0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac

Analysis

max time kernel
161s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
Size

2.2MB
MD5

67fa0e9fd5d95a17b484b97bc7ef4399
SHA1

41d5e4bcc07a7a75754c104458cd41e9c3bf391e
SHA256

0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac
SHA512

35f51650d487827c671369af4935c42b13a62bcb1292e1ec66e4857607f5c10e08dd780e9f54965c1b3a08326bd99849e331dc61c494c594ce896f2e799ed51e
SSDEEP

49152:osLsLsLs2dcISukoxqro4/Y9dVkZPbZ0obUmp2:osLsLsLs2bvX9UZPt0oq

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
1396	Logo1_.exe
4896	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4500	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
364	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
216	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
3580	setup.exe
4476	setup.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Loads dropped DLL 17 IoCs

pid	Process
4476	setup.exe
4476	setup.exe
4476	setup.exe
4476	setup.exe
4476	setup.exe
4476	setup.exe
4476	setup.exe
4476	setup.exe
4476	setup.exe
4476	setup.exe
4476	setup.exe
4476	setup.exe
4476	setup.exe
4476	setup.exe
4476	setup.exe
4476	setup.exe
4476	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1036\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\_desktop.ini	Logo1_.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
File created	C:\Windows\rundl132.exe	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
File created	C:\Windows\Logo1_.exe	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{16344B6E-52E1-4BBC-AA79-E08B10B7BAB9}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ECBE1E54-3649-4287-9888-D9FB133CAE0D}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ECBE1E54-3649-4287-9888-D9FB133CAE0D}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\ = "ISetupFileRegistrar"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E26CAD5-1B59-4D1D-9063-2D91314C9E45}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\ = "ISetupBasicFeatureStateEvents"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\ = "ISetupMultiMedia"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E67BBC9-18CB-4B22-BACD-687CDF6387B6}\ = "ISetupScriptEngine"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\ = "ISetupFeatures"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E67BBC9-18CB-4B22-BACD-687CDF6387B6}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}\ = "ISetupCABFile2"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupLogService"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ED19966-1493-4539-B9F5-97A6556CE8F8}\ = "ISetupScriptError"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1ED19966-1493-4539-B9F5-97A6556CE8F8}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B4D3EAE5-8A3A-4376-8B65-6A81293EDB1D}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\ = "ISetupMedia"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B288F47-79AB-43A8-8494-D9F4D5985B29}\ = "ISetupProgress2"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\ = "ISetupObjects"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4143914-2238-40F8-A74C-67C4B8ACB27A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C5C8B37-CCB7-11D5-ABEC-00B0D0238DF5}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 4008	4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	81
PID 4492 wrote to memory of 4008	4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	81
PID 4492 wrote to memory of 4008	4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	81
PID 4492 wrote to memory of 1396	4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	83
PID 4492 wrote to memory of 1396	4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	83
PID 4492 wrote to memory of 1396	4492	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	83
PID 1396 wrote to memory of 2788	1396	Logo1_.exe	84
PID 1396 wrote to memory of 2788	1396	Logo1_.exe	84
PID 1396 wrote to memory of 2788	1396	Logo1_.exe	84
PID 2788 wrote to memory of 1316	2788	net.exe	86
PID 2788 wrote to memory of 1316	2788	net.exe	86
PID 2788 wrote to memory of 1316	2788	net.exe	86
PID 4008 wrote to memory of 4896	4008	cmd.exe	87
PID 4008 wrote to memory of 4896	4008	cmd.exe	87
PID 4008 wrote to memory of 4896	4008	cmd.exe	87
PID 4896 wrote to memory of 1988	4896	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	88
PID 4896 wrote to memory of 1988	4896	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	88
PID 4896 wrote to memory of 1988	4896	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	88
PID 1988 wrote to memory of 4500	1988	cmd.exe	90
PID 1988 wrote to memory of 4500	1988	cmd.exe	90
PID 1988 wrote to memory of 4500	1988	cmd.exe	90
PID 4500 wrote to memory of 1068	4500	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	92
PID 4500 wrote to memory of 1068	4500	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	92
PID 4500 wrote to memory of 1068	4500	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	92
PID 1068 wrote to memory of 364	1068	cmd.exe	93
PID 1068 wrote to memory of 364	1068	cmd.exe	93
PID 1068 wrote to memory of 364	1068	cmd.exe	93
PID 364 wrote to memory of 392	364	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	94
PID 364 wrote to memory of 392	364	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	94
PID 364 wrote to memory of 392	364	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	94
PID 392 wrote to memory of 216	392	cmd.exe	96
PID 392 wrote to memory of 216	392	cmd.exe	96
PID 392 wrote to memory of 216	392	cmd.exe	96
PID 1396 wrote to memory of 2592	1396	Logo1_.exe	30
PID 1396 wrote to memory of 2592	1396	Logo1_.exe	30
PID 216 wrote to memory of 3580	216	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	97
PID 216 wrote to memory of 3580	216	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	97
PID 216 wrote to memory of 3580	216	0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe	97
PID 3580 wrote to memory of 4476	3580	setup.exe	98
PID 3580 wrote to memory of 4476	3580	setup.exe	98
PID 3580 wrote to memory of 4476	3580	setup.exe	98

