adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6

Analysis

max time kernel
131s
max time network
174s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.exe
Size

3.3MB
MD5

84adf71b3633eb6ad8153958d128670c
SHA1

60f8f24ffe782c704d5dd9b5578bb3d4b9673107
SHA256

adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6
SHA512

e9464e17b14cbf30d781c3cc16cf52dd037b0579a82307e4741aa31111fea9274537479ad1f5d4bb0e8ddcd427a870cb3dffa055ba6bf2546467e082cb98fed3
SSDEEP

49152:fadf5h3PawxeCX0kie7gvxc2ZB1dnIhWSDZ20JNm/n+AD2fNUuL/:k5h/5xtEkieUxc219IEmVJNmv+scyi/

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmpTuneupPro.exesystweakasp.exesystweakasp.tmpaspsetup.exeaspsetup.tmpAdvancedSystemProtector.exeAdvancedSystemProtector.exeASPNotifier.exe

pid	process
1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
1904	TuneupPro.exe
692	systweakasp.exe
668	systweakasp.tmp
748	aspsetup.exe
1940	aspsetup.tmp
2140	AdvancedSystemProtector.exe
2592	AdvancedSystemProtector.exe
2620	ASPNotifier.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Systweak\\Advanced System Protector\\aspcontexthelper64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Systweak\\Advanced System Protector\\aspcontexthelper64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AdvancedSystemProtector.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AdvancedSystemProtector.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	AdvancedSystemProtector.exe

Loads dropped DLL 39 IoCs

Processes:

adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.exeadbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmpTuneupPro.exesystweakasp.exesystweakasp.tmpaspsetup.exeaspsetup.tmpregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeAdvancedSystemProtector.exeAdvancedSystemProtector.exe

pid	process
1664	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.exe
1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
1904	TuneupPro.exe
1904	TuneupPro.exe
1904	TuneupPro.exe
692	systweakasp.exe
668	systweakasp.tmp
668	systweakasp.tmp
668	systweakasp.tmp
668	systweakasp.tmp
668	systweakasp.tmp
748	aspsetup.exe
1940	aspsetup.tmp
1940	aspsetup.tmp
1940	aspsetup.tmp
1940	aspsetup.tmp
1940	aspsetup.tmp
2012	regsvr32.exe
1500	regsvr32.exe
1440	regsvr32.exe
1704	regsvr32.exe
1940	aspsetup.tmp
1940	aspsetup.tmp
1940	aspsetup.tmp
2140	AdvancedSystemProtector.exe
2140	AdvancedSystemProtector.exe
2140	AdvancedSystemProtector.exe
2140	AdvancedSystemProtector.exe
2140	AdvancedSystemProtector.exe
2140	AdvancedSystemProtector.exe
1940	aspsetup.tmp
2592	AdvancedSystemProtector.exe
2592	AdvancedSystemProtector.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

TuneupPro.exe

description ioc process

File opened (read-only) \??\X: TuneupPro.exe

description	ioc	process
File opened (read-only)	\??\X:	TuneupPro.exe

Drops file in System32 directory 4 IoCs

Processes:

adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmpaspsetup.tmp

description	ioc	process
File created	C:\Windows\system32\roboot64.exe	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File opened for modification	C:\Windows\system32\roboot64.exe	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Windows\system32\sasnative64.exe	aspsetup.tmp
File opened for modification	C:\Windows\system32\sasnative64.exe	aspsetup.tmp

Drops file in Program Files directory 64 IoCs

Processes:

adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmpaspsetup.tmp

description	ioc	process
File created	C:\Program Files (x86)\Tuneup Pro\is-T7Q1D.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-ER62O.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-4M83P.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-BPQGI.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-JVPV4.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\libyara.NET.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-PR9M8.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-B7MQP.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-FGTTH.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-EN558.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-EQC2K.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-ES4NJ.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-BGVB2.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\TuppUns.exe	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Xceed.Zip.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-IFF9L.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\notifierlib.dll	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\scandll.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-TI59D.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\unins000.msg	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-S80BM.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-3ERQ7.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-PILIG.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-QBDEB.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-LLDQE.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-VOAJI.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-GIF26.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-JQ84V.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\unins000.dat	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-O723A.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-7T132.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-900G5.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\unins000.dat	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-1ANH8.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\ASPNotifier.exe	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-H1JLE.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-OV1UG.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-ST78A.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-N3UFO.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-S010K.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\AspManager.exe	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-DVC9V.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-0NM8I.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Restartexp.exe	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Interop.IWshRuntimeLibrary.dll	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Communication.dll	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\xmllite.dll	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-FJMS9.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-96N57.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-Q5QVF.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Xceed.Compression.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\unins000.dat	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-KBOKR.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-2ME19.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Xceed.Compression.Formats.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-94M9A.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-RNPMF.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-NCN5R.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-NDJP4.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-F9Q3F.tmp	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\AppResource.dll	aspsetup.tmp

Drops file in Windows directory 2 IoCs

Processes:

TuneupPro.exe

description	ioc	process
File created	C:\Windows\Tasks\Tuneup Pro_DEFAULT.job	TuneupPro.exe
File created	C:\Windows\Tasks\Tuneup Pro_UPDATES.job	TuneupPro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

