4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23

Analysis

max time kernel
131s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.exe
Size

3.3MB
MD5

c2f748e96d2db66b84c87e6a3465ceca
SHA1

fb87dd59f4b7498550af16fd3b21f44b9f6ac523
SHA256

4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23
SHA512

3c51d52e94a06c31224a0ae52bb383f3a01dcec3693f8fcd6e4ced46bc44e485797ed3201f8880e8a8703fb7f6d62dd974e738fc6a1c64fab1e6b1688cf0de41
SSDEEP

98304:OLeyl6lN3RiDXbkpLHj6u+qHqWRWJU7yii:OjEfsDgpbjCvJUu3

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

Processes:

4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmpTuneupPro.exesystweakasp.exesystweakasp.tmpaspsetup.exeaspsetup.tmpAdvancedSystemProtector.exe

pid	process
3160	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
448	TuneupPro.exe
2724	systweakasp.exe
3156	systweakasp.tmp
3316	aspsetup.exe
1684	aspsetup.tmp
4736	AdvancedSystemProtector.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

svchost.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Systweak\\Advanced System Protector\\aspcontexthelper64.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ThreadingModel = "Apartment"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Systweak\\Advanced System Protector\\aspcontexthelper64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32	svchost.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TuneupPro.exesystweakasp.tmpaspsetup.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	TuneupPro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	systweakasp.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	aspsetup.tmp

Loads dropped DLL 11 IoCs

Processes:

4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmpTuneupPro.exesystweakasp.tmpaspsetup.tmpregsvr32.exesvchost.exeregsvr32.exeregsvr32.exe

pid	process
3160	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
448	TuneupPro.exe
448	TuneupPro.exe
3156	systweakasp.tmp
3156	systweakasp.tmp
3156	systweakasp.tmp
1684	aspsetup.tmp
4128	regsvr32.exe
3160	svchost.exe
3588	regsvr32.exe
1292	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmpaspsetup.tmp

description	ioc	process
File created	C:\Windows\system32\roboot64.exe	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File opened for modification	C:\Windows\system32\roboot64.exe	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Windows\system32\sasnative64.exe	aspsetup.tmp
File opened for modification	C:\Windows\system32\sasnative64.exe	aspsetup.tmp

Drops file in Program Files directory 64 IoCs

Processes:

aspsetup.tmp4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp

description	ioc	process
File created	C:\Program Files (x86)\Advanced System Protector\is-K6E6M.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-AD7JT.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-QA5BN.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-BSG9H.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-D82OP.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-IO3P9.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-F79L5.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\SQLite.Interop.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-N3UT8.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\AspManager.exe	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-EM67O.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-SJIBN.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-GSKP5.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-Q3IHN.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-SFM3D.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-6NFG7.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-HR3KF.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-5IGNM.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\unins000.dat	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Xceed.Compression.Formats.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-GHQP9.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-RD09E.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-IH1KQ.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-10383.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-JNB5T.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-BBRAH.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-MKD7L.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-CDC56.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Xceed.FileSystem.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\unins000.msg	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\unins000.dat	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\xmllite.dll	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-SKS41.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-C7NQR.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-MUVMH.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Interop.IWshRuntimeLibrary.dll	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\systweakasp.exe	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-M10MT.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-1PLF2.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-30K9R.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-NHGMO.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-85M3C.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\AppResource.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-6NT91.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\isxdl.dll	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\scandll.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-5EACU.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-FGOGK.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-04N9Q.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-1OIU5.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-CIS4O.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-1A1GK.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-176M5.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-3THLB.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-EF88A.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-FPDJV.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-KKMC7.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-MN96L.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Microsoft.Win32.TaskScheduler.DLL	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-4FEII.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-JU2EB.tmp	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-CSHM5.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-873UE.tmp	aspsetup.tmp

Drops file in Windows directory 2 IoCs

Processes:

TuneupPro.exe

description	ioc	process
File created	C:\Windows\Tasks\Tuneup Pro_UPDATES.job	TuneupPro.exe
File created	C:\Windows\Tasks\Tuneup Pro_DEFAULT.job	TuneupPro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3968 schtasks.exe

pid	process
3968	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1372 taskkill.exe
3036 taskkill.exe
3160 taskkill.exe
4412 taskkill.exe
3524 taskkill.exe
2492 taskkill.exe

pid	process
1372	taskkill.exe
3036	taskkill.exe
3160	taskkill.exe
4412	taskkill.exe
3524	taskkill.exe
2492	taskkill.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exesvchost.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT AUTHOR\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1 AUTHOR\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID\ = "{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT AUTHOR\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1 AUTHOR\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.ENCODE\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\INPROCSERVER32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Advanced System Protector\ = "{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ThreadingModel = "Apartment"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.COMPACT\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT AUTHOR\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.COMPACT\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT AUTHOR\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c0000000100000004000000001000000f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmpmsedge.exemsedge.exeaspsetup.tmp

pid	process
3160	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
3160	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
5092	msedge.exe
5092	msedge.exe
1100	msedge.exe
1100	msedge.exe
1684	aspsetup.tmp
1684	aspsetup.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

1100 msedge.exe
1100 msedge.exe
1100 msedge.exe
1100 msedge.exe

pid	process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1372	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	3160	taskkill.exe
Token: SeDebugPrivilege	4412	taskkill.exe
Token: SeDebugPrivilege	3524	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmpTuneupPro.exemsedge.exeaspsetup.tmp

pid	process
3160	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
448	TuneupPro.exe
448	TuneupPro.exe
1100	msedge.exe
1100	msedge.exe
1684	aspsetup.tmp

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

TuneupPro.exe

pid process

448 TuneupPro.exe
448 TuneupPro.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

TuneupPro.exe

pid process

448 TuneupPro.exe
448 TuneupPro.exe
448 TuneupPro.exe
448 TuneupPro.exe
448 TuneupPro.exe

pid	process
448	TuneupPro.exe
448	TuneupPro.exe

pid	process
448	TuneupPro.exe
448	TuneupPro.exe
448	TuneupPro.exe
448	TuneupPro.exe
448	TuneupPro.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.exe4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmpmsedge.exeTuneupPro.exesystweakasp.exesystweakasp.tmp

description	pid	process	target process
PID 1636 wrote to memory of 3160	1636	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.exe	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
PID 1636 wrote to memory of 3160	1636	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.exe	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
PID 1636 wrote to memory of 3160	1636	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.exe	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
PID 3160 wrote to memory of 5044	3160	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp	regsvr32.exe
PID 3160 wrote to memory of 5044	3160	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp	regsvr32.exe
PID 3160 wrote to memory of 5044	3160	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp	regsvr32.exe
PID 3160 wrote to memory of 1100	3160	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp	msedge.exe
PID 3160 wrote to memory of 1100	3160	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp	msedge.exe
PID 3160 wrote to memory of 448	3160	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp	TuneupPro.exe
PID 3160 wrote to memory of 448	3160	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp	TuneupPro.exe
PID 3160 wrote to memory of 448	3160	4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp	TuneupPro.exe
PID 1100 wrote to memory of 4036	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 4036	1100	msedge.exe	msedge.exe
PID 448 wrote to memory of 2724	448	TuneupPro.exe	systweakasp.exe
PID 448 wrote to memory of 2724	448	TuneupPro.exe	systweakasp.exe
PID 448 wrote to memory of 2724	448	TuneupPro.exe	systweakasp.exe
PID 2724 wrote to memory of 3156	2724	systweakasp.exe	systweakasp.tmp
PID 2724 wrote to memory of 3156	2724	systweakasp.exe	systweakasp.tmp
PID 2724 wrote to memory of 3156	2724	systweakasp.exe	systweakasp.tmp
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 1272	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 5092	1100	msedge.exe	msedge.exe
PID 1100 wrote to memory of 5092	1100	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3968	3156	systweakasp.tmp	schtasks.exe
PID 3156 wrote to memory of 3968	3156	systweakasp.tmp	schtasks.exe
PID 3156 wrote to memory of 3968	3156	systweakasp.tmp	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.exe
"C:\Users\Admin\AppData\Local\Temp\4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\is-D44JP.tmp\4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D44JP.tmp\4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp" /SL5="$90042,2957012,148992,C:\Users\Admin\AppData\Local\Temp\4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\jscript.dll"
3⤵
- Modifies registry class
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.tuneuppro.com/tupp/afterinstall_sp.asp?utm_content=AfterInstall&utm_term=Setup&page=install&&LangID=en
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffddf8646f8,0x7ffddf864708,0x7ffddf864718
4⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,4546955276313364799,10817693186295728979,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
4⤵
PID:1272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,4546955276313364799,10817693186295728979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,4546955276313364799,10817693186295728979,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3132 /prefetch:8
4⤵
PID:3328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4546955276313364799,10817693186295728979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
4⤵
PID:628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4546955276313364799,10817693186295728979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
4⤵
PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1916,4546955276313364799,10817693186295728979,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5056 /prefetch:8
4⤵
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1916,4546955276313364799,10817693186295728979,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5756 /prefetch:8
4⤵
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4546955276313364799,10817693186295728979,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
4⤵
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4546955276313364799,10817693186295728979,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
4⤵
PID:4324