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2592
- C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
  "C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a1B39.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
      "C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a1D9A.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a23C4.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7426.bat
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\pft81A5.tmp\Disk1\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pft81A5.tmp\Disk1\setup.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\pft81A5.tmp\Disk1\setup.exe
        
        -deleter
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4476
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\IGdi.dll

Filesize
156KB

MD5
98098911f534ffb8b4b70101dc4ccf86

SHA1
22e40b9f75ad1e1b7340a86d8dc7ccb299e4212a

SHA256
e7b19016e5a2b337728a31998c1a0b3f7a724a323025751c5fcaad6b52e3b31a

SHA512
b35becbf4d9735b87fc67dbfeb316f4c9f0946fabf6341f950aa60a1766b3a102613e7fffde607f7ff5fd5fb6de56dacba52ac65be14e3c79be65d5a991f95b3

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\Setup.dll

Filesize
264KB

MD5
7f0e7fc1dc4b20bab20497d670761c6e

SHA1
16f2795a58ffb8481e1258d6e4e026bff56c9d90

SHA256
5a45fb7bba2bc79cbc66e657ce56b110538d5537b59ecf320baa053beea6d1e6

SHA512
c07d887dd73d24fae0c40ff511e3ffeeb2622d074e3224bad30416837e149ba96e49252436ea27612da7697d491b3af8b7e323da08b453ca708461c0722eafe3

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\Setup.dll

Filesize
264KB

MD5
7f0e7fc1dc4b20bab20497d670761c6e

SHA1
16f2795a58ffb8481e1258d6e4e026bff56c9d90

SHA256
5a45fb7bba2bc79cbc66e657ce56b110538d5537b59ecf320baa053beea6d1e6

SHA512
c07d887dd73d24fae0c40ff511e3ffeeb2622d074e3224bad30416837e149ba96e49252436ea27612da7697d491b3af8b7e323da08b453ca708461c0722eafe3

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\Setup.dll

Filesize
264KB

MD5
7f0e7fc1dc4b20bab20497d670761c6e

SHA1
16f2795a58ffb8481e1258d6e4e026bff56c9d90

SHA256
5a45fb7bba2bc79cbc66e657ce56b110538d5537b59ecf320baa053beea6d1e6

SHA512
c07d887dd73d24fae0c40ff511e3ffeeb2622d074e3224bad30416837e149ba96e49252436ea27612da7697d491b3af8b7e323da08b453ca708461c0722eafe3

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\ctor.dll

Filesize
56KB

MD5
86f3f2451f2d4a36df07348987a6d6c7

SHA1
0b02b9dcbadeab407bf40a9ebf73c65f18e72d96

SHA256
42a495bd6d881d2c0dc349f4bb5689b5db0aeb4c6a6bb88611b2ce4873a2313c

SHA512
8e22e3e006c79c1ce1de56d2950a43b12ba66bbbd3236cbec7a02c739f70d597b4dbe16b552b94378359b930fc11d32717ecfe3785ba7d813fcfa910f0a6aa45

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\ctor.dll

Filesize
56KB

MD5
86f3f2451f2d4a36df07348987a6d6c7

SHA1
0b02b9dcbadeab407bf40a9ebf73c65f18e72d96

SHA256
42a495bd6d881d2c0dc349f4bb5689b5db0aeb4c6a6bb88611b2ce4873a2313c

SHA512
8e22e3e006c79c1ce1de56d2950a43b12ba66bbbd3236cbec7a02c739f70d597b4dbe16b552b94378359b930fc11d32717ecfe3785ba7d813fcfa910f0a6aa45