664 schtasks.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

268 taskkill.exe
1408 taskkill.exe
1728 taskkill.exe
852 taskkill.exe
2020 taskkill.exe
1720 taskkill.exe

pid	process
664	schtasks.exe

pid	process
268	taskkill.exe
1408	taskkill.exe
1728	taskkill.exe
852	taskkill.exe
2020	taskkill.exe
1720	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXETuneupPro.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00eb3ad64100d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F9F8B271-6C34-11ED-8F62-626C2AE6DC56} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376086009"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000097eb66ce7662fd41ba34ef65c65ec148000000000200000000001066000000010000200000001494ea112bbba52b8d0aa1457af1ff88998381f3904a66be87891319f6a89fd7000000000e800000000200002000000051afa0605ddef221341c3fef51a491ffe10ea1a822ff74f6d841c332870b130d2000000005eb32f65930fb0c5ccffcac600f7d744b62dc4bd1e0bc58d328bfe0ec0b20a0400000006f9f131f66c58f9980a748f6651d2b25feb0ff63a71b92359cb4259c9241791a27473ca46c5382aa5b08d82f8d65972e4ca8113a001f6f678939dbb548b031be	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000097eb66ce7662fd41ba34ef65c65ec1480000000002000000000010660000000100002000000064fcac0ebe674eb18f54b6f83ca8b09650113734a42d036645d0f9cc71cb28e3000000000e8000000002000020000000289115a02b209c64e8b304733fac1eb16bc4803b5249df75a80346232c87f6a790000000d84bcfc34d5866f02460e0045355a5633c66a512aef2be161b15481b22510eda9b3b8ec27f7c28edb5c275df9778fd02013cce4d4368fa5609b70d5d3a8ae938537ab3bfd17f4fd5bcd48c5fde5e9784ef1280fa96335beaf3f549b15c915cd5fc902a7ba17dad50db114be547960d155057b0dbaf49594e6279c697dd49b5571dc2ed38506c48c27dd3f6f6f84f1c20400000000b5e425106cf49e77a63e20efe4661fd51ba129ef6394e456e5ac8880e485738d5a661b9dcf665295e218b3a12069f468966381d09d20300032ace5e905a8c4e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	TuneupPro.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\INPROCSERVER32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A} = "Scan with Advanced System Protector"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\ = "JScript Language Encoding"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Advanced System Protector	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A} = "Scan with Advanced System Protector"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\PROGID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\Advanced System Protector\ = "{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmpaspsetup.tmp

pid	process
1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
1940	aspsetup.tmp
1940	aspsetup.tmp

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

conhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeAdvancedSystemProtector.exe

description	pid	process
Token: SeDebugPrivilege	2020	conhost.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	268	taskkill.exe
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: 33	2140	AdvancedSystemProtector.exe
Token: SeIncBasePriorityPrivilege	2140	AdvancedSystemProtector.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmpiexplore.exeTuneupPro.exeaspsetup.tmp

pid process

1880 adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
584 iexplore.exe
1904 TuneupPro.exe
1904 TuneupPro.exe
1940 aspsetup.tmp
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

TuneupPro.exe

pid process

1904 TuneupPro.exe
1904 TuneupPro.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

TuneupPro.exeiexplore.exeIEXPLORE.EXE

pid	process
1904	TuneupPro.exe
584	iexplore.exe
584	iexplore.exe
1904	TuneupPro.exe
1904	TuneupPro.exe
1904	TuneupPro.exe
1400	IEXPLORE.EXE
1400	IEXPLORE.EXE
1904	TuneupPro.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.exeadbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmpiexplore.exeTuneupPro.exesystweakasp.exesystweakasp.tmpaspsetup.exeaspsetup.tmp

