sality | cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58

Analysis

max time kernel
152s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Size

4.8MB
MD5

9a260c07556a7c0e604eab3aac12e60b
SHA1

55fe776c37e6573aed545a1751a0e9900f7cca25
SHA256

cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58
SHA512

73d335a8b19142575ef2daac2a73ccbf85a3f4c9d7310a9beffa318432a9c7890eeb5efaac98daf5f3d5a1f54690fb2de48f7c7942ff738e2a469b9b01e71010

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

Setup.exe

pid process

2120 Setup.exe

pid	process
2120	Setup.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4472-130-0x0000000002900000-0x000000000398E000-memory.dmp	upx
behavioral2/memory/4472-164-0x0000000002900000-0x000000000398E000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

Setup.exe

pid process

2120 Setup.exe
2120 Setup.exe
2120 Setup.exe
2120 Setup.exe
2120 Setup.exe

pid	process
2120	Setup.exe
2120	Setup.exe
2120	Setup.exe
2120	Setup.exe
2120	Setup.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

description	ioc	process
File opened (read-only)	\??\L:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\R:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\V:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\X:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\E:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\H:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\J:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\F:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\M:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\Q:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\U:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\W:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\P:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\S:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\T:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\N:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\O:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\Y:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\Z:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\G:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\I:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened (read-only)	\??\K:	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 11 IoCs

Processes:

cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

description	ioc	process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

Drops file in Windows directory 1 IoCs

Processes:

cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exeSetup.exe

pid	process
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
2120	Setup.exe
2120	Setup.exe
2120	Setup.exe
2120	Setup.exe
2120	Setup.exe
2120	Setup.exe
2120	Setup.exe
2120	Setup.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
2120	Setup.exe
2120	Setup.exe
2120	Setup.exe
2120	Setup.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

description	pid	process
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
Token: SeDebugPrivilege	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

description	pid	process	target process
PID 4472 wrote to memory of 780	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	fontdrvhost.exe
PID 4472 wrote to memory of 788	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	fontdrvhost.exe
PID 4472 wrote to memory of 64	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	dwm.exe
PID 4472 wrote to memory of 2664	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	sihost.exe
PID 4472 wrote to memory of 2704	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	svchost.exe
PID 4472 wrote to memory of 2904	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	taskhostw.exe
PID 4472 wrote to memory of 3212	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	Explorer.EXE
PID 4472 wrote to memory of 3308	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	svchost.exe
PID 4472 wrote to memory of 3504	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	DllHost.exe
PID 4472 wrote to memory of 3620	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	StartMenuExperienceHost.exe
PID 4472 wrote to memory of 3684	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	RuntimeBroker.exe
PID 4472 wrote to memory of 3772	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	SearchApp.exe
PID 4472 wrote to memory of 872	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	RuntimeBroker.exe
PID 4472 wrote to memory of 2120	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	Setup.exe
PID 4472 wrote to memory of 2120	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	Setup.exe
PID 4472 wrote to memory of 2120	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	Setup.exe
PID 4472 wrote to memory of 780	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	fontdrvhost.exe
PID 4472 wrote to memory of 788	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	fontdrvhost.exe
PID 4472 wrote to memory of 64	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	dwm.exe
PID 4472 wrote to memory of 2664	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	sihost.exe
PID 4472 wrote to memory of 2704	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	svchost.exe
PID 4472 wrote to memory of 2904	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	taskhostw.exe
PID 4472 wrote to memory of 3212	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	Explorer.EXE
PID 4472 wrote to memory of 3308	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	svchost.exe
PID 4472 wrote to memory of 3504	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	DllHost.exe
PID 4472 wrote to memory of 3620	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	StartMenuExperienceHost.exe
PID 4472 wrote to memory of 3684	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	RuntimeBroker.exe
PID 4472 wrote to memory of 3772	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	SearchApp.exe
PID 4472 wrote to memory of 872	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	RuntimeBroker.exe
PID 4472 wrote to memory of 2120	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	Setup.exe
PID 4472 wrote to memory of 2120	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	Setup.exe
PID 4472 wrote to memory of 780	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	fontdrvhost.exe
PID 4472 wrote to memory of 788	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	fontdrvhost.exe
PID 4472 wrote to memory of 64	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	dwm.exe
PID 4472 wrote to memory of 2664	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	sihost.exe
PID 4472 wrote to memory of 2704	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	svchost.exe
PID 4472 wrote to memory of 2904	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	taskhostw.exe
PID 4472 wrote to memory of 3212	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	Explorer.EXE
PID 4472 wrote to memory of 3308	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	svchost.exe
PID 4472 wrote to memory of 3504	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	DllHost.exe
PID 4472 wrote to memory of 3620	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	StartMenuExperienceHost.exe
PID 4472 wrote to memory of 3684	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	RuntimeBroker.exe
PID 4472 wrote to memory of 3772	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	SearchApp.exe
PID 4472 wrote to memory of 872	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	RuntimeBroker.exe
PID 4472 wrote to memory of 780	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	fontdrvhost.exe
PID 4472 wrote to memory of 788	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	fontdrvhost.exe
PID 4472 wrote to memory of 64	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	dwm.exe
PID 4472 wrote to memory of 2664	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	sihost.exe
PID 4472 wrote to memory of 2704	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	svchost.exe
PID 4472 wrote to memory of 2904	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	taskhostw.exe
PID 4472 wrote to memory of 3212	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	Explorer.EXE
PID 4472 wrote to memory of 3308	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	svchost.exe
PID 4472 wrote to memory of 3504	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	DllHost.exe
PID 4472 wrote to memory of 3620	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	StartMenuExperienceHost.exe
PID 4472 wrote to memory of 3684	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	RuntimeBroker.exe
PID 4472 wrote to memory of 3772	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	SearchApp.exe
PID 4472 wrote to memory of 872	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	RuntimeBroker.exe
PID 4472 wrote to memory of 780	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	fontdrvhost.exe
PID 4472 wrote to memory of 788	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	fontdrvhost.exe
PID 4472 wrote to memory of 64	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	dwm.exe
PID 4472 wrote to memory of 2664	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	sihost.exe
PID 4472 wrote to memory of 2704	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	svchost.exe
PID 4472 wrote to memory of 2904	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	taskhostw.exe
PID 4472 wrote to memory of 3212	4472	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe	Explorer.EXE