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iKernel.dll

Filesize
620KB

MD5
734bfdc5269c9f5d3cb5c70c3b1fb7cd

SHA1
8430a0e5dc8d4b85ff107d176e8c8c9b3ac05dc7

SHA256
cf45dc216ad13041c81911c9c1f5367e17a63e10bdf8065e6e2341cd5e114028

SHA512
625014078f8924aed95d36f3e2276d6568c7d51b5b70865f5a85dc53d12bfc89547550e325cfddec909a678bcf41c79baeb4f12b090e5b2ac81d86918a3b5403

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iscript.dll

Filesize
232KB

MD5
7600d18e83e1e41ba6f9ac914fb0e37e

SHA1
9432db98dd322e27bbc696a86d4ffe61ef5505b2

SHA256
1bf555fa6044231196e97fbef29e63a4233f2c4eeceb42528598f596c7c469db

SHA512
9c71dab5cc116cae11f7f6df4c9384bb6824eefc0bec8b1d7c0b75d26cf3ccd07dfd23bfa87bfc3a230ef0fe161d9e79be51a747ff96a7d725b0a8a0de85a56b

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iuser.dll

Filesize
148KB

MD5
4ee14797231081a3f00878b3579005b0

SHA1
5afaf830563d79d1233aabbb0220d0dac58cfae6

SHA256
3802c0e00e5e9b87f8307be63a9b91809a17bfaeb5d391c5ba410a59f16a3cf9

SHA512
1f33b48ff1aca2a219aea27403b786d1e37ceb810b13c1cf696201c2d2b1ecc7ad976a927be645905d4d0d2bbdd38c5d239179f2b6d7127ea8569fce47db439a

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll

Filesize
32KB

MD5
96331344f45a28c11963044ca7ab44b6

SHA1
8fb596d3d5e290244d7e0c958483c9c0be7cc67f

SHA256
e7d9673cb26e282b9f2cfa0165c54182c3dfa46c5fcaac78c347efbf31e515d2

SHA512
dd90854e43bfbc481afa17dd603a37984ec349a16764824d790642be923ca128b1d2178866c7bcaa23c3de861c420a483f31ebd8034b77c75be7a266797076c1

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll

Filesize
32KB

MD5
96331344f45a28c11963044ca7ab44b6

SHA1
8fb596d3d5e290244d7e0c958483c9c0be7cc67f

SHA256
e7d9673cb26e282b9f2cfa0165c54182c3dfa46c5fcaac78c347efbf31e515d2

SHA512
dd90854e43bfbc481afa17dd603a37984ec349a16764824d790642be923ca128b1d2178866c7bcaa23c3de861c420a483f31ebd8034b77c75be7a266797076c1

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll

Filesize
32KB

MD5
96331344f45a28c11963044ca7ab44b6

SHA1
8fb596d3d5e290244d7e0c958483c9c0be7cc67f

SHA256
e7d9673cb26e282b9f2cfa0165c54182c3dfa46c5fcaac78c347efbf31e515d2

SHA512
dd90854e43bfbc481afa17dd603a37984ec349a16764824d790642be923ca128b1d2178866c7bcaa23c3de861c420a483f31ebd8034b77c75be7a266797076c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1B39.bat

Filesize
722B

MD5
8611169b966c4ee71adfe3553dbe8cdd

SHA1
e0a1009727c240557b58f453bd6a074abfc21056

SHA256
c5f9b18a3349ac9a448610746fcd3183d94a4017a1177b8f47952641fdf4bf1c

SHA512
0d2da605b27f73c53cffc33c16f0d886a7cc26283860758ac6d5a9eca13c73a7db31b68465232c3301828863f98e61dba9142f0352cf08b2cd2bb983023d42fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1D9A.bat

Filesize
722B

MD5
6d659f163f06d57b9cab3f95e5640a3c

SHA1
47afb3c31d22175ac1c84e40856b6f0be1f14242

SHA256
59b6e470f70393283671b0e547ecf7bce702b181f48c82018b7cd1e826f48619

SHA512
db9ea4f83417813a39e4ec1bea81ae164ba1e8e4c05f9312a4776b25bfddcedba6193cfa2845ff8b3eaa2e27b88ec44bda551f6723c0b3a64d6f9f4ac31ca843

