutdownPrivilege	2360	setup_2.exe
Token: SeUndockPrivilege	2360	setup_2.exe
Token: SeSyncAgentPrivilege	2360	setup_2.exe
Token: SeEnableDelegationPrivilege	2360	setup_2.exe
Token: SeManageVolumePrivilege	2360	setup_2.exe
Token: SeImpersonatePrivilege	2360	setup_2.exe
Token: SeCreateGlobalPrivilege	2360	setup_2.exe
Token: SeCreateTokenPrivilege	2360	setup_2.exe
Token: SeAssignPrimaryTokenPrivilege	2360	setup_2.exe
Token: SeLockMemoryPrivilege	2360	setup_2.exe
Token: SeIncreaseQuotaPrivilege	2360	setup_2.exe
Token: SeMachineAccountPrivilege	2360	setup_2.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

run_848a9.tmpsetup_0.tmpsetup_1.tmpsetup_2.exesetup_3.exeSettings.exesetup_4.exe

pid process

3128 run_848a9.tmp
1368 setup_0.tmp
2596 setup_1.tmp
2360 setup_2.exe
1576 setup_3.exe
348 Settings.exe
4552 setup_4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

run_848a9.exerun_848a9.tmpsetup.exesetup.tmpsetup_0.exesetup_0.tmpsetup_1.exesetup_1.tmpmsiexec.exesetup_2.exeaipackagechainer.exesetup_3.exeMsiExec.exeSettings%20Installation.exe

description	pid	process	target process
PID 2720 wrote to memory of 3128	2720	run_848a9.exe	run_848a9.tmp
PID 2720 wrote to memory of 3128	2720	run_848a9.exe	run_848a9.tmp
PID 2720 wrote to memory of 3128	2720	run_848a9.exe	run_848a9.tmp
PID 3128 wrote to memory of 1608	3128	run_848a9.tmp	setup.exe
PID 3128 wrote to memory of 1608	3128	run_848a9.tmp	setup.exe
PID 3128 wrote to memory of 1608	3128	run_848a9.tmp	setup.exe
PID 1608 wrote to memory of 3676	1608	setup.exe	setup.tmp
PID 1608 wrote to memory of 3676	1608	setup.exe	setup.tmp
PID 1608 wrote to memory of 3676	1608	setup.exe	setup.tmp
PID 3676 wrote to memory of 2828	3676	setup.tmp	setup_0.exe
PID 3676 wrote to memory of 2828	3676	setup.tmp	setup_0.exe
PID 3676 wrote to memory of 2828	3676	setup.tmp	setup_0.exe
PID 2828 wrote to memory of 1368	2828	setup_0.exe	setup_0.tmp
PID 2828 wrote to memory of 1368	2828	setup_0.exe	setup_0.tmp
PID 2828 wrote to memory of 1368	2828	setup_0.exe	setup_0.tmp
PID 1368 wrote to memory of 3196	1368	setup_0.tmp	takemyfileapp2.exe
PID 1368 wrote to memory of 3196	1368	setup_0.tmp	takemyfileapp2.exe
PID 1368 wrote to memory of 3196	1368	setup_0.tmp	takemyfileapp2.exe
PID 3676 wrote to memory of 716	3676	setup.tmp	setup_1.exe
PID 3676 wrote to memory of 716	3676	setup.tmp	setup_1.exe
PID 3676 wrote to memory of 716	3676	setup.tmp	setup_1.exe
PID 716 wrote to memory of 2596	716	setup_1.exe	setup_1.tmp
PID 716 wrote to memory of 2596	716	setup_1.exe	setup_1.tmp
PID 716 wrote to memory of 2596	716	setup_1.exe	setup_1.tmp
PID 2596 wrote to memory of 1880	2596	setup_1.tmp	hostwin.exe
PID 2596 wrote to memory of 1880	2596	setup_1.tmp	hostwin.exe
PID 3676 wrote to memory of 2360	3676	setup.tmp	setup_2.exe
PID 3676 wrote to memory of 2360	3676	setup.tmp	setup_2.exe
PID 3676 wrote to memory of 2360	3676	setup.tmp	setup_2.exe
PID 1060 wrote to memory of 3212	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 3212	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 3212	1060	msiexec.exe	MsiExec.exe
PID 2360 wrote to memory of 2436	2360	setup_2.exe	msiexec.exe
PID 2360 wrote to memory of 2436	2360	setup_2.exe	msiexec.exe
PID 2360 wrote to memory of 2436	2360	setup_2.exe	msiexec.exe
PID 1060 wrote to memory of 3496	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 3496	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 3496	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 984	1060	msiexec.exe	aipackagechainer.exe
PID 1060 wrote to memory of 984	1060	msiexec.exe	aipackagechainer.exe
PID 1060 wrote to memory of 984	1060	msiexec.exe	aipackagechainer.exe
PID 3676 wrote to memory of 1576	3676	setup.tmp	setup_3.exe
PID 3676 wrote to memory of 1576	3676	setup.tmp	setup_3.exe
PID 3676 wrote to memory of 1576	3676	setup.tmp	setup_3.exe
PID 984 wrote to memory of 4012	984	aipackagechainer.exe	Settings%20Installation.exe
PID 984 wrote to memory of 4012	984	aipackagechainer.exe	Settings%20Installation.exe
PID 984 wrote to memory of 4012	984	aipackagechainer.exe	Settings%20Installation.exe
PID 1060 wrote to memory of 2512	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 2512	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 2512	1060	msiexec.exe	MsiExec.exe
PID 1576 wrote to memory of 1952	1576	setup_3.exe	msiexec.exe
PID 1576 wrote to memory of 1952	1576	setup_3.exe	msiexec.exe
PID 1576 wrote to memory of 1952	1576	setup_3.exe	msiexec.exe
PID 1060 wrote to memory of 3044	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 3044	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 3044	1060	msiexec.exe	MsiExec.exe
PID 3044 wrote to memory of 2320	3044	MsiExec.exe	taskkill.exe
PID 3044 wrote to memory of 2320	3044	MsiExec.exe	taskkill.exe
PID 3044 wrote to memory of 2320	3044	MsiExec.exe	taskkill.exe
PID 1060 wrote to memory of 988	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 988	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 988	1060	msiexec.exe	MsiExec.exe
PID 4012 wrote to memory of 348	4012	Settings%20Installation.exe	Settings.exe
PID 4012 wrote to memory of 348	4012	Settings%20Installation.exe	Settings.exe