description	pid	process	target process
PID 1664 wrote to memory of 1880	1664	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.exe	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
PID 1664 wrote to memory of 1880	1664	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.exe	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
PID 1664 wrote to memory of 1880	1664	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.exe	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
PID 1664 wrote to memory of 1880	1664	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.exe	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
PID 1664 wrote to memory of 1880	1664	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.exe	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
PID 1664 wrote to memory of 1880	1664	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.exe	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
PID 1664 wrote to memory of 1880	1664	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.exe	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
PID 1880 wrote to memory of 1076	1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp	regsvr32.exe
PID 1880 wrote to memory of 1076	1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp	regsvr32.exe
PID 1880 wrote to memory of 1076	1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp	regsvr32.exe
PID 1880 wrote to memory of 1076	1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp	regsvr32.exe
PID 1880 wrote to memory of 1076	1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp	regsvr32.exe
PID 1880 wrote to memory of 1076	1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp	regsvr32.exe
PID 1880 wrote to memory of 1076	1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp	regsvr32.exe
PID 1880 wrote to memory of 584	1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp	iexplore.exe
PID 1880 wrote to memory of 584	1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp	iexplore.exe
PID 1880 wrote to memory of 584	1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp	iexplore.exe
PID 1880 wrote to memory of 584	1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp	iexplore.exe
PID 1880 wrote to memory of 1904	1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp	TuneupPro.exe
PID 1880 wrote to memory of 1904	1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp	TuneupPro.exe
PID 1880 wrote to memory of 1904	1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp	TuneupPro.exe
PID 1880 wrote to memory of 1904	1880	adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp	TuneupPro.exe
PID 584 wrote to memory of 1400	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 1400	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 1400	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 1400	584	iexplore.exe	IEXPLORE.EXE
PID 1904 wrote to memory of 692	1904	TuneupPro.exe	systweakasp.exe
PID 1904 wrote to memory of 692	1904	TuneupPro.exe	systweakasp.exe
PID 1904 wrote to memory of 692	1904	TuneupPro.exe	systweakasp.exe
PID 1904 wrote to memory of 692	1904	TuneupPro.exe	systweakasp.exe
PID 692 wrote to memory of 668	692	systweakasp.exe	systweakasp.tmp
PID 692 wrote to memory of 668	692	systweakasp.exe	systweakasp.tmp
PID 692 wrote to memory of 668	692	systweakasp.exe	systweakasp.tmp
PID 692 wrote to memory of 668	692	systweakasp.exe	systweakasp.tmp
PID 692 wrote to memory of 668	692	systweakasp.exe	systweakasp.tmp
PID 692 wrote to memory of 668	692	systweakasp.exe	systweakasp.tmp
PID 692 wrote to memory of 668	692	systweakasp.exe	systweakasp.tmp
PID 668 wrote to memory of 664	668	systweakasp.tmp	schtasks.exe
PID 668 wrote to memory of 664	668	systweakasp.tmp	schtasks.exe
PID 668 wrote to memory of 664	668	systweakasp.tmp	schtasks.exe
PID 668 wrote to memory of 664	668	systweakasp.tmp	schtasks.exe
PID 668 wrote to memory of 748	668	systweakasp.tmp	aspsetup.exe
PID 668 wrote to memory of 748	668	systweakasp.tmp	aspsetup.exe
PID 668 wrote to memory of 748	668	systweakasp.tmp	aspsetup.exe
PID 668 wrote to memory of 748	668	systweakasp.tmp	aspsetup.exe
PID 668 wrote to memory of 748	668	systweakasp.tmp	aspsetup.exe
PID 668 wrote to memory of 748	668	systweakasp.tmp	aspsetup.exe
PID 668 wrote to memory of 748	668	systweakasp.tmp	aspsetup.exe
PID 748 wrote to memory of 1940	748	aspsetup.exe	aspsetup.tmp
PID 748 wrote to memory of 1940	748	aspsetup.exe	aspsetup.tmp
PID 748 wrote to memory of 1940	748	aspsetup.exe	aspsetup.tmp
PID 748 wrote to memory of 1940	748	aspsetup.exe	aspsetup.tmp
PID 748 wrote to memory of 1940	748	aspsetup.exe	aspsetup.tmp
PID 748 wrote to memory of 1940	748	aspsetup.exe	aspsetup.tmp
PID 748 wrote to memory of 1940	748	aspsetup.exe	aspsetup.tmp
PID 1940 wrote to memory of 2020	1940	aspsetup.tmp	conhost.exe
PID 1940 wrote to memory of 2020	1940	aspsetup.tmp	conhost.exe
PID 1940 wrote to memory of 2020	1940	aspsetup.tmp	conhost.exe
PID 1940 wrote to memory of 2020	1940	aspsetup.tmp	conhost.exe
PID 1940 wrote to memory of 1720	1940	aspsetup.tmp	taskkill.exe
PID 1940 wrote to memory of 1720	1940	aspsetup.tmp	taskkill.exe
PID 1940 wrote to memory of 1720	1940	aspsetup.tmp	taskkill.exe
PID 1940 wrote to memory of 1720	1940	aspsetup.tmp	taskkill.exe
PID 1940 wrote to memory of 268	1940	aspsetup.tmp	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.exe
"C:\Users\Admin\AppData\Local\Temp\adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\is-9KK1E.tmp\adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9KK1E.tmp\adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp" /SL5="$90120,2957012,148992,C:\Users\Admin\AppData\Local\Temp\adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\jscript.dll"
3⤵
- Modifies registry class
PID:1076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.tuneuppro.com/tupp/afterinstall.asp?utm_content=AfterInstall&utm_term=Setup&page=install&&LangID=en
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe
"C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904

C:\Program Files (x86)\Tuneup Pro\systweakasp.exe
"C:\Program Files (x86)\Tuneup Pro\systweakasp.exe" /verysilent
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\AppData\Local\Temp\is-LG1VQ.tmp\systweakasp.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LG1VQ.tmp\systweakasp.tmp" /SL5="$20324,193643,132096,C:\Program Files (x86)\Tuneup Pro\systweakasp.exe" /verysilent
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ASP" /tr "\"C:\Program Files (x86)\Tuneup Pro\systweakasp.exe\" /verysilent" /sc onlogon /RL Highest /F
6⤵
- Creates scheduled task(s)
PID:664

C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe
"C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe" /verysilent
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\is-8CRIG.tmp\aspsetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8CRIG.tmp\aspsetup.tmp" /SL5="$20362,9529906,134144,C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe" /verysilent
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "systemprotector.exe"
8⤵
- Kills process with taskkill
PID:2020

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "advancedsystemprotector.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "aspmanager.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "asp.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "BrowserCleaner.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "ASPNotifier.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
8⤵
- Loads dropped DLL
PID:2012

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
9⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1500

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
8⤵
- Loads dropped DLL
PID:1440

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
9⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1704

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector" /f
8⤵
PID:972

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector_startup" /f
8⤵
PID:1424

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector_101" /f
8⤵
PID:1500

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector_runonce" /f
8⤵
PID:1952

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "AdvancedSystemProtectorNotifier" /f
8⤵
PID:1888

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "AdvancedSystemProtectorNotifier_trigger" /f
8⤵
PID:2088

C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
"C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe" loadvalues
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "AdvancedSystemProtectorNotifier_startup" /f
8⤵
PID:2064

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "systweakasp" /f
8⤵
PID:2004

C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
"C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe" -silentscan
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592

C:\Program Files (x86)\Advanced System Protector\ASPNotifier.exe
"C:\Program Files (x86)\Advanced System Protector\ASPNotifier.exe" createschedule
8⤵
- Executes dropped EXE
PID:2620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9246285051399059134-2094783944-2048832562-15875006481379497375-19048130461656169028"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe.config
Filesize
9KB

MD5
a284ffaae3af04444474a18803ee2aa3

SHA1
ee173016d79f8031960edecba19160c928e3492e

SHA256
4931f6936709ad3012b8838b3e619bb8e43785c001ec2974a2ecb8041afe4c96

SHA512
f52a13cbcc6878bc510e3010b2d532c7d26dc237555cabcf8daad26be0777ffc3336174a67bba60b33d4708241a90d7d2be86e9cc319f07f39056664f5b6f920

Download Submit
C:\Program Files (x86)\Advanced System Protector\SQLite.Interop.dll
Filesize
1.1MB