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a23C4.bat

Filesize
722B

MD5
4d0a096f4a671f8f0cfc4a59f0e4ca3c

SHA1
99c7cb5a9d1377489ed22b4bbc36f987357a2dfc

SHA256
261e83c9ab826a9b1c931104ea7b490ac39b6cdbca9a74d270bb83be7f65e2e4

SHA512
2d5de62f07596c1f0e791e96e0a6f10e45d3145287b0bbeb76b0d356ffda80ccda86ff7e1137166b11957b30cae14eb8c89ad87ee06ce2ae5703cb29c3ffe43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7426.bat

Filesize
722B

MD5
088c8d906e9f44d80ba212e203165081

SHA1
3ac91d3e2e9418163bdd3a271a81ca6cadcf6dbb

SHA256
4396aa7cb3875c49f3662a4abcdadfbfd764ce871848e139c9c9694044f15c8b

SHA512
e889715153f65e74edcb0640879875ff6819f535e2673bf6dad490a17c961622a66b91046ae6ce755c5b9a4d16bb0638febc308ebe6433314fbf95f05f0f6a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe

Filesize
2.1MB

MD5
220c729a4baf8fbb9263b6bd0833fb6d

SHA1
f9decacc46bbe0a0e6fd048184a1ce97426f60cc

SHA256
790de0b1b302523fff660755bdc9b8d3306d66422a204590d98a62e375ad559b

SHA512
96d44dbe38dd1e766242416d3ed35f72c381769398cc9592f07346149d919a3e46f0a0996c0a9cc8c71199297428dacf30314cee59c482364439dad7371db740

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe

Filesize
2.1MB

MD5
8f6c3bc50ccf719c3291a1a58cfe26f6

SHA1
97b0a29f0d366d22725f2132cc545c79f8cb90cd

SHA256
221db0d1c788938e1c1319da1d69fa10d0977f1141887ade6fb1a5057d001043

SHA512
e1a7076dcc7fc52ac5ab28a8519479037174c3f022473e5042a633505ff8261b0c81e26dbc44471cfdb741677fe1982c7205f4ce9653a386a7c3536c9b475e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe

Filesize
2.2MB

MD5
5a9eb5984891885f0ca59e6b87796032

SHA1
087fffc164286deb1d02852f0410009c2852a008

SHA256
707b15a9b8e1ba6314835b470dcfa4faf0c83fc53b76421bcd09b5f14a82a8f3

SHA512
6210bb4c05ec5a35fb6f528aa28d764e865a5cdccbfee3f0eda669ba9bf660bba5af4f9c7298ac3248fea78a618a6971d6ea8dd0ec7ef509e3fe940e37a3f870

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe

Filesize
2.2MB

MD5
abc11288e9a28c0a585af5b03c20cfbb

SHA1
9d3620e78cf578817b4a46512b7d5b15ae86dbf1

SHA256
fc3edbc2c190156a142454d9059b916c3f03efe60af460aa3ab3fa593c1ad383

SHA512
0e9e378ebfb7b731e6e9cba521eb40c74347fa7fdd7e9b49104b1f77b45647984340ccc43bbbebd4d2b83702f77ce1df12d55b4c5a6055489c1cc5b4a23a0c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe.exe

Filesize
2.1MB

MD5
220c729a4baf8fbb9263b6bd0833fb6d

SHA1
f9decacc46bbe0a0e6fd048184a1ce97426f60cc

SHA256
790de0b1b302523fff660755bdc9b8d3306d66422a204590d98a62e375ad559b

SHA512
96d44dbe38dd1e766242416d3ed35f72c381769398cc9592f07346149d919a3e46f0a0996c0a9cc8c71199297428dacf30314cee59c482364439dad7371db740

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe.exe

Filesize
2.1MB

MD5
8f6c3bc50ccf719c3291a1a58cfe26f6

SHA1
97b0a29f0d366d22725f2132cc545c79f8cb90cd

SHA256
221db0d1c788938e1c1319da1d69fa10d0977f1141887ade6fb1a5057d001043

SHA512
e1a7076dcc7fc52ac5ab28a8519479037174c3f022473e5042a633505ff8261b0c81e26dbc44471cfdb741677fe1982c7205f4ce9653a386a7c3536c9b475e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe.exe