C:\Users\Admin\AppData\Local\Temp\run_848a9.exe
"C:\Users\Admin\AppData\Local\Temp\run_848a9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\is-GGBT6.tmp\run_848a9.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GGBT6.tmp\run_848a9.tmp" /SL5="$3013A,986812,780800,C:\Users\Admin\AppData\Local\Temp\run_848a9.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\is-4ALH6.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-4ALH6.tmp\setup.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\is-SCK79.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SCK79.tmp\setup.tmp" /SL5="$10202,921114,831488,C:\Users\Admin\AppData\Local\Temp\is-4ALH6.tmp\setup.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3676

C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_0.exe
"C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_0.exe" /pid=2651945 /cid=2094 /VERYSILENT
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828

C:\Users\Admin\AppData\Local\Temp\is-1A6RP.tmp\setup_0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1A6RP.tmp\setup_0.tmp" /SL5="$10270,859139,58368,C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_0.exe" /pid=2651945 /cid=2094 /VERYSILENT
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1368

C:\Program Files (x86)\TakeMyFile\takemyfileapp2.exe
"C:\Program Files (x86)\TakeMyFile\takemyfileapp2.exe" report 2651945 2094
7⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3196

C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_1.exe
"C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_1.exe" /VERYSILENT /id=2094
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716

C:\Users\Admin\AppData\Local\Temp\is-EGTVC.tmp\setup_1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EGTVC.tmp\setup_1.tmp" /SL5="$20270,140765,56832,C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_1.exe" /VERYSILENT /id=2094
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\is-9I6E6.tmp\hostwin.exe
"C:\Users\Admin\AppData\Local\Temp\is-9I6E6.tmp\hostwin.exe" 2094 64
7⤵
- Executes dropped EXE
PID:1880

C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_2.exe" SID=765 CID=765 SILENT=1 /quiet
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi" SID=765 CID=765 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_2.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635223481 SID=765 CID=765 SILENT=1 /quiet " SID="765" CID="765"
6⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_3.exe
"C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_3.exe" /qn CAMPAIGN="2094"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" /qn CAMPAIGN=2094 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_3.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635223481 /qn CAMPAIGN=""2094"" " CAMPAIGN="2094"
6⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_4.exe
"C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_4.exe" /quiet SILENT=1 AF=751__US
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:4552

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=751__US AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_4.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635223481 /quiet SILENT=1 AF=751__US " AF="751__US" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
6⤵
PID:4812

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 33C817583B9ED22A81AC70174AFA3C95 C
2⤵
- Loads dropped DLL
PID:3212

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 59FCA58BCFA0F3BB3382911A126DA121
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3496

C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:984

C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe" -silent=1 -CID=765 -SID=765 -submn=default
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" "--iUSIg"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:348

