lumma | 96e7875d3e0134218c07b6c78da8d5a2e49008cea091c14a854fddf9fc1cec73

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2023 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cisco_4.x_installer.msi
Size

124.2MB
MD5

7c505e3aab5a2359ea78b1c65bbd92c1
SHA1

a8c6de80c1e5072bdd097110bd9bd41d4fa336fd
SHA256

96e7875d3e0134218c07b6c78da8d5a2e49008cea091c14a854fddf9fc1cec73
SHA512

11f82a93e61f87a34e9b4ae9ea712337a818de1aecc349885057c54735c0094754f2322bf0967e56d6c289f0da06a198f1128b09356b9d49cb069ffd80364258
SSDEEP

3145728:YFIJVEnmGgZM8KmNJTLAH0D2b/l+GBdSORE:YFA2mfZ5KmNtOnbcGBd9RE

Score

10^/10

lumma discovery persistence stealer

Malware Config

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow pid process

12 1888 msiexec.exe
14 1888 msiexec.exe
20 1888 msiexec.exe
22 1888 msiexec.exe

flow	pid	process
12	1888	msiexec.exe
14	1888	msiexec.exe
20	1888	msiexec.exe
22	1888	msiexec.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSI7BB2.tmppython.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	MSI7BB2.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	python.exe

Executes dropped EXE 8 IoCs

Processes:

ontrade.exeontrade.exeOntradeCEF.exeontrade.exeMSI7BB2.tmppython.exepython.exepython-3.9.9-amd64.exe

pid process

4284 ontrade.exe
644 ontrade.exe
3504 OntradeCEF.exe
880 ontrade.exe
1676 MSI7BB2.tmp
4848 python.exe
2128 python.exe
2632 python-3.9.9-amd64.exe

pid	process
4284	ontrade.exe
644	ontrade.exe
3504	OntradeCEF.exe
880	ontrade.exe
1676	MSI7BB2.tmp
4848	python.exe
2128	python.exe
2632	python-3.9.9-amd64.exe

Loads dropped DLL 18 IoCs

Processes:

MsiExec.exeMsiExec.exeontrade.exeOntradeCEF.exepython.exe

pid	process
704	MsiExec.exe
704	MsiExec.exe
704	MsiExec.exe
704	MsiExec.exe
704	MsiExec.exe
704	MsiExec.exe
1384	MsiExec.exe
1384	MsiExec.exe
644	ontrade.exe
644	ontrade.exe
3504	OntradeCEF.exe
3504	OntradeCEF.exe
3504	OntradeCEF.exe
3504	OntradeCEF.exe
3504	OntradeCEF.exe
1384	MsiExec.exe
704	MsiExec.exe
2128	python.exe

Registers COM server for autorun 1 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

ontrade.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F213E74A-C207-4320-93C6-24613FAFC33D}\LocalServer32\ = "C:\\PROGRA~2\\Ontrade\\ontrade.exe"	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC07ED40-A510-4856-AE26-752339F64682}\LocalServer32\ = "C:\\PROGRA~2\\Ontrade\\ontrade.exe"	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53387750-7A95-4F5E-B1CC-0B65BB58430E}\LocalServer32\ = "C:\\PROGRA~2\\Ontrade\\ontrade.exe"	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8EC1A250-C769-4E55-A2ED-D7E759F43AE1}\LocalServer32\ = "C:\\PROGRA~2\\Ontrade\\ontrade.exe"	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F213E74A-C207-4320-93C6-24613FAFC33D}\LocalServer32	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DA1DC10-B9F1-4B5B-8ED9-2E87A39A1699}\LocalServer32	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DA1DC10-B9F1-4B5B-8ED9-2E87A39A1699}\LocalServer32\ = "C:\\PROGRA~2\\Ontrade\\ontrade.exe"	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC07ED40-A510-4856-AE26-752339F64682}\LocalServer32	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53387750-7A95-4F5E-B1CC-0B65BB58430E}\LocalServer32	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8EC1A250-C769-4E55-A2ED-D7E759F43AE1}\LocalServer32	ontrade.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

python.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	python.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{e71df380-4294-4a01-b02c-b032205feeeb} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{e71df380-4294-4a01-b02c-b032205feeeb}\\python-3.9.9-amd64.exe\" /burn.runonce"	python.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Ontrade\Cef\cef.pak	msiexec.exe
File created	C:\Program Files\Python39\tcl\tcl8.6\tzdata\Pacific\Tahiti	msiexec.exe
File created	C:\Program Files\Python39\Lib\distutils\dist.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\distutils\util.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\lib2to3\fixes\fix_metaclass.py	msiexec.exe
File created	C:\Program Files\Python39\tcl\tcl8.6\tzdata\America\Indiana\Indianapolis	msiexec.exe
File created	C:\Program Files\Python39\tcl\tcl8.6\tzdata\Antarctica\Casey	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\libregrtest\utils.py	msiexec.exe
File created	C:\Program Files\Python39\tcl\tcl8.6\tzdata\America\Argentina\Tucuman	msiexec.exe
File created	C:\Program Files\Python39\tcl\tix8.4.3\demos\bitmaps\italic.xbm	msiexec.exe
File created	C:\Program Files (x86)\Ontrade\GoMenu.xml	msiexec.exe
File created	C:\Program Files\Python39\Lib\email\mime\application.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\test__opcode.py	msiexec.exe
File created	C:\Program Files\Python39\tcl\tk8.6\demos\anilabel.tcl	msiexec.exe
File created	C:\Program Files (x86)\Ontrade\Marketpages\support_hover.gif	msiexec.exe
File created	C:\Program Files\Python39\Lib\unittest\test\__init__.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\crashers\README	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\test_codecencodings_tw.py	msiexec.exe
File created	C:\Program Files\Python39\tcl\tcl8.6\tzdata\Europe\Sarajevo	msiexec.exe
File created	C:\Program Files\Python39\Lib\email\feedparser.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\support\testresult.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\test_signal.py	msiexec.exe
File created	C:\Program Files\Python39\tcl\tk8.6\ttk\treeview.tcl	msiexec.exe
File created	C:\Program Files (x86)\Ontrade\Marketpages\tullettprebon_usd_swaptions.html	msiexec.exe
File created	C:\Program Files\Python39\include\Python.h	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\sndhdrdata\README	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\test_importlib\import_\test_packages.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\sqlite3\test\factory.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\decimaltestdata\invert.decTest	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\ziptestdata\header.sh	msiexec.exe
File created	C:\Program Files\Python39\tcl\tcl8.6\msgs\ar_in.msg	msiexec.exe
File created	C:\Program Files\Python39\tcl\tix8.4.3\demos\samples\HList1.tcl	msiexec.exe
File created	C:\Program Files (x86)\Ontrade\Marketpages\infront_fxfwd_huf.html	msiexec.exe
File created	C:\Program Files\Python39\tcl\tcl8.6\tzdata\America\Argentina\Salta	msiexec.exe
File created	C:\Program Files\Python39\tcl\tcl8.6\tzdata\Asia\Hong_Kong	msiexec.exe
File created	C:\Program Files\Python39\Lib\encodings\iso2022_jp_3.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\audiodata\pluck-ulaw.au	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\decimaltestdata\ddRemainderNear.decTest	msiexec.exe
File created	C:\Program Files\Python39\tcl\tcl8.6\tzdata\Australia\Queensland	msiexec.exe
File created	C:\Program Files\Python39\tcl\tcl8.6\tzdata\Asia\Calcutta	msiexec.exe
File created	C:\Program Files\Python39\include\cpython\pyerrors.h	msiexec.exe
File created	C:\Program Files\Python39\Lib\ctypes\test\test_checkretval.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\encodings\iso8859_11.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\unittest\signals.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\test_importlib\zipdata01\__init__.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\distutils\ccompiler.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\encodings\mac_latin2.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\lib2to3\tests\data\fixers\myfixes\fix_first.py	msiexec.exe
File created	C:\Program Files\Python39\tcl\tcl8.6\tzdata\Etc\GMT+7	msiexec.exe
File created	C:\Program Files\Python39\tcl\tcl8.6\tzdata\Pacific\Galapagos	msiexec.exe
File created	C:\Program Files (x86)\Ontrade\locale\pl\lc_messages\plurals.mo	msiexec.exe
File created	C:\Program Files\Python39\Lib\tty.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\crashers\gc_inspection.py	msiexec.exe
File created	C:\Program Files\Python39\tcl\tcl8.6\encoding\macDingbats.enc	msiexec.exe
File created	C:\Program Files\Python39\tcl\tcl8.6\tzdata\America\Porto_Acre	msiexec.exe
File created	C:\Program Files (x86)\Ontrade\Marketpages\infront_fx_usd.html	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\test_importlib\source\test_file_loader.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\tkinter\constants.py	msiexec.exe
File created	C:\Program Files\Python39\tcl\tcl8.6\tzdata\Indian\Reunion	msiexec.exe
File created	C:\Program Files\Python39\tcl\tix8.4.3\bitmaps\textfile.xpm	msiexec.exe
File created	C:\Program Files\Python39\Lib\email\mime\message.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\xml\sax\xmlreader.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\test_augassign.py	msiexec.exe
File created	C:\Program Files\Python39\Lib\test\xmltestdata\c14n-20\inNsContent.xml	msiexec.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{DB100C7C-FE04-4C9F-8047-3DBD3427A6B3}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B4B8687-6FD2-4002-A109-CC428BC53026}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9FDE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA581.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e56994b.msi	msiexec.exe
File created	C:\Windows\Installer\e56994e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{34795B45-E434-46E9-8FAD-C1E77BFAEFDC}\idle.exe	msiexec.exe
File created	C:\Windows\Installer\e56996a.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E750A467-EDAD-4BF6-A92A-20372DFBD416}	msiexec.exe
File created	C:\Windows\Installer\e56995f.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{69306EC3-EA19-4D92-B235-048E8B56B75E}	msiexec.exe
File created	C:\Windows\Installer\e569953.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4D9C.tmp	msiexec.exe
File created	C:\Windows\Installer\e569963.msi	msiexec.exe
File created	C:\Windows\Installer\e569966.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA486.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C5F.tmp	msiexec.exe
File created	C:\Windows\Installer\e56994b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D20.tmp	msiexec.exe
File created	C:\Windows\Installer\e56995a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56995f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e569963.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e569967.msi	msiexec.exe
File created	C:\Windows\Installer\e569967.msi	msiexec.exe
File created	C:\Windows\Installer\{34795B45-E434-46E9-8FAD-C1E77BFAEFDC}\idle.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD22.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1798.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e569957.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI55AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD94.tmp	msiexec.exe
File created	C:\Windows\Installer\e569947.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{E57796A2-EA95-4AF6-9991-C952D68CCE45}\ontrade.exe	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E9C206B7-6416-47E1-B233-79AF33872B59}	msiexec.exe
File created	C:\Windows\Installer\e56995e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e569947.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E57796A2-EA95-4AF6-9991-C952D68CCE45}	msiexec.exe
File opened for modification	C:\Windows\Installer\e569953.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI775E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e56994f.msi	msiexec.exe
File created	C:\Windows\Installer\e569956.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA9C8.tmp	msiexec.exe
File created	C:\Windows\Installer\{E57796A2-EA95-4AF6-9991-C952D68CCE45}\ontrade.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID965.tmp	msiexec.exe
File created	C:\Windows\Installer\e569952.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA33B.tmp	msiexec.exe
File created	C:\Windows\Installer\e569962.msi	msiexec.exe
File created	C:\Windows\Installer\e56996b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA427.tmp	msiexec.exe
File created	C:\Windows\Installer\e56994f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CB9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA100.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI458D.tmp	msiexec.exe
File created	C:\Windows\Installer\e56994a.msi	msiexec.exe
File created	C:\Windows\Installer\e56995b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA407.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BB2.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{96355609-7AF7-4475-81C0-1CEAB5EDE7F2}	msiexec.exe
File opened for modification	C:\Windows\Installer\e56996b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{34795B45-E434-46E9-8FAD-C1E77BFAEFDC}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B6FD15AA-5981-429F-8EDE-D3343710473F}	msiexec.exe
File created	C:\Windows\Installer\e569957.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f9d6c693febb2fce0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f9d6c6930000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900f9d6c693000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f9d6c69300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f9d6c69300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1516 timeout.exe

