3eeab0e2bbd7e74117cf4d36fa98a7d0125fc46161a1193f0b72fca297f5c8ac

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20220414-en
submitted
23-06-2022 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mouse Recorder Premium _TbJNZ.exe
Size

5.1MB
MD5

5347d1465f1abfbe142bee26234c2d42
SHA1

43aa39e7c91122fac3ceff37278f878eb60df870
SHA256

3eeab0e2bbd7e74117cf4d36fa98a7d0125fc46161a1193f0b72fca297f5c8ac
SHA512

afe6c2b058056813ef2f6642c5e4593c37bfc12b38f7f8990e3a923e56922a7c2647eb2e214d7da22de60648475bf59b2b3a9f4818f2861dbc37f9f8e10815bd

Score

10^/10

discovery evasion spyware stealer suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata
Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
588	MacroRecorderSetup.exe
1572	MacroRecorderSetup.tmp
1436	Quick_Driver_Updater.exe
1644	Quick_Driver_Updater.tmp
984	qdu.exe
1632	MacroRecorder.exe
1444	qdu.exe
872	Winzip_PDFPro.exe
816	196f8b8c-1c7f-4fb3-a8e7-4ee60e063299.exe
1516	ga_utility.exe
328	WZPDFSetup.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1696	netsh.exe

Loads dropped DLL 19 IoCs

pid	Process
588	MacroRecorderSetup.exe
1572	MacroRecorderSetup.tmp
1436	Quick_Driver_Updater.exe
1644	Quick_Driver_Updater.tmp
1644	Quick_Driver_Updater.tmp
1644	Quick_Driver_Updater.tmp
1644	Quick_Driver_Updater.tmp
1572	MacroRecorderSetup.tmp
1572	MacroRecorderSetup.tmp
1632	MacroRecorder.exe
1644	Quick_Driver_Updater.tmp
1632	MacroRecorder.exe
1632	MacroRecorder.exe
816	196f8b8c-1c7f-4fb3-a8e7-4ee60e063299.exe
816	196f8b8c-1c7f-4fb3-a8e7-4ee60e063299.exe
816	196f8b8c-1c7f-4fb3-a8e7-4ee60e063299.exe
816	196f8b8c-1c7f-4fb3-a8e7-4ee60e063299.exe
816	196f8b8c-1c7f-4fb3-a8e7-4ee60e063299.exe
1444	qdu.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\KasperskyLab	MacroRecorderSetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Quick Driver Updater\x64\is-8VST3.tmp	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-2ADLN.tmp	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\Delimon.Win32.IO.dll	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\dp\7z.dll	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\dp\DPInst32.exe	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\TAFactory.IconPack.dll	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\is-7SC5S.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\is-HNJUQ.tmp	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\mrocr.dll	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-FU0AH.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\tessdata\is-7EB0O.tmp	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\ssleay32.dll	MacroRecorderSetup.tmp
File created	C:\Program Files\Quick Driver Updater\langs\is-ENREG.tmp	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\mrinst.exe	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-NQM45.tmp	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\x86\SQLite.Interop.dll	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\unins000.dat	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\dp\is-1HRHL.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\is-S7TMI.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\langs\is-ID7NF.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files (x86)\MacroRecorder\tessdata\is-3P8IC.tmp	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\dp\7z.exe	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\dp\is-RB3H0.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\dp\is-Q60O8.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\is-IU3RC.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\langs\is-8G282.tmp	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\Microsoft.WindowsAPICodePack.dll	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\qdu.exe	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\is-AHT3N.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\is-IACU6.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\x86\is-4B4N9.tmp	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\Interop.IWshRuntimeLibrary.dll	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\Microsoft.Win32.TaskScheduler.dll	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\is-N0TEE.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\is-AK2N5.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-R0GIL.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files\Quick Driver Updater\is-V72EF.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\is-7D3T8.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\dp\is-P6NA0.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\langs\is-MTVVA.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-93UC8.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files\Quick Driver Updater\dp\is-Q4KQU.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\langs\is-V9LA1.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\langs\is-4INAO.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\dp\is-QEI5F.tmp	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\mrkey.dll	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\unins000.dat	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\dp\qdureppath.exe	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\is-0BNK2.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\is-8KUQR.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\langs\is-IH794.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files (x86)\MacroRecorder\tessdata\is-DL1RG.tmp	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\libeay32.dll	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-0F9VT.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\unins000.msg	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\dp\qduverif.exe	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\dp\difxapi64.dll	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\Newtonsoft.Json.dll	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\is-KJOJF.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\langs\is-4A19N.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-CH6VV.tmp	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\unins000.dat	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\System.Data.SQLite.dll	Quick_Driver_Updater.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1292	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1924	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	WZPDFSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec000000000020000000000106600000001000020000000e192b60b1deb1821b79ea459c7f5c3cbdc8f82ed389799113b8ba6239dc12df3000000000e80000000020000200000004dd9421f7291c24e2d7d1aa2e7880637beca66aded79251c59722a9c9b9ac57690000000dca92fb512256a8e7673073d0f197f0ec57e4a50662e7e2a1bd7d9ee23149d34befab738cd44de27c0d614bc06a510d5fd6cce36ce75bd325eff0ffebae032eca0fbc5fb01d2bf0ff473d38ec111d9397359bab74245c6c9f58ac38bde562313e8d88c4f1d9dffb5577f17dc2f654122737b9a9fb90dffbf74af8c21d7bcd28ff0a877b7767349b2c8c36fa133796de440000000741e95f55cc165d3ab689432b5bc8f23a2562ce7faf6e4920f98647e4403017b39527b663f468696ec4cd6478ff68dd569f1bd66539f1f68a4eb18021957f9e1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{072C0F31-F29D-11EC-B0A3-6280490416C4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07E5BA71-F29D-11EC-B0A3-6280490416C4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\WZPDFSetup.exe = "11000"	WZPDFSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "362716655"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	WZPDFSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec000000000020000000000106600000001000020000000002f3142debec7bed686277f700d1c09e1f50bb6cff1fe20458b569f7f84b5bf000000000e8000000002000020000000fa47151f88acc335b03f72a3d7b353287ec0a2409bd1bc75e172f02c42316a64200000000a0b439fc4f7cc84059c2c393c5b5d1a6d0be6535ab97d360c7b2c8d3a76c6c240000000fcaa13290289c0867b4ffc5bd80bbc418761e6ac52b8131a2e813e10ddc8a188b95c838932679ab0cd755d1dadd7369b1fefd10be456435f921d6b6151d3425e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40267ee3a986d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	WZPDFSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies registry class 44 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	MacroRecorder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	MacroRecorder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mrf	MacroRecorderSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder\shell\open\command	MacroRecorderSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	MacroRecorder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder\ = "MacroRecorder macro file"	MacroRecorderSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder\DefaultIcon\ = "C:\\Program Files (x86)\\MacroRecorder\\MacroRecorder.exe,1"	MacroRecorderSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder\shell	MacroRecorderSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	MacroRecorder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mrf\ = "MacroRecorder"	MacroRecorderSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder	MacroRecorderSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	MacroRecorder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder\DefaultIcon	MacroRecorderSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_Classes\Local Settings	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	MacroRecorder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder\shell\open	MacroRecorderSetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	MacroRecorder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder\shell\open\command\ = "C:\\Program Files (x86)\\MacroRecorder\\MacroRecorder.exe \"%1\""	MacroRecorderSetup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 6200310000000000d7544a1410004d4143524f527e3100004a0008000400efbed7544a14d7544a142a0000002f4101000000120000000000000000000000000000004d006100630072006f0020005200650063006f007200640065007200000018000000	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	MacroRecorder.exe

