471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5

Analysis

max time kernel
129s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe
Size

3.3MB
MD5

7cecb5db02e0bb266129e849f42e3499
SHA1

50d638d25f22c8199a3cb552ee985cdf9c0c21be
SHA256

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5
SHA512

37082ffff09ac0eb13fad4cd10ba292e67868f09fb6e609b6d1338789e7af71b44f675e39c656b7e03436008931109fae8579b381182c70aa32c55d2c347ef88
SSDEEP

49152:kXEPcE6MUj3cbEMxh1FuLZ3ggxNwvCUAT+0862XysaffpEecjtXHWlQ2JgoY9fNA:iE6MVEMn1cLWgMKUYVsABYoaoY5yia

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmpTuneupPro.exesystweakasp.exesystweakasp.tmpaspsetup.exeaspsetup.tmpAdvancedSystemProtector.exeASPNotifier.exeAdvancedSystemProtector.exeAdvancedSystemProtector.exe

pid	process
1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
1696	TuneupPro.exe
1288	systweakasp.exe
1096	systweakasp.tmp
584	aspsetup.exe
876	aspsetup.tmp
2124	AdvancedSystemProtector.exe
2348	ASPNotifier.exe
2332	AdvancedSystemProtector.exe
2548	AdvancedSystemProtector.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

conhost.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Systweak\\Advanced System Protector\\aspcontexthelper64.dll"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ThreadingModel = "Apartment"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Systweak\\Advanced System Protector\\aspcontexthelper64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 38 IoCs

Processes:

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmpTuneupPro.exesystweakasp.exesystweakasp.tmpaspsetup.exeaspsetup.tmpregsvr32.execonhost.execonhost.exeregsvr32.exeAdvancedSystemProtector.exeASPNotifier.exeAdvancedSystemProtector.exe

pid	process
1344	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe
1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
1696	TuneupPro.exe
1696	TuneupPro.exe
1696	TuneupPro.exe
1288	systweakasp.exe
1096	systweakasp.tmp
1096	systweakasp.tmp
1096	systweakasp.tmp
1096	systweakasp.tmp
1096	systweakasp.tmp
584	aspsetup.exe
876	aspsetup.tmp
876	aspsetup.tmp
876	aspsetup.tmp
876	aspsetup.tmp
876	aspsetup.tmp
2028	regsvr32.exe
1480	conhost.exe
788	conhost.exe
528	regsvr32.exe
876	aspsetup.tmp
876	aspsetup.tmp
876	aspsetup.tmp
876	aspsetup.tmp
2332	AdvancedSystemProtector.exe
2332	AdvancedSystemProtector.exe
2348	ASPNotifier.exe
2348	ASPNotifier.exe
2332	AdvancedSystemProtector.exe
2548	AdvancedSystemProtector.exe
2548	AdvancedSystemProtector.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

TuneupPro.exe

description ioc process

File opened (read-only) \??\X: TuneupPro.exe

description	ioc	process
File opened (read-only)	\??\X:	TuneupPro.exe

Drops file in System32 directory 4 IoCs

Processes:

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmpaspsetup.tmp

description	ioc	process
File created	C:\Windows\system32\roboot64.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Windows\system32\roboot64.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Windows\system32\sasnative64.exe	aspsetup.tmp
File opened for modification	C:\Windows\system32\sasnative64.exe	aspsetup.tmp

Drops file in Program Files directory 64 IoCs

Processes:

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmpaspsetup.tmpASPNotifier.exe

description	ioc	process
File created	C:\Program Files (x86)\Tuneup Pro\is-VMG78.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-3UJTQ.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-IJ8TO.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\unins000.dat	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-UI0R1.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-R9QMA.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\System.Core.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-519LD.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-SPIRA.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-IQGH5.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Xceed.Compression.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-G85RO.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-EMHAJ.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\ASPNotifier_OutOfMemorylog.txt	ASPNotifier.exe
File created	C:\Program Files (x86)\Tuneup Pro\is-ICM3R.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-P4KJ6.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\unins000.msg	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\ASPNotifier.exe	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Microsoft.Win32.TaskScheduler.DLL	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\AspManager.exe	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-3EU5F.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-78RGA.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\isxdl.dll	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Communication.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-1TQFQ.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-3IDDN.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-G3BPT.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-UQO7V.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Restartexp.exe	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-MC0N7.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-PNK98.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-Q3SOB.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-FQDJL.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Xceed.FileSystem.dll	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\aspsys.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-050PO.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-C9T7D.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-J1LE8.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\AppResource.dll	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\scandll.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-AETAR.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-AH2S8.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-0IMLB.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-7RGSC.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Xceed.Compression.Formats.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-SV739.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-C4R9D.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-B7JD8.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Xceed.Zip.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\unins000.dat	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\unins000.dat	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\systweakasp.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-BG027.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-GJOP3.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-LHK6E.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\TuppUns.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-CIB6K.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-QCM6H.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-636E2.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-TKK0N.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-IFUEC.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp

Drops file in Windows directory 2 IoCs

Processes:

TuneupPro.exe

description	ioc	process
File created	C:\Windows\Tasks\Tuneup Pro_DEFAULT.job	TuneupPro.exe
File created	C:\Windows\Tasks\Tuneup Pro_UPDATES.job	TuneupPro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1676 schtasks.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