pid	process
1516	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

ontrade.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	ontrade.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ontrade.exe = "11000"	ontrade.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

ontrade.exeontrade.exeontrade.exemsiexec.exesplwow64.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\PortfolioChart\Defaults	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\Orderbook	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\Orderbook\Defaults\Top = "4294967295"	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\SingleClick\Defaults	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\SingleClick\Defaults\Left = "4294967295"	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\Orderbook\Defaults\Top = "4294967295"	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\Orderbook\Defaults\WidthForex = "190"	ontrade.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\ConsolidatedOrderbook\Defaults\Height = "97"	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\SingleClick\Defaults\HorizHeight = "0"	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\ConsolidatedOrderbook\Defaults\Width = "250"	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\SingleClick\Defaults\VertHeight = "0"	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\Portfolio	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\Orderbook\Defaults\HeightForex = "110"	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Chromium\BLBeacon	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\ReverseAllLists = "1"	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\ConsolidatedOrderbook\Defaults\WidthMMCount = "325"	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\ConsolidatedOrderbook	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\ConsolidatedOrderbook\Defaults\Width = "250"	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\SingleClick\Defaults\HorizHeight = "0"	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\ConsolidatedOrderbook\Defaults	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\ConsolidatedOrderbook\Defaults\WidthMM = "475"	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\PortfolioChart	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\Orderbook	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\Orderbook	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\OrderEntry\BasketTrading	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\PortfolioChart\Defaults\Width = "350"	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\SingleClick\Defaults\HorizHeight = "0"	ontrade.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Chromium	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\Portfolio\Defaults	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\SingleClick\Defaults\Left = "4294967295"	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\Orderbook\Defaults\WidthMMCount = "325"	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\Orderbook\Defaults\Height = "137"	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\Orderbook\Defaults\WidthMMCount = "325"	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\ConsolidatedOrderbook\Defaults\WidthMM = "475"	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\PortfolioChart\Defaults\Width = "350"	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\SingleClick\Defaults	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\ConsolidatedOrderbook	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\SingleClick\Defaults\Top = "4294967295"	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\SingleClick\Defaults\Top = "4294967295"	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\OrderEntry\BasketTrading	ontrade.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\ConsolidatedOrderbook\Defaults\Height = "97"	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\PortfolioChart\Defaults\Width = "350"	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\SingleClick	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\Telemetry\splwow64.exe\JScriptSetScriptStateStarted = "240571281"	splwow64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\Portfolio\Defaults\Width = "216"	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\ConsolidatedOrderbook\Defaults\Height = "97"	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\Orderbook\Defaults\Left = "4294967295"	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\PortfolioChart	ontrade.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\ConsolidatedOrderbook\Defaults\Width = "250"	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\SingleClick\Defaults	ontrade.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Infront\ontrade\ConsolidatedOrderbook	ontrade.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeontrade.exeontrade.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\906553697FA75744180CC1AE5BDE7E2F\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C7C001BD40EFF9C40874D3DB43726A3B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7B602C9E61461E742B3397FA3378B295\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{E9C206B7-6416-47E1-B233-79AF33872B59}v3.9.9150.0\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ontrade.Estimates\Clsid\ = "{EC07ED40-A510-4856-AE26-752339F64682}"	ontrade.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C7C001BD40EFF9C40874D3DB43726A3B\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3CE6039691AE29D42B5340E8B8657BE5	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3DA1DC10-B9F1-4B5B-8ED9-2E87A39A1699}\Version	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DA1DC10-B9F1-4B5B-8ED9-2E87A39A1699}\TypeLib	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EC07ED40-A510-4856-AE26-752339F64682}\TypeLib	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C7C001BD40EFF9C40874D3DB43726A3B\DefaultFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA51DF6B1895F924E8ED3D43730174F3\Version = "50930622"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\64E4E4290A4D8CC4DAD4CC131F1A50A2\2A69775E59AE6FA499199C256DC8EC54	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35E08438-FCD3-4533-8818-E68AEB793E93}	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F213E74A-C207-4320-93C6-24613FAFC33D}\TypeLib\ = "{258A436E-5CAA-4034-BA55-F1F44EF278AA}"	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DE392B4-0A67-47FA-882C-A688A0F536E8}\ProxyStubClsid32	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B52C974C-D966-4E3B-8DB4-A1AA3CEC9697}\ProxyStubClsid32	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35E08438-FCD3-4533-8818-E68AEB793E93}\TypeLib\Version = "1.0"	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35E08438-FCD3-4533-8818-E68AEB793E93}\ = "IInfrontApplication"	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8EC1A250-C769-4E55-A2ED-D7E759F43AE1}\ProgID\ = "Ontrade.InfrontApplication"	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\906553697FA75744180CC1AE5BDE7E2F\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA51DF6B1895F924E8ED3D43730174F3\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7868B4B52DF620041A90CC24B85C0362	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B52C974C-D966-4E3B-8DB4-A1AA3CEC9697}\ProxyStubClsid32	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DE392B4-0A67-47FA-882C-A688A0F536E8}\ProxyStubClsid32	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA51DF6B1895F924E8ED3D43730174F3\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{B6FD15AA-5981-429F-8EDE-D3343710473F}v3.9.9150.0\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAFFF425-15DE-4028-A7CA-635890C50F15}\ = "IJavascriptCallback"	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAFFF425-15DE-4028-A7CA-635890C50F15}\TypeLib\ = "{258A436E-5CAA-4034-BA55-F1F44EF278AA}"	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35E08438-FCD3-4533-8818-E68AEB793E93}\ProxyStubClsid32	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F213E74A-C207-4320-93C6-24613FAFC33D}\LocalServer32	ontrade.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\764A057EDADE6FB49AA20273D2BF4D61\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F213E74A-C207-4320-93C6-24613FAFC33D}\TypeLib	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\54B59743434E9E64F8DA1C7EB7AFFECD\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03D6675B-8494-4D9E-A3B6-D4435ABAAB75}\TypeLib\Version = "1.0"	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\906553697FA75744180CC1AE5BDE7E2F\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7B602C9E61461E742B3397FA3378B295\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3DA1DC10-B9F1-4B5B-8ED9-2E87A39A1699}\LocalServer32\ = "C:\\PROGRA~2\\Ontrade\\ontrade.exe"	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC07ED40-A510-4856-AE26-752339F64682}\Version\ = "1.0"	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EC07ED40-A510-4856-AE26-752339F64682}\TypeLib\ = "{258A436E-5CAA-4034-BA55-F1F44EF278AA}"	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7868B4B52DF620041A90CC24B85C0362\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\764A057EDADE6FB49AA20273D2BF4D61	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{258A436E-5CAA-4034-BA55-F1F44EF278AA}\1.0\FLAGS	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F213E74A-C207-4320-93C6-24613FAFC33D}\ProgID	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F213E74A-C207-4320-93C6-24613FAFC33D}\Version\ = "1.0"	ontrade.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\764A057EDADE6FB49AA20273D2BF4D61\DeploymentFlags = "2"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09252CBD2741A7F54BC97BE2C00003A0\3CE6039691AE29D42B5340E8B8657BE5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2A69775E59AE6FA499199C256DC8EC54\PackageCode = "DB4FB4A8E0157AA4496088A978AC8822"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DA1DC10-B9F1-4B5B-8ED9-2E87A39A1699}	ontrade.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\764A057EDADE6FB49AA20273D2BF4D61\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAFFF425-15DE-4028-A7CA-635890C50F15}\TypeLib	ontrade.exe
Key created	\REGISTRY\MACHINE\Software\Classes\infront\shell\open\command	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DE392B4-0A67-47FA-882C-A688A0F536E8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DE392B4-0A67-47FA-882C-A688A0F536E8}\ = "IBrokerStats"	ontrade.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA51DF6B1895F924E8ED3D43730174F3\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA51DF6B1895F924E8ED3D43730174F3\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7868B4B52DF620041A90CC24B85C0362\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2A69775E59AE6FA499199C256DC8EC54\ProductName = "Windows Installation"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3DA1DC10-B9F1-4B5B-8ED9-2E87A39A1699}\ProgID	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\906553697FA75744180CC1AE5BDE7E2F\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2A69775E59AE6FA499199C256DC8EC54\SourceList\PackageName = "cisco_4.x_installer.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35E08438-FCD3-4533-8818-E68AEB793E93}	ontrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53387750-7A95-4F5E-B1CC-0B65BB58430E}\Version\ = "1.0"	ontrade.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\906553697FA75744180CC1AE5BDE7E2F\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39A2DFD8-019F-496A-A7E4-D860B1F912D3}\ProxyStubClsid32	ontrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B52C974C-D966-4E3B-8DB4-A1AA3CEC9697}\TypeLib	ontrade.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