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x1e0,0x1e4,0x1e8,0x1bc,0x1ec,0x7ffb315adec0,0x7ffb315aded0,0x7ffb315adee0
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3784

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1640,17251213886805565706,14906434101271972681,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw348_209215946" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1660 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,17251213886805565706,14906434101271972681,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw348_209215946" --mojo-platform-channel-handle=1712 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1256

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1640,17251213886805565706,14906434101271972681,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw348_209215946" --mojo-platform-channel-handle=2028 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1184

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1640,17251213886805565706,14906434101271972681,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw348_209215946" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2604 /prefetch:1
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:3476

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1640,17251213886805565706,14906434101271972681,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw348_209215946" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2560 /prefetch:1
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3256

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1640,17251213886805565706,14906434101271972681,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw348_209215946" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3092 /prefetch:2
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4416

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,17251213886805565706,14906434101271972681,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw348_209215946" --mojo-platform-channel-handle=1896 /prefetch:8
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_EE73.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites' -retry_count 10"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 586B71E1F7B0C995AA45F6486C575702 C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2512

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3A807F3EA0594CAD9CA1BC921A10B660
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:2320

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7C14DB409509B0F78CB843312ADB93F4 E Global\MSI0000
2⤵
- Loads dropped DLL
PID:988

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0E08A08EF0577D6EDA43D0C4F35DD185 C
2⤵
PID:4748

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3520132DFA6B14C349CB28B61F7A55C0
2⤵
PID:4896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TakeMyFile\takemyfileapp2.exe
MD5
96f0ec1dd262f03d9c4dc71ca0c4abb3

SHA1
b25222639d324fe07ad6dc9cc240046bf036af85

SHA256
0555fd26a051d4576f81a6384807430dc290f997eca72e4ab6f058c79101d64b

SHA512
e9a42f045073f34b3dbab630edb1a6befee1d07d4ef0c584fcd384aca297ec9d2b66595d0ad9264338f3cf6d5fde715bac799651a8a99ecc5d369a1ddcae6899

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_1C9188608785142B616358BAE9B73F2D
MD5
8d720eea5e516cad40ecd8a2d212e08b

SHA1
5d3ab3b2c52d471cb769782d642944cbd9e94a97

SHA256
fe4307756718e7f4555c29d3abff96d01b12c7b254c397527dc62d3ba8d825ed

SHA512
047a4bea5dc18fdf13b477ac7fa78e7d6b953f4d958ddb3a8fe1a9d939682b33b4433fd37f4e194cc7a88f1af61dd362a25fc16d5169c6ecfb9bda3933e568ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
MD5
15db79133013f8a3676af10f250ad06a

SHA1
53454fb12c6781b8c95a6072a75971433180510b

SHA256
c57ce646e8e2f4e52265a73e8b279d14e9bdeada8e17537966c7a3ad81a6bbe1

SHA512
6e3764e55d39456dc596315a07a2e7b8feab2b41738dee9dd516a02cbdd95432c7019edbaa609cc1bd8ae720add0a9c83d493ab2428a47edc2996c82394ca65a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
MD5
f3eff9264ac38c152c8c65f7a3b92f57

SHA1
b89df29b8336c11d884a548fcb6d35c5cc2dff77

SHA256
0581869ececc28e9aeb4973ce389d0e331286361c552e49146909f6761071b6b

SHA512
b422b7aa4843ffbb71658c3fafa118fc523e204cf4d807b5329084d8cbc3e30f9472476109ec46ff74bc970e83df255e870bcf726bf4f91dbca7d64605f021e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
MD5
d3b4a7a010339c0a27044e0f898a16b5

SHA1
eb64718c1c201c50b6d07877c8a286b274b5b8e4

SHA256
311010080becf1578e842aae708435af4abddc3bbb5a5ed69d7823db4c1e420d

SHA512
ce96337e4e89275f700f951501638304ac523b96ab549e7c5218c09c15b6a8051eeab14a051bb34140c82932c37a20d659cece3a3b6cf4af8462a1c6b805d291

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
MD5
52bbbd3a8be1b451bf24ea2204a95b58

SHA1
23cd624677119a1dead9c3782dddd340c7fbd260

SHA256
98d435304a8a1079a98b92f848e604a70f5e936a3751ee593a60919f74b5abba

SHA512
6a9a35169724eeb2f3949545b85de01f2b5d5351a2161633976cf589252bf031b4f18f9a7244563ae23602f8c9a09e8f7f015b901e6e9f976845dbc9e6f20369

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
00fe0ea2d09b4e3abdffa47f5510c178