528 taskkill.exe
756 taskkill.exe
1324 taskkill.exe
732 taskkill.exe
468 taskkill.exe
1364 taskkill.exe

pid	process
1676	schtasks.exe

pid	process
528	taskkill.exe
756	taskkill.exe
1324	taskkill.exe
732	taskkill.exe
468	taskkill.exe
1364	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXETuneupPro.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376086369"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ef917df9fa5ea64790c291384aaf9bc20000000002000000000010660000000100002000000085349ed97d04a7c3e0bf15185d5668a5688849d1eecd33b70a68107129abba1a000000000e8000000002000020000000ab822ba72f1a2c81c84bc995dcf10c2349bf6e594ec4dba894e1e634ba69f5eb20000000c9981cbdae676f8aad97f5e64e44e7eb0204d667fde52fc7ff45f95d399812f74000000094bb7df260293c649586a0e6d0363f6c071401eb272596696421ccf7edee2bc5ddff84e0455550d4e63dec136c3b70d0542a4ec10dbe9f1899041d4a0d19ca3b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ef917df9fa5ea64790c291384aaf9bc2000000000200000000001066000000010000200000009fa848507bda91d86c9eac454b6fec2bd0c64a25992d43481af145f38acbfce7000000000e80000000020000200000003345de27d914b5799d3e15827fef608517aff4bebb4ce2538f54f3815c867e809000000062393bf3a54fe127115fc2f2451f0e090781e5d9cbdadab64d06ca727723d95581c0d580d92ffaf86d302dc13b090144fbb5cd0b695d3abd67991d0d314dcbec87159445d0bc446804af040028c74d44cb466ac7800e94ced6089a746e952e676ae49e4d2e81753b36c5c928097a834cef5c569561da849b15084620b6f0a841cf81ae37c8596114a9cae0908b74129a400000005d58ea9133126e457f77f6a813adb64ae6e6aa3b00457bb62759d12c28019051e2fa970e2a5801542657e74b36955a978dfbb79226011c8566737431e9b1844b	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10fabda64200d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CF2DD7E1-6C35-11ED-A755-C22E595EE768} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	TuneupPro.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.execonhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID\ = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\Advanced System Protector\ = "{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}	conhost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved	conhost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Systweak\\Advanced System Protector\\aspcontexthelper64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\PROGID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmpaspsetup.tmp

pid	process
1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
876	aspsetup.tmp
876	aspsetup.tmp

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

taskkill.execonhost.exetaskkill.exetaskkill.exetaskkill.exeschtasks.exeASPNotifier.exe

description	pid	process
Token: SeDebugPrivilege	528	taskkill.exe
Token: SeDebugPrivilege	756	conhost.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	732	taskkill.exe
Token: SeDebugPrivilege	468	taskkill.exe
Token: SeDebugPrivilege	1364	schtasks.exe
Token: SeDebugPrivilege	2348	ASPNotifier.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmpiexplore.exeTuneupPro.exeaspsetup.tmp

pid process

1740 471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
2016 iexplore.exe
1696 TuneupPro.exe
1696 TuneupPro.exe
876 aspsetup.tmp
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

TuneupPro.exe

pid process

1696 TuneupPro.exe
1696 TuneupPro.exe

pid	process
1696	TuneupPro.exe
1696	TuneupPro.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

iexplore.exeTuneupPro.exeIEXPLORE.EXE

pid	process
2016	iexplore.exe
2016	iexplore.exe
1696	TuneupPro.exe
1696	TuneupPro.exe
1696	TuneupPro.exe
1696	TuneupPro.exe
1416	IEXPLORE.EXE
1416	IEXPLORE.EXE
1696	TuneupPro.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmpiexplore.exeTuneupPro.exesystweakasp.exesystweakasp.tmpaspsetup.exeaspsetup.tmp