C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe
"C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:448

C:\Program Files (x86)\Tuneup Pro\systweakasp.exe
"C:\Program Files (x86)\Tuneup Pro\systweakasp.exe" /verysilent
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\is-8OQ82.tmp\systweakasp.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8OQ82.tmp\systweakasp.tmp" /SL5="$1032C,193643,132096,C:\Program Files (x86)\Tuneup Pro\systweakasp.exe" /verysilent
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ASP" /tr "\"C:\Program Files (x86)\Tuneup Pro\systweakasp.exe\" /verysilent" /sc onlogon /RL Highest /F
6⤵
- Creates scheduled task(s)
PID:3968

C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe
"C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe" /verysilent
6⤵
- Executes dropped EXE
PID:3316

C:\Users\Admin\AppData\Local\Temp\is-F6C20.tmp\aspsetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F6C20.tmp\aspsetup.tmp" /SL5="$301E6,9529906,134144,C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe" /verysilent
7⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1684

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "systemprotector.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "advancedsystemprotector.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "aspmanager.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "asp.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "BrowserCleaner.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "ASPNotifier.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
8⤵
- Loads dropped DLL
PID:4128

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
9⤵
PID:3160

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
8⤵
- Loads dropped DLL
PID:3588

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
9⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1292

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector" /f
8⤵
PID:2280

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector_101" /f
8⤵
PID:3696

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector_startup" /f
8⤵
PID:3148

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector_runonce" /f
8⤵
PID:3912

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "systweakasp" /f
8⤵
PID:2272

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "AdvancedSystemProtectorNotifier" /f
8⤵
PID:4732

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "AdvancedSystemProtectorNotifier_startup" /f
8⤵
PID:100

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "AdvancedSystemProtectorNotifier_trigger" /f
8⤵
PID:3524

C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
"C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe" loadvalues
8⤵
- Executes dropped EXE
PID:4736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:3160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe.config
Filesize
9KB

MD5
a284ffaae3af04444474a18803ee2aa3

SHA1
ee173016d79f8031960edecba19160c928e3492e

SHA256
4931f6936709ad3012b8838b3e619bb8e43785c001ec2974a2ecb8041afe4c96

SHA512
f52a13cbcc6878bc510e3010b2d532c7d26dc237555cabcf8daad26be0777ffc3336174a67bba60b33d4708241a90d7d2be86e9cc319f07f39056664f5b6f920

Download Submit
C:\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll
Filesize
373KB

MD5
e057bfd75665a9326919008b08870acf

SHA1
ccefd28d344663184a8dd9271d9266dee4d6d67b

SHA256
c3d0211dbc8897b4d04f063f598ac2a14977b7d8ee9d4326dd41eb79d3a8d648

SHA512
68690123f9e75ba5975e2ad701729c012cda0c735d9dece9618576bf500d57f64a36f7f3528ce89fd41db63974e3a3c568ec3673b5711a9d35eec280ef3edc55

Download Submit
C:\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll
Filesize
373KB

MD5
e057bfd75665a9326919008b08870acf

SHA1
ccefd28d344663184a8dd9271d9266dee4d6d67b

SHA256
c3d0211dbc8897b4d04f063f598ac2a14977b7d8ee9d4326dd41eb79d3a8d648

SHA512
68690123f9e75ba5975e2ad701729c012cda0c735d9dece9618576bf500d57f64a36f7f3528ce89fd41db63974e3a3c568ec3673b5711a9d35eec280ef3edc55

