be3fbcad1be801f5e104939a95609fad8ee2ad37a04d82cf508c436fc95e6d1a

Resubmissions

31/12/2022, 18:35

221231-w8czqadd7v 8

31/12/2022, 18:29

221231-w4wahadd6t 3

Analysis

max time kernel
592s
max time network
624s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2022, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FL Studio 20.8.4.2576 Setup.exe
Size

987.0MB
MD5

f148819cd143681f6f95f8b73eb2dca1
SHA1

0e49eecec62d54d5c2c604d3f8a45b53d412c051
SHA256

be3fbcad1be801f5e104939a95609fad8ee2ad37a04d82cf508c436fc95e6d1a
SHA512

182df4408982786959f551d9df2a7a5ce0377371e44cbf959b3f1e491de1c1429e8cac656a7b7c7bdcf4cc47e1343ccc2e106a9f1fe6e722a3b05dc296a03ae3
SSDEEP

25165824:h3Kk3ALjdjnhakD3gzEwYKyGUSeJxNIgalPDNwcA:BlIVhaLzEwYKyGZeJxNMlrNlA

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3400	FL Studio Setup.exe
3076	flstudio_win_20.8.4.2576.exe
4264	Asio4All.exe
4232	A4ARegFix.exe
4908	FL64.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{232685C6-6548-49D8-846D-4141A3EF7560}\InprocServer32\ = "C:\\Program Files (x86)\\ASIO4ALL v2\\asio4all64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{188135E1-7171-3434-854F-01A3C71F3DF9}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{188135E1-7171-3434-854F-01A3C71F3DF9}\InprocServer32\ = "c:\\program files\\image-line\\fl studio asio\\ilwasapi2asio_x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{188135E1-7171-3434-854F-01A3C71F3DF9}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{232685C6-6548-49D8-846D-4141A3EF7560}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{232685C6-6548-49D8-846D-4141A3EF7560}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	FL Studio 20.8.4.2576 Setup.exe