SHA1
334f119f6f319184a4f0b39a0dfaca85106aeab7

SHA256
c75763114cabb533a68a9e2d9d45326cd9f83b1dc9ad564a0edec3263e6c1216

SHA512
5e1a0c444acec4132a768deb361c7325bc0ccfb6d26df6e2141c7eb9948452a2f1f73fe4b9cd8abe86fb82673420a84e5a8229c781991fd2c7b6ea7d43597bb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_1C9188608785142B616358BAE9B73F2D
MD5
eab79ab107c166e080f5eb12cff7903d

SHA1
867c6c80175a991b0e33dbc26d9e2c60a3b96aa7

SHA256
33112e69185514f7d7032e911fc2d3b954794b6b032c74a8dd1618c2da9906b2

SHA512
322ed50c37fcded88d495df8b78501ec95e72fb502a031320d7f57dfa55c0a1f4b5ce9aaf1dd6ccf1f57a97b2691db60be0f034763759cb3a6a89335b35734c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
MD5
3a2243dab433243f7ef202c99f1c7d4f

SHA1
036b53fae9d5095efd929dac73b3b5f0987fbe34

SHA256
d83217844089449e9fd7503c55ee21d561869fa4c831380ed6f5f32d320c2b09

SHA512
7bc13aebbc96f5bb9d0c42f73368edc1cc1cf5855e8614871ff9e69dbabdd6fed0eb74ab27bf0e4c6a4301b8779d1c9e2b87c9e91db0c86dac87feb7b26e414e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
MD5
8bfb79dd42b2e8f07eaa24c72fce6e44

SHA1
61c1b515505de5985ee57540ddd16be84a4cd42d

SHA256
0711ec4dab2e685d372e1d939d0886162f34f20711214dab3985e58b657455a6

SHA512
53ad197ff0f2fe0830fcac7821b389c3a46ed9243f0d5e96d6eab68bcb9ed983b3ab45c99624b4cfb41f98125212cbee051a74a2bdd5065be3b80656c9cc252e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
MD5
fac23c1a2486075e870c397e5e6b9b44

SHA1
4906caea260954d3b2e263a574a24f2838048592

SHA256
336064e5c9ea0646b9bab5ee73109e26f0d8ed19753631ede74e48ef9077bd62

SHA512
67018428982ee6108f1851abf5b22926df9cc7e4c27b718265137b69678c4b09eb776bbcdf8e405592dd7da37802c75ae725301f6e611d4b61f8cc9240c42878

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
MD5
a03b99158807cccec192e77d79b024ad

SHA1
9ec5c64fcf64507479d9bb993f41a1ba251e6eec

SHA256
a71137a5524b2966bcc976b44c52dc81f0bb32803f982ee0be84995e957da225

SHA512
fed3b39fa524de7556c917e504dce4165bedb4e397a7dfaf5585650f06e3f64948070e06b9d727ca4ba447ba1dce5ecdb4deed85ea7116d7f27040158c013114

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI56C8.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5830.tmp
MD5
e6a708c70a8cfd78b7c0383615545158

SHA1
b9274d9bf4750f557d34ddfd802113f5dd1df91c

SHA256
e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c

SHA512
2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1A6RP.tmp\setup_0.tmp
MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1A6RP.tmp\setup_0.tmp
MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4ALH6.tmp\setup.exe
MD5
af5770a146da7de3837f95f622c150e5

SHA1
83edfc1970dcec10ac1a3fad0281486b8fc23810

SHA256
864a35c54d0d9aa563d4e300bd003c83502f45df8736c2f6bbb0edf74870a2e7

SHA512
15f40a0d8af86b809768ff6ee87633be59ab06d2db2b6281c30bd2e81a9b10fefb9f9737e9a770e9b084997086c45e6d3d9a2ce70ec29b0b94eab04157a2d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4ALH6.tmp\setup.exe
MD5
af5770a146da7de3837f95f622c150e5

SHA1
83edfc1970dcec10ac1a3fad0281486b8fc23810

SHA256
864a35c54d0d9aa563d4e300bd003c83502f45df8736c2f6bbb0edf74870a2e7

SHA512
15f40a0d8af86b809768ff6ee87633be59ab06d2db2b6281c30bd2e81a9b10fefb9f9737e9a770e9b084997086c45e6d3d9a2ce70ec29b0b94eab04157a2d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9I6E6.tmp\hostwin.exe
MD5
b3bb91ad96f2d4c041861ce59ba6ac73

SHA1
e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3

SHA256
0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426

SHA512
e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9I6E6.tmp\hostwin.exe
MD5
b3bb91ad96f2d4c041861ce59ba6ac73