MD5
890d00a3ee9d5be5d3a4248a8c529df0

SHA1
d094cace0566e6a9548b8b8841dffecf4ed2b0a3

SHA256
6fdb54429dc63541741676f065cbb903af0fc63f6d9d9bd2915b9f5f94853a62

SHA512
c75cdaf2b32d32e7303db78dbe5d78775ad9cca566ecd0fc6e503845941d172234d6b1600919a058fe2ebaa7cb3e5b64d28bcdf02285cfe5e0a7eb29dfc4f6f5

Download Submit
C:\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll
Filesize
373KB

MD5
e057bfd75665a9326919008b08870acf

SHA1
ccefd28d344663184a8dd9271d9266dee4d6d67b

SHA256
c3d0211dbc8897b4d04f063f598ac2a14977b7d8ee9d4326dd41eb79d3a8d648

SHA512
68690123f9e75ba5975e2ad701729c012cda0c735d9dece9618576bf500d57f64a36f7f3528ce89fd41db63974e3a3c568ec3673b5711a9d35eec280ef3edc55

Download Submit
C:\Program Files (x86)\Advanced System Protector\Xceed.Compression.dll
Filesize
118KB

MD5
77c58c931770b18374fa1776b5368058

SHA1
c67cbaf0e2c77f2d0f6763577c92a77fa63575d9

SHA256
8dc50dbcfd15ab8566caef5c1c6596d1eb194e9d08ef438cf171cd322db2dd6b

SHA512
36d8fa4eefd32d1052e136738fe1dccf1faebf6c499477236a39cf64d534cfb18335f9f7a3e3bdb19fc15486f729e0c957fcc05491aac7a02205a3e001f2ac62

Download Submit
C:\Program Files (x86)\Advanced System Protector\aspsys.dll
Filesize
974KB

MD5
d9652b5da10ad056b64ce262e2576757

SHA1
3e95f7211eb790e2534b25cbe2376c4f2953d254

SHA256
ebd47fa0dae95ce25650817cc0cdeb793a6870fb1e1c681595c39b93581bfcff

SHA512
680f49f502fc83f0ce39be60819b5680540a76cf91e63c8ca42dce8bfa4da82bbbd4f78501037180e2f286e8adf8d3c42baaa377d45ddc254fd9ca79b86ce490

Download Submit
C:\Program Files (x86)\Tuneup Pro\FileList.rcp
Filesize
13KB

MD5
856e0fd8e725e175568c9750045829ee

SHA1
983678d82e63f181d2d77f42d7fde27eab317432

SHA256
171099dece5d940339136025019c7cbcb5b6959b40e1eccddb318db419f69442

SHA512
ffa7f5a67e91368f1651976843c40fe670882f0ef3b20f466f05bd1728844d31f489755a4f6a7f502dfd03a31053140a0d1a35c2ada29f823b17e82519ab382d

Download Submit
C:\Program Files (x86)\Tuneup Pro\RegList.rcp
Filesize
89KB

MD5
5e301389550a01b7d10b5666a327624c

SHA1
0000d901de7debd1ef579ddf64df92b932912224

SHA256
2b7250211f050bd11bf7ab5d296aba46ccb88875b8bf4b8154a382277144c36e

SHA512
d58d1eda01a77985beaec96a006b2e7708f6c6c6553a474f39a2cd1c858aa71c7eca23dbc983fdad2d996fc296ffbc554eac1e5869d96944733ee574d7a6dbab

Download Submit
C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe
Filesize
7.3MB

MD5
be2ce71fc87a375f96665b980ec59f7b

SHA1
5ecad41aee09c73f8f7bf1d8d49bea7a222fff85

SHA256
88967773ef715fa98dc87a529d8d0e2f9d3e4783fab33e30f2df88df2a81bc76

SHA512
1a5e44396114afd5ad4b51eeba4ec4a08c07b8664836acc126c6c255ed023e8cc5d7fa9104bde8c703d45b45d4ac02cb6e5983f26cd55efec13f5ba723918e05

Download Submit
C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe
Filesize
7.3MB

MD5
be2ce71fc87a375f96665b980ec59f7b

SHA1
5ecad41aee09c73f8f7bf1d8d49bea7a222fff85

SHA256
88967773ef715fa98dc87a529d8d0e2f9d3e4783fab33e30f2df88df2a81bc76

SHA512
1a5e44396114afd5ad4b51eeba4ec4a08c07b8664836acc126c6c255ed023e8cc5d7fa9104bde8c703d45b45d4ac02cb6e5983f26cd55efec13f5ba723918e05

Download Submit
C:\Program Files (x86)\Tuneup Pro\XmlLite.dll
Filesize
124KB

MD5
71a2dca8f626fcef8bff7e2c17c67a7f

SHA1
5aaea93ec3f4d722d7ea0c2d86bc4f3cbdce5c92

SHA256
b55a978443ef0b873875910283bedfab0c3133bac7be72a68ed5146f83f1ef8c

SHA512
5244918679eba6e7af8e367c66c3d1bdcfa2323400994ecda37ccd697fb28b52ffdad992650929ec98b98ae9e0213074368a8881c6a62e48579c30f17051a17d

Download Submit
C:\Program Files (x86)\Tuneup Pro\eng_rcp.ini
Filesize
83KB

MD5
bbf623a44f466bf544d2418f4473a7e4

SHA1
684e3b0396a143d23f64c3eda59f6b29291cf967

SHA256
115fa830c0087b531655bc2974522d924405f718289c57769e9aae44c7b116d5

SHA512
e6d3a359f63c34d3457e8c2c56addf8d90cf7ac7e99db6545fc6a3f713fb4b0f631d6aa75da7064effdb4df6001aa7a65e06a010cbeaf561cf865b4c3dc0670e