Loads dropped DLL 64 IoCs

pid	Process
3400	FL Studio Setup.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe
3076	flstudio_win_20.8.4.2576.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Instruments\Keyboard\Close Grand\desktop.ini	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Instruments\Keyboard\Close Grand\desktop.ini	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Toxic Biohazard\Presets\X Nucleon\desktop.ini	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Toxic Biohazard\Presets\X Nucleon\desktop.ini	flstudio_win_20.8.4.2576.exe
File created	C:\Users\Admin\Documents\Image-Line\Toxic Biohazard\X Nucleon\desktop.ini	FL64.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Drums\Percussion\707 Tamb.wav	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Drums (ModeAudio)\Claps\HouseGen Clap 03.wv	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Legacy\Instruments\Pads\PAD_LightWaves.wav	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\FL Studio Mobile\Installed\Synth Presets2\SuperSaw\Pads\Evolving.flmpst	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Drums\Kits\Rock\snare 38.wav	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Drums (ModeAudio)\Snares\Attack Snare 40.wv	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Generators\Harmless\X Nucleon\Bass\Teeth.fst	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Sawer\Presets\Bass\MC Rock Lite.sawer	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Generators\Sytrus\Organ\4 drawbars.fst	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\System\Plugin databases\Plugin database (simple)\Effects\Misc\Vocodex.fst	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Effects\Fruity WaveShaper\Softmunched.fst	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\ZGameEditor Visualizer\ComboWizard\Identification\Vinyl - Only Label Small.fst	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Scores\FPC drumloops\Percussion Loops\Blam's Hand Percussion Loops\fpc_percussion_06.mid	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\ZGameEditor Visualizer\Effects\Patterns\Diamond Octagon Truchet Pattern.zgeproj	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\PoiZone\Banks\Default\LED Solo Pick ToTc.fxp	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\PoiZone\Banks\Default\GATE SkyBlue TC.fxp	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Drums\Kits\Jayce Lewis\JL Hat Overhead Closed Hat 02.flac	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Drums (ModeAudio)\Snares\Attack Snare 20.wv	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Effects\Fruity Convolver\Corridors\Stairwell Inner (Open).fst	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Drumpad\Drum Patches\Cymbals\Electro Crash 03.dmpatch	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Drums\Kits\HQ Funk Kit\Crash HQ Funk #4.wav	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Generators\Sytrus\Bell\Piano.fst	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\FL Studio Mobile\Installed\Synth Presets2\GMSynth\Bass\DX.flgsynth	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\ZGameEditor Visualizer\Effects\HUD\prefabs\basic shapes\star5.svg	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Generators\Drumpad\Tom-Toms\HipHop HiTom 04.fst	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Speech\EasyOnTheCut.speech	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Drumpad\Drum Patches\Snares\Dance Snare 31.dmpatch	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Generators\Sytrus\Arp\Echoes 2.fst	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Scores\FPC drumloops\Drum And Bass Loops\fpc_drumandbassss_09.mid	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Drumpad\Drum Patches\Percussion\Electro Blip 02.dmpatch	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Legacy\Instruments\Orchestral\Trombone\22 TRO MLON B2ogg.wav	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\System\Plugin databases\Plugin database (simple)\Generators\Drum\Slicex.fst	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Dashboard\Artwork\Default\Digits_15.ini	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Drums\Kits\Rock\snare_oh 01.wav	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Drums (ModeAudio)\Hi Hats\Power OHat 05.wv	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Generators\Harmless\X Olbaid\Pad\Pad Vapor.fst	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Drumpad\Drum Patches\HiHats\Dance Hat Op 01.dmpatch	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Drumpad\Drum Patches\HiHats\House Hat Cl 01.dmpatch	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Effects\Fruity X-Y controller\Default.fst	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Dashboard\Artwork\XP30\RolandXP30Slider.ini	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Toxic Biohazard\Presets\Sequences\Space Balls ToTc.tbio	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Drums\Kits\Rock\tom1_oh 01.wav	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Drums (ModeAudio)\Hi Hats\Downstream OHat 11.wv	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Effects\Fruity Flangus\Surround flanger.fst	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Generators\Sytrus\X Saif Sameer\Basses\OPM.fst	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Channel presets\3x Osc\Synth bass 4.fst	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Generators\Drumpad\HiHats\Lo-Fi Hat Cl 02.fst	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Generators\Drumpad\Tom-Toms\Lo-Fi LoTom 03.fst	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\GMS\Synth Programs\Leads & Synths\Soup.gmsynth	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Effects\Fruity Limiter\Transient shaping.fst	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Generators\Harmless\X Nucleon\SFX\Scanner.fst	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\System\MIDI import\072 Clarinet.fst	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\ZGameEditor Visualizer\Effects\HUD\prefabs\lines\lines\line-057.ilv	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\FL Studio Mobile\Installed\Effect Presets\Leveler\Default.flmpst	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Drums\Kits\HQ Metal Kit\Snare Rim HQ Metal #4.wav	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Instruments\Keyboard\Stage Grand\Stage Grand 47.wav	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Plugin presets\Effects\Fruity Convolver\Reverb Devices\Evnt - Town Hall (Rear).fst	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\ZGameEditor Visualizer\ComboWizard\GroupPresets\Portrait - Color Blobs.fst	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Drumaxx\Drum Patches\Percussion\Jack in the Box 02.dmpatch	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Drumpad\Drum Patches\Tom-Toms\Electro MidTom 02.dmpatch	flstudio_win_20.8.4.2576.exe
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\PoiZone\Banks\Xenos Soundworks\PAD Crystaline 80s.fxp	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Packs\Drums (ModeAudio)\Foley\MA Tub Thud 03.wv	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Data\Patches\Scores\FPC drumloops\Drum And Bass Loops\fpc_drumandbassss_27.mid	flstudio_win_20.8.4.2576.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Drumaxx\Drum Patches\Tom-Toms\Acoustic LoTom 10.dmpatch	flstudio_win_20.8.4.2576.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FL.exe = "11001"	flstudio_win_20.8.4.2576.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FL (scaled).exe = "11001"	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	flstudio_win_20.8.4.2576.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FL64.exe = "11001"	flstudio_win_20.8.4.2576.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FL64 (scaled).exe = "11001"	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	flstudio_win_20.8.4.2576.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	FL64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	FL64.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\FL32.flp.20\shell	flstudio_win_20.8.4.2576.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\FL32.fst.20\shell\open\FriendlyAppName = "FL Studio 20 (32bit)"	flstudio_win_20.8.4.2576.