Modifies system certificate store 2 TTPs 22 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Mouse Recorder Premium _TbJNZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Mouse Recorder Premium _TbJNZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Mouse Recorder Premium _TbJNZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Mouse Recorder Premium _TbJNZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba87030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Mouse Recorder Premium _TbJNZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Mouse Recorder Premium _TbJNZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	qdu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	qdu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Mouse Recorder Premium _TbJNZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Mouse Recorder Premium _TbJNZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca60f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca6040000000100000010000000a923759bba49366e31c2dbf2e766ba872000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Mouse Recorder Premium _TbJNZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Mouse Recorder Premium _TbJNZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	qdu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	qdu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Mouse Recorder Premium _TbJNZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Mouse Recorder Premium _TbJNZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Mouse Recorder Premium _TbJNZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Mouse Recorder Premium _TbJNZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Mouse Recorder Premium _TbJNZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Mouse Recorder Premium _TbJNZ.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	qdu.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	qdu.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1948	Mouse Recorder Premium _TbJNZ.exe
1948	Mouse Recorder Premium _TbJNZ.exe
1948	Mouse Recorder Premium _TbJNZ.exe
1948	Mouse Recorder Premium _TbJNZ.exe
1948	Mouse Recorder Premium _TbJNZ.exe
1948	Mouse Recorder Premium _TbJNZ.exe
1948	Mouse Recorder Premium _TbJNZ.exe
1948	Mouse Recorder Premium _TbJNZ.exe
1948	Mouse Recorder Premium _TbJNZ.exe
1948	Mouse Recorder Premium _TbJNZ.exe
1644	Quick_Driver_Updater.tmp
1644	Quick_Driver_Updater.tmp
1572	MacroRecorderSetup.tmp
1572	MacroRecorderSetup.tmp
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
816	196f8b8c-1c7f-4fb3-a8e7-4ee60e063299.exe
816	196f8b8c-1c7f-4fb3-a8e7-4ee60e063299.exe
1516	ga_utility.exe
684	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	1444	qdu.exe
Token: 33	1444	qdu.exe
Token: SeIncBasePriorityPrivilege	1444	qdu.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1644	Quick_Driver_Updater.tmp
1572	MacroRecorderSetup.tmp
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
684	iexplore.exe
1668	iexplore.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1632	MacroRecorder.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1444	qdu.exe
1444	qdu.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1632	MacroRecorder.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe
1444	qdu.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
1948	Mouse Recorder Premium _TbJNZ.exe
1948	Mouse Recorder Premium _TbJNZ.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1668	iexplore.exe
1668	iexplore.exe
684	iexplore.exe
684	iexplore.exe
1292	IEXPLORE.EXE
1292	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
1632	MacroRecorder.exe
1632	MacroRecorder.exe
1444	qdu.exe
1444	qdu.exe
1292	IEXPLORE.EXE
1292	IEXPLORE.EXE
1632	MacroRecorder.exe
1632	MacroRecorder.exe
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
1632	MacroRecorder.exe
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 588	1948	Mouse Recorder Premium _TbJNZ.exe	29
PID 1948 wrote to memory of 588	1948	Mouse Recorder Premium _TbJNZ.exe	29
PID 1948 wrote to memory of 588	1948	Mouse Recorder Premium _TbJNZ.exe	29
PID 1948 wrote to memory of 588	1948	Mouse Recorder Premium _TbJNZ.exe	29
PID 1948 wrote to memory of 588	1948	Mouse Recorder Premium _TbJNZ.exe	29
PID 1948 wrote to memory of 588	1948	Mouse Recorder Premium _TbJNZ.exe	29
PID 1948 wrote to memory of 588	1948	Mouse Recorder Premium _TbJNZ.exe	29
PID 588 wrote to memory of 1572	588	MacroRecorderSetup.exe	30
PID 588 wrote to memory of 1572	588	MacroRecorderSetup.exe	30
PID 588 wrote to memory of 1572	588	MacroRecorderSetup.exe	30
PID 588 wrote to memory of 1572	588	MacroRecorderSetup.exe	30
PID 588 wrote to memory of 1572	588	MacroRecorderSetup.exe	30
PID 588 wrote to memory of 1572	588	MacroRecorderSetup.exe	30
PID 588 wrote to memory of 1572	588	MacroRecorderSetup.exe	30
PID 1948 wrote to memory of 1436	1948	Mouse Recorder Premium _TbJNZ.exe	31
PID 1948 wrote to memory of 1436	1948	Mouse Recorder Premium _TbJNZ.exe	31
PID 1948 wrote to memory of 1436	1948	Mouse Recorder Premium _TbJNZ.exe	31
PID 1948 wrote to memory of 1436	1948	Mouse Recorder Premium _TbJNZ.exe	31
PID 1948 wrote to memory of 1436	1948	Mouse Recorder Premium _TbJNZ.exe	31
PID 1948 wrote to memory of 1436	1948	Mouse Recorder Premium _TbJNZ.exe	31
PID 1948 wrote to memory of 1436	1948	Mouse Recorder Premium _TbJNZ.exe	31
PID 1436 wrote to memory of 1644	1436	Quick_Driver_Updater.exe	33
PID 1436 wrote to memory of 1644	1436	Quick_Driver_Updater.exe	33
PID 1436 wrote to memory of 1644	1436	Quick_Driver_Updater.exe	33
PID 1436 wrote to memory of 1644	1436	Quick_Driver_Updater.exe	33
PID 1436 wrote to memory of 1644	1436	Quick_Driver_Updater.exe	33
PID 1436 wrote to memory of 1644	1436	Quick_Driver_Updater.exe	33
PID 1436 wrote to memory of 1644	1436	Quick_Driver_Updater.exe	33
PID 1644 wrote to memory of 1380	1644	Quick_Driver_Updater.tmp	34
PID 1644 wrote to memory of 1380	1644	Quick_Driver_Updater.tmp	34
PID 1644 wrote to memory of 1380	1644	Quick_Driver_Updater.tmp	34
PID 1644 wrote to memory of 1380	1644	Quick_Driver_Updater.tmp	34
PID 1644 wrote to memory of 1924	1644	Quick_Driver_Updater.tmp	36
PID 1644 wrote to memory of 1924	1644	Quick_Driver_Updater.tmp	36
PID 1644 wrote to memory of 1924	1644	Quick_Driver_Updater.tmp	36
PID 1644 wrote to memory of 1924	1644	Quick_Driver_Updater.tmp	36
PID 1644 wrote to memory of 1292	1644	Quick_Driver_Updater.tmp	39
PID 1644 wrote to memory of 1292	1644	Quick_Driver_Updater.tmp	39
PID 1644 wrote to memory of 1292	1644	Quick_Driver_Updater.tmp	39
PID 1644 wrote to memory of 1292	1644	Quick_Driver_Updater.tmp	39
PID 1644 wrote to memory of 984	1644	Quick_Driver_Updater.tmp	42
PID 1644 wrote to memory of 984	1644	Quick_Driver_Updater.tmp	42
PID 1644 wrote to memory of 984	1644	Quick_Driver_Updater.tmp	42
PID 1644 wrote to memory of 984	1644	Quick_Driver_Updater.tmp	42
PID 1644 wrote to memory of 984	1644	Quick_Driver_Updater.tmp	42
PID 1644 wrote to memory of 984	1644	Quick_Driver_Updater.tmp	42
PID 1644 wrote to memory of 984	1644	Quick_Driver_Updater.tmp	42
PID 1572 wrote to memory of 1696	1572	MacroRecorderSetup.tmp	44
PID 1572 wrote to memory of 1696	1572	MacroRecorderSetup.tmp	44
PID 1572 wrote to memory of 1696	1572	MacroRecorderSetup.tmp	44
PID 1572 wrote to memory of 1696	1572	MacroRecorderSetup.tmp	44
PID 1572 wrote to memory of 1632	1572	MacroRecorderSetup.tmp	46
PID 1572 wrote to memory of 1632	1572	MacroRecorderSetup.tmp	46
PID 1572 wrote to memory of 1632	1572	MacroRecorderSetup.tmp	46
PID 1572 wrote to memory of 1632	1572	MacroRecorderSetup.tmp	46
PID 1644 wrote to memory of 1444	1644	Quick_Driver_Updater.tmp	47
PID 1644 wrote to memory of 1444	1644	Quick_Driver_Updater.tmp	47
PID 1644 wrote to memory of 1444	1644	Quick_Driver_Updater.tmp	47
PID 1644 wrote to memory of 1444	1644	Quick_Driver_Updater.tmp	47
PID 1644 wrote to memory of 1444	1644	Quick_Driver_Updater.tmp	47
PID 1644 wrote to memory of 1444	1644	Quick_Driver_Updater.tmp	47
PID 1644 wrote to memory of 1444	1644	Quick_Driver_Updater.tmp	47
PID 1948 wrote to memory of 872	1948	Mouse Recorder Premium _TbJNZ.exe	48
PID 1948 wrote to memory of 872	1948	Mouse Recorder Premium _TbJNZ.exe	48