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:64

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2704

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2904

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe
"C:\Users\Admin\AppData\Local\Temp\cf3e3b97ea1cc5e2f247c762692ea2363e84c19c96ed128d0e9d63dc46e27f58.exe"
2⤵
- Modifies firewall policy service
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4472

\??\c:\af3fb9edce1cc21357a286373bc926c2\Setup.exe
c:\af3fb9edce1cc21357a286373bc926c2\Setup.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3308

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3620

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3684

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3772

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\af3fb9edce1cc21357a286373bc926c2\1033\SetupResources.dll
Filesize
16KB

MD5
718ab3eb3f43c9bcf16276c1eb17f2c1

SHA1
a3091fd7784a9469309b3edb370e24a0323e30ac

SHA256
e1a13f5b763d73271a1a205a88e64c6611c25d5f434cfa5da14feb8e4272ffaa

SHA512
9fa8a8d9645a9b490257c2dce3d31f1585f6d6069f9471f9e00dfaa9e457ff1db4c9176a91e02d7f0b61bae0c1fc76b56061eff04888a58aeb5ad2e8692fcf8a

Download Submit
C:\af3fb9edce1cc21357a286373bc926c2\1033\SetupResources.dll
Filesize
16KB

MD5
718ab3eb3f43c9bcf16276c1eb17f2c1

SHA1
a3091fd7784a9469309b3edb370e24a0323e30ac

SHA256
e1a13f5b763d73271a1a205a88e64c6611c25d5f434cfa5da14feb8e4272ffaa

SHA512
9fa8a8d9645a9b490257c2dce3d31f1585f6d6069f9471f9e00dfaa9e457ff1db4c9176a91e02d7f0b61bae0c1fc76b56061eff04888a58aeb5ad2e8692fcf8a

Download Submit
C:\af3fb9edce1cc21357a286373bc926c2\Setup.exe
Filesize
76KB

MD5
9a1141fbceeb2e196ae1ba115fd4bee6

SHA1
922eacb654f091bc609f1b7f484292468d046bd1

SHA256
28563d908450eb7b7e9ed07a934e0d68135b5bb48e866e0a1c913bd776a44fef

SHA512
b044600acb16fc3be991d8a6dbc75c2ca45d392e66a4d19eacac4aee282d2ada0d411d832b76d25ef505cc542c7fa1fdb7098da01f84034f798b08baa4796168

Download Submit
C:\af3fb9edce1cc21357a286373bc926c2\SetupEngine.dll
Filesize
789KB