Download Submit
C:\Program Files (x86)\Tuneup Pro\isxdl.dll
Filesize
153KB

MD5
16429d91b2a28595e3bb5f6a48faa705

SHA1
aa195a50f21cf8935c7031543215151214c6ef4b

SHA256
1b141a14ed518bf01f847d893e282b831d0f0cee87919bc2e98e54a3c80f5471

SHA512
a6f0ba9812c2bf8b6ddac02fff963ad062a7f7fc08ee238d680e32eccb741f7875954765a5e86a2cd3ae0be72cd5b773a9c67425dfb106ecef8e285cdf02ad64

Download Submit
C:\Program Files (x86)\Tuneup Pro\systweakasp.exe
Filesize
579KB

MD5
8f2ca56d9c7c425facbe535745092ff2

SHA1
f2cbbe9867a40a0928542dace51d8b94957dfcac

SHA256
0c4e44adbd402f42a65bfdd4143a874b76bca9e3a51af3ede9268489e37a8bc4

SHA512
a19cdddd7c9f4bea90e64b03c5f3635d07e25545d35a020ee10de1a79b61748e8673aac179746dce334338d536fdc71ba24479b9cf643e5550ecca3af5c9990e

Download Submit
C:\Program Files (x86)\Tuneup Pro\systweakasp.exe
Filesize
579KB

MD5
8f2ca56d9c7c425facbe535745092ff2

SHA1
f2cbbe9867a40a0928542dace51d8b94957dfcac

SHA256
0c4e44adbd402f42a65bfdd4143a874b76bca9e3a51af3ede9268489e37a8bc4

SHA512
a19cdddd7c9f4bea90e64b03c5f3635d07e25545d35a020ee10de1a79b61748e8673aac179746dce334338d536fdc71ba24479b9cf643e5550ecca3af5c9990e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
95933535f027fae59d55e8455f02b0d8

SHA1
eafd12048f2e3a5b41073fabd7fc4cde5837cde7

SHA256
15b3262cdd174a4cc3388641d671ccfefd49df909e8356b2d3f7b2cd829c6cd3

SHA512
ba1cd6e2ba79eb66b9c01125b0443cdd6969981fbe297cc25122d6043b805bf1cccc0496941c9100441ff137df998b0fffd591ca0af4b3c1c296c2efd2047d87

Download Submit
C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8CRIG.tmp\aspsetup.tmp
Filesize
1.2MB

MD5
62ceb818e56ce85ba410f1a290e4d922

SHA1
2165d42d4234e2edfdbf158b12e279b531900af2

SHA256
0d3b947076332280f176f502341cc23a68f110d441d386448f4c7bd6596e405d

SHA512
46df25076588518f9d225d49d41e7d2d3c75705e37fc7a86f0f4a58f24fc897e8fb15a64aa4a27b84923b29f108a876e33b03f2dc54e22380c47091b42787c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8CRIG.tmp\aspsetup.tmp
Filesize
1.2MB

MD5
62ceb818e56ce85ba410f1a290e4d922

SHA1
2165d42d4234e2edfdbf158b12e279b531900af2

SHA256
0d3b947076332280f176f502341cc23a68f110d441d386448f4c7bd6596e405d

SHA512
46df25076588518f9d225d49d41e7d2d3c75705e37fc7a86f0f4a58f24fc897e8fb15a64aa4a27b84923b29f108a876e33b03f2dc54e22380c47091b42787c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9KK1E.tmp\adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
Filesize
1.2MB

MD5
3aabfe33f7b23e5b8409647b6b41996f

SHA1
8653690e9d2bae73243a8203b8dc9c34c5163d72

SHA256
706612698e77b203d3058c2edda371cd5425f325bac7fbe0dfb6d8542dc37b4c

SHA512
2e5ff22d9ff1bab18adeaf2ddde9724e1a14c1488fd5e0beed5196cfcad3f2e110588d7166cebe71f72072bc8ddcdee59b5929c3dd163f9b5e02c88a5e584792

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9KK1E.tmp\adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
Filesize
1.2MB

MD5
3aabfe33f7b23e5b8409647b6b41996f

SHA1
8653690e9d2bae73243a8203b8dc9c34c5163d72

SHA256
706612698e77b203d3058c2edda371cd5425f325bac7fbe0dfb6d8542dc37b4c

SHA512
2e5ff22d9ff1bab18adeaf2ddde9724e1a14c1488fd5e0beed5196cfcad3f2e110588d7166cebe71f72072bc8ddcdee59b5929c3dd163f9b5e02c88a5e584792

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LG1VQ.tmp\systweakasp.tmp
Filesize
1.1MB

MD5
d4fde02fb6b4eb1bebc289aca8289ae9

SHA1
9518abb7827a4e5b0eb52ff9221d1224f23c7e06

SHA256
3f8c455ab5e927d205eaf643f8c045c9115f4081049d1319d8ae9894ef21a397

SHA512
f99e61ef419f88ebc8d48298a5eed91e6ce0440f8ca075947a612d46d2ac9cfb66865c898c86bc8b0224c68eab61c396b414ba4c0fd64c71551c90d22cdded5f

Download Submit
C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe
Filesize
9.6MB

MD5
baaf358c8ec9eda3dcdf59d500fbaacd

SHA1
9cfabd299a6c438376d1dec3c160f52c3af93738

SHA256
cd8d06443e9284f56755e64742b9d40c2096efc5c83ca3eba2fb93f80ba5401b

SHA512
63a275bd26452d4d89da23136f97b8d3dbf5576fb7849794992106f75ed31f1cc25e058bdfae788f1295a700a89ec2e5c3ccd40ea60a9c26cb2a66e2939c7520

Download Submit
C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe
Filesize
9.6MB