C:\Users\Admin\AppData\Local\Temp\Mouse Recorder Premium _TbJNZ.exe
"C:\Users\Admin\AppData\Local\Temp\Mouse Recorder Premium _TbJNZ.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\MacroRecorderSetup_exe_0623202223339134314216\MacroRecorderSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\MacroRecorderSetup_exe_0623202223339134314216\MacroRecorderSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Users\Admin\AppData\Local\Temp\is-3IHR6.tmp\MacroRecorderSetup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-3IHR6.tmp\MacroRecorderSetup.tmp" /SL5="$101B0,18101744,845312,C:\Users\Admin\AppData\Local\Temp\MacroRecorderSetup_exe_0623202223339134314216\MacroRecorderSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh" advfirewall firewall add rule name="MacroRecorder" dir=in action=allow program="C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1696
  - - C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe
      "C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1632
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.macrorecorder.com/download/
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1668
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1668 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1292
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.macrorecorder.com/docs/02/anchor/register
        5⤵
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:684
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:684 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2112
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:684 CREDAT:865284 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2728
- C:\Users\Admin\AppData\Local\Temp\Quick_Driver_Updater_exe_6623202223354303381569\Quick_Driver_Updater.exe
  "C:\Users\Admin\AppData\Local\Temp\Quick_Driver_Updater_exe_6623202223354303381569\Quick_Driver_Updater.exe" /verysilent /ppi=1 /ppinag=1 /ddtime=500 /delay=5 /source=sftqdu1 /pixel=SFT5696_SFT5567_RUNT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\is-DIT8P.tmp\Quick_Driver_Updater.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-DIT8P.tmp\Quick_Driver_Updater.tmp" /SL5="$10204,5773230,1034240,C:\Users\Admin\AppData\Local\Temp\Quick_Driver_Updater_exe_6623202223354303381569\Quick_Driver_Updater.exe" /verysilent /ppi=1 /ppinag=1 /ddtime=500 /delay=5 /source=sftqdu1 /pixel=SFT5696_SFT5567_RUNT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /tn "Quick Driver Updater_launcher" /f
      4⤵
      PID:1380
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im "qdu.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1924
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /Create /F /RL Highest /SC ONCE /st 00:00 /TN "Quick Driver Updater skipuac" /TR "'C:\Program Files\Quick Driver Updater\qdu.exe'"
      4⤵
      Creates scheduled task(s)
      PID:1292
  - - C:\Program Files\Quick Driver Updater\qdu.exe
      "C:\Program Files\Quick Driver Updater\qdu.exe" cntryphnno
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:984
  - - C:\Program Files\Quick Driver Updater\qdu.exe
      "C:\Program Files\Quick Driver Updater\qdu.exe" silentlnch
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1444
- C:\Users\Admin\AppData\Local\Temp\Winzip_PDFPro_exe_56232022233534405827365\Winzip_PDFPro.exe
  "C:\Users\Admin\AppData\Local\Temp\Winzip_PDFPro_exe_56232022233534405827365\Winzip_PDFPro.exe" /S
  2⤵
  - Executes dropped EXE
  PID:872
- - C:\196f8b8c-1c7f-4fb3-a8e7-4ee60e063299.exe
    \196f8b8c-1c7f-4fb3-a8e7-4ee60e063299.exe /OSOURCE="wzpdf8" /BUILD_ID="8" /S
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:816
  - - C:\Users\Admin\AppData\Local\Temp\nsyEADF.tmp\ga_utility.exe
      "C:\Users\Admin\AppData\Local\Temp\nsyEADF.tmp\ga_utility.exe" -install_start_s -install_silent -guid "844FADA1D7E76E3DE6499F4AA473DECB16DA96BB" -language "en" -app_version "2.0.2.11" -product_code "WZPDF" -app_name "WinZip PDF Pro" -track_id "UA-66457935-18"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\WZPDFSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\WZPDFSetup.exe" /NO_UI /GA_TRACKING_UID="844FADA1D7E76E3DE6499F4AA473DECB16DA96BB" /CANCEL_ONE_INSTANCE_CHECK /BUILD_ID=8 /OSOURCE="wzpdf8"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\196f8b8c-1c7f-4fb3-a8e7-4ee60e063299.exe

Filesize
1.1MB

MD5
0326ea0f5c32288fbd387fcd892e53ae

SHA1
e2b4bca06749092e73d700b24c12ab6f5d6975dc

SHA256
da283aaf5b1ffb2ea2df1e783bff722537c14c6be78bfda216e1762fa2a5f1d1

SHA512
4f18b3568200dc6777fbac53149881acc1ea7494b34e4b7a01e6e440ee7562da4dbfd6a07357d885dcd3d60c75cacf429011079a79dd34aa1091cd86c0aa06e6