Download Submit
C:\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll
Filesize
373KB

MD5
e057bfd75665a9326919008b08870acf

SHA1
ccefd28d344663184a8dd9271d9266dee4d6d67b

SHA256
c3d0211dbc8897b4d04f063f598ac2a14977b7d8ee9d4326dd41eb79d3a8d648

SHA512
68690123f9e75ba5975e2ad701729c012cda0c735d9dece9618576bf500d57f64a36f7f3528ce89fd41db63974e3a3c568ec3673b5711a9d35eec280ef3edc55

Download Submit
C:\Program Files (x86)\Tuneup Pro\FileList.rcp
Filesize
13KB

MD5
856e0fd8e725e175568c9750045829ee

SHA1
983678d82e63f181d2d77f42d7fde27eab317432

SHA256
171099dece5d940339136025019c7cbcb5b6959b40e1eccddb318db419f69442

SHA512
ffa7f5a67e91368f1651976843c40fe670882f0ef3b20f466f05bd1728844d31f489755a4f6a7f502dfd03a31053140a0d1a35c2ada29f823b17e82519ab382d

Download Submit
C:\Program Files (x86)\Tuneup Pro\RegList.rcp
Filesize
89KB

MD5
5e301389550a01b7d10b5666a327624c

SHA1
0000d901de7debd1ef579ddf64df92b932912224

SHA256
2b7250211f050bd11bf7ab5d296aba46ccb88875b8bf4b8154a382277144c36e

SHA512
d58d1eda01a77985beaec96a006b2e7708f6c6c6553a474f39a2cd1c858aa71c7eca23dbc983fdad2d996fc296ffbc554eac1e5869d96944733ee574d7a6dbab

Download Submit
C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe
Filesize
7.3MB

MD5
be2ce71fc87a375f96665b980ec59f7b

SHA1
5ecad41aee09c73f8f7bf1d8d49bea7a222fff85

SHA256
88967773ef715fa98dc87a529d8d0e2f9d3e4783fab33e30f2df88df2a81bc76

SHA512
1a5e44396114afd5ad4b51eeba4ec4a08c07b8664836acc126c6c255ed023e8cc5d7fa9104bde8c703d45b45d4ac02cb6e5983f26cd55efec13f5ba723918e05

Download Submit
C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe
Filesize
7.3MB

MD5
be2ce71fc87a375f96665b980ec59f7b

SHA1
5ecad41aee09c73f8f7bf1d8d49bea7a222fff85

SHA256
88967773ef715fa98dc87a529d8d0e2f9d3e4783fab33e30f2df88df2a81bc76

SHA512
1a5e44396114afd5ad4b51eeba4ec4a08c07b8664836acc126c6c255ed023e8cc5d7fa9104bde8c703d45b45d4ac02cb6e5983f26cd55efec13f5ba723918e05

Download Submit
C:\Program Files (x86)\Tuneup Pro\XmlLite.dll
Filesize
124KB

MD5
71a2dca8f626fcef8bff7e2c17c67a7f

SHA1
5aaea93ec3f4d722d7ea0c2d86bc4f3cbdce5c92

SHA256
b55a978443ef0b873875910283bedfab0c3133bac7be72a68ed5146f83f1ef8c

SHA512
5244918679eba6e7af8e367c66c3d1bdcfa2323400994ecda37ccd697fb28b52ffdad992650929ec98b98ae9e0213074368a8881c6a62e48579c30f17051a17d

Download Submit
C:\Program Files (x86)\Tuneup Pro\eng_rcp.ini
Filesize
83KB

MD5
bbf623a44f466bf544d2418f4473a7e4

SHA1
684e3b0396a143d23f64c3eda59f6b29291cf967

SHA256
115fa830c0087b531655bc2974522d924405f718289c57769e9aae44c7b116d5

SHA512
e6d3a359f63c34d3457e8c2c56addf8d90cf7ac7e99db6545fc6a3f713fb4b0f631d6aa75da7064effdb4df6001aa7a65e06a010cbeaf561cf865b4c3dc0670e