msiexec.exeontrade.exeontrade.exeOntradeCEF.exeontrade.exe

pid	process
1784	msiexec.exe
1784	msiexec.exe
4284	ontrade.exe
4284	ontrade.exe
644	ontrade.exe
644	ontrade.exe
3504	OntradeCEF.exe
3504	OntradeCEF.exe
3504	OntradeCEF.exe
3504	OntradeCEF.exe
880	ontrade.exe
880	ontrade.exe
1784	msiexec.exe
1784	msiexec.exe
1784	msiexec.exe
1784	msiexec.exe
1784	msiexec.exe
1784	msiexec.exe
1784	msiexec.exe
1784	msiexec.exe
1784	msiexec.exe
1784	msiexec.exe
1784	msiexec.exe
1784	msiexec.exe
1784	msiexec.exe
1784	msiexec.exe
1784	msiexec.exe
1784	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1888	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1888	msiexec.exe
Token: SeSecurityPrivilege	1784	msiexec.exe
Token: SeCreateTokenPrivilege	1888	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1888	msiexec.exe
Token: SeLockMemoryPrivilege	1888	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1888	msiexec.exe
Token: SeMachineAccountPrivilege	1888	msiexec.exe
Token: SeTcbPrivilege	1888	msiexec.exe
Token: SeSecurityPrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeLoadDriverPrivilege	1888	msiexec.exe
Token: SeSystemProfilePrivilege	1888	msiexec.exe
Token: SeSystemtimePrivilege	1888	msiexec.exe
Token: SeProfSingleProcessPrivilege	1888	msiexec.exe
Token: SeIncBasePriorityPrivilege	1888	msiexec.exe
Token: SeCreatePagefilePrivilege	1888	msiexec.exe
Token: SeCreatePermanentPrivilege	1888	msiexec.exe
Token: SeBackupPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeShutdownPrivilege	1888	msiexec.exe
Token: SeDebugPrivilege	1888	msiexec.exe
Token: SeAuditPrivilege	1888	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1888	msiexec.exe
Token: SeChangeNotifyPrivilege	1888	msiexec.exe
Token: SeRemoteShutdownPrivilege	1888	msiexec.exe
Token: SeUndockPrivilege	1888	msiexec.exe
Token: SeSyncAgentPrivilege	1888	msiexec.exe
Token: SeEnableDelegationPrivilege	1888	msiexec.exe
Token: SeManageVolumePrivilege	1888	msiexec.exe
Token: SeImpersonatePrivilege	1888	msiexec.exe
Token: SeCreateGlobalPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe
Token: SeRestorePrivilege	1784	msiexec.exe
Token: SeTakeOwnershipPrivilege	1784	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1888 msiexec.exe
1888 msiexec.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

ontrade.exeontrade.exeontrade.exe

pid process

4284 ontrade.exe
4284 ontrade.exe
4284 ontrade.exe
644 ontrade.exe
644 ontrade.exe
644 ontrade.exe
880 ontrade.exe
880 ontrade.exe
880 ontrade.exe

pid	process
1888	msiexec.exe
1888	msiexec.exe

pid	process
4284	ontrade.exe
4284	ontrade.exe
4284	ontrade.exe
644	ontrade.exe
644	ontrade.exe
644	ontrade.exe
880	ontrade.exe
880	ontrade.exe
880	ontrade.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

msiexec.exeMsiExec.exeontrade.exeontrade.exeMSI7BB2.tmpcmd.exepython.exepython.exe

description	pid	process	target process
PID 1784 wrote to memory of 704	1784	msiexec.exe	MsiExec.exe
PID 1784 wrote to memory of 704	1784	msiexec.exe	MsiExec.exe
PID 1784 wrote to memory of 704	1784	msiexec.exe	MsiExec.exe
PID 1784 wrote to memory of 1384	1784	msiexec.exe	MsiExec.exe
PID 1784 wrote to memory of 1384	1784	msiexec.exe	MsiExec.exe
PID 1784 wrote to memory of 1384	1784	msiexec.exe	MsiExec.exe
PID 1384 wrote to memory of 4284	1384	MsiExec.exe	ontrade.exe
PID 1384 wrote to memory of 4284	1384	MsiExec.exe	ontrade.exe
PID 1384 wrote to memory of 4284	1384	MsiExec.exe	ontrade.exe
PID 4284 wrote to memory of 4668	4284	ontrade.exe	splwow64.exe
PID 4284 wrote to memory of 4668	4284	ontrade.exe	splwow64.exe
PID 1384 wrote to memory of 644	1384	MsiExec.exe	ontrade.exe
PID 1384 wrote to memory of 644	1384	MsiExec.exe	ontrade.exe
PID 1384 wrote to memory of 644	1384	MsiExec.exe	ontrade.exe
PID 644 wrote to memory of 3504	644	ontrade.exe	OntradeCEF.exe
PID 644 wrote to memory of 3504	644	ontrade.exe	OntradeCEF.exe
PID 644 wrote to memory of 3504	644	ontrade.exe	OntradeCEF.exe
PID 1384 wrote to memory of 880	1384	MsiExec.exe	ontrade.exe
PID 1384 wrote to memory of 880	1384	MsiExec.exe	ontrade.exe
PID 1384 wrote to memory of 880	1384	MsiExec.exe	ontrade.exe
PID 1784 wrote to memory of 1676	1784	msiexec.exe	MSI7BB2.tmp
PID 1784 wrote to memory of 1676	1784	msiexec.exe	MSI7BB2.tmp
PID 1784 wrote to memory of 1676	1784	msiexec.exe	MSI7BB2.tmp
PID 1676 wrote to memory of 4268	1676	MSI7BB2.tmp	cmd.exe
PID 1676 wrote to memory of 4268	1676	MSI7BB2.tmp	cmd.exe
PID 1676 wrote to memory of 4268	1676	MSI7BB2.tmp	cmd.exe
PID 4268 wrote to memory of 1516	4268	cmd.exe	timeout.exe
PID 4268 wrote to memory of 1516	4268	cmd.exe	timeout.exe
PID 4268 wrote to memory of 1516	4268	cmd.exe	timeout.exe
PID 4268 wrote to memory of 4848	4268	cmd.exe	python.exe
PID 4268 wrote to memory of 4848	4268	cmd.exe	python.exe
PID 4268 wrote to memory of 4848	4268	cmd.exe	python.exe
PID 4848 wrote to memory of 2128	4848	python.exe	python.exe
PID 4848 wrote to memory of 2128	4848	python.exe	python.exe
PID 4848 wrote to memory of 2128	4848	python.exe	python.exe
PID 2128 wrote to memory of 2632	2128	python.exe	python-3.9.9-amd64.exe
PID 2128 wrote to memory of 2632	2128	python.exe	python-3.9.9-amd64.exe
PID 2128 wrote to memory of 2632	2128	python.exe	python-3.9.9-amd64.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cisco_4.x_installer.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1888