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{232685C6-6548-49D8-846D-4141A3EF7560}\InprocServer32\ = "C:\\Program Files (x86)\\ASIO4ALL v2\\asio4all64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	FL64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\FL32.flp.20\DefaultIcon	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\MACHINE\Software\Classes\FL64.flp.20\DefaultIcon	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\FL64.fsc.20\shell\open\command	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	FL64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	FL64.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\FL32.flp.20\shell\open	flstudio_win_20.8.4.2576.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232685C6-6548-49D8-846D-4141A3EF7560}\ = "ASIO4ALL v2"	Asio4All.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232685C6-6548-49D8-846D-4141A3EF7560}\InprocServer32	Asio4All.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.flp\OpenWithProgids\FL32.flp.20	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{232685C6-6548-49D8-846D-4141A3EF7560}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	FL64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FL32.flp.20\FriendlyTypeName = "FL Studio project file"	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\MACHINE\Software\Classes\FL32.fsc.20	flstudio_win_20.8.4.2576.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FL64.fst.20\FriendlyTypeName = "FL Studio preset file"	flstudio_win_20.8.4.2576.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FL32.fsc.20\ = "FL Studio score file"	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.fst\OpenWithProgids	flstudio_win_20.8.4.2576.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	FL64.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	FL64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FL32.flp.20\DefaultIcon\ = "C:\\Program Files\\Image-Line\\FL Studio 20\\FL.exe,0"	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\FL64.flp.20\shell\open\command	flstudio_win_20.8.4.2576.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\FL64.fsc.20\shell\open\FriendlyAppName = "FL Studio 20 (64bit)"	flstudio_win_20.8.4.2576.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FL64.fst.20\ = "FL Studio preset file"	flstudio_win_20.8.4.2576.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\FL32.flp.20\shell\open\command\ = "\"C:\\Program Files\\Image-Line\\FL Studio 20\\FL.exe\" \"%1\""	flstudio_win_20.8.4.2576.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	FL64.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	FL64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	FL64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	FL64.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	FL64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	FL64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FL32.fst.20\FriendlyTypeName = "FL Studio preset file"	flstudio_win_20.8.4.2576.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{188135E1-7171-3434-854F-01A3C71F3DF9}\ = "FL Studio ASIO"	flstudio_win_20.8.4.2576.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{188135E1-7171-3434-854F-01A3C71F3DF9}\InprocServer32\ThreadingModel = "Apartment"	flstudio_win_20.8.4.2576.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	FL64.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	FL64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FL32.fst.20\DefaultIcon\ = "C:\\Program Files\\Image-Line\\FL Studio 20\\FL.exe,0"	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\FL64.flp.20	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\FL32.fst.20	flstudio_win_20.8.4.2576.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	FL64.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\FL64.fst.20\shell	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	FL64.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	FL64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	FL64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FL64.fsc.20\DefaultIcon\ = "C:\\Program Files\\Image-Line\\FL Studio 20\\FL64.exe,0"	flstudio_win_20.8.4.2576.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\FL64.flp.20\shell\open\FriendlyAppName = "FL Studio 20 (64bit)"	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\FL32.fst.20\shell	flstudio_win_20.8.4.2576.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\FL32.fst.20\shell\open\command\ = "\"C:\\Program Files\\Image-Line\\FL Studio 20\\FL.exe\" \"%1\""	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{232685C6-6548-49D8-846D-4141A3EF7560}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	FL64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	FL64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FL32.flp.20\ = "FL Studio project file"	flstudio_win_20.8.4.2576.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\FL64.flp.20\shell\open\command\ = "\"C:\\Program Files\\Image-Line\\FL Studio 20\\FL64.exe\" \"%1\""	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\FL64.fsc.20\shell	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.fsc	flstudio_win_20.8.4.2576.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	FL64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.fst\ = "FL64.fst.20"	flstudio_win_20.8.4.2576.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{188135E1-7171-3434-854F-01A3C71F3DF9}	flstudio_win_20.8.4.2576.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	FL64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\FL32.flp.20	flstudio_win_20.8.4.2576.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1776	powershell.exe
1776	powershell.exe
1280	powershell.exe
1280	powershell.exe
4476	powershell.exe
4476	powershell.exe
316	powershell.exe
316	powershell.exe
3256	powershell.exe
3256	powershell.exe
1596	powershell.exe
1596	powershell.exe
4560	powershell.exe
4560	powershell.exe
3644	powershell.exe
3644	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: 33	1140	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1140	AUDIODG.EXE
Token: 33	4908	FL64.exe
Token: SeIncBasePriorityPrivilege	4908	FL64.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4908	FL64.exe
4908	FL64.exe
4908	FL64.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3400	FL Studio Setup.exe
3076	flstudio_win_20.8.4.2576.exe
4264	Asio4All.exe
4908	FL64.exe
4908	FL64.exe
4908	FL64.exe
4908	FL64.exe
4908	FL64.exe
4908	FL64.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 3400	2100	FL Studio 20.8.4.2576 Setup.exe	89
PID 2100 wrote to memory of 3400	2100	FL Studio 20.8.4.2576 Setup.exe	89
PID 2100 wrote to memory of 3400	2100	FL Studio 20.8.4.2576 Setup.exe	89
PID 3400 wrote to memory of 3076	3400	FL Studio Setup.exe	91
PID 3400 wrote to memory of 3076	3400	FL Studio Setup.exe	91
PID 3400 wrote to memory of 3076	3400	FL Studio Setup.exe	91
PID 3076 wrote to memory of 1776	3076	flstudio_win_20.8.4.2576.exe	109
PID 3076 wrote to memory of 1776	3076	flstudio_win_20.8.4.2576.exe	109
PID 3076 wrote to memory of 1280	3076	flstudio_win_20.8.4.2576.exe	111
PID 3076 wrote to memory of 1280	3076	flstudio_win_20.8.4.2576.exe	111
PID 3076 wrote to memory of 4476	3076	flstudio_win_20.8.4.2576.exe	113
PID 3076 wrote to memory of 4476	3076	flstudio_win_20.8.4.2576.exe	113
PID 3076 wrote to memory of 316	3076	flstudio_win_20.8.4.2576.exe	115
PID 3076 wrote to memory of 316	3076	flstudio_win_20.8.4.2576.exe	115
PID 3076 wrote to memory of 3256	3076	flstudio_win_20.8.4.2576.exe	117
PID 3076 wrote to memory of 3256	3076	flstudio_win_20.8.4.2576.exe	117
PID 3076 wrote to memory of 1596	3076	flstudio_win_20.8.4.2576.exe	119
PID 3076 wrote to memory of 1596	3076	flstudio_win_20.8.4.2576.exe	119
PID 3076 wrote to memory of 4560	3076	flstudio_win_20.8.4.2576.exe	122
PID 3076 wrote to memory of 4560	3076	flstudio_win_20.8.4.2576.exe	122
PID 3076 wrote to memory of 3644	3076	flstudio_win_20.8.4.2576.exe	123
PID 3076 wrote to memory of 3644	3076	flstudio_win_20.8.4.2576.exe	123
PID 3076 wrote to memory of 4264	3076	flstudio_win_20.8.4.2576.exe	126
PID 3076 wrote to memory of 4264	3076	flstudio_win_20.8.4.2576.exe	126
PID 3076 wrote to memory of 4264	3076	flstudio_win_20.8.4.2576.exe	126
PID 4264 wrote to memory of 4940	4264	Asio4All.exe	127
PID 4264 wrote to memory of 4940	4264	Asio4All.exe	127
PID 4264 wrote to memory of 4940	4264	Asio4All.exe	127
PID 4940 wrote to memory of 2224	4940	regsvr32.exe	128
PID 4940 wrote to memory of 2224	4940	regsvr32.exe	128
PID 4264 wrote to memory of 4232	4264	Asio4All.exe	129
PID 4264 wrote to memory of 4232	4264	Asio4All.exe	129
PID 3076 wrote to memory of 2660	3076	flstudio_win_20.8.4.2576.exe	131
PID 3076 wrote to memory of 2660	3076	flstudio_win_20.8.4.2576.exe	131