description	pid	process	target process
PID 1344 wrote to memory of 1740	1344	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
PID 1344 wrote to memory of 1740	1344	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
PID 1344 wrote to memory of 1740	1344	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
PID 1344 wrote to memory of 1740	1344	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
PID 1344 wrote to memory of 1740	1344	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
PID 1344 wrote to memory of 1740	1344	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
PID 1344 wrote to memory of 1740	1344	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
PID 1740 wrote to memory of 1312	1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	regsvr32.exe
PID 1740 wrote to memory of 1312	1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	regsvr32.exe
PID 1740 wrote to memory of 1312	1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	regsvr32.exe
PID 1740 wrote to memory of 1312	1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	regsvr32.exe
PID 1740 wrote to memory of 1312	1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	regsvr32.exe
PID 1740 wrote to memory of 1312	1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	regsvr32.exe
PID 1740 wrote to memory of 1312	1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	regsvr32.exe
PID 1740 wrote to memory of 2016	1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	iexplore.exe
PID 1740 wrote to memory of 2016	1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	iexplore.exe
PID 1740 wrote to memory of 2016	1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	iexplore.exe
PID 1740 wrote to memory of 2016	1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	iexplore.exe
PID 1740 wrote to memory of 1696	1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	TuneupPro.exe
PID 1740 wrote to memory of 1696	1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	TuneupPro.exe
PID 1740 wrote to memory of 1696	1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	TuneupPro.exe
PID 1740 wrote to memory of 1696	1740	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	TuneupPro.exe
PID 2016 wrote to memory of 1416	2016	iexplore.exe	IEXPLORE.EXE
PID 2016 wrote to memory of 1416	2016	iexplore.exe	IEXPLORE.EXE
PID 2016 wrote to memory of 1416	2016	iexplore.exe	IEXPLORE.EXE
PID 2016 wrote to memory of 1416	2016	iexplore.exe	IEXPLORE.EXE
PID 1696 wrote to memory of 1288	1696	TuneupPro.exe	systweakasp.exe
PID 1696 wrote to memory of 1288	1696	TuneupPro.exe	systweakasp.exe
PID 1696 wrote to memory of 1288	1696	TuneupPro.exe	systweakasp.exe
PID 1696 wrote to memory of 1288	1696	TuneupPro.exe	systweakasp.exe
PID 1288 wrote to memory of 1096	1288	systweakasp.exe	systweakasp.tmp
PID 1288 wrote to memory of 1096	1288	systweakasp.exe	systweakasp.tmp
PID 1288 wrote to memory of 1096	1288	systweakasp.exe	systweakasp.tmp
PID 1288 wrote to memory of 1096	1288	systweakasp.exe	systweakasp.tmp
PID 1288 wrote to memory of 1096	1288	systweakasp.exe	systweakasp.tmp
PID 1288 wrote to memory of 1096	1288	systweakasp.exe	systweakasp.tmp
PID 1288 wrote to memory of 1096	1288	systweakasp.exe	systweakasp.tmp
PID 1096 wrote to memory of 1676	1096	systweakasp.tmp	schtasks.exe
PID 1096 wrote to memory of 1676	1096	systweakasp.tmp	schtasks.exe
PID 1096 wrote to memory of 1676	1096	systweakasp.tmp	schtasks.exe
PID 1096 wrote to memory of 1676	1096	systweakasp.tmp	schtasks.exe
PID 1096 wrote to memory of 584	1096	systweakasp.tmp	aspsetup.exe
PID 1096 wrote to memory of 584	1096	systweakasp.tmp	aspsetup.exe
PID 1096 wrote to memory of 584	1096	systweakasp.tmp	aspsetup.exe
PID 1096 wrote to memory of 584	1096	systweakasp.tmp	aspsetup.exe
PID 1096 wrote to memory of 584	1096	systweakasp.tmp	aspsetup.exe
PID 1096 wrote to memory of 584	1096	systweakasp.tmp	aspsetup.exe
PID 1096 wrote to memory of 584	1096	systweakasp.tmp	aspsetup.exe
PID 584 wrote to memory of 876	584	aspsetup.exe	aspsetup.tmp
PID 584 wrote to memory of 876	584	aspsetup.exe	aspsetup.tmp
PID 584 wrote to memory of 876	584	aspsetup.exe	aspsetup.tmp
PID 584 wrote to memory of 876	584	aspsetup.exe	aspsetup.tmp
PID 584 wrote to memory of 876	584	aspsetup.exe	aspsetup.tmp
PID 584 wrote to memory of 876	584	aspsetup.exe	aspsetup.tmp
PID 584 wrote to memory of 876	584	aspsetup.exe	aspsetup.tmp
PID 876 wrote to memory of 528	876	aspsetup.tmp	taskkill.exe
PID 876 wrote to memory of 528	876	aspsetup.tmp	taskkill.exe
PID 876 wrote to memory of 528	876	aspsetup.tmp	taskkill.exe
PID 876 wrote to memory of 528	876	aspsetup.tmp	taskkill.exe
PID 876 wrote to memory of 756	876	aspsetup.tmp	conhost.exe
PID 876 wrote to memory of 756	876	aspsetup.tmp	conhost.exe
PID 876 wrote to memory of 756	876	aspsetup.tmp	conhost.exe
PID 876 wrote to memory of 756	876	aspsetup.tmp	conhost.exe
PID 876 wrote to memory of 1324	876	aspsetup.tmp	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe
"C:\Users\Admin\AppData\Local\Temp\471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\is-HL4FV.tmp\471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HL4FV.tmp\471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp" /SL5="$90120,2957012,148992,C:\Users\Admin\AppData\Local\Temp\471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\jscript.dll"
3⤵
- Modifies registry class
PID:1312

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.tuneuppro.com/tupp/afterinstall.asp?utm_content=AfterInstall&utm_term=Setup&page=install&&LangID=en
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2016 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1416

C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe
"C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696

C:\Program Files (x86)\Tuneup Pro\systweakasp.exe
"C:\Program Files (x86)\Tuneup Pro\systweakasp.exe" /verysilent
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\is-CNQ15.tmp\systweakasp.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CNQ15.tmp\systweakasp.tmp" /SL5="$201B8,193643,132096,C:\Program Files (x86)\Tuneup Pro\systweakasp.exe" /verysilent
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ASP" /tr "\"C:\Program Files (x86)\Tuneup Pro\systweakasp.exe\" /verysilent" /sc onlogon /RL Highest /F
6⤵
- Creates scheduled task(s)
PID:1676

C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe
"C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe" /verysilent
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Local\Temp\is-2SP3V.tmp\aspsetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2SP3V.tmp\aspsetup.tmp" /SL5="$2035E,9529906,134144,C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe" /verysilent
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "systemprotector.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "advancedsystemprotector.exe"
8⤵
- Kills process with taskkill
PID:756

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "aspmanager.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "asp.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "BrowserCleaner.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "ASPNotifier.exe"
8⤵
- Kills process with taskkill
PID:1364

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
8⤵
- Loads dropped DLL
PID:2028

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
9⤵
PID:1480

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
8⤵
PID:788

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
9⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:528

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector" /f
8⤵
PID:1536

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector_101" /f
8⤵
PID:2040

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector_startup" /f
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector_runonce" /f
8⤵
PID:1992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "systweakasp" /f
8⤵
PID:1500

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "AdvancedSystemProtectorNotifier_trigger" /f
8⤵
PID:2096

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "AdvancedSystemProtectorNotifier_startup" /f
8⤵
PID:2076

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "AdvancedSystemProtectorNotifier" /f
8⤵
PID:2056