SHA1
e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3

SHA256
0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426

SHA512
e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_0.exe
MD5
2c9cd007de9f99579da31ce28481ede0

SHA1
72b8f13007747ca6231f7da558fec3fa1b996b98

SHA256
3b87f07a3ed4782c8fcebe44ae6b036d717aa127db34995c24f2d9f1c7dce44d

SHA512
f3c7c1b47839d628b94701f12165113cb3e300cf46e2b213267159465713bbae26be70c48be652365a5bebf9559e9ec46310914a983ddf9b86a9708b5441d447

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_0.exe
MD5
2c9cd007de9f99579da31ce28481ede0

SHA1
72b8f13007747ca6231f7da558fec3fa1b996b98

SHA256
3b87f07a3ed4782c8fcebe44ae6b036d717aa127db34995c24f2d9f1c7dce44d

SHA512
f3c7c1b47839d628b94701f12165113cb3e300cf46e2b213267159465713bbae26be70c48be652365a5bebf9559e9ec46310914a983ddf9b86a9708b5441d447

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_1.exe
MD5
5dd257000cde6a086046cadff128eba9

SHA1
cbef6958c188daa91e66607443a0421b36b35f19

SHA256
f8f138e3290ccbaa58efe016d661eb19cb8731ff89a5df2af5015a22becdb0dd

SHA512
7a1139f109ea5d47e312b850ec904c762028b5cc35254ac2dd9f2fe1bf74b70f0c5dbaaced48b63b0485116db99a1c23acf62ae96e0f07bcfcd018f10abc939c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_1.exe
MD5
5dd257000cde6a086046cadff128eba9

SHA1
cbef6958c188daa91e66607443a0421b36b35f19

SHA256
f8f138e3290ccbaa58efe016d661eb19cb8731ff89a5df2af5015a22becdb0dd

SHA512
7a1139f109ea5d47e312b850ec904c762028b5cc35254ac2dd9f2fe1bf74b70f0c5dbaaced48b63b0485116db99a1c23acf62ae96e0f07bcfcd018f10abc939c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_2.exe
MD5
4089790fa14889f8990d9a1e31e8a041

SHA1
b44f3012ade8d942166fbf2d4833a40c934cd7e7

SHA256
6c33bfeb38fdf3dc27297f92c66ae750f7260a955e155582ccd725af23aec880

SHA512
90026d9fd1e6f55decc8c8792c16122563def33dc4dac3f0db7c9b297bdc26e059fcb5f732deb752bca98c366c1ba1fbf0c5f3e74331616122c52db1d9a7f796

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_2.exe
MD5
4089790fa14889f8990d9a1e31e8a041

SHA1
b44f3012ade8d942166fbf2d4833a40c934cd7e7

SHA256
6c33bfeb38fdf3dc27297f92c66ae750f7260a955e155582ccd725af23aec880

SHA512
90026d9fd1e6f55decc8c8792c16122563def33dc4dac3f0db7c9b297bdc26e059fcb5f732deb752bca98c366c1ba1fbf0c5f3e74331616122c52db1d9a7f796

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_3.exe
MD5
78b13010746f790292949e6bd53321da

SHA1
fdc327892bd4d3f41b0a5210dbdd54e381ff3ae3

SHA256
b945185dc04126878956ebc6246cb62391edba6e64d954f3f33ce767e74238e7

SHA512
2422e5c7e354e6b6fb9f539cb56c6a6bc9ca9dcd0eeda80209975819504f59ce09e49c5e5586d6a646e6c16dd4fba87422d1dbd7d590c49f67a2fda2489dca9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\setup_3.exe
MD5
78b13010746f790292949e6bd53321da

SHA1
fdc327892bd4d3f41b0a5210dbdd54e381ff3ae3

SHA256
b945185dc04126878956ebc6246cb62391edba6e64d954f3f33ce767e74238e7

SHA512
2422e5c7e354e6b6fb9f539cb56c6a6bc9ca9dcd0eeda80209975819504f59ce09e49c5e5586d6a646e6c16dd4fba87422d1dbd7d590c49f67a2fda2489dca9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EGTVC.tmp\setup_1.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EGTVC.tmp\setup_1.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GGBT6.tmp\run_848a9.tmp
MD5
172be78472394107d27ae2337ad8bf58

SHA1
530b852a568698a51fb11e137f8c5da54c21a29c

SHA256
b45d8b87c446af32aaead1b658bb10b22ba951cba63d432f665cd8c0150a576b

SHA512
903f4f3846627e03593163e89c2cd06c43a76cccbadd7eb345fd851433d290cc95737255f12d961106b43bc0a3012ea577fca0246dd7ead4665786654f122a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GGBT6.tmp\run_848a9.tmp
MD5
172be78472394107d27ae2337ad8bf58