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FCEA28CE863C02F5FE28BA95F6D6B6EC
2⤵
- Loads dropped DLL
PID:704

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8351B091E421BE428132E09ABFF84FB2 E Global\MSI0000
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384

C:\Program Files (x86)\Ontrade\ontrade.exe
"C:\Program Files (x86)\Ontrade\ontrade.exe" /RegProtocolHandler /SILENT
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 16384
4⤵
- Modifies data under HKEY_USERS
PID:4668

C:\Program Files (x86)\Ontrade\ontrade.exe
"C:\Program Files (x86)\Ontrade\ontrade.exe" /REGSERVER /SILENT
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:644

C:\Program Files (x86)\Ontrade\Cef\OntradeCEF.exe
"C:\Program Files (x86)\Ontrade\Cef\OntradeCEF.exe" --type=gpu-process --field-trial-handle=2028,5094814458211896285,4417884647126858730,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Program Files (x86)\Ontrade\Cef" --log-file="C:\Users\Admin\AppData\Local\Infront\CEF\Cache85\Debug.log" --log-severity=info --resources-dir-path="C:\Program Files (x86)\Ontrade\Cef" --lang=en-us --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Infront\CEF\Cache85\Debug.log" --mojo-platform-channel-handle=2036 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3504

C:\Program Files (x86)\Ontrade\ontrade.exe
"C:\Program Files (x86)\Ontrade\ontrade.exe" /REGBROWSEREMULATION /SILENT
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:880

C:\Windows\Installer\MSI7BB2.tmp
"C:\Windows\Installer\MSI7BB2.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Program Files (x86)\Ontrade\InstallPython.bat"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ""C:\Program Files (x86)\Ontrade\InstallPython.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\timeout.exe
timeout 10
4⤵
- Delays execution with timeout.exe
PID:1516

C:\Program Files (x86)\Ontrade\python.exe
python.exe /quiet InstallAllUsers=1 PrependPath=1
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\Temp\{675D854C-9F42-49EA-8847-6D93DAF09BB1}\.cr\python.exe
"C:\Windows\Temp\{675D854C-9F42-49EA-8847-6D93DAF09BB1}\.cr\python.exe" -burn.clean.room="C:\Program Files (x86)\Ontrade\python.exe" -burn.filehandle.attached=688 -burn.filehandle.self=536 /quiet InstallAllUsers=1 PrependPath=1
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\Temp\{FAA98C59-B8BF-44E1-88A4-3B9001E79D70}\.be\python-3.9.9-amd64.exe
"C:\Windows\Temp\{FAA98C59-B8BF-44E1-88A4-3B9001E79D70}\.be\python-3.9.9-amd64.exe" -q -burn.elevated BurnPipe.{BFD45070-E605-4FE4-AB3B-BC5B504FC898} {C392F028-21B0-4CEE-9310-6D30E2BF391E} 2128
6⤵
- Executes dropped EXE
PID:2632

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A77596F71EF061CE3A6E3FD1137353ED
2⤵
PID:4076

C:\Program Files\Python39\python.exe
"C:\Program Files\Python39\python.exe" -E -s -m ensurepip -U --default-pip
3⤵
PID:3808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4588

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e569949.rbs
Filesize
1.9MB

MD5
ea7318c4f61f76f4740362744a53d07b

SHA1
2db83ac3f36d438122a4e56e56475a6bf09f31a4

SHA256
7455eefe6b84391b6eba8e4784f75d802947e906704eeda652b5906358858d77

SHA512
e3b840862d52748ea0c8808f9e40b9a1a115e76e6dd624cc6d37ef4bf0c2f3ceec4bae5f75fc8cc4d16531004e4073a1c7d14c2e475d6214611ece1f996a0b07

Download Submit
C:\Config.Msi\e56994d.rbs
Filesize
7KB

MD5
998625013d6c720154797abdf1461166

SHA1
bde3508ba70c6f32d5fbfb74589dcc3f0980e015

SHA256
f7130e064796c55452490356bc090691aaa604250eb3493bdf632d531518494b

SHA512
c0a22a8a129c2fbf60001287930835427383f77352fb11d0df08dc109fd9f761d4ca611f02b1188c1d381e389ded2241e2cd3a2523a7b693b06c0be4ab85fbb1

Download Submit
C:\Config.Msi\e569951.rbs
Filesize
33KB

MD5
a1786cfa07de9a9226b0637fff8f4f65

SHA1
e413854aabc7ff5ede2f495000714375d9124955

SHA256
29180e23c4bc52cd9540f5a50c61078f1547154f88cc4331168925d094ecc94a

SHA512
10cadfb6aa1e60b0524b3009fc557edf4b0a4f87233189f7b7f5486ef9b5d142bdb9160a4130a0698cf02f3f96512e7a0d07f3274a2481625026cc419a4a528b

Download Submit
C:\Config.Msi\e569955.rbs
Filesize
11KB

MD5
84f7a5d66a0186d96feb3c7598d93827

SHA1
d1b81830f9f6fc64c8d748c74861401f21d251a1

SHA256
ca43b1993e78b994b739c91b267249a26193bd204df42e6c49016dfbbbaafccf

SHA512
9a60db15d6e4a22ae46900a90deec3aca4a9ca819133c91b492e03b96cc2274ee0ff398a8001088ee71e44da241b21ab697db19c91cdd51a80820a77c62d2ff5

Download Submit
C:\Config.Msi\e569959.rbs
Filesize
150KB

MD5
4922bd53321f055159a7ddd80efafe7a

SHA1
6ce2039b464a97a81a31c0286480ded93dfcd54a

SHA256
847576b5f682f4117c1067ff082a82fba4e20bc2d35a70468f64e8e3c76f52d7

SHA512
929c1047a3c34f78c9b776cfaa8d4612099630a2aa3dc042f576816829075b7a18e743724c25eff0b681a42733421891a92d7dd095643d1f7a63ead81416061b

Download Submit
C:\Config.Msi\e56995d.rbs
Filesize
219KB

MD5
9e12b75f5a02470f61869384cff37a40

SHA1
9da490fa596fda2eddf34cc1f70ac790e10bd51a

SHA256
0c546bb1430699c2b88e5ffed2fb103d2a06fac605e1a504c70286e774780395

SHA512
77eb6fd6ab385cdbe34e4adf7d828f49adc3be5f43c6b8217e51fc65ad65a965171e1ee37371cbbc255bb60ea571be91de4827b1901140e966c56cb2076d544c

Download Submit
C:\Config.Msi\e569961.rbs
Filesize
8KB

MD5
ae366d7dc88408e8467ce32675faf981

SHA1
359ee7ea110a6ad7e102cac131b860a549b62954

SHA256
f3381d8728016e82b439c43b08f0db132294f6fa79e8c872088c5e29e55e978e

SHA512
61a4148b91f9820d11244ea03fd4e0a403c97abb2f72d2dc7813e927fbefebf6b2a803747c3a5d73b419b864d10914161165e47ce169cff1fc70cf9b53eb8be6

Download Submit
C:\Config.Msi\e569965.rbs
Filesize
25KB

MD5
ec9212f6a941a547209979315297cf22

SHA1
38fedb78bd1f693b41920288490fed0e45e17183

SHA256
be6996368924ccfdd5a49c908966214ab12393dae55f9cd8e2815c408927a17d

SHA512
3eef8454c4b26478d51df8b513b929e8785c3ba4f54ac091869c26a9ac40026e62e5343bb1732378e2ef8683561dfb75de7ee1003d8f17b35dada04477b23e07

Download Submit
C:\Config.Msi\e569969.rbs
Filesize
268KB

MD5
9d7fb2aeb9b21e6a4c5718da81a36f48

SHA1
36988a1765ae93f3e6b05ef60c1565e22c5aa666

SHA256
68a2f682b1867b14f97d520d761902bf55bce71ba81728a54cb5661385f8f801

SHA512
f822a07a7eb420b0a0dea95df44179ba635dee511b40f06ee2142a105ff0ced54bd75df13c0b9163e5f5da1e19bd7d563def42fe154465652cc773a77339dc94

Download Submit
C:\Config.Msi\e56996d.rbs
Filesize
13KB

MD5
55a4354641bf45f4d12fcd4914b9abe6

SHA1
7ab9c17f12f698f3bef75a7226af3e4c60324f82

SHA256
766fae07068d919d78ce4e5b02520f5106b0ad6d11e522f13d91e0c82da6f822

SHA512
14fad88e6c394998e03ee86bbd85edb55b6e27a265e5f0d26c826e8d87ef0f1326bec027db7286b66557b5c12532ba829e99786ba64a22554b11a1984d3fddc5

Download Submit
C:\Program Files (x86)\Ontrade\Cef\D3DCompiler_47.dll
Filesize
3.5MB