Download Submit
C:\Program Files (x86)\Tuneup Pro\isxdl.dll
Filesize
153KB

MD5
16429d91b2a28595e3bb5f6a48faa705

SHA1
aa195a50f21cf8935c7031543215151214c6ef4b

SHA256
1b141a14ed518bf01f847d893e282b831d0f0cee87919bc2e98e54a3c80f5471

SHA512
a6f0ba9812c2bf8b6ddac02fff963ad062a7f7fc08ee238d680e32eccb741f7875954765a5e86a2cd3ae0be72cd5b773a9c67425dfb106ecef8e285cdf02ad64

Download Submit
C:\Program Files (x86)\Tuneup Pro\isxdl.dll
Filesize
153KB

MD5
16429d91b2a28595e3bb5f6a48faa705

SHA1
aa195a50f21cf8935c7031543215151214c6ef4b

SHA256
1b141a14ed518bf01f847d893e282b831d0f0cee87919bc2e98e54a3c80f5471

SHA512
a6f0ba9812c2bf8b6ddac02fff963ad062a7f7fc08ee238d680e32eccb741f7875954765a5e86a2cd3ae0be72cd5b773a9c67425dfb106ecef8e285cdf02ad64

Download Submit
C:\Program Files (x86)\Tuneup Pro\systweakasp.exe
Filesize
579KB

MD5
8f2ca56d9c7c425facbe535745092ff2

SHA1
f2cbbe9867a40a0928542dace51d8b94957dfcac

SHA256
0c4e44adbd402f42a65bfdd4143a874b76bca9e3a51af3ede9268489e37a8bc4

SHA512
a19cdddd7c9f4bea90e64b03c5f3635d07e25545d35a020ee10de1a79b61748e8673aac179746dce334338d536fdc71ba24479b9cf643e5550ecca3af5c9990e

Download Submit
C:\Program Files (x86)\Tuneup Pro\systweakasp.exe
Filesize
579KB

MD5
8f2ca56d9c7c425facbe535745092ff2

SHA1
f2cbbe9867a40a0928542dace51d8b94957dfcac

SHA256
0c4e44adbd402f42a65bfdd4143a874b76bca9e3a51af3ede9268489e37a8bc4

SHA512
a19cdddd7c9f4bea90e64b03c5f3635d07e25545d35a020ee10de1a79b61748e8673aac179746dce334338d536fdc71ba24479b9cf643e5550ecca3af5c9990e

Download Submit
C:\Program Files (x86)\Tuneup Pro\xmllite.dll
Filesize
124KB

MD5
71a2dca8f626fcef8bff7e2c17c67a7f

SHA1
5aaea93ec3f4d722d7ea0c2d86bc4f3cbdce5c92

SHA256
b55a978443ef0b873875910283bedfab0c3133bac7be72a68ed5146f83f1ef8c

SHA512
5244918679eba6e7af8e367c66c3d1bdcfa2323400994ecda37ccd697fb28b52ffdad992650929ec98b98ae9e0213074368a8881c6a62e48579c30f17051a17d

Download Submit
C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6REEU.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6REEU.tmp\isxdl.dll
Filesize
152KB

MD5
1e95c2a4d1c4f57b67cca6ab4c2c8b91

SHA1
9c9501210b5469c1a390f5f44674dde5ece10b09

SHA256
31163bd401dd84733cb21fd84a25e883082c70640fcc255883b637788a7bed4c

SHA512
9d6cf00fd1a66d044f3e100a29e5154eb68e785be97033d277a6255c69e6fb0340c117299e7c4273053205d44f9fde1353e2aa0f19b3589413fe8c90ccacc8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6REEU.tmp\isxdl.dll
Filesize
152KB

MD5
1e95c2a4d1c4f57b67cca6ab4c2c8b91

SHA1
9c9501210b5469c1a390f5f44674dde5ece10b09

SHA256
31163bd401dd84733cb21fd84a25e883082c70640fcc255883b637788a7bed4c

SHA512
9d6cf00fd1a66d044f3e100a29e5154eb68e785be97033d277a6255c69e6fb0340c117299e7c4273053205d44f9fde1353e2aa0f19b3589413fe8c90ccacc8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8OQ82.tmp\systweakasp.tmp
Filesize
1.1MB