MD5
a030c6b93740cbaa232ffaa08ccd3396

SHA1
6f7236a30308fbf02d88e228f0b5b5ec7f61d3eb

SHA256
0507720d52ae856bbf5ff3f01172a390b6c19517cb95514cd53f4a59859e8d63

SHA512
6787195b7e693744ce3b70c3b3ef04eaf81c39621e33d9f40b9c52f1a2c1d6094eceaebbc9b2906649351f5fc106eed085cef71bb606a9dc7890eafd200cfd42

Download Submit
C:\af3fb9edce1cc21357a286373bc926c2\SetupUi.dll
Filesize
288KB

MD5
c744ec120e54027c57318c4720b4d6be

SHA1
ab65fc4e68ad553520af049129fae4f88c7eff74

SHA256
d1610b0a94a4dadc85ee32a7e5ffd6533ea42347d6f2d6871beb03157b89a857

SHA512
6dcd0ab7b8671e17d1c15db030ee5349ab3a123595c546019cf9391ce05f9f63806149c3ec2f2c71635cb811ab65ad47bcd7031e2eff7a59059577e47dd600a7

Download Submit
C:\af3fb9edce1cc21357a286373bc926c2\sqmapi.dll
Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\1028\LocalizedData.xml
Filesize
29KB

MD5
7fc06a77d9aafca9fb19fafa0f919100

SHA1
e565740e7d582cd73f8d3b12de2f4579ff18bb41

SHA256
a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a

SHA512
466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\1031\LocalizedData.xml
Filesize
40KB

MD5
b83c3803712e61811c438f6e98790369

SHA1
61a0bc59388786ced045acd82621bee8578cae5a

SHA256
2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6

SHA512
e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\1033\LocalizedData.xml
Filesize
38KB

MD5
d642e322d1e8b739510ca540f8e779f9

SHA1
36279c76d9f34c09ebddc84fd33fcc7d4b9a896c

SHA256
5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9

SHA512
e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\1033\SetupResources.dll
Filesize
16KB

MD5
718ab3eb3f43c9bcf16276c1eb17f2c1

SHA1
a3091fd7784a9469309b3edb370e24a0323e30ac

SHA256
e1a13f5b763d73271a1a205a88e64c6611c25d5f434cfa5da14feb8e4272ffaa

SHA512
9fa8a8d9645a9b490257c2dce3d31f1585f6d6069f9471f9e00dfaa9e457ff1db4c9176a91e02d7f0b61bae0c1fc76b56061eff04888a58aeb5ad2e8692fcf8a

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\1036\LocalizedData.xml
Filesize
40KB

MD5
e382abc19294f779d2833287242e7bc6

SHA1
1ceae32d6b24a3832f9244f5791382865b668a72

SHA256
43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf

SHA512
06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\1040\LocalizedData.xml
Filesize
39KB

MD5
0af948fe4142e34092f9dd47a4b8c275

SHA1
b3d6dd5c126280398d9055f90e2c2c26dbae4eaa

SHA256
c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248

SHA512
d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\1041\LocalizedData.xml
Filesize
33KB

MD5
7fcfbc308b0c42dcbd8365ba62bada05

SHA1
18a0f0e89b36818c94de0ad795cc593d0e3e29a9

SHA256
01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2

SHA512
cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\1042\LocalizedData.xml
Filesize
32KB

MD5
71dfd70ae141f1d5c1366cb661b354b2

SHA1
c4b22590e6f6dd5d39e5158b831ae217ce17a776

SHA256
cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331

SHA512
5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\1049\LocalizedData.xml
Filesize
39KB

MD5
0eeb554d0b9f9fcdb22401e2532e9cd0

SHA1
08799520b72a1ef92ac5b94a33509d1eddf6caf8

SHA256
beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c

SHA512
2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\2052\LocalizedData.xml
Filesize
30KB

MD5
52b1dc12ce4153aa759fb3bbe04d01fc

SHA1
bf21f8591c473d1fce68a9faf1e5942f486f6eba

SHA256
d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3

SHA512
418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\3082\LocalizedData.xml
Filesize
39KB

MD5
5397a12d466d55d566b4209e0e4f92d3

SHA1
fcffd8961fb487995543fc173521fdf5df6e243b

SHA256
f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89

SHA512
7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\DHTMLHeader.html
Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\ParameterInfo.xml
Filesize
8KB