MD5
f76b1d2cd95385b21e61874761ddb53a

SHA1
e5219dc55dcd6b8643e3920ad21d0640fd714383

SHA256
8bf0eeb5081d8397e2f84f69449c8a80d9c0cdcf82bcef7a484309046adcb081

SHA512
8e5c6541bbea6730c4f6392439454f516d56ac9ad6d6b55336e52361cc80a35fbed8a90d58020d92fa4ac9fcfeee6c280754a9e99cc32bae901b00306626e69f

Download Submit
C:\Program Files (x86)\Ontrade\Cef\OntradeCEF.exe
Filesize
2.9MB

MD5
9567dfc97d64f4b15996272b295e6a50

SHA1
a68fdeb5d6d18ab1fcbf7c72695944cbfaba44d6

SHA256
3ae460debdc3d50485c8999a7b51e4a12323711f73c900ef85643469190d0f2c

SHA512
945e283422ca2334431056f0c03366f8f02ef7b72e983324d51332e2765998e3db030c9f1e5f8dc8d4ec3c854b3a301ba06656ea633ad14d98422ac451062c00

Download Submit
C:\Program Files (x86)\Ontrade\Cef\OntradeCEF.exe
Filesize
2.9MB

MD5
9567dfc97d64f4b15996272b295e6a50

SHA1
a68fdeb5d6d18ab1fcbf7c72695944cbfaba44d6

SHA256
3ae460debdc3d50485c8999a7b51e4a12323711f73c900ef85643469190d0f2c

SHA512
945e283422ca2334431056f0c03366f8f02ef7b72e983324d51332e2765998e3db030c9f1e5f8dc8d4ec3c854b3a301ba06656ea633ad14d98422ac451062c00

Download Submit
C:\Program Files (x86)\Ontrade\Cef\cef.pak
Filesize
1.9MB

MD5
fe4cf7f3c1ae565d64662311efe784f3

SHA1
c43ede2994d5700a5158aa84865fad2afbfaa22f

SHA256
090c2f61f048c9dd5e2f887fc44ac1c734ab4e2354c295bce7ff893cf1f26f0f

SHA512
e610bdf17f254119680e64d74027700c240b10895ebb255c9c6d8510c65234125a7b0f54df195f8227d7bf654ca53cc5d602cbb142daba1ad16eda73b8bf8b8e

Download Submit
C:\Program Files (x86)\Ontrade\Cef\cef_100_percent.pak
Filesize
261KB

MD5
b84d20e51dc7b971c7ab2502e3843f1f

SHA1
ed87bd499cae74a748e03fc33c36476a20487b78

SHA256
62d84df6c05bc41086aef1caff5b2db9cacd18535cb64407e79b715baa316b17

SHA512
1dcf7ff2cd92708892a43fb6cb9df5b46c1f98c49b7f58dc915b31dcaa27323d9055754173005b16581e74add695b62fa096890a40e3a2ee42ddb11a785920d5

Download Submit
C:\Program Files (x86)\Ontrade\Cef\cef_200_percent.pak
Filesize
412KB

MD5
d344d778833b313ed4afecdb90f4cad0

SHA1
acb1f69b2f0a69d301e6816c5d886f1c10a1bdd9

SHA256
ca0242f452e96e89a85e5a718e9ab01e24ea955b8491f6da9b1ebb5b3b4b7c71

SHA512
e5d32aba64613a9e8ec4aabb50b088f06ad83e2341f9bb22bb541e29deb63027dc07295c53eab8934387dcdb7c93aa7264dd77deba0a0bc9ed9514c5fb6b8b0b

Download Submit
C:\Program Files (x86)\Ontrade\Cef\cef_extensions.pak
Filesize
1.2MB

MD5
41ad298ca43c6a19b50911b55f77cc99

SHA1
0f67649ab7a2a0bcfdd4c0e00ded7437e14cb4ab

SHA256
e9cb8a906b63f8db9acc22455941bce5aacdc3828d8f39cd14d09ff5eb79bf3f

SHA512
0a505c8bcbeb5603fd30dbde786bfc5051fe8172e3db813e1c54c95da70d98eedd9b84d94361aef8711d3733ea7b25762b97a63f9d1b6f00e771700ecfdd65f3

Download Submit
C:\Program Files (x86)\Ontrade\Cef\chrome_elf.dll
Filesize
805KB

MD5
c715647a1fd53add717d7122dac003a2

SHA1
a72ab3b49d22203de35ddc33ee43ff712ff2bb88

SHA256
5fac85326a4581f3fec0af0b3068547cba5098eb973e7a3634373c753ca7d320

SHA512
84251eb3fd4b817aec0d3e18e4676e853172aa255887d07ce943fb390ade5ddc2485264a44c3395af9e3007ef95c74e4e6a2fc34c398b768db92169edee507e4

Download Submit
C:\Program Files (x86)\Ontrade\Cef\chrome_elf.dll
Filesize
805KB

MD5
c715647a1fd53add717d7122dac003a2

SHA1
a72ab3b49d22203de35ddc33ee43ff712ff2bb88

SHA256
5fac85326a4581f3fec0af0b3068547cba5098eb973e7a3634373c753ca7d320

SHA512
84251eb3fd4b817aec0d3e18e4676e853172aa255887d07ce943fb390ade5ddc2485264a44c3395af9e3007ef95c74e4e6a2fc34c398b768db92169edee507e4

Download Submit
C:\Program Files (x86)\Ontrade\Cef\chrome_elf.dll
Filesize
805KB

MD5
c715647a1fd53add717d7122dac003a2

SHA1
a72ab3b49d22203de35ddc33ee43ff712ff2bb88

SHA256
5fac85326a4581f3fec0af0b3068547cba5098eb973e7a3634373c753ca7d320

SHA512
84251eb3fd4b817aec0d3e18e4676e853172aa255887d07ce943fb390ade5ddc2485264a44c3395af9e3007ef95c74e4e6a2fc34c398b768db92169edee507e4

Download Submit
C:\Program Files (x86)\Ontrade\Cef\d3dcompiler_47.dll
Filesize
3.5MB

MD5
f76b1d2cd95385b21e61874761ddb53a

SHA1
e5219dc55dcd6b8643e3920ad21d0640fd714383

SHA256
8bf0eeb5081d8397e2f84f69449c8a80d9c0cdcf82bcef7a484309046adcb081

SHA512
8e5c6541bbea6730c4f6392439454f516d56ac9ad6d6b55336e52361cc80a35fbed8a90d58020d92fa4ac9fcfeee6c280754a9e99cc32bae901b00306626e69f

Download Submit
C:\Program Files (x86)\Ontrade\Cef\devtools_resources.pak
Filesize
1.6MB

MD5
6198a72ece5e8b9a8566ab22ede91061

SHA1
d911e03d0b01ad5a5ba55ec56f7b7b74aabf7b4c

SHA256
4868cdbe694270afc2e1ffe18592e75a733a14a48ab8d12d43e1e5f7eaee05c2

SHA512
53af0b552fe5971067f2bc7b8c8b8f19ba483e1c7956c3ad175a7505eb74f50fd11b6aeac81b2cd5a0c8e003c815869caec1b0c81b9e7552c9d910dd2d78bdba

Download Submit
C:\Program Files (x86)\Ontrade\Cef\en-US.pak
Filesize
225KB

MD5
16a6914c9637812257e28b2cc4e6d809

SHA1
82212a642c90b51b8f67e517ee8782da841b658f

SHA256
8fe734f556d97e7c07d02e839a16565f7db88ca7091ca3903a9b153a68aaaf72

SHA512
6efbab68c8b036fd73951295a5f65718003deea46db838f6f263133452e09be45ce006246850facbb1922766f42c2ce1796722cecfcc8495921a7bcd9402a446

Download Submit
C:\Program Files (x86)\Ontrade\Cef\icudtl.dat
Filesize
10.0MB

MD5
9732e28c054db1e042cd306a7bc9227a

SHA1
6bab2e77925515888808c1ef729c5bb1323100dd

SHA256
27993e2079711d5f0f04a72f48fee88b269604c8e3fbdf50a7f7bb3f5bfc8d8e

SHA512
3eb67ab896a56dab4a2d6eea98f251affd6864c5f5b24f22b61b6acc1df4460d86f0a448f1983aac019e79ff930286c3510891be9d48ef07a93ff975a0e55335

Download Submit
C:\Program Files (x86)\Ontrade\Cef\libcef.dll
Filesize
107.6MB

MD5
b3a789be981d931ccb3596a4f2e7aae3

SHA1
717f1c31d2b71812b59bb1fca386c6607723b2cc

SHA256
acb4a6da0f6cec50fd1b83c91f1fe25136175df8cf94a17a38a99c2db713b42b

SHA512
470fb1b10ee0b9d26844f7f3aeaf98ec2f6e1453614e56b4704723e1c137f6e6b247fbe0d117a83cbd696ae06fe2a60c0bd4322180c3336379996947d732fe88

Download Submit
C:\Program Files (x86)\Ontrade\Cef\libcef.dll
Filesize
107.6MB

MD5
b3a789be981d931ccb3596a4f2e7aae3

SHA1
717f1c31d2b71812b59bb1fca386c6607723b2cc

SHA256
acb4a6da0f6cec50fd1b83c91f1fe25136175df8cf94a17a38a99c2db713b42b

SHA512
470fb1b10ee0b9d26844f7f3aeaf98ec2f6e1453614e56b4704723e1c137f6e6b247fbe0d117a83cbd696ae06fe2a60c0bd4322180c3336379996947d732fe88