C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
"C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe" loadvalues
8⤵
- Executes dropped EXE
PID:2124

C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
"C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe" -silentscan
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332

C:\Program Files (x86)\Advanced System Protector\ASPNotifier.exe
"C:\Program Files (x86)\Advanced System Protector\ASPNotifier.exe" createschedule
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
"C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe" loadvalues
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2121074324756209557-417633999808021161-1956409857-1717160022-9657131341969101746"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "972890066-1890438723620748585-1484633027184478603082313901776844322-1544367617"
1⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "173573636-1276858969-1166365180275766770198019127318740388041162390561569990205"
1⤵
- Loads dropped DLL
PID:788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Advanced System Protector\ASPNotifier.exe
Filesize
635KB

MD5
1b954641f9f3a97720e9de3a86caa363

SHA1
e3346c0b212a84a15d7087e5a17b242cc02f6439

SHA256
1ab446046d16c7407bdf9e75693d6e8753a03e3d0b100695cff48fb2941c5a82

SHA512
77729f71da750c82a38c32cd9a815116f6ed56967ecd518a9f72e79c15543d0f9e3b05c79482f1647d9918b43298d5d9f88b87e65b748faa5237e4843c9c52e0

Download Submit
C:\Program Files (x86)\Advanced System Protector\ASPNotifier.exe
Filesize
635KB

MD5
1b954641f9f3a97720e9de3a86caa363

SHA1
e3346c0b212a84a15d7087e5a17b242cc02f6439

SHA256
1ab446046d16c7407bdf9e75693d6e8753a03e3d0b100695cff48fb2941c5a82

SHA512
77729f71da750c82a38c32cd9a815116f6ed56967ecd518a9f72e79c15543d0f9e3b05c79482f1647d9918b43298d5d9f88b87e65b748faa5237e4843c9c52e0

Download Submit
C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe.config
Filesize
9KB

MD5
a284ffaae3af04444474a18803ee2aa3

SHA1
ee173016d79f8031960edecba19160c928e3492e

SHA256
4931f6936709ad3012b8838b3e619bb8e43785c001ec2974a2ecb8041afe4c96

SHA512
f52a13cbcc6878bc510e3010b2d532c7d26dc237555cabcf8daad26be0777ffc3336174a67bba60b33d4708241a90d7d2be86e9cc319f07f39056664f5b6f920

Download Submit
C:\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll
Filesize
373KB

MD5
e057bfd75665a9326919008b08870acf

SHA1
ccefd28d344663184a8dd9271d9266dee4d6d67b

SHA256
c3d0211dbc8897b4d04f063f598ac2a14977b7d8ee9d4326dd41eb79d3a8d648

SHA512
68690123f9e75ba5975e2ad701729c012cda0c735d9dece9618576bf500d57f64a36f7f3528ce89fd41db63974e3a3c568ec3673b5711a9d35eec280ef3edc55

Download Submit
C:\Program Files (x86)\Advanced System Protector\notifierlib.dll
Filesize
633KB

MD5
1163a97a57b8b7d574727b94621ac65c

SHA1
ffd91aff4b4a6efef8c5ef9a43dc9b64fe84838f

SHA256
ce6e571d7f07a019c4ecd92d6a7b3b7ab6f6b075bd523610a7ceef7db84e7347

SHA512
211630563429a7b233f1590c24c9ffaf60440e908dc5a0231e116706afcec914e43cbd26fcd10097b7332cdba3765ee70f00f8ed3de1166626acf42ebe43d0ee

Download Submit
C:\Program Files (x86)\Tuneup Pro\FileList.rcp
Filesize
13KB

MD5
856e0fd8e725e175568c9750045829ee

SHA1
983678d82e63f181d2d77f42d7fde27eab317432

SHA256
171099dece5d940339136025019c7cbcb5b6959b40e1eccddb318db419f69442

SHA512
ffa7f5a67e91368f1651976843c40fe670882f0ef3b20f466f05bd1728844d31f489755a4f6a7f502dfd03a31053140a0d1a35c2ada29f823b17e82519ab382d

Download Submit
C:\Program Files (x86)\Tuneup Pro\RegList.rcp
Filesize
89KB

MD5
5e301389550a01b7d10b5666a327624c

SHA1
0000d901de7debd1ef579ddf64df92b932912224

SHA256
2b7250211f050bd11bf7ab5d296aba46ccb88875b8bf4b8154a382277144c36e

SHA512
d58d1eda01a77985beaec96a006b2e7708f6c6c6553a474f39a2cd1c858aa71c7eca23dbc983fdad2d996fc296ffbc554eac1e5869d96944733ee574d7a6dbab

Download Submit
C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe
Filesize
7.3MB

MD5
be2ce71fc87a375f96665b980ec59f7b

SHA1
5ecad41aee09c73f8f7bf1d8d49bea7a222fff85

SHA256
88967773ef715fa98dc87a529d8d0e2f9d3e4783fab33e30f2df88df2a81bc76

SHA512
1a5e44396114afd5ad4b51eeba4ec4a08c07b8664836acc126c6c255ed023e8cc5d7fa9104bde8c703d45b45d4ac02cb6e5983f26cd55efec13f5ba723918e05

Download Submit
C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe
Filesize
7.3MB

MD5
be2ce71fc87a375f96665b980ec59f7b

SHA1
5ecad41aee09c73f8f7bf1d8d49bea7a222fff85

SHA256
88967773ef715fa98dc87a529d8d0e2f9d3e4783fab33e30f2df88df2a81bc76

SHA512
1a5e44396114afd5ad4b51eeba4ec4a08c07b8664836acc126c6c255ed023e8cc5d7fa9104bde8c703d45b45d4ac02cb6e5983f26cd55efec13f5ba723918e05