MD5
baaf358c8ec9eda3dcdf59d500fbaacd

SHA1
9cfabd299a6c438376d1dec3c160f52c3af93738

SHA256
cd8d06443e9284f56755e64742b9d40c2096efc5c83ca3eba2fb93f80ba5401b

SHA512
63a275bd26452d4d89da23136f97b8d3dbf5576fb7849794992106f75ed31f1cc25e058bdfae788f1295a700a89ec2e5c3ccd40ea60a9c26cb2a66e2939c7520

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X9LQCW8X.txt
Filesize
603B

MD5
9558a18de4a88662fd7798897b58eb5e

SHA1
3366f84d91bf7fff97390b62b753f2496f6a9c3b

SHA256
c8d2eaa240f9ce0587c9202c9f517df4d073f330511122a94092f53492f6d236

SHA512
f96bb14b12fc9906fb7aa13eae03ed26d529ea0331bffe0420a8dcca243586b6d7e198717eeccb74eb7df8661a766d17949073b3e15fcf30022a4d1d2cc10615

Download Submit
\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
\Program Files (x86)\Advanced System Protector\SQLite.Interop.dll
Filesize
1.1MB

MD5
890d00a3ee9d5be5d3a4248a8c529df0

SHA1
d094cace0566e6a9548b8b8841dffecf4ed2b0a3

SHA256
6fdb54429dc63541741676f065cbb903af0fc63f6d9d9bd2915b9f5f94853a62

SHA512
c75cdaf2b32d32e7303db78dbe5d78775ad9cca566ecd0fc6e503845941d172234d6b1600919a058fe2ebaa7cb3e5b64d28bcdf02285cfe5e0a7eb29dfc4f6f5

Download Submit
\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll
Filesize
373KB

MD5
e057bfd75665a9326919008b08870acf

SHA1
ccefd28d344663184a8dd9271d9266dee4d6d67b

SHA256
c3d0211dbc8897b4d04f063f598ac2a14977b7d8ee9d4326dd41eb79d3a8d648

SHA512
68690123f9e75ba5975e2ad701729c012cda0c735d9dece9618576bf500d57f64a36f7f3528ce89fd41db63974e3a3c568ec3673b5711a9d35eec280ef3edc55

Download Submit
\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll
Filesize
373KB

MD5
e057bfd75665a9326919008b08870acf

SHA1
ccefd28d344663184a8dd9271d9266dee4d6d67b

SHA256
c3d0211dbc8897b4d04f063f598ac2a14977b7d8ee9d4326dd41eb79d3a8d648

SHA512
68690123f9e75ba5975e2ad701729c012cda0c735d9dece9618576bf500d57f64a36f7f3528ce89fd41db63974e3a3c568ec3673b5711a9d35eec280ef3edc55

Download Submit
\Program Files (x86)\Advanced System Protector\Xceed.Compression.dll
Filesize
118KB

MD5
77c58c931770b18374fa1776b5368058

SHA1
c67cbaf0e2c77f2d0f6763577c92a77fa63575d9

SHA256
8dc50dbcfd15ab8566caef5c1c6596d1eb194e9d08ef438cf171cd322db2dd6b

SHA512
36d8fa4eefd32d1052e136738fe1dccf1faebf6c499477236a39cf64d534cfb18335f9f7a3e3bdb19fc15486f729e0c957fcc05491aac7a02205a3e001f2ac62

Download Submit
\Program Files (x86)\Advanced System Protector\Xceed.Compression.dll
Filesize
118KB

MD5
77c58c931770b18374fa1776b5368058

SHA1
c67cbaf0e2c77f2d0f6763577c92a77fa63575d9

SHA256
8dc50dbcfd15ab8566caef5c1c6596d1eb194e9d08ef438cf171cd322db2dd6b

SHA512
36d8fa4eefd32d1052e136738fe1dccf1faebf6c499477236a39cf64d534cfb18335f9f7a3e3bdb19fc15486f729e0c957fcc05491aac7a02205a3e001f2ac62

Download Submit
\Program Files (x86)\Advanced System Protector\aspsys.dll
Filesize
974KB

MD5
d9652b5da10ad056b64ce262e2576757

SHA1
3e95f7211eb790e2534b25cbe2376c4f2953d254

SHA256
ebd47fa0dae95ce25650817cc0cdeb793a6870fb1e1c681595c39b93581bfcff

SHA512
680f49f502fc83f0ce39be60819b5680540a76cf91e63c8ca42dce8bfa4da82bbbd4f78501037180e2f286e8adf8d3c42baaa377d45ddc254fd9ca79b86ce490

Download Submit
\Program Files (x86)\Advanced System Protector\unins000.exe
Filesize
1.2MB

MD5
62ceb818e56ce85ba410f1a290e4d922

SHA1
2165d42d4234e2edfdbf158b12e279b531900af2

SHA256
0d3b947076332280f176f502341cc23a68f110d441d386448f4c7bd6596e405d

SHA512
46df25076588518f9d225d49d41e7d2d3c75705e37fc7a86f0f4a58f24fc897e8fb15a64aa4a27b84923b29f108a876e33b03f2dc54e22380c47091b42787c69

Download Submit
\Program Files (x86)\Tuneup Pro\TuneupPro.exe
Filesize
7.3MB

MD5
be2ce71fc87a375f96665b980ec59f7b

SHA1
5ecad41aee09c73f8f7bf1d8d49bea7a222fff85

SHA256
88967773ef715fa98dc87a529d8d0e2f9d3e4783fab33e30f2df88df2a81bc76

SHA512
1a5e44396114afd5ad4b51eeba4ec4a08c07b8664836acc126c6c255ed023e8cc5d7fa9104bde8c703d45b45d4ac02cb6e5983f26cd55efec13f5ba723918e05