Download Submit
C:\Program Files (x86)\Ontrade\Cef\libcef.dll
Filesize
107.6MB

MD5
b3a789be981d931ccb3596a4f2e7aae3

SHA1
717f1c31d2b71812b59bb1fca386c6607723b2cc

SHA256
acb4a6da0f6cec50fd1b83c91f1fe25136175df8cf94a17a38a99c2db713b42b

SHA512
470fb1b10ee0b9d26844f7f3aeaf98ec2f6e1453614e56b4704723e1c137f6e6b247fbe0d117a83cbd696ae06fe2a60c0bd4322180c3336379996947d732fe88

Download Submit
C:\Program Files (x86)\Ontrade\Cef\swiftshader\libEGL.dll
Filesize
329KB

MD5
15ff375d8709f42cd3f0e55aa6b5fddf

SHA1
5bbc1038feaade05977d59694f4e96ff8e15e6ff

SHA256
d4021cdd06205b782a8a2f3e17f9ab2bc39c62638d30e4c75695d0179ae8af70

SHA512
571ac2608fa068c585bf9a663b029902478a07acab648589330ad2f5cc230d937f47d8ae6d1ac4b6d3a1940836eefac0b69a278a16568cdc427437e50609facc

Download Submit
C:\Program Files (x86)\Ontrade\Cef\swiftshader\libGLESv2.dll
Filesize
2.3MB

MD5
1a97e8fd9e0d78073d76dbe1ae7e7251

SHA1
c55b1e5dba07cfb5bd43788ab48e9412e2ab42ec

SHA256
0a031a162aa8cca6db00febcb30511041396b856fd1ca91f60cfdc258058fb21

SHA512
be3b2a2268c2f2dd41e4d263b77af4524a618cfb164d33df45b97f7b1b36c44693d619b4c69441761e6bcbac0984cb2bfd5e1401a0c03ebcf65ce3f3e46d3300

Download Submit
C:\Program Files (x86)\Ontrade\Cef\swiftshader\libegl.dll
Filesize
329KB

MD5
15ff375d8709f42cd3f0e55aa6b5fddf

SHA1
5bbc1038feaade05977d59694f4e96ff8e15e6ff

SHA256
d4021cdd06205b782a8a2f3e17f9ab2bc39c62638d30e4c75695d0179ae8af70

SHA512
571ac2608fa068c585bf9a663b029902478a07acab648589330ad2f5cc230d937f47d8ae6d1ac4b6d3a1940836eefac0b69a278a16568cdc427437e50609facc

Download Submit
C:\Program Files (x86)\Ontrade\Cef\swiftshader\libglesv2.dll
Filesize
2.3MB

MD5
1a97e8fd9e0d78073d76dbe1ae7e7251

SHA1
c55b1e5dba07cfb5bd43788ab48e9412e2ab42ec

SHA256
0a031a162aa8cca6db00febcb30511041396b856fd1ca91f60cfdc258058fb21

SHA512
be3b2a2268c2f2dd41e4d263b77af4524a618cfb164d33df45b97f7b1b36c44693d619b4c69441761e6bcbac0984cb2bfd5e1401a0c03ebcf65ce3f3e46d3300

Download Submit
C:\Program Files (x86)\Ontrade\Cef\v8_context_snapshot.bin
Filesize
167KB

MD5
a51c7e228b7ca14c65ba8ecbd3216b41

SHA1
7d82ef76931f13bf002bc2fd315c37296500b9ca

SHA256
3e49ddd6b5f5f4523ea6488621734da9d00a3dc830bb24aa72dcaf95eacadeef

SHA512
c86ebebba8a0efe01c0d116d762da2f37249a89336437891fc405263d4e3507ad478f9ca4b24b925307a091ed24bc42a9d5e2c0e78db7014700c43508d3b588b

Download Submit
C:\Program Files (x86)\Ontrade\InstallPython.bat
Filesize
498B

MD5
78ff9522ad1b42abec78dedf473c986d

SHA1
299bdc484a30a702cdf4f0b71f3e7ebe006e3856

SHA256
11a31a38ecec5f592a705aa77b968636cbc91ce79051ed63c4b598e3aac71982

SHA512
3e64370df6ba9de2e63fcd4693c4ed99942fa8a1d7e8c8f6ccc688c676a87d73178f4775419859b1df88f47bf5d47726dda13bbe1152f24ce1e31773a2ce5909

Download Submit
C:\Program Files (x86)\Ontrade\ontrade.exe
Filesize
33.1MB

MD5
cbde8f4f7fab2df383aa778d54c1d49d

SHA1
61b7d90d8056bb7cd40172f9440f51f0be31b316

SHA256
2a9b99a05bb451d3a0afba224d03e5a93467b2ad3ff18f3e3f81f4d5be1cdf48

SHA512
2bd97008c3d15342a2efce6f1c501285c47ab0f691fb17e4bba3a9e589906052d4e42d0c9b9b62162ed9172b6d9a86e1637556ae59e57c4faca4df81afd80108

Download Submit
C:\Program Files (x86)\Ontrade\ontrade.exe
Filesize
33.1MB

MD5
cbde8f4f7fab2df383aa778d54c1d49d

SHA1
61b7d90d8056bb7cd40172f9440f51f0be31b316

SHA256
2a9b99a05bb451d3a0afba224d03e5a93467b2ad3ff18f3e3f81f4d5be1cdf48

SHA512
2bd97008c3d15342a2efce6f1c501285c47ab0f691fb17e4bba3a9e589906052d4e42d0c9b9b62162ed9172b6d9a86e1637556ae59e57c4faca4df81afd80108

Download Submit
C:\Program Files (x86)\Ontrade\ontrade.exe
Filesize
33.1MB

MD5
cbde8f4f7fab2df383aa778d54c1d49d

SHA1
61b7d90d8056bb7cd40172f9440f51f0be31b316

SHA256
2a9b99a05bb451d3a0afba224d03e5a93467b2ad3ff18f3e3f81f4d5be1cdf48

SHA512
2bd97008c3d15342a2efce6f1c501285c47ab0f691fb17e4bba3a9e589906052d4e42d0c9b9b62162ed9172b6d9a86e1637556ae59e57c4faca4df81afd80108

Download Submit
C:\Program Files (x86)\Ontrade\ontrade.exe
Filesize
33.1MB

MD5
cbde8f4f7fab2df383aa778d54c1d49d

SHA1
61b7d90d8056bb7cd40172f9440f51f0be31b316

SHA256
2a9b99a05bb451d3a0afba224d03e5a93467b2ad3ff18f3e3f81f4d5be1cdf48

SHA512
2bd97008c3d15342a2efce6f1c501285c47ab0f691fb17e4bba3a9e589906052d4e42d0c9b9b62162ed9172b6d9a86e1637556ae59e57c4faca4df81afd80108

Download Submit
C:\Program Files (x86)\Ontrade\python.exe
Filesize
27.5MB

MD5
a09ef64c9ea2e7d9a04a2cafb833aa7b

SHA1
dc882fe3cec422a1e836c8b9c58075ae51c0a964

SHA256
137d59e5c0b01a8f1bdcba08344402ae658c81c6bf03b6602bd8b4e951ad0714

SHA512
913f32a1e59c820823b2eef4bbec2ba2310c5e429143d80ab3173b604bb8762d708c7eb90e140718fbcce1202bc3ba6bf6a1fcbe96e0f9d1faeb17ed6ad14119

Download Submit
C:\Program Files (x86)\Ontrade\python.exe
Filesize
27.5MB

MD5
a09ef64c9ea2e7d9a04a2cafb833aa7b

SHA1
dc882fe3cec422a1e836c8b9c58075ae51c0a964

SHA256
137d59e5c0b01a8f1bdcba08344402ae658c81c6bf03b6602bd8b4e951ad0714

SHA512
913f32a1e59c820823b2eef4bbec2ba2310c5e429143d80ab3173b604bb8762d708c7eb90e140718fbcce1202bc3ba6bf6a1fcbe96e0f9d1faeb17ed6ad14119

Download Submit
C:\Program Files\Python39\Lib\test\test_importlib\extension\__main__.py
Filesize
62B

MD5
47878c074f37661118db4f3525b2b6cb

SHA1
9671e2ef6e3d9fa96e7450bcee03300f8d395533

SHA256
b4dc0b48d375647bcfab52d235abf7968daf57b6bbdf325766f31ce7752d7216

SHA512
13c626ada191848c31321c74eb7f0f1fde5445a82d34282d69e2b086ba6b539d8632c82bba61ff52185f75fec2514dad66139309835e53f5b09a3c5a2ebecff5

Download Submit
C:\Program Files\Python39\Lib\test\test_importlib\import_\__init__.py
Filesize
147B

MD5
c3239b95575b0ad63408b8e633f9334d

SHA1
7dbb42dfa3ca934fb86b8e0e2268b6b793cbccdc

SHA256
6546a8ef1019da695edeca7c68103a1a8e746d88b89faf7d5297a60753fd1225

SHA512
5685131ad55f43ab73afccbef69652d03bb64e6135beb476bc987f316afe0198157507203b9846728bc7ea25bc88f040e7d2cb557c9480bac72f519d6ba90b25