Download Submit
C:\Program Files (x86)\Tuneup Pro\XmlLite.dll
Filesize
124KB

MD5
71a2dca8f626fcef8bff7e2c17c67a7f

SHA1
5aaea93ec3f4d722d7ea0c2d86bc4f3cbdce5c92

SHA256
b55a978443ef0b873875910283bedfab0c3133bac7be72a68ed5146f83f1ef8c

SHA512
5244918679eba6e7af8e367c66c3d1bdcfa2323400994ecda37ccd697fb28b52ffdad992650929ec98b98ae9e0213074368a8881c6a62e48579c30f17051a17d

Download Submit
C:\Program Files (x86)\Tuneup Pro\eng_rcp.ini
Filesize
83KB

MD5
bbf623a44f466bf544d2418f4473a7e4

SHA1
684e3b0396a143d23f64c3eda59f6b29291cf967

SHA256
115fa830c0087b531655bc2974522d924405f718289c57769e9aae44c7b116d5

SHA512
e6d3a359f63c34d3457e8c2c56addf8d90cf7ac7e99db6545fc6a3f713fb4b0f631d6aa75da7064effdb4df6001aa7a65e06a010cbeaf561cf865b4c3dc0670e

Download Submit
C:\Program Files (x86)\Tuneup Pro\isxdl.dll
Filesize
153KB

MD5
16429d91b2a28595e3bb5f6a48faa705

SHA1
aa195a50f21cf8935c7031543215151214c6ef4b

SHA256
1b141a14ed518bf01f847d893e282b831d0f0cee87919bc2e98e54a3c80f5471

SHA512
a6f0ba9812c2bf8b6ddac02fff963ad062a7f7fc08ee238d680e32eccb741f7875954765a5e86a2cd3ae0be72cd5b773a9c67425dfb106ecef8e285cdf02ad64

Download Submit
C:\Program Files (x86)\Tuneup Pro\systweakasp.exe
Filesize
579KB

MD5
8f2ca56d9c7c425facbe535745092ff2

SHA1
f2cbbe9867a40a0928542dace51d8b94957dfcac

SHA256
0c4e44adbd402f42a65bfdd4143a874b76bca9e3a51af3ede9268489e37a8bc4

SHA512
a19cdddd7c9f4bea90e64b03c5f3635d07e25545d35a020ee10de1a79b61748e8673aac179746dce334338d536fdc71ba24479b9cf643e5550ecca3af5c9990e

Download Submit
C:\Program Files (x86)\Tuneup Pro\systweakasp.exe
Filesize
579KB

MD5
8f2ca56d9c7c425facbe535745092ff2

SHA1
f2cbbe9867a40a0928542dace51d8b94957dfcac

SHA256
0c4e44adbd402f42a65bfdd4143a874b76bca9e3a51af3ede9268489e37a8bc4

SHA512
a19cdddd7c9f4bea90e64b03c5f3635d07e25545d35a020ee10de1a79b61748e8673aac179746dce334338d536fdc71ba24479b9cf643e5550ecca3af5c9990e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0430feb0eba94134c375abe593490bb5

SHA1
1c878c9ef71a63dc988f53fd209c48ba14eb965b

SHA256
24143c8c131227d9334af0480bb5306540d93cccfb53a2a7753f44a49f75f615

SHA512
3ee83dca869555963b18dafc54e5d527ece3a307b2c4e1ae1c5bcf3fc4ad5423f25ec29254519614c87afc37bf122533ebe5de36660d0a179263568134041f93

Download Submit
C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2SP3V.tmp\aspsetup.tmp
Filesize
1.2MB

MD5
62ceb818e56ce85ba410f1a290e4d922

SHA1
2165d42d4234e2edfdbf158b12e279b531900af2

SHA256
0d3b947076332280f176f502341cc23a68f110d441d386448f4c7bd6596e405d

SHA512
46df25076588518f9d225d49d41e7d2d3c75705e37fc7a86f0f4a58f24fc897e8fb15a64aa4a27b84923b29f108a876e33b03f2dc54e22380c47091b42787c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2SP3V.tmp\aspsetup.tmp
Filesize
1.2MB

MD5
62ceb818e56ce85ba410f1a290e4d922

SHA1
2165d42d4234e2edfdbf158b12e279b531900af2

SHA256
0d3b947076332280f176f502341cc23a68f110d441d386448f4c7bd6596e405d

SHA512
46df25076588518f9d225d49d41e7d2d3c75705e37fc7a86f0f4a58f24fc897e8fb15a64aa4a27b84923b29f108a876e33b03f2dc54e22380c47091b42787c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CNQ15.tmp\systweakasp.tmp
Filesize
1.1MB

MD5
d4fde02fb6b4eb1bebc289aca8289ae9

SHA1
9518abb7827a4e5b0eb52ff9221d1224f23c7e06

SHA256
3f8c455ab5e927d205eaf643f8c045c9115f4081049d1319d8ae9894ef21a397

SHA512
f99e61ef419f88ebc8d48298a5eed91e6ce0440f8ca075947a612d46d2ac9cfb66865c898c86bc8b0224c68eab61c396b414ba4c0fd64c71551c90d22cdded5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HL4FV.tmp\471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
Filesize
1.2MB