Download Submit
C:\196f8b8c-1c7f-4fb3-a8e7-4ee60e063299.exe

Filesize
1.1MB

MD5
0326ea0f5c32288fbd387fcd892e53ae

SHA1
e2b4bca06749092e73d700b24c12ab6f5d6975dc

SHA256
da283aaf5b1ffb2ea2df1e783bff722537c14c6be78bfda216e1762fa2a5f1d1

SHA512
4f18b3568200dc6777fbac53149881acc1ea7494b34e4b7a01e6e440ee7562da4dbfd6a07357d885dcd3d60c75cacf429011079a79dd34aa1091cd86c0aa06e6

Download Submit
C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe

Filesize
15.8MB

MD5
3c528f77c6b1af0977eb5ba44086d784

SHA1
8ceb25234265ddf76c94c294a5d225e258fedb9e

SHA256
83943684c39165f0dd12cf6c1156c143987264209e764f80aa0a2e15e909fd11

SHA512
4299e3b89fa127b5db4c30083b36e7982fa03dd718ea067a4cad0530dc7b8def013c03f378163bcf99d54668546630a43dafe4bfdb99c3570a5ffc1269514f2e

Download Submit
C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe

Filesize
15.8MB

MD5
3c528f77c6b1af0977eb5ba44086d784

SHA1
8ceb25234265ddf76c94c294a5d225e258fedb9e

SHA256
83943684c39165f0dd12cf6c1156c143987264209e764f80aa0a2e15e909fd11

SHA512
4299e3b89fa127b5db4c30083b36e7982fa03dd718ea067a4cad0530dc7b8def013c03f378163bcf99d54668546630a43dafe4bfdb99c3570a5ffc1269514f2e

Download Submit
C:\Program Files (x86)\MacroRecorder\libeay32.dll

Filesize
1.3MB

MD5
39d7e73dc7712f89e93ab7a21bc5eb11

SHA1
21fc38157ac375741709147ffa9cde4ee19ed737

SHA256
6f91f607d1f30622e4b44d2146e59085a2a397990b79acbe75970e6dd5c7eddb

SHA512
bd7dc91d685bcc93f458c4df0d1370fe0afdc9b3729f11bf9141fde1ca04de5d561a595b180aec0bad9f7c6c7f25c438a262c63c7960e0f3bfac44f03a67f266

Download Submit
C:\Program Files (x86)\MacroRecorder\mrkey.dll

Filesize
156KB

MD5
1d01aa12abca7c2405abb863ae670305

SHA1
452b72fd0d41f008be8e2f8bdbcb3d727da885dc

SHA256
e92e12209048ffdca0c9e8bbbbf0616ce3e83dc66152c727f1758cd711dc529a

SHA512
36fdf55268418da1f09a22f284bf3b4d63b88af998d80d41ca9e7558b498143e5babc8329504c0e4c44d0a3edfc9692e612fb90e27d78f88cb92994181e1b550

Download Submit
C:\Program Files (x86)\MacroRecorder\ssleay32.dll

Filesize
351KB

MD5
af1353192fa86ee523768166c6afc58d

SHA1
0eaffe577bc67b2d7fd70011eb2a3a422182965a

SHA256
ccedca6c1b5aefc779af25a64f4fbc212a3379c3a2b392e9893a0d3edbfdb332

SHA512
95f5b8369ed6775a9d4f4bc9c02b35edba041a9823642ae8e2358a9cb93e212374fe3d75313de3b112b4174ab2adefc4cf34d25d0a89ecd439e3250d3f11f317

Download Submit
C:\Program Files\Quick Driver Updater\Microsoft.Win32.TaskScheduler.dll

Filesize
184KB

MD5
10b55f05ec011648f5ed0c2476c4abe3

SHA1
d40b05c4af3030232c807073ba05986482bdffe2

SHA256
05ab1bbcb2cce566b6d170011b446c5a34aeed37e73341fd4fbe348fb838930c

SHA512
ee3a2faac5af2e12aaaf288a6ac8fb18f3713395124f9e9d90616f2d546e951c12071a9c15f5411535ae936a9a18ff2d269dd16ad6fc275f6314f05acbe1128a

Download Submit
C:\Program Files\Quick Driver Updater\System.Data.SQLite.dll

Filesize
377KB

MD5
f008d53ef467ba98705ed7d178d0c578

SHA1
f4089c5c4941f8226c9889e6a6b62e63b5bacd4a

SHA256
b648f4071b4f5f89729194c55a83f8643fb8482e43896fea6854409e69d75f3a

SHA512
940bf937fa17e0f42b7f5f380e7678a211eae08d8403ed84f179729732e337033131a63276bf2220709b2388f9e137474a0a378c831b80af170ce6c6104f4892

Download Submit
C:\Program Files\Quick Driver Updater\WPFToolkit.dll

Filesize
456KB

MD5
195ed09e0b4f3b09ea4a3b67a0d3f396

SHA1
01a250631397c93c4aab9a777a86e39fd8d84f09

SHA256
aef9fcbb874fc82e151e32279330061f8f22a77c05f583a0cb5e5696654ac456

SHA512
b801c03efa3e8079366a7782d2634a3686d88f64c3c31a03aa5ce71b7bf472766724d209290c231d55da89dd4f03bd1c0153ffeb514e1d5d408cc2c713cd4098

Download Submit
C:\Program Files\Quick Driver Updater\langs\qdu_en-us.ini

Filesize
84KB

MD5
d541c142e6787ddb6a38e4f9a9363abb

SHA1
7c886aeeef554a03a9d31837805105c3eb9785d2

SHA256
6d1e04b7647987433d4d35c90f0ce7bae21170cdfebf3ea38ef8150cde5839e3

SHA512
fc36ca172bf197f6ad5ec0039f87e76c00f72ab3c1e033492c2bae16a628a27f74f329f3a3ee29b11c2c1a8c718ca90f9deb96e20a1915c8b8c95a50eb476db7

Download Submit
C:\Program Files\Quick Driver Updater\qdu.exe

Filesize
4.0MB

MD5
dfe06df90a37a45b23e33f510dda9554

SHA1
370edde62c86c1cdae423e966c6e31d5f0bffb58

SHA256
68e15d06d36f57bb45c819e0a3aada7023493bfbea1d2cbd1f3c1f421fe4b546

SHA512
c3a5589006c4e194f2cc7d5c053cd1ddcd4f0a4cdc76d104c0a32c64f0fb0103755523c90e8cba4c3818b49f0b9e144d010d4b97003cf66b9779e0e776220d70

Download Submit
C:\Program Files\Quick Driver Updater\qdu.exe

Filesize
4.0MB

MD5
dfe06df90a37a45b23e33f510dda9554

SHA1
370edde62c86c1cdae423e966c6e31d5f0bffb58

SHA256
68e15d06d36f57bb45c819e0a3aada7023493bfbea1d2cbd1f3c1f421fe4b546

SHA512
c3a5589006c4e194f2cc7d5c053cd1ddcd4f0a4cdc76d104c0a32c64f0fb0103755523c90e8cba4c3818b49f0b9e144d010d4b97003cf66b9779e0e776220d70

Download Submit
C:\Program Files\Quick Driver Updater\qdu.exe

Filesize
4.0MB

MD5
dfe06df90a37a45b23e33f510dda9554

SHA1
370edde62c86c1cdae423e966c6e31d5f0bffb58

SHA256
68e15d06d36f57bb45c819e0a3aada7023493bfbea1d2cbd1f3c1f421fe4b546

SHA512
c3a5589006c4e194f2cc7d5c053cd1ddcd4f0a4cdc76d104c0a32c64f0fb0103755523c90e8cba4c3818b49f0b9e144d010d4b97003cf66b9779e0e776220d70