C:\Users\Admin\AppData\Local\Temp\FL Studio 20.8.4.2576 Setup.exe
"C:\Users\Admin\AppData\Local\Temp\FL Studio 20.8.4.2576 Setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL Studio Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL Studio Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\flstudio_win_20.8.4.2576.exe
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\flstudio_win_20.8.4.2576.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3256
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3644
  - - C:\Program Files\Image-Line\FL Studio 20\Asio4All.exe
      "C:\Program Files\Image-Line\FL Studio 20\Asio4All.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4264
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" -s "C:\Program Files (x86)\ASIO4ALL v2\asio4all64.dll"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4940
      - C:\Windows\system32\regsvr32.exe
        
        -s "C:\Program Files (x86)\ASIO4ALL v2\asio4all64.dll"
        6⤵
        Registers COM server for autorun
        Modifies registry class
        
        PID:2224
    - - C:\Program Files (x86)\ASIO4ALL v2\A4ARegFix.exe
        
        "C:\Program Files (x86)\ASIO4ALL v2\A4ARegFix.exe"
        5⤵
        Executes dropped EXE
        
        PID:4232
  - - C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32.exe /s "C:\Program Files\Image-Line\FL Studio ASIO\ILWASAPI2ASIO_x64.dll"
      4⤵
      Registers COM server for autorun
      PID:2660

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x478
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Program Files\Image-Line\FL Studio 20\FL64.exe
"C:\Program Files\Image-Line\FL Studio 20\FL64.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4908

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d061e00c5cf07e176d96488d65a4aa8c

SHA1
0fbfbf53d94dc28280d50e7cc77048673d695f5f

SHA256
2d685f5a8ef8cb81125f94801d4e1746492b759207075c40a4df9ea842b8aa8f

SHA512
d85f46880888ecb7f49d13dd86b1d36149fe6f31e218f0e80178c6bbad1dca657c73825aea8902d5cc50b6fef79ab7ed4383b1f3794c51205f6d37dfee7d5ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1f34b8580ee8e940a12a2379b557fe8a

SHA1
29df2935e8a971c5335fe6edc09183068f747333

SHA256
cb75675812a7a18afe2d2dafa24b34f422d9f14598909f0e98353cb4fc91c0e7

SHA512
9f4eefbdb38050877bd7d976bc522bccdfcfdf60d7c7fa767c8756810e6669e8f63b66ef7bc55623e1d6744e3ccb9774f8a542dce1ef332b16f6e86121644116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1dd8648df1581687db3c443025ee7399

SHA1
f28080fdbaf8533003d8a512ce7bf639759cfd08

SHA256
895eb57409991d9c805c91cc89dbfae5828e8355fe02628c390b2fbe1a75cf6c

SHA512
15bf22009876753580dc12fbbf5f8a8cd5c4d99fecad016f67b817b9d4b10f4fd2c2473483dd94490c26b8c4962397d1c134bfc00a7a88a7b246cd2f4d66c9e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d3716b82c5009c75652c2c932d402f5d

SHA1
0e24eac9215e30354c17dc6160f33d388b9ad0d6

SHA256
b3911ffe77953188bed116540c479628120a2ca207c67b48d201cd1a0f415489

SHA512
29955e69b15cece9f0b1cc85b217371d4504abbb4bccd9cf41e52af271be4ce87bc974ae7ee8a86c490c2c68b3159210191a62f423ffead5ecc7f8b6211f5d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9451a6b9669d49bd90704dff21beb85

SHA1
5f93d2dec01a31e04fc90c28eb1c5ca62c6fff80

SHA256
b2ff191507379930b97a212f869c3774c20b274e8fc9fcc96da5c154fb0e3056

SHA512
06634cb578f6ce8d721e6306004082073fc224b91ceea37ef870df87b12b2d5f59e7d08b20b520787a1d13f3edbbb004197bf70f180f86dd7f401a5ad289ccb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
65a68df1062af34622552c4f644a5708

SHA1
6f6ecf7b4b635abb0b132d95dac2759dc14b50af

SHA256
718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35

SHA512
4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0026cdd9bbc34b9de2447c0eb04c14b5

SHA1
ab7713fe5fbbb23031937dd1dc7d0fa238884ad4

SHA256
cf5a1c42641a83dd41fe89923591962b7ad189006342c7a67669239688f84a2d

SHA512
62aab723672e2731946f4bbf6a3d92609ff94384e324f3c50e803095529baf848ce2cd37219a059ced4c3f559e598bd9b900b9dd8aa0657adca6d845127797fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL Studio Setup.exe

Filesize
593KB

MD5
93d7f68bf494986d9ac52bdfad74c1a0

SHA1
a59912e5ea98b004e020060cf8c84dc960833513

SHA256
854117af0babc53f820b56d9abdf7b3b47897512a0c3b96bbc9e572a3d84691b

SHA512
bf09db10fe0a0842e857951e028a8e9589d68e704ccd8ac8ad4d5d44bcb9146c710d79be41701065681097ba7f0027b4e38ec6c2211c4ed446b5e4c27ebe40c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL Studio Setup.exe

Filesize
593KB

MD5
93d7f68bf494986d9ac52bdfad74c1a0

SHA1
a59912e5ea98b004e020060cf8c84dc960833513

SHA256
854117af0babc53f820b56d9abdf7b3b47897512a0c3b96bbc9e572a3d84691b

SHA512
bf09db10fe0a0842e857951e028a8e9589d68e704ccd8ac8ad4d5d44bcb9146c710d79be41701065681097ba7f0027b4e38ec6c2211c4ed446b5e4c27ebe40c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flstudio_win_20.8.4.2576.exe