MD5
3aabfe33f7b23e5b8409647b6b41996f

SHA1
8653690e9d2bae73243a8203b8dc9c34c5163d72

SHA256
706612698e77b203d3058c2edda371cd5425f325bac7fbe0dfb6d8542dc37b4c

SHA512
2e5ff22d9ff1bab18adeaf2ddde9724e1a14c1488fd5e0beed5196cfcad3f2e110588d7166cebe71f72072bc8ddcdee59b5929c3dd163f9b5e02c88a5e584792

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HL4FV.tmp\471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
Filesize
1.2MB

MD5
3aabfe33f7b23e5b8409647b6b41996f

SHA1
8653690e9d2bae73243a8203b8dc9c34c5163d72

SHA256
706612698e77b203d3058c2edda371cd5425f325bac7fbe0dfb6d8542dc37b4c

SHA512
2e5ff22d9ff1bab18adeaf2ddde9724e1a14c1488fd5e0beed5196cfcad3f2e110588d7166cebe71f72072bc8ddcdee59b5929c3dd163f9b5e02c88a5e584792

Download Submit
C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe
Filesize
9.6MB

MD5
baaf358c8ec9eda3dcdf59d500fbaacd

SHA1
9cfabd299a6c438376d1dec3c160f52c3af93738

SHA256
cd8d06443e9284f56755e64742b9d40c2096efc5c83ca3eba2fb93f80ba5401b

SHA512
63a275bd26452d4d89da23136f97b8d3dbf5576fb7849794992106f75ed31f1cc25e058bdfae788f1295a700a89ec2e5c3ccd40ea60a9c26cb2a66e2939c7520

Download Submit
C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe
Filesize
9.6MB

MD5
baaf358c8ec9eda3dcdf59d500fbaacd

SHA1
9cfabd299a6c438376d1dec3c160f52c3af93738

SHA256
cd8d06443e9284f56755e64742b9d40c2096efc5c83ca3eba2fb93f80ba5401b

SHA512
63a275bd26452d4d89da23136f97b8d3dbf5576fb7849794992106f75ed31f1cc25e058bdfae788f1295a700a89ec2e5c3ccd40ea60a9c26cb2a66e2939c7520

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P9ONIW3I.txt
Filesize
606B

MD5
c016d4241ce0c33c7949e9b3afc8c517

SHA1
3b7c9060c5e76f0558410c89301ee4ad74d26508

SHA256
c7e8b78050e35102082195197f000b641a0a70402dc3832449285a88c4eb588f

SHA512
ab4e0fda3c10dad26c10fc07482e4f1b1156be1a1b21e6a997365b4258d5b618e48baf099303d6ce46b237f781ee5cce1392345effeafbe430b48af28b9fcda3

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\Advanced System Protector\ASPNotifier.exe
Filesize
635KB

MD5
1b954641f9f3a97720e9de3a86caa363

SHA1
e3346c0b212a84a15d7087e5a17b242cc02f6439

SHA256
1ab446046d16c7407bdf9e75693d6e8753a03e3d0b100695cff48fb2941c5a82

SHA512
77729f71da750c82a38c32cd9a815116f6ed56967ecd518a9f72e79c15543d0f9e3b05c79482f1647d9918b43298d5d9f88b87e65b748faa5237e4843c9c52e0

Download Submit
\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll
Filesize
373KB

MD5
e057bfd75665a9326919008b08870acf

SHA1
ccefd28d344663184a8dd9271d9266dee4d6d67b

SHA256
c3d0211dbc8897b4d04f063f598ac2a14977b7d8ee9d4326dd41eb79d3a8d648

SHA512
68690123f9e75ba5975e2ad701729c012cda0c735d9dece9618576bf500d57f64a36f7f3528ce89fd41db63974e3a3c568ec3673b5711a9d35eec280ef3edc55

Download Submit
\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll
Filesize
373KB

MD5
e057bfd75665a9326919008b08870acf

SHA1
ccefd28d344663184a8dd9271d9266dee4d6d67b

SHA256
c3d0211dbc8897b4d04f063f598ac2a14977b7d8ee9d4326dd41eb79d3a8d648

SHA512
68690123f9e75ba5975e2ad701729c012cda0c735d9dece9618576bf500d57f64a36f7f3528ce89fd41db63974e3a3c568ec3673b5711a9d35eec280ef3edc55

Download Submit
\Program Files (x86)\Advanced System Protector\notifierlib.dll
Filesize
633KB

MD5
1163a97a57b8b7d574727b94621ac65c

SHA1
ffd91aff4b4a6efef8c5ef9a43dc9b64fe84838f

SHA256
ce6e571d7f07a019c4ecd92d6a7b3b7ab6f6b075bd523610a7ceef7db84e7347

SHA512
211630563429a7b233f1590c24c9ffaf60440e908dc5a0231e116706afcec914e43cbd26fcd10097b7332cdba3765ee70f00f8ed3de1166626acf42ebe43d0ee

Download Submit
\Program Files (x86)\Advanced System Protector\unins000.exe
Filesize
1.2MB

MD5
62ceb818e56ce85ba410f1a290e4d922

SHA1
2165d42d4234e2edfdbf158b12e279b531900af2

SHA256
0d3b947076332280f176f502341cc23a68f110d441d386448f4c7bd6596e405d

SHA512
46df25076588518f9d225d49d41e7d2d3c75705e37fc7a86f0f4a58f24fc897e8fb15a64aa4a27b84923b29f108a876e33b03f2dc54e22380c47091b42787c69