Download Submit
C:\Program Files\Quick Driver Updater\qdu.exe.config

Filesize
3KB

MD5
b6cd223552358a991d62398d8a769bda

SHA1
21c4455118aabf5064f4743007ea31795f07ceac

SHA256
1d890e3d22dbd0177acb4d307b98e5ec491b8085b7ca70c08ef5bd666489b619

SHA512
a019eeefba7672e13891a3ce1c29dbe781535e7e5bb9d035c50bcc1de67c37f4dfa8a46f0972c3f88c8da8db21cc9b1fda139c31350ec9672dd5ee2d685c3b0e

Download Submit
C:\Program Files\Quick Driver Updater\x64\SQLite.Interop.dll

Filesize
1.5MB

MD5
65142ec86e7fe03453efe502a1d8ea1a

SHA1
f6731a02884073edc41ace74569a31f95ae3d8f3

SHA256
39785f30001d4a858e968d93a5e2cef0717fedc6cf668f557854b374ece54f4f

SHA512
576c95bd82dc53b73d487b94bf4e5ac0914289ae99d3696eb9f66b69b7119422d6b400d47b5a31367820494b61679ffed7c04cfd5acb24a2c13ec3cb2b4ad497

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
727B

MD5
6948d4c1d35134af5f68adf7063c34d0

SHA1
f88c102cb36d2799668f868c1981cbb0c1b00dfc

SHA256
831f285000ba994610d22d8f9a0f46eeb18bd3989c10291632be2e51cc093be2

SHA512
3a6b60eff54a267d28fb07d7f0da287476a223cd3f04f52cecb9041a61f5660b75e7838f2b86804ad10522b75c49da92b8858563f69267942f995d58babce1a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
d79b8fd535a85556f621318ea4fccf48

SHA1
8e93819e7891d69a1059d3ef3174ad46c88e5dcd

SHA256
efe4e9819fef2de17ca038f0ca93f567412bd298f88c6c59c7c476b7da587771

SHA512
d44de6653b1598e3ad8330736ec7a7ae8fd5bee996f77275ae4f8271f39ec85acd76285b832f0e96dd39606346c15f057dd0e1bdc28ac2513271b37187ff3005

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
308336e7f515478969b24c13ded11ede

SHA1
8fb0cf42b77dbbef224a1e5fc38abc2486320775

SHA256
889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

SHA512
61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_E490EA7FE9CCA5E70E3DD1BCBE4988BC

Filesize
637B

MD5
943d1c8724804d8ead75ba03f1889a72

SHA1
52f2c06616debdb238570a338ad2a157ca3ce885

SHA256
b8a92208332dac6efec5ad0904c847595fdd322ace594a3ea11638f26c0e3bed

SHA512
88a2d8419dbc1da659d87d0026fce3adae636734d134ffd3329c07aa621abc14a50039ee5aaac61ce96bba385e1a03087de9c3f9cbb50d7ee5ddf394c89360da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
471B

MD5
8390d5c8d002c44f82ec7ee7bfba3755

SHA1
119e63698e40d302804b61a6b11bb8c4fcad4a4f

SHA256
1a4df15849008916167a2ea56fca09779ece53ee7b6c4787db5b8daf41a81369

SHA512
088a154ac438ebb9348a204e9522c7d279e31f90344246372589e34109c842070e663c865de193f23ccc981018457ca90c38bf7272830f4a93fe0efc79220f34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
398B

MD5
014ddfaea3d7afdf75130c925ca819be

SHA1
e446c6629a28f4769999c9fc78d3543a8df40b08

SHA256
c87344ed38df974ddced5f2088c402c17217c7c7504e9b5504e78d6230895600

SHA512
689a933b3840f59cb19e3da0a7c42855baf1ac043c9c8b0d1a1caf2272d674188eea22677917fd54cb95a2aabdb9cc8360ae2912396f046a586e10f5b7d961d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
8462b32f21e8686b7955085560016797

SHA1
532db56fd76135a800071b0ef212835d785e13fc

SHA256
dc43c8f9952a4342b87da87152dd93fa9bdd2d20319aad1cd78cbdf1f16d4130

SHA512
4231d4fa83c68ffba1db996a4c8606f3c8e781f586025a1fe62a42eb31a23a0d57e4dcc368142f2fb785523db4794f082acc6d7c23bb0927e5a64c88729e33b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
c2fb57ca296eee1f67326ecdc5d7a70c

SHA1
64efaa8316a2f9af61695d3f55a19a5d9940fe2c

SHA256
27b8fad886081fd383baf8724dfae0a94468125ce825353a86903a285ffc9533

SHA512
c064258ff645c4fc405c045d6be723ebe25f3a603ab216169a476a3776995471294e7b1e343ec111a940bd5539f9ed19e00bab99a570903302f80a911c3a7b5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ae0c076e20e3d1eeaecce213e0da9b4

SHA1
ac59949268bc2064be31d77f6d574e2885799966

SHA256
622de4729cbb11955c545cea437c1b66f4383882302fad38f583db725d28797d

SHA512
5d7c4a938df1a62f31dcdaf4db4f2b909e7e03524cb00ce23dca94ab777437396fa4a2d7b7f4b4ba407be0fac6e39e92afcdeae51c5c69af0f58c768e7f5f98d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc77712c45577b0f7bdaa1cd9faa7f4b

SHA1
1be1b89130a6a535b77a3294595dc2567504b0ab

SHA256
64dcfeb11ebb171151693dfb7653eeb4b5e9f3060bfff6c84deb201c89d0df80

SHA512
827b9c5131ac6884984e28c8e9c782fc601dc577bc9ad7fbdbd768b2c1536fd6642c4002f76f1198a6c78727d2e006fe4eee03f4b7de4a141982a4bd1300053f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6840ae82c90e2a315d9524e35735b0fb

SHA1
3608c77269ebdcb15c9a767ed263bb5c2a938dc6

SHA256
24ce82112204dc2e58c58d227d70ef48a893ab9953f261f6888a0e0c2d9fa5e5

SHA512
44dc82ef2c4e06ff0a3b214ac0d2a67ea905a850c01a6290244ba005fdb878cf642ce25a82ec1574e462b296c685a253e4d8ccfd7d3381f7a0ed5f85b6049dcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_E490EA7FE9CCA5E70E3DD1BCBE4988BC

Filesize
402B

MD5
3b70d86388c57559764ac9032937fdc2

SHA1
54f42c0b9e492dcfc46f893d258e8d8a4e23056b

SHA256
7697bc4a05aea148926238cebbf7dd7fe23f127794262b57aab7a81608186e7e

SHA512
7332f589ad8b40df1195b372e65ece954430c3401fbbd2ca5bba66438be97cf1b5d42de24eeb44affed3913aa5f1e9c19b1d5698693bfe5f736822e2c441e960