MD5
d4fde02fb6b4eb1bebc289aca8289ae9

SHA1
9518abb7827a4e5b0eb52ff9221d1224f23c7e06

SHA256
3f8c455ab5e927d205eaf643f8c045c9115f4081049d1319d8ae9894ef21a397

SHA512
f99e61ef419f88ebc8d48298a5eed91e6ce0440f8ca075947a612d46d2ac9cfb66865c898c86bc8b0224c68eab61c396b414ba4c0fd64c71551c90d22cdded5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8OQ82.tmp\systweakasp.tmp
Filesize
1.1MB

MD5
d4fde02fb6b4eb1bebc289aca8289ae9

SHA1
9518abb7827a4e5b0eb52ff9221d1224f23c7e06

SHA256
3f8c455ab5e927d205eaf643f8c045c9115f4081049d1319d8ae9894ef21a397

SHA512
f99e61ef419f88ebc8d48298a5eed91e6ce0440f8ca075947a612d46d2ac9cfb66865c898c86bc8b0224c68eab61c396b414ba4c0fd64c71551c90d22cdded5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D44JP.tmp\4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
Filesize
1.2MB

MD5
3aabfe33f7b23e5b8409647b6b41996f

SHA1
8653690e9d2bae73243a8203b8dc9c34c5163d72

SHA256
706612698e77b203d3058c2edda371cd5425f325bac7fbe0dfb6d8542dc37b4c

SHA512
2e5ff22d9ff1bab18adeaf2ddde9724e1a14c1488fd5e0beed5196cfcad3f2e110588d7166cebe71f72072bc8ddcdee59b5929c3dd163f9b5e02c88a5e584792

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D44JP.tmp\4655c1448795668c21904ce39b61dbf2aa278df7d0ade347352bf6405ca83b23.tmp
Filesize
1.2MB

MD5
3aabfe33f7b23e5b8409647b6b41996f

SHA1
8653690e9d2bae73243a8203b8dc9c34c5163d72

SHA256
706612698e77b203d3058c2edda371cd5425f325bac7fbe0dfb6d8542dc37b4c

SHA512
2e5ff22d9ff1bab18adeaf2ddde9724e1a14c1488fd5e0beed5196cfcad3f2e110588d7166cebe71f72072bc8ddcdee59b5929c3dd163f9b5e02c88a5e584792

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DVLB1.tmp\isxdl.dll
Filesize
147KB

MD5
4beded47aa9b07f05a56c0f97331d1a4

SHA1
c2b4df1ad01c5f9b7fb60694312444450f285dbe

SHA256
da171a2e0eec75f372d1fc0a69be17a4a7d519908a6f75b76abe6ec7ab71d284

SHA512
488e68d604259d0d2e546edf45429ace33054dbc71098977e82b43c4c97ba341d1a4bdab4170e48a5178423183bb06ff947149cfbeb8b868b4175996b211cfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F5QG8.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F6C20.tmp\aspsetup.tmp
Filesize
1.2MB

MD5
62ceb818e56ce85ba410f1a290e4d922

SHA1
2165d42d4234e2edfdbf158b12e279b531900af2

SHA256
0d3b947076332280f176f502341cc23a68f110d441d386448f4c7bd6596e405d

SHA512
46df25076588518f9d225d49d41e7d2d3c75705e37fc7a86f0f4a58f24fc897e8fb15a64aa4a27b84923b29f108a876e33b03f2dc54e22380c47091b42787c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F6C20.tmp\aspsetup.tmp
Filesize
1.2MB

MD5
62ceb818e56ce85ba410f1a290e4d922

SHA1
2165d42d4234e2edfdbf158b12e279b531900af2

SHA256
0d3b947076332280f176f502341cc23a68f110d441d386448f4c7bd6596e405d

SHA512
46df25076588518f9d225d49d41e7d2d3c75705e37fc7a86f0f4a58f24fc897e8fb15a64aa4a27b84923b29f108a876e33b03f2dc54e22380c47091b42787c69

Download Submit
C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe
Filesize
9.6MB