Filesize
2.2MB

MD5
5a9eb5984891885f0ca59e6b87796032

SHA1
087fffc164286deb1d02852f0410009c2852a008

SHA256
707b15a9b8e1ba6314835b470dcfa4faf0c83fc53b76421bcd09b5f14a82a8f3

SHA512
6210bb4c05ec5a35fb6f528aa28d764e865a5cdccbfee3f0eda669ba9bf660bba5af4f9c7298ac3248fea78a618a6971d6ea8dd0ec7ef509e3fe940e37a3f870

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b3c943094e299b36b0028476e37ecbe7db58f1cd91fd6e612b35dedc0123dac.exe.exe

Filesize
2.2MB

MD5
abc11288e9a28c0a585af5b03c20cfbb

SHA1
9d3620e78cf578817b4a46512b7d5b15ae86dbf1

SHA256
fc3edbc2c190156a142454d9059b916c3f03efe60af460aa3ab3fa593c1ad383

SHA512
0e9e378ebfb7b731e6e9cba521eb40c74347fa7fdd7e9b49104b1f77b45647984340ccc43bbbebd4d2b83702f77ce1df12d55b4c5a6055489c1cc5b4a23a0c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\isp8D2C.tmp\Setup.dll

Filesize
264KB

MD5
7f0e7fc1dc4b20bab20497d670761c6e

SHA1
16f2795a58ffb8481e1258d6e4e026bff56c9d90

SHA256
5a45fb7bba2bc79cbc66e657ce56b110538d5537b59ecf320baa053beea6d1e6

SHA512
c07d887dd73d24fae0c40ff511e3ffeeb2622d074e3224bad30416837e149ba96e49252436ea27612da7697d491b3af8b7e323da08b453ca708461c0722eafe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\isp952F.tmp\_Setup.dll

Filesize
152KB

MD5
028076a4fbf8fa58f18a60e3a5240e0a

SHA1
e88dbf4140ea02b812794158defd9518cbaae76b

SHA256
594820df4a61a930bcbbea6681361b173334ff925e4bcad138d48aaa36bc3b8d

SHA512
698178f9eb18ba9ae7d72168dbf3f803231aff16b2ac3d857105a55439e5ed5ed9190c384a3d5b430a00a87ab7a2ad31120bb9b39569ac6587f46137a0c23d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft81A5.tmp\Disk1\data1.cab

Filesize
268KB

MD5
2e07c2124289e238a1e059ad038378e0

SHA1
837a12a4e8a9533ed02017044162273681ccbba9

SHA256
3e585ed0687543501362a28b21068718a34050956fa4267f7554990d8368a79c

SHA512
87812e423f3f7d8b8c7a249af5bb3a73c760752c9cc5922b92e11f76cb5ed31a567cd460ac7ca3e69b99046d856887426f51dc84efe5d892d6ddcc3c082d8f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft81A5.tmp\Disk1\data1.hdr

Filesize
20KB

MD5
744b00ee4e00f7242953a824e9ae2182

SHA1
2fbc4b8e2a0ddfb204df5944a114f18c60fe8085

SHA256
f40b492902b74212274a0532ddc4fbfb50a810e2ec7c1108f07874242bec65eb

SHA512
d287b24d3a5b8cfafb765f902dbea0f718cb2a876d6ebd03742734fa18623edc845c1a2665ef2318b279e3e55789975e88a91887ee34dcbd8908db5a97f4da0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft81A5.tmp\Disk1\engine32.cab

Filesize
386KB

MD5
feebebfdb673bba2beca3f83263faaa3

SHA1
6cf32a42b95b3497f2731f2b22136dea9ba69489

SHA256
7a81f54a1f3f087fc2a3d7c25898744a59f189572c979bb8a811a1eb09eec00d

SHA512
f0fc304ad3e69ff013f8a1c8f249a5d6190fc76ea257d4ec7512ef490ce572ca16b2005665361aff59f9968e09c96edc143cf862cb6c194c40b39d528f68b707

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft81A5.tmp\Disk1\layout.bin

Filesize
456B

MD5
a7ffda5ed804e42a48098abdd7b2affa

SHA1
fa1a3e5d2564e42361fd03b48b5c0dd4bbe73ccf

SHA256
0623c89f446853840c399202d52f206abd7c404653c90c1df682b37d1c9d5366

SHA512
d9c6a84ff12aca7bfade6b4958d570e3ac19ab0d7bd21b70127496794efb0948e171f76ed343175b7b80d59a12e8cd9c322e307e3964688013b9ff8a762bc6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft81A5.tmp\Disk1\setup.boot