Filesize
926.1MB

MD5
3f8da9f2d6143e870c5e4301864ccfa0

SHA1
2eac870ad5b774461be3f96b58e71b8de67d539f

SHA256
ba311d77ae56136335d257a2e6ebf477195ba08c9b224c290c38ab94d4fc68dd

SHA512
5964cb0e26aa79c9292c5101ec5b59230df774124bde07d38d5b2f9951c3a131054913281414e0ee36b042de1a375a3948494449606bc4d18bcdb5841a54c4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flstudio_win_20.8.4.2576.exe

Filesize
926.1MB

MD5
3f8da9f2d6143e870c5e4301864ccfa0

SHA1
2eac870ad5b774461be3f96b58e71b8de67d539f

SHA256
ba311d77ae56136335d257a2e6ebf477195ba08c9b224c290c38ab94d4fc68dd

SHA512
5964cb0e26aa79c9292c5101ec5b59230df774124bde07d38d5b2f9951c3a131054913281414e0ee36b042de1a375a3948494449606bc4d18bcdb5841a54c4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D2E.tmp\System.dll

Filesize
31KB

MD5
7a489d160d2495f4c19440ad71f736fc

SHA1
84b76d4dd8eea133a04b2617db7918392b1d8740

SHA256
bdbb8fb7286986260ecea91a3e7dde82a2ac3f56b9f4c445c43458fdef9d689f

SHA512
d3fb8c4076952f3241d638006647f924271028ea00c0cbe33784906a53f870ee0b7c30243b1217ef67eea81ca410542e866f80bf904ef50fa31f2323e97ee5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\AccessControl.dll

Filesize
15KB

MD5
f894e7068ee5f5b4489d7acdde7112c9

SHA1
79ec857791ad4ac76673b05e6fc44e55315424ef

SHA256
3948484bc6a6e8652c2220be411cdcabab73eab46578faca8c0bd01d3ea290ab

SHA512
e85b2bdc27b9721425bb03393e8aad897647053c77d7862ea541e03dc896173af6eaaf182514d46464d560d15c6b9d4652690885426ac1c68e2b9dd8d632e816

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\AccessControl.dll

Filesize
15KB

MD5
f894e7068ee5f5b4489d7acdde7112c9

SHA1
79ec857791ad4ac76673b05e6fc44e55315424ef

SHA256
3948484bc6a6e8652c2220be411cdcabab73eab46578faca8c0bd01d3ea290ab

SHA512
e85b2bdc27b9721425bb03393e8aad897647053c77d7862ea541e03dc896173af6eaaf182514d46464d560d15c6b9d4652690885426ac1c68e2b9dd8d632e816

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\InstallOptions.dll

Filesize
15KB

MD5
998189882c9f1be220c9faf0fd2bde15

SHA1
787d50c46c9a2a48565f684fabc7503aca8b0493

SHA256
f34385901206a3952fe2724edb3b0b123fd897119c774ab68c8745de6662d990

SHA512
e0c52ad851b476e7bcbadea8f993e5c6f9f70a9b46e2aebe8ee353a372b0bd5af95241240f880f49b9d91d240a4a2b7e7d2b7c8a18ca1654e607fa8d2772dfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\InstallOptions.dll

Filesize
15KB

MD5
998189882c9f1be220c9faf0fd2bde15

SHA1
787d50c46c9a2a48565f684fabc7503aca8b0493

SHA256
f34385901206a3952fe2724edb3b0b123fd897119c774ab68c8745de6662d990

SHA512
e0c52ad851b476e7bcbadea8f993e5c6f9f70a9b46e2aebe8ee353a372b0bd5af95241240f880f49b9d91d240a4a2b7e7d2b7c8a18ca1654e607fa8d2772dfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\InstallOptions.dll

Filesize
15KB

MD5
998189882c9f1be220c9faf0fd2bde15

SHA1
787d50c46c9a2a48565f684fabc7503aca8b0493

SHA256
f34385901206a3952fe2724edb3b0b123fd897119c774ab68c8745de6662d990

SHA512
e0c52ad851b476e7bcbadea8f993e5c6f9f70a9b46e2aebe8ee353a372b0bd5af95241240f880f49b9d91d240a4a2b7e7d2b7c8a18ca1654e607fa8d2772dfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\InstallOptions.dll

Filesize
15KB

MD5
998189882c9f1be220c9faf0fd2bde15

SHA1
787d50c46c9a2a48565f684fabc7503aca8b0493

SHA256
f34385901206a3952fe2724edb3b0b123fd897119c774ab68c8745de6662d990

SHA512
e0c52ad851b476e7bcbadea8f993e5c6f9f70a9b46e2aebe8ee353a372b0bd5af95241240f880f49b9d91d240a4a2b7e7d2b7c8a18ca1654e607fa8d2772dfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\InstallOptions.dll

Filesize
15KB

MD5
998189882c9f1be220c9faf0fd2bde15

SHA1
787d50c46c9a2a48565f684fabc7503aca8b0493

SHA256
f34385901206a3952fe2724edb3b0b123fd897119c774ab68c8745de6662d990

SHA512
e0c52ad851b476e7bcbadea8f993e5c6f9f70a9b46e2aebe8ee353a372b0bd5af95241240f880f49b9d91d240a4a2b7e7d2b7c8a18ca1654e607fa8d2772dfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\InstallOptions.dll

Filesize
15KB

MD5
998189882c9f1be220c9faf0fd2bde15

SHA1
787d50c46c9a2a48565f684fabc7503aca8b0493

SHA256
f34385901206a3952fe2724edb3b0b123fd897119c774ab68c8745de6662d990

SHA512
e0c52ad851b476e7bcbadea8f993e5c6f9f70a9b46e2aebe8ee353a372b0bd5af95241240f880f49b9d91d240a4a2b7e7d2b7c8a18ca1654e607fa8d2772dfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\InstallOptions.dll