Download Submit
\Program Files (x86)\Tuneup Pro\TuneupPro.exe
Filesize
7.3MB

MD5
be2ce71fc87a375f96665b980ec59f7b

SHA1
5ecad41aee09c73f8f7bf1d8d49bea7a222fff85

SHA256
88967773ef715fa98dc87a529d8d0e2f9d3e4783fab33e30f2df88df2a81bc76

SHA512
1a5e44396114afd5ad4b51eeba4ec4a08c07b8664836acc126c6c255ed023e8cc5d7fa9104bde8c703d45b45d4ac02cb6e5983f26cd55efec13f5ba723918e05

Download Submit
\Program Files (x86)\Tuneup Pro\TuneupPro.exe
Filesize
7.3MB

MD5
be2ce71fc87a375f96665b980ec59f7b

SHA1
5ecad41aee09c73f8f7bf1d8d49bea7a222fff85

SHA256
88967773ef715fa98dc87a529d8d0e2f9d3e4783fab33e30f2df88df2a81bc76

SHA512
1a5e44396114afd5ad4b51eeba4ec4a08c07b8664836acc126c6c255ed023e8cc5d7fa9104bde8c703d45b45d4ac02cb6e5983f26cd55efec13f5ba723918e05

Download Submit
\Program Files (x86)\Tuneup Pro\TuneupPro.exe
Filesize
7.3MB

MD5
be2ce71fc87a375f96665b980ec59f7b

SHA1
5ecad41aee09c73f8f7bf1d8d49bea7a222fff85

SHA256
88967773ef715fa98dc87a529d8d0e2f9d3e4783fab33e30f2df88df2a81bc76

SHA512
1a5e44396114afd5ad4b51eeba4ec4a08c07b8664836acc126c6c255ed023e8cc5d7fa9104bde8c703d45b45d4ac02cb6e5983f26cd55efec13f5ba723918e05

Download Submit
\Program Files (x86)\Tuneup Pro\isxdl.dll
Filesize
153KB

MD5
16429d91b2a28595e3bb5f6a48faa705

SHA1
aa195a50f21cf8935c7031543215151214c6ef4b

SHA256
1b141a14ed518bf01f847d893e282b831d0f0cee87919bc2e98e54a3c80f5471

SHA512
a6f0ba9812c2bf8b6ddac02fff963ad062a7f7fc08ee238d680e32eccb741f7875954765a5e86a2cd3ae0be72cd5b773a9c67425dfb106ecef8e285cdf02ad64

Download Submit
\Program Files (x86)\Tuneup Pro\systweakasp.exe
Filesize
579KB

MD5
8f2ca56d9c7c425facbe535745092ff2

SHA1
f2cbbe9867a40a0928542dace51d8b94957dfcac

SHA256
0c4e44adbd402f42a65bfdd4143a874b76bca9e3a51af3ede9268489e37a8bc4

SHA512
a19cdddd7c9f4bea90e64b03c5f3635d07e25545d35a020ee10de1a79b61748e8673aac179746dce334338d536fdc71ba24479b9cf643e5550ecca3af5c9990e

Download Submit
\Program Files (x86)\Tuneup Pro\unins000.exe
Filesize
1.2MB

MD5
3aabfe33f7b23e5b8409647b6b41996f

SHA1
8653690e9d2bae73243a8203b8dc9c34c5163d72

SHA256
706612698e77b203d3058c2edda371cd5425f325bac7fbe0dfb6d8542dc37b4c

SHA512
2e5ff22d9ff1bab18adeaf2ddde9724e1a14c1488fd5e0beed5196cfcad3f2e110588d7166cebe71f72072bc8ddcdee59b5929c3dd163f9b5e02c88a5e584792

Download Submit
\Program Files (x86)\Tuneup Pro\xmllite.dll
Filesize
124KB

MD5
71a2dca8f626fcef8bff7e2c17c67a7f

SHA1
5aaea93ec3f4d722d7ea0c2d86bc4f3cbdce5c92

SHA256
b55a978443ef0b873875910283bedfab0c3133bac7be72a68ed5146f83f1ef8c

SHA512
5244918679eba6e7af8e367c66c3d1bdcfa2323400994ecda37ccd697fb28b52ffdad992650929ec98b98ae9e0213074368a8881c6a62e48579c30f17051a17d

Download Submit
\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
\Users\Admin\AppData\Local\Temp\is-1RS9R.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-1RS9R.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-1RS9R.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-1RS9R.tmp\isxdl.dll
Filesize
152KB

MD5
1e95c2a4d1c4f57b67cca6ab4c2c8b91

SHA1
9c9501210b5469c1a390f5f44674dde5ece10b09

SHA256
31163bd401dd84733cb21fd84a25e883082c70640fcc255883b637788a7bed4c

SHA512
9d6cf00fd1a66d044f3e100a29e5154eb68e785be97033d277a6255c69e6fb0340c117299e7c4273053205d44f9fde1353e2aa0f19b3589413fe8c90ccacc8c8

Download Submit
\Users\Admin\AppData\Local\Temp\is-2SP3V.tmp\aspsetup.tmp
Filesize
1.2MB

MD5
62ceb818e56ce85ba410f1a290e4d922

SHA1
2165d42d4234e2edfdbf158b12e279b531900af2

SHA256
0d3b947076332280f176f502341cc23a68f110d441d386448f4c7bd6596e405d

SHA512
46df25076588518f9d225d49d41e7d2d3c75705e37fc7a86f0f4a58f24fc897e8fb15a64aa4a27b84923b29f108a876e33b03f2dc54e22380c47091b42787c69

Download Submit
\Users\Admin\AppData\Local\Temp\is-853PP.tmp\isxdl.dll
Filesize
147KB