Download Submit
C:\Program Files\Python39\Lib\test\test_tools\test_c_analyzer\test_variables\__init__.py
Filesize
154B

MD5
e1b27d214a1714271983ee7f7f5c9f37

SHA1
c62c91feeb1f5ae570b5c9c03ae29ee445639429

SHA256
329743706d4d31db91597c27c0e61f754473b15fb89c52b67ffbd5d6b9d6041a

SHA512
a0a7604f0c7abcbb677fd182345f04be971b40a784bcf28efe62eee18090672222468791e981754b1900b9f0830139ea9bf09e2103e3b0e9a1a5adca26cdba09

Download Submit
C:\Program Files\Python39\python.exe
Filesize
99KB

MD5
38349921b29e799b5beee2acc46c4ade

SHA1
2d0844236415ad66ab3063f2071c00d24bb78804

SHA256
2f70510113972f88797df96d67267db5a523beb7de2f6c23adaba0adbbc6e76e

SHA512
3d9686865bab5f4e32a7204b6f1579a7804779c4dd6714116faf3427a6d5f9932de21e86398329f6484c500b397f10eb016d184b058f108adacbfb89f7804998

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05
Filesize
27KB

MD5
aff13f9fb850913e1ddbf0fafe7dc3d4

SHA1
f97755de087877ae07e4b6867dffa1dfa9c65fb6

SHA256
624b1ecc8af03addfb3fa35e62c5d096458c45f8bd3406c371a9ed7e554d7bfc

SHA512
ac2adad9ad06223864af23ded0e0b8e4140c3eba8e06f814955ee788a4db7cab0062b14240d5e229923599a9518478a1ad1c6c335fe755dbeb5da4a2ef5fbbac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D451DDCFFF94F1A6B8406468FA3558_4153D76C26F33196FBC8A8AE835AB7C4
Filesize
1KB

MD5
c09f581e9142a4388c1f003ed6c74c98

SHA1
d9d94f57d22303def5d5e3af7865cb5f9980530e

SHA256
ac18f8b02922b6193aa9433e2c457c1d892f26ffb2534a08033b4fe699b2b732

SHA512
c54d25e787a4de3151e1ff7588e5bcbc35b49b849c3997b3234e87c8100c562fc56edbeb7121d44a315f90721fc9f5d3b8c84116072d5160fd43f6e0747f9890

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
727B

MD5
dcba1cc19f2d5bba73b2a0593590d9fc

SHA1
59178350d6fe2313ac264cbeca4de7162998fd25

SHA256
8a9f5e6ead55364d979821f5c3180a9643dd27302d7665c06c78e62e062fb3e0

SHA512
894b2ab3ea95e34a7f919d507b1b9f251e31ce00f20f44e36fc95917dffc40fc158029122795d9093257697dc21620244ab7f51a19b9d2f2af8987e8908bd32a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
Filesize
314B

MD5
01ca89040ab6c710c1ebf797e437d5a4

SHA1
e547b31455b7b3f1870568ef6395a98bd97de194

SHA256
1ff34b2329a402473c305489066dc47e0ef2769b58e4f5bb7ce073e6d4bff389

SHA512
e3c39a3b17b2e976c95e4217d8818a6bdaacbfcf8f317a612a60b631bad81b825f10bceeb68968e9001bfd8f1132e9e0450d80e5edcd6aec8641b97e6946d17a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94D451DDCFFF94F1A6B8406468FA3558_4153D76C26F33196FBC8A8AE835AB7C4
Filesize
410B

MD5
25598520931c50cb0f8cab488583ea39

SHA1
83a43b378f066b915f03808afc6470f90b1258cd

SHA256
92638c9ec5260dffbafa78eb7bea000b8e4bfa0184e8d357012faa573c7192af

SHA512
4c0b1dea5c097ba3d23b69422c0f388511ece29a9767957ec910da00988a8277c6a0ab74c51dd9b8bf54014cb0c4b3ee73bcd063d428191cdbec2feb00c84fb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
478B

MD5
5151a1e30806fff0c5c43e2fc8f95583

SHA1
164f931d6481990ffabcc84c05174ae549021b5c

SHA256
70c9c8f4c0802e8c8e1d160965db349b9ef54c14759ced51f6e4fc020cbfd276

SHA512
4ac5c2d34277ee94a8953be237c9ab7f553a24f233cb2e9fe7d78c82a2f1ee4f1ec68187267ea87169c35b5fea7afbe65019f554cc01bbad9c5f7665d3fe1e3d

Download Submit
C:\Windows\Installer\MSI1798.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI1798.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI7BB2.tmp
Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
C:\Windows\Installer\MSI7BB2.tmp
Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
C:\Windows\Installer\MSI7C5F.tmp
Filesize
205KB

MD5
f101c603e2f8032e94c1e4df3616bd96

SHA1
da8fe6f8c2b9c3cb027c52d0434af8d2af3e0155

SHA256
bd8d4d479bc93ef1fd3e29e9068395529ec66c746a3976b4ed5722b79163eeca

SHA512
1983073c237eb7c136fce5a9fc090ca9a21c45149f20fb8dd25934747909643ed4e32eec0a397701c61d769a699a0c8dfe722d68be12d5c60a14feac76ed46d3

Download Submit
C:\Windows\Installer\MSI7C5F.tmp
Filesize
205KB

MD5
f101c603e2f8032e94c1e4df3616bd96

SHA1
da8fe6f8c2b9c3cb027c52d0434af8d2af3e0155

SHA256
bd8d4d479bc93ef1fd3e29e9068395529ec66c746a3976b4ed5722b79163eeca

SHA512
1983073c237eb7c136fce5a9fc090ca9a21c45149f20fb8dd25934747909643ed4e32eec0a397701c61d769a699a0c8dfe722d68be12d5c60a14feac76ed46d3

Download Submit
C:\Windows\Installer\MSI9FDE.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI9FDE.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIA33B.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIA33B.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIA407.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIA407.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIA407.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIA427.tmp
Filesize
561KB

MD5
5576bf4d22dc695564e49a68cbc98bc2

SHA1
80e0e045162a65d84939e22a821ecbbbde3f31d6

SHA256
20f76ffd846155a41633d75cb2e784e54f6ec77ca9ca9d52d9510c3e2e918801

SHA512
4b952ce6ef08c86d8594fadd1069c3af39c3465314716dc7e7d9937befab8f4db5e4920a901920af4f937e5bb80ca02c33406d54cc766920b8ebba3855500972

Download Submit
C:\Windows\Installer\MSIA427.tmp
Filesize
561KB

MD5
5576bf4d22dc695564e49a68cbc98bc2

SHA1
80e0e045162a65d84939e22a821ecbbbde3f31d6

SHA256
20f76ffd846155a41633d75cb2e784e54f6ec77ca9ca9d52d9510c3e2e918801

SHA512
4b952ce6ef08c86d8594fadd1069c3af39c3465314716dc7e7d9937befab8f4db5e4920a901920af4f937e5bb80ca02c33406d54cc766920b8ebba3855500972

Download Submit
C:\Windows\Installer\MSIA486.tmp
Filesize
205KB

MD5
f101c603e2f8032e94c1e4df3616bd96

SHA1
da8fe6f8c2b9c3cb027c52d0434af8d2af3e0155

SHA256
bd8d4d479bc93ef1fd3e29e9068395529ec66c746a3976b4ed5722b79163eeca

SHA512
1983073c237eb7c136fce5a9fc090ca9a21c45149f20fb8dd25934747909643ed4e32eec0a397701c61d769a699a0c8dfe722d68be12d5c60a14feac76ed46d3

Download Submit
C:\Windows\Installer\MSIA486.tmp
Filesize
205KB

MD5
f101c603e2f8032e94c1e4df3616bd96

SHA1
da8fe6f8c2b9c3cb027c52d0434af8d2af3e0155

SHA256
bd8d4d479bc93ef1fd3e29e9068395529ec66c746a3976b4ed5722b79163eeca

SHA512
1983073c237eb7c136fce5a9fc090ca9a21c45149f20fb8dd25934747909643ed4e32eec0a397701c61d769a699a0c8dfe722d68be12d5c60a14feac76ed46d3

Download Submit
C:\Windows\Installer\MSIA581.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIA581.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIBD22.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIBD22.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSID965.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSID965.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\e569947.msi
Filesize
124.2MB

MD5
7c505e3aab5a2359ea78b1c65bbd92c1

SHA1
a8c6de80c1e5072bdd097110bd9bd41d4fa336fd

SHA256
96e7875d3e0134218c07b6c78da8d5a2e49008cea091c14a854fddf9fc1cec73

SHA512
11f82a93e61f87a34e9b4ae9ea712337a818de1aecc349885057c54735c0094754f2322bf0967e56d6c289f0da06a198f1128b09356b9d49cb069ffd80364258