SHA1
530b852a568698a51fb11e137f8c5da54c21a29c

SHA256
b45d8b87c446af32aaead1b658bb10b22ba951cba63d432f665cd8c0150a576b

SHA512
903f4f3846627e03593163e89c2cd06c43a76cccbadd7eb345fd851433d290cc95737255f12d961106b43bc0a3012ea577fca0246dd7ead4665786654f122a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SCK79.tmp\setup.tmp
MD5
38e9177040663abdf7cb42d237b03d9d

SHA1
0b95b3694406d9d86aa3e4953f42d471977ff03d

SHA256
2a322dbda4ac86aed04ab99f9f2c277c2f84b6046e234c3ae55ceec53883b594

SHA512
78db4c72b2e10d665775e7f306d926060c95ba47610e809e0a21006280f9f0280fa572168b9c9ee00e2121090db9a20dc524677d961fea4292c41c44ba3cb30f

Download Submit
C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi
MD5
acadfc9d99be20d8c9f710f0df886ae1

SHA1
998fd9d3d172c3ab7498d74fcfff748792013edd

SHA256
186dff721282a6eacb1f69010cd8f1e95332eb5e572c155faee7d1a45a91fdb7

SHA512
d996222f5c1e0dab0916ecfb797fd863c9e64b258e9c1f9f112f60bbd43b6af558d14eb856865f2d042c3464b2258c4cf8cdd43257329c8ac2ca930df12cb073

Download Submit
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe
MD5
96e2ab9849c69367fa6643514045b291

SHA1
4de21a728d4d1d2961ae065f2e96be6b268de409

SHA256
5d596c1c19bb7712dcb8e2a43811849b1e9879bab81de86c9eb3b445f0d65cc3

SHA512
4327bdfaaf8043303fede40e68f5381a9a33546db1f17e8504fb663cff729aac22d61d332b5d552dbad01d7cbc66072edf7d2b215fa704da0c9f41b706fd8c4a

Download Submit
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe
MD5
96e2ab9849c69367fa6643514045b291

SHA1
4de21a728d4d1d2961ae065f2e96be6b268de409

SHA256
5d596c1c19bb7712dcb8e2a43811849b1e9879bab81de86c9eb3b445f0d65cc3

SHA512
4327bdfaaf8043303fede40e68f5381a9a33546db1f17e8504fb663cff729aac22d61d332b5d552dbad01d7cbc66072edf7d2b215fa704da0c9f41b706fd8c4a

Download Submit
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe
MD5
fc8c4b0f7d641f4211f047c0a1b27a2c

SHA1
fc5ac7e9e7fe0df52a7f3c8a7a41e9c9612c4690

SHA256
58ddfce3ee3b2ac7dce6aeed19a686d4108897ab7b7fff6e91d63b35648226d4

SHA512
6f4154d4c02f0792961e52a2770e4f32eada5de247a5ada95536a78c52ba3462973304d1a6435c6da8fbe8b8264df7cf295c62642848c0d944e31d69138d23a1

Download Submit
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.ini
MD5
928f96a3198f48c845808c3e90c1455a

SHA1
969e77a29fcb210930c4e7e3e5140511d0a107cb

SHA256
f5f75d9fd7e0ccf7180c916cae73f6e51bb89465231186bca284823d755ddea7

SHA512
144304ba9750308bb974772733ffb39025dfb20f25d598e535222cc9bd4b897519c529b41d1ecb66233a566dd0016f470b8c74ff34edc67e1e37552e26dca00a

Download Submit
C:\Windows\Installer\MSI5DAC.tmp
MD5
842cc23e74711a7b6955e6876c0641ce

SHA1
3c7f32c373e03d76e9f5d76d2dfdcb6508c7af56

SHA256
7e434d53739356b7f74c5143b98138c6b67b38c2dbd772a28e8dde70e8be8644

SHA512
dd8323f657786fae516b400fe6b0569b8d4d16ccb4b396648b427e875d9e5b1eb7a874338d386f0940dc370de6fecf9893efd28149745bc9fd3f67a792ec824d

Download Submit
C:\Windows\Installer\MSI60F9.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Windows\Installer\MSI6158.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Windows\Installer\MSI61B7.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Windows\Installer\MSI6283.tmp
MD5
e6a708c70a8cfd78b7c0383615545158