MD5
baaf358c8ec9eda3dcdf59d500fbaacd

SHA1
9cfabd299a6c438376d1dec3c160f52c3af93738

SHA256
cd8d06443e9284f56755e64742b9d40c2096efc5c83ca3eba2fb93f80ba5401b

SHA512
63a275bd26452d4d89da23136f97b8d3dbf5576fb7849794992106f75ed31f1cc25e058bdfae788f1295a700a89ec2e5c3ccd40ea60a9c26cb2a66e2939c7520

Download Submit
C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe
Filesize
9.6MB

MD5
baaf358c8ec9eda3dcdf59d500fbaacd

SHA1
9cfabd299a6c438376d1dec3c160f52c3af93738

SHA256
cd8d06443e9284f56755e64742b9d40c2096efc5c83ca3eba2fb93f80ba5401b

SHA512
63a275bd26452d4d89da23136f97b8d3dbf5576fb7849794992106f75ed31f1cc25e058bdfae788f1295a700a89ec2e5c3ccd40ea60a9c26cb2a66e2939c7520

Download Submit
\??\pipe\LOCAL\crashpad_1100_LTTUYTREONLPVUYR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/100-220-0x0000000000000000-mapping.dmp

Download
memory/448-142-0x0000000000000000-mapping.dmp

Download
memory/628-176-0x0000000000000000-mapping.dmp

Download
memory/1100-141-0x0000000000000000-mapping.dmp

Download
memory/1272-167-0x0000000000000000-mapping.dmp

Download
memory/1292-212-0x0000000000000000-mapping.dmp

Download
memory/1372-189-0x0000000000000000-mapping.dmp

Download
memory/1616-199-0x0000000000000000-mapping.dmp

Download
memory/1636-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1636-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1636-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1636-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1684-186-0x0000000000000000-mapping.dmp

Download
memory/2272-218-0x0000000000000000-mapping.dmp

Download
memory/2280-214-0x0000000000000000-mapping.dmp

Download
memory/2492-197-0x0000000000000000-mapping.dmp

Download
memory/2724-155-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2724-153-0x0000000000000000-mapping.dmp

Download
memory/2724-179-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2724-160-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3036-193-0x0000000000000000-mapping.dmp

Download
memory/3148-216-0x0000000000000000-mapping.dmp

Download
memory/3156-164-0x0000000007440000-0x000000000746A000-memory.dmp

Filesize
168KB

Download
memory/3156-157-0x0000000000000000-mapping.dmp

Download
memory/3160-208-0x0000000000000000-mapping.dmp

Download
memory/3160-194-0x0000000000000000-mapping.dmp

Download
memory/3160-134-0x0000000000000000-mapping.dmp

Download
memory/3316-180-0x0000000000000000-mapping.dmp

Download
memory/3316-182-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3316-185-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3316-192-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3328-171-0x0000000000000000-mapping.dmp

Download
memory/3524-196-0x0000000000000000-mapping.dmp

Download
memory/3524-221-0x0000000000000000-mapping.dmp

Download
memory/3588-210-0x0000000000000000-mapping.dmp

Download
memory/3696-215-0x0000000000000000-mapping.dmp

Download
memory/3904-191-0x0000000000000000-mapping.dmp

Download
memory/3912-217-0x0000000000000000-mapping.dmp

Download
memory/3968-169-0x0000000000000000-mapping.dmp

Download
memory/4036-148-0x0000000000000000-mapping.dmp

Download
memory/4128-205-0x0000000000000000-mapping.dmp

Download
memory/4324-203-0x0000000000000000-mapping.dmp

Download
memory/4412-195-0x0000000000000000-mapping.dmp

Download
memory/4580-178-0x0000000000000000-mapping.dmp

Download
memory/4732-219-0x0000000000000000-mapping.dmp

Download
memory/4736-222-0x0000000000000000-mapping.dmp

Download
memory/4736-226-0x0000000000850000-0x000000000105C000-memory.dmp

Filesize
8.0MB

Download
memory/4736-227-0x0000000006170000-0x0000000006714000-memory.dmp

Filesize
5.6MB

Download
memory/4736-231-0x0000000005A70000-0x0000000005AD0000-memory.dmp

Filesize
384KB

Download
memory/4848-201-0x0000000000000000-mapping.dmp

Download
memory/5044-139-0x0000000000000000-mapping.dmp

Download
memory/5092-168-0x0000000000000000-mapping.dmp

Download