Download Submit
C:\Windows\Installer\e569957.msi
Filesize
8.0MB

MD5
ca5e930be86d16a361ff4478a705d6eb

SHA1
b54877e46954e58077e833db3d4572c5f83c6065

SHA256
2867e9fcd9c2df689972d49703a7a72e038fb1974de7b5bc229994a20401b258

SHA512
24d4aba749a6a802b32476131f26ae9986e2a5ea223e3160116707552f4d8b6d897b12229f26f73ae4334d91bdc7e45078e3deb2ef0b17c37ad9bd87c82e3565

Download Submit
C:\Windows\Installer\e56996a.msi
Filesize
3.3MB

MD5
2568ccb100090e6462275fa91026fa01

SHA1
e456aea532f1b9f338d2baa60f8e9e4068e40dae

SHA256
a8324234abd0ac5e70bede162aa404d478f99d883d7dfa87b6f809904895d6a9

SHA512
692205a356fecb53931d30cb3140f5d3eadfdfe498a055ef5098a65c027795a888a647894329189e659c5f50e92dca894499bb271ef83ecf3af9d12cf3d401b5

Download Submit
C:\Windows\Temp\{675D854C-9F42-49EA-8847-6D93DAF09BB1}\.cr\python.exe
Filesize
843KB

MD5
908269084a2640ad902dc4b687d00e34

SHA1
3afe99b8576bab28101c94bdd179d760e601593f

SHA256
56113d5c65b3c3a4137be32fe84765c43cfe18445eb6ec0535cbfefb1ebd82ad

SHA512
e3b11566d4ef3323947a496ef50cfa3379afa4a44fea78f73af71b94548ece1392d8e6c9a9129eac65661ceeb54cdb095da902fcc61d4ad03f4badb81f9586c3

Download Submit
C:\Windows\Temp\{675D854C-9F42-49EA-8847-6D93DAF09BB1}\.cr\python.exe
Filesize
843KB

MD5
908269084a2640ad902dc4b687d00e34

SHA1
3afe99b8576bab28101c94bdd179d760e601593f

SHA256
56113d5c65b3c3a4137be32fe84765c43cfe18445eb6ec0535cbfefb1ebd82ad

SHA512
e3b11566d4ef3323947a496ef50cfa3379afa4a44fea78f73af71b94548ece1392d8e6c9a9129eac65661ceeb54cdb095da902fcc61d4ad03f4badb81f9586c3

Download Submit
C:\Windows\Temp\{FAA98C59-B8BF-44E1-88A4-3B9001E79D70}\.ba\PythonBA.dll
Filesize
604KB

MD5
92b28f795f91bcd1ae8ef6621a4db018

SHA1
3a7d9afd8dd4e9edae9bb8a96a664298eb6be2ec

SHA256
af35eee81df7d356efbeeccbea7b1d86181f4e36a9168673a2fb5faa788e9903

SHA512
2ee975bf151cf4058015feb84285b867bf1891541beb9847f8913c2d7eb419176ebd4e1f80a18d4add7f6904b37f924c3d3b1e3b251ee9ab069758533dce49be

Download Submit
C:\Windows\Temp\{FAA98C59-B8BF-44E1-88A4-3B9001E79D70}\.ba\SideBar.png
Filesize
56KB

MD5
ca62a92ad5b307faeac640cd5eb460ed

SHA1
5edf8b5fc931648f77a2a131e4c733f1d31b548e

SHA256
f3109977125d4a3a3ffa17462cfc31799589f466a51d226d1d1f87df2f267627

SHA512
f7b3001a957f393298b0ff2aa08b400f8639f2f0487a34ac2a0e8d9519765ac92249185ebe45f907bc9d2f8556fdd39095c52f890330a35edf71ae49df32e27a

Download Submit
C:\Windows\Temp\{FAA98C59-B8BF-44E1-88A4-3B9001E79D70}\.be\python-3.9.9-amd64.exe
Filesize
843KB

MD5
908269084a2640ad902dc4b687d00e34

SHA1
3afe99b8576bab28101c94bdd179d760e601593f

SHA256
56113d5c65b3c3a4137be32fe84765c43cfe18445eb6ec0535cbfefb1ebd82ad

SHA512
e3b11566d4ef3323947a496ef50cfa3379afa4a44fea78f73af71b94548ece1392d8e6c9a9129eac65661ceeb54cdb095da902fcc61d4ad03f4badb81f9586c3

Download Submit
C:\Windows\Temp\{FAA98C59-B8BF-44E1-88A4-3B9001E79D70}\.be\python-3.9.9-amd64.exe
Filesize
843KB

MD5
908269084a2640ad902dc4b687d00e34

SHA1
3afe99b8576bab28101c94bdd179d760e601593f

SHA256
56113d5c65b3c3a4137be32fe84765c43cfe18445eb6ec0535cbfefb1ebd82ad

SHA512
e3b11566d4ef3323947a496ef50cfa3379afa4a44fea78f73af71b94548ece1392d8e6c9a9129eac65661ceeb54cdb095da902fcc61d4ad03f4badb81f9586c3

Download Submit
C:\Windows\Temp\{FAA98C59-B8BF-44E1-88A4-3B9001E79D70}\.be\python-3.9.9-amd64.exe
Filesize
843KB

MD5
908269084a2640ad902dc4b687d00e34

SHA1
3afe99b8576bab28101c94bdd179d760e601593f

SHA256
56113d5c65b3c3a4137be32fe84765c43cfe18445eb6ec0535cbfefb1ebd82ad

SHA512
e3b11566d4ef3323947a496ef50cfa3379afa4a44fea78f73af71b94548ece1392d8e6c9a9129eac65661ceeb54cdb095da902fcc61d4ad03f4badb81f9586c3

Download Submit
C:\Windows\Temp\{FAA98C59-B8BF-44E1-88A4-3B9001E79D70}\core_AllUsers
Filesize
1.6MB

MD5
3de9c185465a75055c54326b94c5d38e

SHA1
ffa0592ba45dced944b29cfc935d0e6709039536

SHA256
e24ce58c4f20e44425fdf1251e347c549590d7a8df9b6a526b3a9cad6187426e

SHA512
bf2bef61d2d40f8425ddbfacdbbcaca35c3a8d754aa8999de1e6fb0e9e666ea00de30e0f67ef977e955de3835acd514c967143a6bf751e9572bf0ac2104d8879

Download Submit
C:\Windows\Temp\{FAA98C59-B8BF-44E1-88A4-3B9001E79D70}\dev_AllUsers
Filesize
284KB

MD5
195bb6fcb203e2a0ece6b06f1cd84c3b

SHA1
b55d21f730b434837125a2f0e84aaba9b94e0912

SHA256
3547d0a15953cb4e0464c77e58868bf1f2c728179e7cde8c9febf45c367de4ec

SHA512
649bd002053006dac6146fbd2605a6c42e16f0ee8f24d5c8caf29ca25b87e6fd916611577b75d2579013aa2381a7c706759ed3ac6b695527ac74bf2685713a63

Download Submit
C:\Windows\Temp\{FAA98C59-B8BF-44E1-88A4-3B9001E79D70}\exe_AllUsers
Filesize
544KB

MD5
5fb52ab49f02c7578a460b2c0bf532dd

SHA1
ab84b385a79e15e05e4d0b9715b2c5458d71d11f

SHA256
8ba19052bf5f0f66a8a2414b8c2a12a5b96a681160d3506cb13b2343756a423c

SHA512
d0205786f379c8c9ec0a176f91d99f3af5609f5d85fec1d357cdc2907a7509ed8dec98abb60765fab0569c2f3a107087b4bbbc1348db1b3562be541f83ea6a5b

Download Submit
C:\Windows\Temp\{FAA98C59-B8BF-44E1-88A4-3B9001E79D70}\tools_AllUsers
Filesize
196KB

MD5
a3e7eec67ea6c60e1a1afa4381faf3d4

SHA1
66bdac77ec685e144e5e735ae4aa334be79c5f9d

SHA256
4b8ee7fab1375c3f2fb10f17a635dafdc37508c717ffc22ffc5ff09e27e6a972

SHA512
bf7c0220f32d4533284a0e61c52c9332c4b6d65f658d96cd7f6373ee84ec6b8bd68f46ac8f5fd4878ae57d11b850c220f55fe8d4081262520be2ef3bf3d3db85

Download Submit
memory/644-686-0x0000000000400000-0x00000000025D7000-memory.dmp

Filesize
33.8MB

Download
memory/644-671-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

Filesize
4KB

Download
memory/644-695-0x0000000000400000-0x00000000025D7000-memory.dmp

Filesize
33.8MB

Download
memory/644-689-0x0000000008770000-0x0000000008771000-memory.dmp

Filesize
4KB

Download
memory/880-709-0x0000000000400000-0x00000000025D7000-memory.dmp

Filesize
33.8MB

Download
memory/880-712-0x0000000000400000-0x00000000025D7000-memory.dmp

Filesize
33.8MB

Download
memory/880-707-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

Filesize
4KB

Download
memory/3504-708-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/3504-691-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/4284-665-0x0000000000400000-0x00000000025D7000-memory.dmp

Filesize
33.8MB

Download
memory/4284-664-0x0000000006170000-0x0000000006171000-memory.dmp

Filesize
4KB

Download
memory/4284-663-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/4668-676-0x00000000043C0000-0x000000000467C000-memory.dmp

Filesize
2.7MB

Download