SHA1
b9274d9bf4750f557d34ddfd802113f5dd1df91c

SHA256
e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c

SHA512
2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8

Download Submit
C:\Windows\Installer\MSI6330.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
C:\Windows\Installer\MSI63EC.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
C:\Windows\Installer\MSI64B8.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Windows\Installer\MSI6507.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
C:\Windows\Installer\MSI66FE.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
\Users\Admin\AppData\Local\Temp\MSI56C8.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
\Users\Admin\AppData\Local\Temp\MSI5830.tmp
MD5
e6a708c70a8cfd78b7c0383615545158

SHA1
b9274d9bf4750f557d34ddfd802113f5dd1df91c

SHA256
e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c

SHA512
2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8

Download Submit
\Users\Admin\AppData\Local\Temp\is-9I6E6.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
\Users\Admin\AppData\Local\Temp\is-CH25C.tmp\idp.dll
MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\decoder.dll
MD5
62326d3ef35667b1533673d2bb1d342c

SHA1
8100ce90b7cbddd7ef2fd77c544ebf12ebd5ec33

SHA256
a087b791ff8ff9e05e339600199aa389a4554050acc7af7fa36dbe208be7382e

SHA512
7321feae8ee8d0653d7bd935e3d2e6f658e6798b2a7a8f44976c58509028e79284582132cb999c7c3124a7e94960d9c5d5fc8edefaeda06275ab725730d0d9b5

Download Submit
\Windows\Installer\MSI5DAC.tmp
MD5
842cc23e74711a7b6955e6876c0641ce

SHA1
3c7f32c373e03d76e9f5d76d2dfdcb6508c7af56

SHA256
7e434d53739356b7f74c5143b98138c6b67b38c2dbd772a28e8dde70e8be8644

SHA512
dd8323f657786fae516b400fe6b0569b8d4d16ccb4b396648b427e875d9e5b1eb7a874338d386f0940dc370de6fecf9893efd28149745bc9fd3f67a792ec824d

Download Submit
\Windows\Installer\MSI60F9.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
\Windows\Installer\MSI6158.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
\Windows\Installer\MSI61B7.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
\Windows\Installer\MSI6283.tmp
MD5
e6a708c70a8cfd78b7c0383615545158

SHA1
b9274d9bf4750f557d34ddfd802113f5dd1df91c

SHA256
e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c

SHA512
2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8

Download Submit
\Windows\Installer\MSI6330.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
\Windows\Installer\MSI63EC.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
\Windows\Installer\MSI64B8.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
\Windows\Installer\MSI6507.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
\Windows\Installer\MSI66FE.tmp
MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
memory/348-231-0x0000000000000000-mapping.dmp

Download
memory/348-233-0x00000194156A0000-0x00000194156A2000-memory.dmp

Filesize
8KB

Download
memory/348-232-0x00000194156A0000-0x00000194156A2000-memory.dmp

Filesize
8KB

Download
memory/716-143-0x0000000000000000-mapping.dmp

Download
memory/716-148-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/984-209-0x0000000000000000-mapping.dmp

Download
memory/988-230-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/988-229-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/988-228-0x0000000000000000-mapping.dmp

Download
memory/1060-162-0x0000020A0B4F0000-0x0000020A0B4F2000-memory.dmp

Filesize
8KB

Download
memory/1060-161-0x0000020A0B4F0000-0x0000020A0B4F2000-memory.dmp

Filesize
8KB

Download
memory/1184-257-0x000001F0BE930000-0x000001F0BE932000-memory.dmp

Filesize
8KB

Download
memory/1184-254-0x0000000000000000-mapping.dmp

Download
memory/1184-260-0x000001F0BE930000-0x000001F0BE932000-memory.dmp

Filesize
8KB

Download
memory/1256-252-0x0000000000000000-mapping.dmp

Download
memory/1256-258-0x0000011FD2C90000-0x0000011FD2C92000-memory.dmp

Filesize
8KB

Download
memory/1256-256-0x0000011FD2C90000-0x0000011FD2C92000-memory.dmp

Filesize
8KB

Download
memory/1368-136-0x0000000000000000-mapping.dmp

Download
memory/1368-139-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1548-255-0x00000195AE810000-0x00000195AE812000-memory.dmp

Filesize
8KB

Download
memory/1548-253-0x00000195AE810000-0x00000195AE812000-memory.dmp

Filesize
8KB

Download
memory/1548-251-0x0000000000000000-mapping.dmp

Download
memory/1548-264-0x00000195AE810000-0x00000195AE812000-memory.dmp

Filesize
8KB

Download
memory/1548-262-0x00000195AE810000-0x00000195AE812000-memory.dmp

Filesize
8KB

Download
memory/1576-213-0x0000000000000000-mapping.dmp

Download
memory/1608-122-0x0000000000000000-mapping.dmp

Download
memory/1608-129-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1880-154-0x0000000000000000-mapping.dmp