Filesize
15KB

MD5
998189882c9f1be220c9faf0fd2bde15

SHA1
787d50c46c9a2a48565f684fabc7503aca8b0493

SHA256
f34385901206a3952fe2724edb3b0b123fd897119c774ab68c8745de6662d990

SHA512
e0c52ad851b476e7bcbadea8f993e5c6f9f70a9b46e2aebe8ee353a372b0bd5af95241240f880f49b9d91d240a4a2b7e7d2b7c8a18ca1654e607fa8d2772dfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\System.dll

Filesize
11KB

MD5
24523fe14bb9ba400a3950016b187915

SHA1
6ec152b4e4ac04038d4608a8a206070185116036

SHA256
c4aaf80e3990185eeb5ea56bf841dbf5f3d02269d715f3bfdfe8b54aa797a7b9

SHA512
ae73351d27109187f7c4e312bc30a165202f29d74c65dd0feaee75dab72b97d27c6482b1e95771063afec7e9f2ca03a27a11cd25e39228072b69c33fffef7257

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\UserMgr.dll

Filesize
23KB

MD5
9210597fba3dfab3c69b1eb490205419

SHA1
6e3ca39043756ed1cceaf2d4853e7cb6be1c64cb

SHA256
7696c255014a543f720e189ab3fe48f62fcf43435465062649c96138eedb222f

SHA512
4877daefdd34725791fba7c8cc2d85c4e91080ca7787a71ee9ffde71704ac40799b891f03d1f1805a31af6ddc35e335f74c9d620e87d517670a378c001cffb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\nsExec.dll

Filesize
6KB

MD5
1cf768cdc98419962be6449925b56991

SHA1
6f3a40a5e0bc9907eb3d398bc29d15d32f56d557

SHA256
51d7a5d1f57067fdab6cee8878bd7cb4883eb67ac69d8118a19fd56d7a65bd14

SHA512
c8c8575c86e548e9f36e979a58ea63a6b5ab033a89dc5ba5e41616cfadd0bb0a66e61383cec91f60e975405ffc3368d3a044fa5316f80b9d9952a816d4844c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\nsExec.dll

Filesize
6KB

MD5
1cf768cdc98419962be6449925b56991

SHA1
6f3a40a5e0bc9907eb3d398bc29d15d32f56d557

SHA256
51d7a5d1f57067fdab6cee8878bd7cb4883eb67ac69d8118a19fd56d7a65bd14

SHA512
c8c8575c86e548e9f36e979a58ea63a6b5ab033a89dc5ba5e41616cfadd0bb0a66e61383cec91f60e975405ffc3368d3a044fa5316f80b9d9952a816d4844c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\nsExec.dll

Filesize
6KB

MD5
1cf768cdc98419962be6449925b56991

SHA1
6f3a40a5e0bc9907eb3d398bc29d15d32f56d557

SHA256
51d7a5d1f57067fdab6cee8878bd7cb4883eb67ac69d8118a19fd56d7a65bd14

SHA512
c8c8575c86e548e9f36e979a58ea63a6b5ab033a89dc5ba5e41616cfadd0bb0a66e61383cec91f60e975405ffc3368d3a044fa5316f80b9d9952a816d4844c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\nsExec.dll

Filesize
6KB

MD5
1cf768cdc98419962be6449925b56991

SHA1
6f3a40a5e0bc9907eb3d398bc29d15d32f56d557

SHA256
51d7a5d1f57067fdab6cee8878bd7cb4883eb67ac69d8118a19fd56d7a65bd14

SHA512
c8c8575c86e548e9f36e979a58ea63a6b5ab033a89dc5ba5e41616cfadd0bb0a66e61383cec91f60e975405ffc3368d3a044fa5316f80b9d9952a816d4844c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\nsExec.dll

Filesize
6KB

MD5
1cf768cdc98419962be6449925b56991

SHA1
6f3a40a5e0bc9907eb3d398bc29d15d32f56d557

SHA256
51d7a5d1f57067fdab6cee8878bd7cb4883eb67ac69d8118a19fd56d7a65bd14

SHA512
c8c8575c86e548e9f36e979a58ea63a6b5ab033a89dc5ba5e41616cfadd0bb0a66e61383cec91f60e975405ffc3368d3a044fa5316f80b9d9952a816d4844c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\nsExec.dll

Filesize
6KB

MD5
1cf768cdc98419962be6449925b56991

SHA1
6f3a40a5e0bc9907eb3d398bc29d15d32f56d557

SHA256
51d7a5d1f57067fdab6cee8878bd7cb4883eb67ac69d8118a19fd56d7a65bd14

SHA512
c8c8575c86e548e9f36e979a58ea63a6b5ab033a89dc5ba5e41616cfadd0bb0a66e61383cec91f60e975405ffc3368d3a044fa5316f80b9d9952a816d4844c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\nsExec.dll

Filesize
6KB

MD5
1cf768cdc98419962be6449925b56991

SHA1
6f3a40a5e0bc9907eb3d398bc29d15d32f56d557

SHA256
51d7a5d1f57067fdab6cee8878bd7cb4883eb67ac69d8118a19fd56d7a65bd14

SHA512
c8c8575c86e548e9f36e979a58ea63a6b5ab033a89dc5ba5e41616cfadd0bb0a66e61383cec91f60e975405ffc3368d3a044fa5316f80b9d9952a816d4844c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\nsExec.dll