Download Submit
\Program Files (x86)\Tuneup Pro\TuneupPro.exe
Filesize
7.3MB

MD5
be2ce71fc87a375f96665b980ec59f7b

SHA1
5ecad41aee09c73f8f7bf1d8d49bea7a222fff85

SHA256
88967773ef715fa98dc87a529d8d0e2f9d3e4783fab33e30f2df88df2a81bc76

SHA512
1a5e44396114afd5ad4b51eeba4ec4a08c07b8664836acc126c6c255ed023e8cc5d7fa9104bde8c703d45b45d4ac02cb6e5983f26cd55efec13f5ba723918e05

Download Submit
\Program Files (x86)\Tuneup Pro\TuneupPro.exe
Filesize
7.3MB

MD5
be2ce71fc87a375f96665b980ec59f7b

SHA1
5ecad41aee09c73f8f7bf1d8d49bea7a222fff85

SHA256
88967773ef715fa98dc87a529d8d0e2f9d3e4783fab33e30f2df88df2a81bc76

SHA512
1a5e44396114afd5ad4b51eeba4ec4a08c07b8664836acc126c6c255ed023e8cc5d7fa9104bde8c703d45b45d4ac02cb6e5983f26cd55efec13f5ba723918e05

Download Submit
\Program Files (x86)\Tuneup Pro\isxdl.dll
Filesize
153KB

MD5
16429d91b2a28595e3bb5f6a48faa705

SHA1
aa195a50f21cf8935c7031543215151214c6ef4b

SHA256
1b141a14ed518bf01f847d893e282b831d0f0cee87919bc2e98e54a3c80f5471

SHA512
a6f0ba9812c2bf8b6ddac02fff963ad062a7f7fc08ee238d680e32eccb741f7875954765a5e86a2cd3ae0be72cd5b773a9c67425dfb106ecef8e285cdf02ad64

Download Submit
\Program Files (x86)\Tuneup Pro\systweakasp.exe
Filesize
579KB

MD5
8f2ca56d9c7c425facbe535745092ff2

SHA1
f2cbbe9867a40a0928542dace51d8b94957dfcac

SHA256
0c4e44adbd402f42a65bfdd4143a874b76bca9e3a51af3ede9268489e37a8bc4

SHA512
a19cdddd7c9f4bea90e64b03c5f3635d07e25545d35a020ee10de1a79b61748e8673aac179746dce334338d536fdc71ba24479b9cf643e5550ecca3af5c9990e

Download Submit
\Program Files (x86)\Tuneup Pro\unins000.exe
Filesize
1.2MB

MD5
3aabfe33f7b23e5b8409647b6b41996f

SHA1
8653690e9d2bae73243a8203b8dc9c34c5163d72

SHA256
706612698e77b203d3058c2edda371cd5425f325bac7fbe0dfb6d8542dc37b4c

SHA512
2e5ff22d9ff1bab18adeaf2ddde9724e1a14c1488fd5e0beed5196cfcad3f2e110588d7166cebe71f72072bc8ddcdee59b5929c3dd163f9b5e02c88a5e584792

Download Submit
\Program Files (x86)\Tuneup Pro\xmllite.dll
Filesize
124KB

MD5
71a2dca8f626fcef8bff7e2c17c67a7f

SHA1
5aaea93ec3f4d722d7ea0c2d86bc4f3cbdce5c92

SHA256
b55a978443ef0b873875910283bedfab0c3133bac7be72a68ed5146f83f1ef8c

SHA512
5244918679eba6e7af8e367c66c3d1bdcfa2323400994ecda37ccd697fb28b52ffdad992650929ec98b98ae9e0213074368a8881c6a62e48579c30f17051a17d

Download Submit
\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
\Users\Admin\AppData\Local\Temp\is-8CRIG.tmp\aspsetup.tmp
Filesize
1.2MB

MD5
62ceb818e56ce85ba410f1a290e4d922

SHA1
2165d42d4234e2edfdbf158b12e279b531900af2

SHA256
0d3b947076332280f176f502341cc23a68f110d441d386448f4c7bd6596e405d

SHA512
46df25076588518f9d225d49d41e7d2d3c75705e37fc7a86f0f4a58f24fc897e8fb15a64aa4a27b84923b29f108a876e33b03f2dc54e22380c47091b42787c69

Download Submit
\Users\Admin\AppData\Local\Temp\is-9KK1E.tmp\adbbe19fd837825864c22996efe46a3d19350003261b40309ad212154051b6a6.tmp
Filesize
1.2MB

MD5
3aabfe33f7b23e5b8409647b6b41996f

SHA1
8653690e9d2bae73243a8203b8dc9c34c5163d72

SHA256
706612698e77b203d3058c2edda371cd5425f325bac7fbe0dfb6d8542dc37b4c

SHA512
2e5ff22d9ff1bab18adeaf2ddde9724e1a14c1488fd5e0beed5196cfcad3f2e110588d7166cebe71f72072bc8ddcdee59b5929c3dd163f9b5e02c88a5e584792

Download Submit
\Users\Admin\AppData\Local\Temp\is-FSVQD.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-FSVQD.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-FSVQD.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-LG1VQ.tmp\systweakasp.tmp
Filesize
1.1MB

MD5
d4fde02fb6b4eb1bebc289aca8289ae9

SHA1
9518abb7827a4e5b0eb52ff9221d1224f23c7e06

SHA256
3f8c455ab5e927d205eaf643f8c045c9115f4081049d1319d8ae9894ef21a397

SHA512
f99e61ef419f88ebc8d48298a5eed91e6ce0440f8ca075947a612d46d2ac9cfb66865c898c86bc8b0224c68eab61c396b414ba4c0fd64c71551c90d22cdded5f

Download Submit
\Users\Admin\AppData\Local\Temp\is-SBR9O.tmp\isxdl.dll
Filesize
147KB