MD5
4beded47aa9b07f05a56c0f97331d1a4

SHA1
c2b4df1ad01c5f9b7fb60694312444450f285dbe

SHA256
da171a2e0eec75f372d1fc0a69be17a4a7d519908a6f75b76abe6ec7ab71d284

SHA512
488e68d604259d0d2e546edf45429ace33054dbc71098977e82b43c4c97ba341d1a4bdab4170e48a5178423183bb06ff947149cfbeb8b868b4175996b211cfc7

Download Submit
\Users\Admin\AppData\Local\Temp\is-CNQ15.tmp\systweakasp.tmp
Filesize
1.1MB

MD5
d4fde02fb6b4eb1bebc289aca8289ae9

SHA1
9518abb7827a4e5b0eb52ff9221d1224f23c7e06

SHA256
3f8c455ab5e927d205eaf643f8c045c9115f4081049d1319d8ae9894ef21a397

SHA512
f99e61ef419f88ebc8d48298a5eed91e6ce0440f8ca075947a612d46d2ac9cfb66865c898c86bc8b0224c68eab61c396b414ba4c0fd64c71551c90d22cdded5f

Download Submit
\Users\Admin\AppData\Local\Temp\is-EFBMT.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-EFBMT.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-EFBMT.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-HL4FV.tmp\471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
Filesize
1.2MB

MD5
3aabfe33f7b23e5b8409647b6b41996f

SHA1
8653690e9d2bae73243a8203b8dc9c34c5163d72

SHA256
706612698e77b203d3058c2edda371cd5425f325bac7fbe0dfb6d8542dc37b4c

SHA512
2e5ff22d9ff1bab18adeaf2ddde9724e1a14c1488fd5e0beed5196cfcad3f2e110588d7166cebe71f72072bc8ddcdee59b5929c3dd163f9b5e02c88a5e584792

Download Submit
\Users\Admin\AppData\Roaming\ASP\aspsetup.exe
Filesize
9.6MB

MD5
baaf358c8ec9eda3dcdf59d500fbaacd

SHA1
9cfabd299a6c438376d1dec3c160f52c3af93738

SHA256
cd8d06443e9284f56755e64742b9d40c2096efc5c83ca3eba2fb93f80ba5401b

SHA512
63a275bd26452d4d89da23136f97b8d3dbf5576fb7849794992106f75ed31f1cc25e058bdfae788f1295a700a89ec2e5c3ccd40ea60a9c26cb2a66e2939c7520

Download Submit
memory/468-123-0x0000000000000000-mapping.dmp

Download
memory/528-119-0x0000000000000000-mapping.dmp

Download
memory/528-142-0x0000000000000000-mapping.dmp

Download
memory/584-153-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/584-110-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/584-117-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/584-173-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/584-107-0x0000000000000000-mapping.dmp

Download
memory/732-122-0x0000000000000000-mapping.dmp

Download
memory/756-120-0x0000000000000000-mapping.dmp

Download
memory/788-139-0x0000000000000000-mapping.dmp

Download
memory/876-126-0x0000000070ED1000-0x0000000070ED3000-memory.dmp

Filesize
8KB

Download
memory/876-114-0x0000000000000000-mapping.dmp

Download
memory/1096-93-0x0000000000000000-mapping.dmp

Download
memory/1288-125-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1288-175-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1288-96-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1288-90-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1288-87-0x0000000000000000-mapping.dmp

Download
memory/1312-65-0x0000000000000000-mapping.dmp

Download
memory/1324-121-0x0000000000000000-mapping.dmp

Download
memory/1344-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1344-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1344-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1344-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1344-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1364-124-0x0000000000000000-mapping.dmp

Download
memory/1364-147-0x0000000000000000-mapping.dmp

Download
memory/1480-136-0x0000000000000000-mapping.dmp

Download
memory/1480-137-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download
memory/1500-149-0x0000000000000000-mapping.dmp

Download
memory/1536-145-0x0000000000000000-mapping.dmp

Download
memory/1676-103-0x0000000000000000-mapping.dmp

Download
memory/1696-74-0x0000000000000000-mapping.dmp

Download
memory/1740-59-0x0000000000000000-mapping.dmp

Download
memory/1740-68-0x00000000742F1000-0x00000000742F3000-memory.dmp

Filesize
8KB

Download
memory/1992-148-0x0000000000000000-mapping.dmp

Download
memory/2028-132-0x0000000000000000-mapping.dmp

Download
memory/2040-146-0x0000000000000000-mapping.dmp

Download
memory/2056-150-0x0000000000000000-mapping.dmp

Download
memory/2076-151-0x0000000000000000-mapping.dmp

Download
memory/2096-152-0x0000000000000000-mapping.dmp

Download
memory/2124-161-0x0000000001350000-0x0000000001B5C000-memory.dmp

Filesize
8.0MB

Download
memory/2124-157-0x0000000000000000-mapping.dmp

Download
memory/2332-166-0x0000000000000000-mapping.dmp

Download
memory/2332-179-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/2348-168-0x0000000000000000-mapping.dmp

Download
memory/2348-172-0x0000000000BC0000-0x0000000000C60000-memory.dmp

Filesize
640KB

Download
memory/2348-184-0x00000000041F0000-0x0000000004290000-memory.dmp

Filesize
640KB

Download
memory/2548-185-0x0000000000000000-mapping.dmp

Download
memory/2548-187-0x0000000000C40000-0x0000000000C5C000-memory.dmp

Filesize
112KB

Download
memory/2548-188-0x0000000000CB0000-0x0000000000CD0000-memory.dmp

Filesize
128KB

Download