Filesize
6KB

MD5
1cf768cdc98419962be6449925b56991

SHA1
6f3a40a5e0bc9907eb3d398bc29d15d32f56d557

SHA256
51d7a5d1f57067fdab6cee8878bd7cb4883eb67ac69d8118a19fd56d7a65bd14

SHA512
c8c8575c86e548e9f36e979a58ea63a6b5ab033a89dc5ba5e41616cfadd0bb0a66e61383cec91f60e975405ffc3368d3a044fa5316f80b9d9952a816d4844c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1

Filesize
111B

MD5
f7cacba08813f15322eadbf1c2a394fd

SHA1
2d963cca54d20871f5b9975f9164a866d83e4250

SHA256
f733a70f6385a9f5e1d3e1c10749f78ed79a3918d4d7d1205c76b45eacf534be

SHA512
179e13b9319e08017a92fc47d589b7ba4fee2824d2c1d25a48f509b3a71ab1e51249369f64804a1073ecbbf4f27d64a0a0459d1abb45f98edcbdb22c61bbf42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1

Filesize
120B

MD5
2a701c5d056394e5c23495ee20ff1dd2

SHA1
6605751f1b989a6a9182ab91355b9deda51c2651

SHA256
7c3bdeca15abc72e22bb61106a1f26d992243d6806dcaace5139086979e51005

SHA512
51d1d18c934f10358d14fb1993126e3717b14636e1b6bb261a08cf2c342cd4c0df2bb02e94cd5aa0ff2a56eae90c16360a7e1f3039a1c759d60e48d99a1e30c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1

Filesize
113B

MD5
7c9b6abedb3f5cf35e0e6b798323f2d4

SHA1
2e7bc89eac789a8125432595876e0defb9ee0ad9

SHA256
1ffff655058197c0d8f683c7a78addbcbcf338678847da3d82a02735190f25a2

SHA512
dd3a2133131f1c6c35f80204f4f27d924b7140b236401949433355daad86978526efb4b4e0f1311c56c16fb72a59acc78c5fec83db93b0864897b9db779d9748

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1

Filesize
122B

MD5
6cec58160804ab57d8fda61a0a780f6a

SHA1
0849117a1360dc3086d4e7ae78a8afac16ef032e

SHA256
6394916c331dcd2aeeb9125995fcc3697d0d2e41e67a030ebc9e22de567035d3

SHA512
496dc54263af3549f7ed9d612f8abaa476cc573b18256dbad8395f5722d777ed3000d63f8012eef3df380403bf1a68bc98070c1de978d12747ea144d93daf801

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1

Filesize
152B

MD5
078a5b9c799428eff1123e4ff248ea04

SHA1
988a1e2b41ac3c92e0fce66c5e5c881b47f353b4

SHA256
d334c0707c69848b494cf1918de8562a22de1dd4725a7535e0e1ee5ae6b102f9

SHA512
9c334f19130d450cd8baf648a65bd8d992ca027eff3628e18cb8a3ed58df1db19420d0949e122d56fdccc611a3f9e58063df5b6dc77bed355d8970276386e182

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1

Filesize
150B

MD5
4e14df40fd47f06aec7f41d966130adf

SHA1
2b191d6a4dd3f9e9dc2e1cabbc1d349e423ce77e

SHA256
b4affe32385742904ce138e3466bc5b35d50f0f52d77a5b20889893ec88930cc

SHA512
865b19147bbdbd26ad00209973bc0201dc324e5077ae5595c52d022beab6cb496d222e64590baf94558e87dfcb6aae14efe2e2ad34192f00325c53f43fef9373

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1

Filesize
143B

MD5
e03e5393247f537e82d707eabfb2f632

SHA1
d029479365c2ada596a5463fcb11d7867082dcd7

SHA256
8538174af838736e9168e74fc7161298a539ede040ef36feb6cd07a27758a4f8

SHA512
f7a55aa2f58fab8170608b246eb827fe3426533edc4b5f096cc27b34b8dab28ffa625b3ac82000d480f2b2b607e5c93a6d024fae519ddcb2c1212be2afb6cd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\tempfile.ps1

Filesize
143B

MD5
7a368131348f92b708c9f0375d2ec532

SHA1
077688ca79711f833fc9d22e4600a75230a6eb9d

SHA256
914e9a80d5e98229b0b86dc1951c34e0a385a38e1b85e17428c35e3fb770ed9d

SHA512
95100371bea8f84b383b30b5c742c7982dd2220eb1f362dae91f84b47164618889655c5499db74a8254045583ed5db656b6fd7180655e581dd4d8fcd294ebbe6