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
396B

MD5
c1d0a88a15ce131ad4b872e5afe68842

SHA1
610ae93299126f684746ea91207750d8dce0409a

SHA256
767295c514b2d48153d8bf245c6e30edf1f013a25592cb4fe132c6477ff815a6

SHA512
61f80a41713a5fc534f7d1f754d5976d9422cbec0c26c659572f2d09b59c85e134b0467f9b007b41f5bbbc4ab79513ed9fc343ccc30332c510d4a13a3e1cfc6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
ffed1ea5e3eac8d97a5a0407112c6c25

SHA1
9ec2004906b7b9855e6c98dd6f0dc243561499da

SHA256
59935fb587cb02f9350ee275982e6968e89cb19ddece7ab4844d49ab51293445

SHA512
a49e55e43a4e7670dffd85bfa73c772187bd323c1846658e581f7eed1d20912d24fcfc06afaf841986fbc2dc08a0afc1fb1b3fb455690572729faafe578454bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_12EDABE7F42D330012E99BF50004DBA7

Filesize
410B

MD5
09324c96203996bbd801dabd26122f80

SHA1
b2c071d814c3e808068bd9cee81e3d685d0a1eef

SHA256
5ebec3bc9c17694df173e1aa4114a7837f485f886806e045382b1df9db950bec

SHA512
25edf7e624d96e0cfa0316a04a0e66ea62badaabef1cae8a61f9ea9b271c7f331621e2534038e74b651189cd7030899571d6b077bff8f4cd4e1ebe2eb159dbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MacroRecorderSetup_exe_0623202223339134314216\MacroRecorderSetup.exe

Filesize
18.1MB

MD5
de5e05ee93d77686863e45c70d8f7143

SHA1
e86714331c8e2f3fc17f0e2ba98a8ba430bd3c54

SHA256
881c7772666619ee5bbf9e4e97158b832ab10db9838d70dd3b4a8954aaf9c3e8

SHA512
91a2ae260fe82e1c399ef4de8cbae640509393004a89c3b4c00a74709009b81d4c97909e9de2c2bfaaaa03eb17dcd1dfe5759b6a66a2de6e10548afd59a1ac8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MacroRecorderSetup_exe_0623202223339134314216\MacroRecorderSetup.exe

Filesize
18.1MB

MD5
de5e05ee93d77686863e45c70d8f7143

SHA1
e86714331c8e2f3fc17f0e2ba98a8ba430bd3c54

SHA256
881c7772666619ee5bbf9e4e97158b832ab10db9838d70dd3b4a8954aaf9c3e8

SHA512
91a2ae260fe82e1c399ef4de8cbae640509393004a89c3b4c00a74709009b81d4c97909e9de2c2bfaaaa03eb17dcd1dfe5759b6a66a2de6e10548afd59a1ac8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quick_Driver_Updater_exe_6623202223354303381569\Quick_Driver_Updater.exe

Filesize
6.4MB

MD5
4aae3da061f772f90bae6902c72f7cf2

SHA1
c27cbebaa722793d0208e9908079d2caea70dace

SHA256
4df4c5e467ca99103d85bb250cda1279240bc2a7e892a0b174d32d8efe18b903

SHA512
068fa6af3e7e7ab862ae7789d7fea5a6e748f7e8a9268e43bedbb26f6fce99d97ae9915907319ae1482e67cfd0fdfddfa01c0e74070624c51369bd61316d17bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quick_Driver_Updater_exe_6623202223354303381569\Quick_Driver_Updater.exe

Filesize
6.4MB

MD5
4aae3da061f772f90bae6902c72f7cf2

SHA1
c27cbebaa722793d0208e9908079d2caea70dace

SHA256
4df4c5e467ca99103d85bb250cda1279240bc2a7e892a0b174d32d8efe18b903

SHA512
068fa6af3e7e7ab862ae7789d7fea5a6e748f7e8a9268e43bedbb26f6fce99d97ae9915907319ae1482e67cfd0fdfddfa01c0e74070624c51369bd61316d17bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZPDFSetup.exe

Filesize
1.6MB

MD5
06061544ca08aae412a1f59a018006dc

SHA1
0088c3ecdeea233514f296b3be1f5911718965fa

SHA256
bc01797d4c3cc85804bae45538bfabfb03e95fda93d4d464bc9ae09cebac9633

SHA512
e1fcdd177e68b09dbf58638680641b9c5df4d6382eff677555150253e12607e028ec984c63e9ffe47d5c5e1d77cf2d289ac530da86190cf732b9482f23bd2cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winzip_PDFPro_exe_56232022233534405827365\Winzip_PDFPro.exe

Filesize
1.4MB

MD5
8b1e501c4bf4be75f5c399215f6101e0

SHA1
0c4c71c394a7a038e87eb377a9fd304831c326d7

SHA256
64232a323c6391be43180639ad55e99965a9e11fd3fc2a45f519b54ef7178b1c

SHA512
1bd236b2ffa26f021762593bea53b293b7b49214f8b0782f5d1a90d560dbac71a15bd4bd8be3ad28360285f9f5aa7a3dde0677bb92ba77747a20af733e2b477d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winzip_PDFPro_exe_56232022233534405827365\Winzip_PDFPro.exe

Filesize
1.4MB

MD5
8b1e501c4bf4be75f5c399215f6101e0

SHA1
0c4c71c394a7a038e87eb377a9fd304831c326d7

SHA256
64232a323c6391be43180639ad55e99965a9e11fd3fc2a45f519b54ef7178b1c

SHA512
1bd236b2ffa26f021762593bea53b293b7b49214f8b0782f5d1a90d560dbac71a15bd4bd8be3ad28360285f9f5aa7a3dde0677bb92ba77747a20af733e2b477d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3IHR6.tmp\MacroRecorderSetup.tmp

Filesize
3.0MB

MD5
e1f9a2fd3d98a0c8292e1944d16489d1

SHA1
9ee15a009b44e5c6feee944a49384e4573b73b76

SHA256
cff18e9286cfc125c3030889cce95748aa692df206297f298ec608bcfc7b8132

SHA512
68931b5022189184d438d07c8d7adc32d8dfb3b23f435c491615c87e4deb1f947b926aaa16b58305541fa953e21226b0e2e8dac9ae994e5db4303eeb8300db54

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3IHR6.tmp\MacroRecorderSetup.tmp

Filesize
3.0MB

MD5
e1f9a2fd3d98a0c8292e1944d16489d1

SHA1
9ee15a009b44e5c6feee944a49384e4573b73b76

SHA256
cff18e9286cfc125c3030889cce95748aa692df206297f298ec608bcfc7b8132

SHA512
68931b5022189184d438d07c8d7adc32d8dfb3b23f435c491615c87e4deb1f947b926aaa16b58305541fa953e21226b0e2e8dac9ae994e5db4303eeb8300db54

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DIT8P.tmp\Quick_Driver_Updater.tmp

Filesize
2.7MB

MD5
348e9aad9e445392ba5c9fe96daf6f8b

SHA1
e04d450778d05cabb111903892dda0cdb288cd98

SHA256
5bae7f43baa254ce2eba9018e11c575730427d4fdf3146165755cd4bb07c3e53

SHA512
c19e21b4ce0908bd5b0d7f606f6ee44d0b8839ddcab7067933092a707d21131b7379a1850e35475e57be62cba1b61abde61331bd1bccdd875e756bb296f34024

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DIT8P.tmp\Quick_Driver_Updater.tmp