Filesize
326KB

MD5
b957e3c1f4781fb85d25e56dcad80d21

SHA1
71a116100ce724ddea6e81bf278b664bace6f14f

SHA256
fd4199c6c2156c6bcef909d3f62b23868d7499498311d32ff02302f6aaed9aa7

SHA512
f5ea6a11ad27a68913f22a775df8493e0f75cbfd3ed5020ed3c00b73d5c504e17182ed283793ccc8381d4bc72f1f9cb6448ee1b6b2411945b42ce9a49a47a8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft81A5.tmp\Disk1\setup.exe

Filesize
95KB

MD5
d92301094eedaab094578d63397c8b50

SHA1
a4991b322310eaaa857f1a826a9120c37daba1fe

SHA256
a807f2a847619f728590ab27c8ddfd15d406d08f1a0fb27e1d5ca92e3c247357

SHA512
193369846b4fdfb99b80ad35345eea2df331959e68171eae6a7ad8c12cb9616a8e2d4191797eae82349d6890e45d729ad7160763d973898f2646d3563635e8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft81A5.tmp\Disk1\setup.exe

Filesize
95KB

MD5
d92301094eedaab094578d63397c8b50

SHA1
a4991b322310eaaa857f1a826a9120c37daba1fe

SHA256
a807f2a847619f728590ab27c8ddfd15d406d08f1a0fb27e1d5ca92e3c247357

SHA512
193369846b4fdfb99b80ad35345eea2df331959e68171eae6a7ad8c12cb9616a8e2d4191797eae82349d6890e45d729ad7160763d973898f2646d3563635e8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft81A5.tmp\Disk1\setup.exe

Filesize
95KB

MD5
d92301094eedaab094578d63397c8b50

SHA1
a4991b322310eaaa857f1a826a9120c37daba1fe

SHA256
a807f2a847619f728590ab27c8ddfd15d406d08f1a0fb27e1d5ca92e3c247357

SHA512
193369846b4fdfb99b80ad35345eea2df331959e68171eae6a7ad8c12cb9616a8e2d4191797eae82349d6890e45d729ad7160763d973898f2646d3563635e8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft81A5.tmp\Disk1\setup.ini

Filesize
389B

MD5
412b0d63ca96cae56b58f519c5745589

SHA1
e3dd630a2f7aa59d0af5256f653c92a530e19d70

SHA256
9df625b9a534bedea01080f923df3030ca5d46522405906534e2bbd802de4b05

SHA512
f8f303ab9db25baf2ca78e0dad17ede03421163c259638b99663e8d4876ac28c5f16809e0b789c907a1bf04eb59bccd5b24e2d11f5903d410ce3e3048a948147

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft81A5.tmp\Disk1\setup.inx

Filesize
153KB

MD5
59bc5617d7fa90e0cbba1cb6d3f09881

SHA1
9403953cda03f60dc87b4c9aef0e11dc017cc63f

SHA256
a4c660ee171dfbca85f315b4ff48fc4cf3eefb3069c2444d4e8086d39ff859e9

SHA512
923cde5d9e46376aaf97634b1032c18c9667ae4eecf3d4269c26fe29e2f73dd424729512fdc85b308c4395ec164180476b1358c3432fd46f456914179b973f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\{59A20D13-F35E-4E0B-892D-10D346DAC38B}\{41E496B5-47F4-11D6-9BBB-00E0987BB2CD}\_IsRes.dll

Filesize
284KB

MD5
552da0bced12d1a9b04af8f08726f574

SHA1
8157d244161293624d0fabc35e3b3c7a97960a0d

SHA256
ac0f969daaf22f422d7412c4db1ade13a01154200d79d2f446c1d68c2e4422f7

SHA512
e6c1e295f07c9750e57db5c9cd8c067be969bfa29c93bf2ae24ca2a2b84a297a81144706b198ec5bdec74b7fd490d117378b83398331e3cc81b480fc84e86b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{59A20D13-F35E-4E0B-892D-10D346DAC38B}\{41E496B5-47F4-11D6-9BBB-00E0987BB2CD}\isrt.dll