MD5
4beded47aa9b07f05a56c0f97331d1a4

SHA1
c2b4df1ad01c5f9b7fb60694312444450f285dbe

SHA256
da171a2e0eec75f372d1fc0a69be17a4a7d519908a6f75b76abe6ec7ab71d284

SHA512
488e68d604259d0d2e546edf45429ace33054dbc71098977e82b43c4c97ba341d1a4bdab4170e48a5178423183bb06ff947149cfbeb8b868b4175996b211cfc7

Download Submit
\Users\Admin\AppData\Local\Temp\is-VCNDT.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-VCNDT.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VCNDT.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VCNDT.tmp\isxdl.dll
Filesize
152KB

MD5
1e95c2a4d1c4f57b67cca6ab4c2c8b91

SHA1
9c9501210b5469c1a390f5f44674dde5ece10b09

SHA256
31163bd401dd84733cb21fd84a25e883082c70640fcc255883b637788a7bed4c

SHA512
9d6cf00fd1a66d044f3e100a29e5154eb68e785be97033d277a6255c69e6fb0340c117299e7c4273053205d44f9fde1353e2aa0f19b3589413fe8c90ccacc8c8

Download Submit
\Users\Admin\AppData\Roaming\ASP\aspsetup.exe
Filesize
9.6MB

MD5
baaf358c8ec9eda3dcdf59d500fbaacd

SHA1
9cfabd299a6c438376d1dec3c160f52c3af93738

SHA256
cd8d06443e9284f56755e64742b9d40c2096efc5c83ca3eba2fb93f80ba5401b

SHA512
63a275bd26452d4d89da23136f97b8d3dbf5576fb7849794992106f75ed31f1cc25e058bdfae788f1295a700a89ec2e5c3ccd40ea60a9c26cb2a66e2939c7520

Download Submit
memory/268-120-0x0000000000000000-mapping.dmp

Download
memory/664-101-0x0000000000000000-mapping.dmp

Download
memory/668-92-0x0000000000000000-mapping.dmp

Download
memory/668-99-0x0000000006E30000-0x0000000006E5A000-memory.dmp

Filesize
168KB

Download
memory/692-86-0x0000000000000000-mapping.dmp

Download
memory/692-89-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/692-102-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/692-214-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/748-126-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/748-212-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/748-114-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/748-106-0x0000000000000000-mapping.dmp

Download
memory/748-109-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/852-123-0x0000000000000000-mapping.dmp

Download
memory/972-144-0x0000000000000000-mapping.dmp

Download
memory/1076-65-0x0000000000000000-mapping.dmp

Download
memory/1408-121-0x0000000000000000-mapping.dmp

Download
memory/1424-146-0x0000000000000000-mapping.dmp

Download
memory/1440-138-0x0000000000000000-mapping.dmp

Download
memory/1500-135-0x0000000000000000-mapping.dmp

Download
memory/1500-136-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download
memory/1500-145-0x0000000000000000-mapping.dmp

Download
memory/1664-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1704-141-0x0000000000000000-mapping.dmp

Download
memory/1720-119-0x0000000000000000-mapping.dmp

Download
memory/1728-122-0x0000000000000000-mapping.dmp

Download
memory/1880-67-0x00000000744E1000-0x00000000744E3000-memory.dmp

Filesize
8KB

Download
memory/1880-58-0x0000000000000000-mapping.dmp

Download
memory/1888-149-0x0000000000000000-mapping.dmp

Download
memory/1904-73-0x0000000000000000-mapping.dmp

Download
memory/1940-124-0x00000000710C1000-0x00000000710C3000-memory.dmp

Filesize
8KB

Download
memory/1940-113-0x0000000000000000-mapping.dmp

Download
memory/1952-147-0x0000000000000000-mapping.dmp

Download
memory/2004-148-0x0000000000000000-mapping.dmp

Download
memory/2012-131-0x0000000000000000-mapping.dmp

Download
memory/2020-118-0x0000000000000000-mapping.dmp

Download
memory/2064-150-0x0000000000000000-mapping.dmp

Download
memory/2088-151-0x0000000000000000-mapping.dmp

Download
memory/2140-194-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2140-186-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2140-164-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2140-182-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2140-195-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2140-184-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2140-185-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2140-196-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2140-187-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2140-197-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2140-189-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2140-190-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2140-191-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2140-192-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2140-193-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2140-174-0x0000000004FF0000-0x000000000507D000-memory.dmp

Filesize
564KB

Download
memory/2140-183-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2140-170-0x0000000000DA0000-0x0000000000DBC000-memory.dmp

Filesize
112KB

Download
memory/2140-188-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2140-171-0x0000000000DC0000-0x0000000000DE0000-memory.dmp

Filesize
128KB

Download
memory/2140-159-0x0000000001110000-0x000000000191C000-memory.dmp

Filesize
8.0MB

Download
memory/2140-155-0x0000000000000000-mapping.dmp

Download
memory/2592-213-0x0000000001110000-0x000000000191C000-memory.dmp

Filesize
8.0MB

Download
memory/2592-209-0x0000000000000000-mapping.dmp

Download
memory/2592-217-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/2592-220-0x0000000000BC0000-0x0000000000BE0000-memory.dmp

Filesize
128KB

Download
memory/2592-221-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2592-222-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2592-224-0x0000000007CC0000-0x0000000007EC7000-memory.dmp

Filesize
2.0MB

Download
memory/2592-223-0x0000000007CC0000-0x0000000007EC7000-memory.dmp

Filesize
2.0MB

Download
memory/2592-225-0x000000000A4E0000-0x000000000A502000-memory.dmp

Filesize
136KB

Download
memory/2620-215-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/2620-211-0x0000000000000000-mapping.dmp

Download
memory/2620-219-0x0000000002210000-0x00000000022B0000-memory.dmp

Filesize
640KB

Download