Filesize
2.7MB

MD5
348e9aad9e445392ba5c9fe96daf6f8b

SHA1
e04d450778d05cabb111903892dda0cdb288cd98

SHA256
5bae7f43baa254ce2eba9018e11c575730427d4fdf3146165755cd4bb07c3e53

SHA512
c19e21b4ce0908bd5b0d7f606f6ee44d0b8839ddcab7067933092a707d21131b7379a1850e35475e57be62cba1b61abde61331bd1bccdd875e756bb296f34024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyEADF.tmp\ga_utility.exe

Filesize
488KB

MD5
142164f843e70dfddd7d456604799b52

SHA1
bfffc80d78ae437741efe33e9d7aab9baa47542a

SHA256
33ab6fcc791863ec141c9fc9a3df08baa16a63901304c669fde08daa6aa6a971

SHA512
3ef82e81d1067b540c43ac98db7f8d967ed1d363257c41b49d652f1af2066b0a8f3eb141fd51e75eb62fdb9ff1e3a09a223b370bbd37cf327e78222ddc0a8241

Download Submit
C:\Users\Admin\AppData\Roaming\Digital Protection Services S.R.L\Quick Driver Updater\Errorlog.txt

Filesize
1KB

MD5
65890ad559eec4337f3152d6f0ee8e51

SHA1
80dbf2fe1c3260666b3332c61ed2af7abc72165d

SHA256
72a837b2d81d3b8a4446fcd34995a86fa029b917bc710a4a0a69fa45dff0b637

SHA512
0db2fd80ac3e38fb57c9adf591399c0463cb8f9fd503e00cf4f70d0cad5809f0f5c93296a2a8a088bfa97eedc7813f7cb96704508e8f7812fe423aee01d49a7e

Download Submit
\Program Files (x86)\MacroRecorder\MacroRecorder.exe

Filesize
15.8MB

MD5
3c528f77c6b1af0977eb5ba44086d784

SHA1
8ceb25234265ddf76c94c294a5d225e258fedb9e

SHA256
83943684c39165f0dd12cf6c1156c143987264209e764f80aa0a2e15e909fd11

SHA512
4299e3b89fa127b5db4c30083b36e7982fa03dd718ea067a4cad0530dc7b8def013c03f378163bcf99d54668546630a43dafe4bfdb99c3570a5ffc1269514f2e

Download Submit
\Program Files (x86)\MacroRecorder\MacroRecorder.exe

Filesize
15.8MB

MD5
3c528f77c6b1af0977eb5ba44086d784

SHA1
8ceb25234265ddf76c94c294a5d225e258fedb9e

SHA256
83943684c39165f0dd12cf6c1156c143987264209e764f80aa0a2e15e909fd11

SHA512
4299e3b89fa127b5db4c30083b36e7982fa03dd718ea067a4cad0530dc7b8def013c03f378163bcf99d54668546630a43dafe4bfdb99c3570a5ffc1269514f2e

Download Submit
\Program Files (x86)\MacroRecorder\libeay32.dll

Filesize
1.3MB

MD5
39d7e73dc7712f89e93ab7a21bc5eb11

SHA1
21fc38157ac375741709147ffa9cde4ee19ed737

SHA256
6f91f607d1f30622e4b44d2146e59085a2a397990b79acbe75970e6dd5c7eddb

SHA512
bd7dc91d685bcc93f458c4df0d1370fe0afdc9b3729f11bf9141fde1ca04de5d561a595b180aec0bad9f7c6c7f25c438a262c63c7960e0f3bfac44f03a67f266

Download Submit
\Program Files (x86)\MacroRecorder\mrkey.dll

Filesize
156KB

MD5
1d01aa12abca7c2405abb863ae670305

SHA1
452b72fd0d41f008be8e2f8bdbcb3d727da885dc

SHA256
e92e12209048ffdca0c9e8bbbbf0616ce3e83dc66152c727f1758cd711dc529a

SHA512
36fdf55268418da1f09a22f284bf3b4d63b88af998d80d41ca9e7558b498143e5babc8329504c0e4c44d0a3edfc9692e612fb90e27d78f88cb92994181e1b550

Download Submit
\Program Files (x86)\MacroRecorder\ssleay32.dll

Filesize
351KB

MD5
af1353192fa86ee523768166c6afc58d

SHA1
0eaffe577bc67b2d7fd70011eb2a3a422182965a

SHA256
ccedca6c1b5aefc779af25a64f4fbc212a3379c3a2b392e9893a0d3edbfdb332

SHA512
95f5b8369ed6775a9d4f4bc9c02b35edba041a9823642ae8e2358a9cb93e212374fe3d75313de3b112b4174ab2adefc4cf34d25d0a89ecd439e3250d3f11f317

Download Submit
\Program Files\Quick Driver Updater\qdu.exe

Filesize
4.0MB

MD5
dfe06df90a37a45b23e33f510dda9554

SHA1
370edde62c86c1cdae423e966c6e31d5f0bffb58

SHA256
68e15d06d36f57bb45c819e0a3aada7023493bfbea1d2cbd1f3c1f421fe4b546

SHA512
c3a5589006c4e194f2cc7d5c053cd1ddcd4f0a4cdc76d104c0a32c64f0fb0103755523c90e8cba4c3818b49f0b9e144d010d4b97003cf66b9779e0e776220d70

Download Submit
\Program Files\Quick Driver Updater\qdu.exe

Filesize
4.0MB

MD5
dfe06df90a37a45b23e33f510dda9554

SHA1
370edde62c86c1cdae423e966c6e31d5f0bffb58

SHA256
68e15d06d36f57bb45c819e0a3aada7023493bfbea1d2cbd1f3c1f421fe4b546

SHA512
c3a5589006c4e194f2cc7d5c053cd1ddcd4f0a4cdc76d104c0a32c64f0fb0103755523c90e8cba4c3818b49f0b9e144d010d4b97003cf66b9779e0e776220d70

Download Submit
\Program Files\Quick Driver Updater\qdu.exe

Filesize
4.0MB

MD5
dfe06df90a37a45b23e33f510dda9554

SHA1
370edde62c86c1cdae423e966c6e31d5f0bffb58

SHA256
68e15d06d36f57bb45c819e0a3aada7023493bfbea1d2cbd1f3c1f421fe4b546

SHA512
c3a5589006c4e194f2cc7d5c053cd1ddcd4f0a4cdc76d104c0a32c64f0fb0103755523c90e8cba4c3818b49f0b9e144d010d4b97003cf66b9779e0e776220d70

Download Submit
\Program Files\Quick Driver Updater\qdu.exe

Filesize
4.0MB

MD5
dfe06df90a37a45b23e33f510dda9554

SHA1
370edde62c86c1cdae423e966c6e31d5f0bffb58

SHA256
68e15d06d36f57bb45c819e0a3aada7023493bfbea1d2cbd1f3c1f421fe4b546

SHA512
c3a5589006c4e194f2cc7d5c053cd1ddcd4f0a4cdc76d104c0a32c64f0fb0103755523c90e8cba4c3818b49f0b9e144d010d4b97003cf66b9779e0e776220d70