Download Submit
memory/316-207-0x00007FFED86C0000-0x00007FFED9181000-memory.dmp

Filesize
10.8MB

Download
memory/316-208-0x00007FFED86C0000-0x00007FFED9181000-memory.dmp

Filesize
10.8MB

Download
memory/1280-196-0x00007FFED86C0000-0x00007FFED9181000-memory.dmp

Filesize
10.8MB

Download
memory/1596-219-0x00007FFED86C0000-0x00007FFED9181000-memory.dmp

Filesize
10.8MB

Download
memory/1596-218-0x00007FFED86C0000-0x00007FFED9181000-memory.dmp

Filesize
10.8MB

Download
memory/1776-190-0x00007FFED86C0000-0x00007FFED9181000-memory.dmp

Filesize
10.8MB

Download
memory/1776-189-0x00007FFED86C0000-0x00007FFED9181000-memory.dmp

Filesize
10.8MB

Download
memory/1776-187-0x0000022EEC340000-0x0000022EEC362000-memory.dmp

Filesize
136KB

Download
memory/3076-237-0x0000000006770000-0x00000000067E7000-memory.dmp

Filesize
476KB

Download
memory/3076-160-0x0000000005230000-0x000000000533B000-memory.dmp

Filesize
1.0MB

Download
memory/3076-184-0x0000000000611000-0x0000000000614000-memory.dmp

Filesize
12KB

Download
memory/3076-175-0x0000000005800000-0x000000000590B000-memory.dmp

Filesize
1.0MB

Download
memory/3076-235-0x0000000006010000-0x0000000006279000-memory.dmp

Filesize
2.4MB

Download
memory/3076-239-0x00000000068A0000-0x0000000006B11000-memory.dmp

Filesize
2.4MB

Download
memory/3076-232-0x0000000002150000-0x000000000225B000-memory.dmp

Filesize
1.0MB

Download
memory/3076-236-0x0000000006510000-0x000000000662D000-memory.dmp

Filesize
1.1MB

Download
memory/3076-142-0x0000000005020000-0x000000000512B000-memory.dmp

Filesize
1.0MB

Download
memory/3256-233-0x00007FFED86C0000-0x00007FFED9181000-memory.dmp

Filesize
10.8MB

Download
memory/3256-215-0x00007FFED86C0000-0x00007FFED9181000-memory.dmp

Filesize
10.8MB

Download
memory/3644-229-0x00007FFED86C0000-0x00007FFED9181000-memory.dmp

Filesize
10.8MB

Download
memory/3644-230-0x00007FFED86C0000-0x00007FFED9181000-memory.dmp

Filesize
10.8MB

Download
memory/4476-199-0x00007FFED86C0000-0x00007FFED9181000-memory.dmp

Filesize
10.8MB

Download
memory/4476-202-0x00007FFED86C0000-0x00007FFED9181000-memory.dmp

Filesize
10.8MB

Download
memory/4560-224-0x00007FFED86C0000-0x00007FFED9181000-memory.dmp

Filesize
10.8MB

Download
memory/4908-255-0x0000000002B71000-0x000000000377D000-memory.dmp

Filesize
12.0MB

Download
memory/4908-276-0x00000000125B0000-0x0000000012B84000-memory.dmp

Filesize
5.8MB

Download
memory/4908-254-0x0000000002B70000-0x0000000005AE6000-memory.dmp

Filesize
47.5MB

Download
memory/4908-290-0x000000001DBB0000-0x000000001DFDC000-memory.dmp

Filesize
4.2MB

Download
memory/4908-259-0x0000000006060000-0x000000000641A000-memory.dmp

Filesize
3.7MB

Download
memory/4908-260-0x0000000006061000-0x000000000634A000-memory.dmp

Filesize
2.9MB

Download
memory/4908-264-0x0000000008D10000-0x0000000008D3F000-memory.dmp

Filesize
188KB

Download
memory/4908-265-0x000000000B300000-0x000000000B92D000-memory.dmp

Filesize
6.2MB

Download
memory/4908-266-0x000000000B301000-0x000000000B7BD000-memory.dmp

Filesize
4.7MB

Download
memory/4908-270-0x000000000C3A0000-0x000000000C773000-memory.dmp

Filesize
3.8MB

Download
memory/4908-271-0x000000000E4D0000-0x000000000EB29000-memory.dmp

Filesize
6.3MB

Download
memory/4908-272-0x000000000EDB0000-0x000000000F380000-memory.dmp

Filesize
5.8MB

Download
memory/4908-273-0x000000000A540000-0x000000000A588000-memory.dmp

Filesize
288KB

Download
memory/4908-274-0x0000000011840000-0x0000000011C45000-memory.dmp

Filesize
4.0MB

Download
memory/4908-275-0x0000000011D90000-0x0000000012135000-memory.dmp

Filesize
3.6MB

Download
memory/4908-253-0x0000000002B70000-0x0000000005AE6000-memory.dmp

Filesize
47.5MB

Download
memory/4908-277-0x0000000013450000-0x0000000013830000-memory.dmp

Filesize
3.9MB

Download
memory/4908-278-0x0000000013970000-0x0000000013D59000-memory.dmp

Filesize
3.9MB

Download
memory/4908-279-0x00000000149E0000-0x0000000014E1A000-memory.dmp

Filesize
4.2MB

Download
memory/4908-280-0x0000000016210000-0x00000000165E5000-memory.dmp

Filesize
3.8MB

Download
memory/4908-281-0x0000000017040000-0x0000000017439000-memory.dmp

Filesize
4.0MB

Download
memory/4908-282-0x0000000017990000-0x0000000017D5A000-memory.dmp

Filesize
3.8MB

Download
memory/4908-283-0x0000000018620000-0x00000000189DD000-memory.dmp

Filesize
3.7MB

Download
memory/4908-284-0x0000000018E40000-0x00000000191FB000-memory.dmp

Filesize
3.7MB

Download
memory/4908-285-0x00000000198E0000-0x0000000019CA0000-memory.dmp

Filesize
3.8MB

Download
memory/4908-286-0x000000001A0B0000-0x000000001A69B000-memory.dmp

Filesize
5.9MB

Download
memory/4908-287-0x000000001B7D0000-0x000000001BD94000-memory.dmp

Filesize
5.8MB

Download
memory/4908-288-0x000000001CA70000-0x000000001CE28000-memory.dmp

Filesize
3.7MB

Download
memory/4908-289-0x000000001D380000-0x000000001D92E000-memory.dmp

Filesize
5.7MB

Download