Download
memory/1952-221-0x0000000000000000-mapping.dmp

Download
memory/1952-223-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1952-222-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2076-239-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/2076-247-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/2076-240-0x0000000004B12000-0x0000000004B13000-memory.dmp

Filesize
4KB

Download
memory/2076-242-0x00000000077B0000-0x00000000077B1000-memory.dmp

Filesize
4KB

Download
memory/2076-238-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/2076-301-0x0000000004B14000-0x0000000004B16000-memory.dmp

Filesize
8KB

Download
memory/2076-300-0x0000000004B13000-0x0000000004B14000-memory.dmp

Filesize
4KB

Download
memory/2076-272-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/2076-237-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/2076-236-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/2076-235-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/2076-234-0x0000000000000000-mapping.dmp

Download
memory/2076-243-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/2076-241-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/2076-246-0x0000000007E20000-0x0000000007E21000-memory.dmp

Filesize
4KB

Download
memory/2076-245-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/2076-244-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/2320-227-0x0000000000000000-mapping.dmp

Download
memory/2360-157-0x0000000000000000-mapping.dmp

Download
memory/2436-170-0x0000000000000000-mapping.dmp

Download
memory/2436-172-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2436-171-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2512-220-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2512-219-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2512-218-0x0000000000000000-mapping.dmp

Download
memory/2596-153-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2596-149-0x0000000000000000-mapping.dmp

Download
memory/2720-117-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2828-132-0x0000000000000000-mapping.dmp

Download
memory/2828-138-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3044-224-0x0000000000000000-mapping.dmp

Download
memory/3044-225-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3044-226-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3128-118-0x0000000000000000-mapping.dmp

Download
memory/3128-120-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/3196-141-0x0000000000000000-mapping.dmp

Download
memory/3196-146-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/3212-163-0x0000000000000000-mapping.dmp

Download
memory/3212-164-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/3212-165-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/3256-263-0x0000017C4D290000-0x0000017C4D292000-memory.dmp

Filesize
8KB

Download
memory/3256-269-0x0000017C4D290000-0x0000017C4D292000-memory.dmp

Filesize
8KB

Download
memory/3256-259-0x0000000000000000-mapping.dmp

Download
memory/3256-268-0x0000017C4D290000-0x0000017C4D292000-memory.dmp

Filesize
8KB

Download
memory/3256-265-0x0000017C4D290000-0x0000017C4D292000-memory.dmp

Filesize
8KB

Download
memory/3476-271-0x000001C81AE20000-0x000001C81AE22000-memory.dmp

Filesize
8KB

Download
memory/3476-261-0x0000000000000000-mapping.dmp

Download
memory/3476-267-0x000001C81AE20000-0x000001C81AE22000-memory.dmp

Filesize
8KB

Download
memory/3476-266-0x000001C81AE20000-0x000001C81AE22000-memory.dmp

Filesize
8KB

Download
memory/3476-270-0x000001C81AE20000-0x000001C81AE22000-memory.dmp

Filesize
8KB

Download
memory/3496-178-0x0000000000000000-mapping.dmp

Download
memory/3496-179-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3496-180-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3676-130-0x0000000000720000-0x00000000007CE000-memory.dmp

Filesize
696KB

Download
memory/3676-127-0x0000000000000000-mapping.dmp

Download
memory/3784-250-0x000001526F160000-0x000001526F162000-memory.dmp

Filesize
8KB

Download
memory/3784-249-0x000001526F160000-0x000001526F162000-memory.dmp

Filesize
8KB

Download
memory/3784-248-0x0000000000000000-mapping.dmp

Download
memory/4012-216-0x0000000000000000-mapping.dmp

Download
memory/4416-278-0x000002767D790000-0x000002767D792000-memory.dmp

Filesize
8KB

Download
memory/4416-282-0x000002767D790000-0x000002767D792000-memory.dmp

Filesize
8KB

Download
memory/4416-280-0x000002767D790000-0x000002767D792000-memory.dmp

Filesize
8KB

Download
memory/4416-277-0x000002767D790000-0x000002767D792000-memory.dmp

Filesize
8KB

Download
memory/4416-276-0x0000000000000000-mapping.dmp

Download
memory/4552-289-0x0000000000000000-mapping.dmp

Download
memory/4640-290-0x0000000000000000-mapping.dmp

Download
memory/4748-294-0x0000000000000000-mapping.dmp

Download
memory/4812-297-0x0000000000000000-mapping.dmp

Download
memory/4896-302-0x0000000000000000-mapping.dmp

Download