Download Submit
\Program Files\Quick Driver Updater\unins000.exe

Filesize
2.7MB

MD5
348e9aad9e445392ba5c9fe96daf6f8b

SHA1
e04d450778d05cabb111903892dda0cdb288cd98

SHA256
5bae7f43baa254ce2eba9018e11c575730427d4fdf3146165755cd4bb07c3e53

SHA512
c19e21b4ce0908bd5b0d7f606f6ee44d0b8839ddcab7067933092a707d21131b7379a1850e35475e57be62cba1b61abde61331bd1bccdd875e756bb296f34024

Download Submit
\Program Files\Quick Driver Updater\x64\SQLite.Interop.dll

Filesize
1.5MB

MD5
65142ec86e7fe03453efe502a1d8ea1a

SHA1
f6731a02884073edc41ace74569a31f95ae3d8f3

SHA256
39785f30001d4a858e968d93a5e2cef0717fedc6cf668f557854b374ece54f4f

SHA512
576c95bd82dc53b73d487b94bf4e5ac0914289ae99d3696eb9f66b69b7119422d6b400d47b5a31367820494b61679ffed7c04cfd5acb24a2c13ec3cb2b4ad497

Download Submit
\Users\Admin\AppData\Local\Temp\WZPDFSetup.exe

Filesize
1.6MB

MD5
06061544ca08aae412a1f59a018006dc

SHA1
0088c3ecdeea233514f296b3be1f5911718965fa

SHA256
bc01797d4c3cc85804bae45538bfabfb03e95fda93d4d464bc9ae09cebac9633

SHA512
e1fcdd177e68b09dbf58638680641b9c5df4d6382eff677555150253e12607e028ec984c63e9ffe47d5c5e1d77cf2d289ac530da86190cf732b9482f23bd2cd0

Download Submit
\Users\Admin\AppData\Local\Temp\is-3IHR6.tmp\MacroRecorderSetup.tmp

Filesize
3.0MB

MD5
e1f9a2fd3d98a0c8292e1944d16489d1

SHA1
9ee15a009b44e5c6feee944a49384e4573b73b76

SHA256
cff18e9286cfc125c3030889cce95748aa692df206297f298ec608bcfc7b8132

SHA512
68931b5022189184d438d07c8d7adc32d8dfb3b23f435c491615c87e4deb1f947b926aaa16b58305541fa953e21226b0e2e8dac9ae994e5db4303eeb8300db54

Download Submit
\Users\Admin\AppData\Local\Temp\is-CPQQF.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
\Users\Admin\AppData\Local\Temp\is-DIT8P.tmp\Quick_Driver_Updater.tmp

Filesize
2.7MB

MD5
348e9aad9e445392ba5c9fe96daf6f8b

SHA1
e04d450778d05cabb111903892dda0cdb288cd98

SHA256
5bae7f43baa254ce2eba9018e11c575730427d4fdf3146165755cd4bb07c3e53

SHA512
c19e21b4ce0908bd5b0d7f606f6ee44d0b8839ddcab7067933092a707d21131b7379a1850e35475e57be62cba1b61abde61331bd1bccdd875e756bb296f34024

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE958.tmp\Crypto.dll

Filesize
3KB

MD5
59b7a89dbff790d69e01409dbc2a2788

SHA1
4ebbee3ebb35add8c1a0e436a4e4c9c5ba47c02a

SHA256
17b9038e66f3f45c4e775b32ad1bf076812d1ca4149198b47f4e0eda416859b1

SHA512
c202034bfbb7aca777326e7fb336e977e79cd9ba3bc7c17e5b6ec9c0222f6df2e1675b7d6bcb3de04a84e6226b193a5e0b81af950bc659fab83d12cd2fb84c04

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE958.tmp\System.dll

Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE958.tmp\ThreadTimer.dll

Filesize
3KB

MD5
1ef958d9667a3e548eabb533ebf18175

SHA1
79f9be24ce78a11944dec5bddd99c3d52a389ffc

SHA256
8b3b4ac7e82ad70222016975d51347abc0e2f8ace27d7a9aae940e3d2140c08f

SHA512
2a060b23e057a40b21f922368d591ca84117d024c033526ceba26847436f20f230472e23b212bf99dd8746b3e39b7844f502236a912401ea07dd03cba75b5921

Download Submit
\Users\Admin\AppData\Local\Temp\nsyEADF.tmp\ga_utility.exe

Filesize
488KB

MD5
142164f843e70dfddd7d456604799b52

SHA1
bfffc80d78ae437741efe33e9d7aab9baa47542a

SHA256
33ab6fcc791863ec141c9fc9a3df08baa16a63901304c669fde08daa6aa6a971

SHA512
3ef82e81d1067b540c43ac98db7f8d967ed1d363257c41b49d652f1af2066b0a8f3eb141fd51e75eb62fdb9ff1e3a09a223b370bbd37cf327e78222ddc0a8241

Download Submit
memory/588-63-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/588-57-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/588-112-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/588-58-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/588-111-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/984-116-0x0000000000108000-0x0000000000127000-memory.dmp

Filesize
124KB

Download
memory/984-96-0x000007FEEE1D0000-0x000007FEEEBF3000-memory.dmp

Filesize
10.1MB

Download
memory/984-100-0x000007FEEDD10000-0x000007FEEE1D0000-memory.dmp

Filesize
4.8MB

Download
memory/984-102-0x000007FEECD40000-0x000007FEEDD0A000-memory.dmp

Filesize
15.8MB

Download
memory/984-103-0x000007FEEBAE0000-0x000007FEECD33000-memory.dmp

Filesize
18.3MB

Download
memory/984-113-0x000007FEE9E20000-0x000007FEEAEB6000-memory.dmp

Filesize
16.6MB

Download
memory/984-114-0x0000000000108000-0x0000000000127000-memory.dmp

Filesize
124KB

Download
memory/1436-70-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/1436-120-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/1436-79-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/1444-130-0x000007FEED770000-0x000007FEEE73A000-memory.dmp

Filesize
15.8MB

Download
memory/1444-173-0x000000001B630000-0x000000001B649000-memory.dmp

Filesize
100KB

Download
memory/1444-171-0x000007FEE7EE0000-0x000007FEE95B3000-memory.dmp

Filesize
22.8MB

Download
memory/1444-129-0x000007FEEE740000-0x000007FEEEC00000-memory.dmp

Filesize
4.8MB

Download
memory/1444-174-0x000007FEE6BC0000-0x000007FEE7A4F000-memory.dmp

Filesize
14.6MB

Download
memory/1444-148-0x000000001CC81000-0x000000001CF54000-memory.dmp

Filesize
2.8MB

Download
memory/1444-131-0x000007FEEC510000-0x000007FEED763000-memory.dmp

Filesize
18.3MB

Download
memory/1444-172-0x0000000000AD8000-0x0000000000AF7000-memory.dmp

Filesize
124KB

Download
memory/1444-142-0x0000000000AD8000-0x0000000000AF7000-memory.dmp

Filesize
124KB

Download
memory/1444-140-0x000007FEEA940000-0x000007FEEB9D6000-memory.dmp

Filesize
16.6MB

Download
memory/1444-128-0x000007FEF1C70000-0x000007FEF2693000-memory.dmp

Filesize
10.1MB

Download
memory/1632-108-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/1644-80-0x0000000074721000-0x0000000074723000-memory.dmp

Filesize
8KB

Download
memory/1948-54-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp

Filesize
8KB

Download