Filesize
360KB

MD5
6324cf6a84746d3bfa3e85062f8db9d9

SHA1
fe8ed3d85781ccd4520c8d7bb7ce18010c18f5c0

SHA256
bbd3875ea69d883d48280fd89c9401ea2a37e3e004d1dc942285cf852a86559e

SHA512
2e06aa89b450a23f18bea2629ec698946f0c2fecb6d00464feee3bb8a415cea4d131bc601217fc4d203e0f1dd58db15a6b14c35281d8eab27d44fe14af861ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{59A20D13-F35E-4E0B-892D-10D346DAC38B}\{41E496B5-47F4-11D6-9BBB-00E0987BB2CD}\isrt.dll

Filesize
360KB

MD5
6324cf6a84746d3bfa3e85062f8db9d9

SHA1
fe8ed3d85781ccd4520c8d7bb7ce18010c18f5c0

SHA256
bbd3875ea69d883d48280fd89c9401ea2a37e3e004d1dc942285cf852a86559e

SHA512
2e06aa89b450a23f18bea2629ec698946f0c2fecb6d00464feee3bb8a415cea4d131bc601217fc4d203e0f1dd58db15a6b14c35281d8eab27d44fe14af861ba1

Download Submit
C:\Windows\Logo1_.exe

Filesize
32KB

MD5
6917b25a96721ae8a5b2b4a41fbf020e

SHA1
8bd8634cbd10714c347adbef4bd4d003fb51491e

SHA256
c3ff877c939675e9297ea9b3f3000c7aa1fb21f799e9b83d1d458891f3b1651a

SHA512
33998de38f2b507bb2597417ce4903d1d4d62648c81a1ed4c2626d4f3d8fd109a34394bba23328ecf2828e32f347708abc34dd2dcd26562b5922767abd8bb731

Download Submit
C:\Windows\Logo1_.exe

Filesize
32KB

MD5
6917b25a96721ae8a5b2b4a41fbf020e

SHA1
8bd8634cbd10714c347adbef4bd4d003fb51491e

SHA256
c3ff877c939675e9297ea9b3f3000c7aa1fb21f799e9b83d1d458891f3b1651a

SHA512
33998de38f2b507bb2597417ce4903d1d4d62648c81a1ed4c2626d4f3d8fd109a34394bba23328ecf2828e32f347708abc34dd2dcd26562b5922767abd8bb731

Download Submit
C:\Windows\rundl132.exe

Filesize
32KB

MD5
6917b25a96721ae8a5b2b4a41fbf020e

SHA1
8bd8634cbd10714c347adbef4bd4d003fb51491e

SHA256
c3ff877c939675e9297ea9b3f3000c7aa1fb21f799e9b83d1d458891f3b1651a

SHA512
33998de38f2b507bb2597417ce4903d1d4d62648c81a1ed4c2626d4f3d8fd109a34394bba23328ecf2828e32f347708abc34dd2dcd26562b5922767abd8bb731

Download Submit
memory/216-164-0x0000000000000000-mapping.dmp

Download
memory/364-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/364-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/364-157-0x0000000000000000-mapping.dmp

Download
memory/392-160-0x0000000000000000-mapping.dmp

Download
memory/1068-152-0x0000000000000000-mapping.dmp

Download
memory/1316-141-0x0000000000000000-mapping.dmp

Download
memory/1396-145-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1396-133-0x0000000000000000-mapping.dmp

Download
memory/1396-156-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1988-146-0x0000000000000000-mapping.dmp

Download
memory/2788-138-0x0000000000000000-mapping.dmp

Download
memory/3580-166-0x0000000000000000-mapping.dmp

Download
memory/4008-132-0x0000000000000000-mapping.dmp

Download
memory/4476-190-0x0000000003741000-0x0000000003749000-memory.dmp

Filesize
32KB

Download
memory/4476-178-0x0000000003700000-0x0000000003743000-memory.dmp

Filesize
268KB

Download
memory/4476-169-0x0000000000000000-mapping.dmp

Download
memory/4476-194-0x0000000004FA0000-0x0000000004FFC000-memory.dmp

Filesize
368KB

Download
memory/4492-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4500-150-0x0000000000000000-mapping.dmp

Download
memory/4500-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4896-142-0x0000000000000000-mapping.dmp

Download
memory/4896-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4896-147-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download