MD5
46db5d342d306778cab61e413a84fece

SHA1
d0885ae1f706e014015cacb0cd67ca786d0962c2

SHA256
227bd903261486663665ba232b753781bafd7afba68b5614ad93d6d1f5a1e16b

SHA512
5de734ce86888ae41db113be13b8b6652f67de8e7ff0dc062a3e217e078ccafacf44117bbfff6e26d6c7e4fa369855e87b4926e9bdfa96f466a89a9d9c67a5bc

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\Setup.exe
Filesize
76KB

MD5
9a1141fbceeb2e196ae1ba115fd4bee6

SHA1
922eacb654f091bc609f1b7f484292468d046bd1

SHA256
28563d908450eb7b7e9ed07a934e0d68135b5bb48e866e0a1c913bd776a44fef

SHA512
b044600acb16fc3be991d8a6dbc75c2ca45d392e66a4d19eacac4aee282d2ada0d411d832b76d25ef505cc542c7fa1fdb7098da01f84034f798b08baa4796168

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\SetupEngine.dll
Filesize
789KB

MD5
a030c6b93740cbaa232ffaa08ccd3396

SHA1
6f7236a30308fbf02d88e228f0b5b5ec7f61d3eb

SHA256
0507720d52ae856bbf5ff3f01172a390b6c19517cb95514cd53f4a59859e8d63

SHA512
6787195b7e693744ce3b70c3b3ef04eaf81c39621e33d9f40b9c52f1a2c1d6094eceaebbc9b2906649351f5fc106eed085cef71bb606a9dc7890eafd200cfd42

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\SetupUi.dll
Filesize
288KB

MD5
c744ec120e54027c57318c4720b4d6be

SHA1
ab65fc4e68ad553520af049129fae4f88c7eff74

SHA256
d1610b0a94a4dadc85ee32a7e5ffd6533ea42347d6f2d6871beb03157b89a857

SHA512
6dcd0ab7b8671e17d1c15db030ee5349ab3a123595c546019cf9391ce05f9f63806149c3ec2f2c71635cb811ab65ad47bcd7031e2eff7a59059577e47dd600a7

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\SetupUi.xsd
Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\Strings.xml
Filesize
13KB

MD5
332adf643747297b9bfa9527eaefe084

SHA1
670f933d778eca39938a515a39106551185205e9

SHA256
e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca

SHA512
bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\UiInfo.xml
Filesize
35KB

MD5
4f90fcef3836f5fc49426ad9938a1c60

SHA1
89eba3b81982d5d5c457ffa7a7096284a10de64a

SHA256
66a0299ce7ee12dd9fc2cfead3c3211e59bfb54d6c0627d044d44cef6e70367b

SHA512
4ce2731c1d32d7ca3a4f644f4b3111f06223de96c1e241fcc86f5fe665f4db18c8a241dae4e8a7e278d6afbf91b235a2c3517a40d4d22d9866880e19a7221160

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\graphics\print.ico
Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\graphics\save.ico
Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\graphics\setup.ico
Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\header.bmp
Filesize
7KB

MD5
3ad1a8c3b96993bcdf45244be2c00eef

SHA1
308f98e199f74a43d325115a8e7072d5f2c6202d

SHA256
133b86a4f1c67a159167489fdaeab765bfa1050c23a7ae6d5c517188fb45f94a

SHA512
133442c4a65269f817675adf01adcf622e509aa7ec7583bca8cd9a7eb6018d2aab56066054f75657038efb947cd3b3e5dc4fe7f0863c8b3b1770a8fa4fe2e658

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\sqmapi.dll
Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
\??\c:\af3fb9edce1cc21357a286373bc926c2\watermark.bmp
Filesize
301KB

MD5
1a5caafacfc8c7766e404d019249cf67

SHA1
35d4878db63059a0f25899f4be00b41f430389bf

SHA256
2e87d5742413254db10f7bd0762b6cdb98ff9c46ca9acddfd9b1c2e5418638f2

SHA512
202c13ded002d234117f08b18ca80d603246e6a166e18ba422e30d394ada7e47153dd3cce9728affe97128fdd797fe6302c74dc6882317e2ba254c8a6db80f46

Download Submit
memory/2120-131-0x0000000000000000-mapping.dmp

Download
memory/4472-130-0x0000000002900000-0x000000000398E000-memory.dmp

Filesize
16.6MB

Download
memory/4472-163-0x0000000001000000-0x00000000014EA000-memory.dmp

Filesize
4.9MB

Download
memory/4472-164-0x0000000002900000-0x000000000398E000-memory.dmp

Filesize
16.6MB

Download