b9af99662b24a9aa6c7f006673dafe005c67cea99d74af6c8f92b967e0cd5a4e

Analysis

max time kernel
105s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gu5setup.exe
Size

20.1MB
MD5

60c1e488b8fa79a72c7eba52c2d2102d
SHA1

5776fc3a01a321fb55782595430f7c6a1699b678
SHA256

b9af99662b24a9aa6c7f006673dafe005c67cea99d74af6c8f92b967e0cd5a4e
SHA512

7634e84c7bc180d79c69b81e0d5045023070431c00848951215b9c52fa8736d2f260098e07e2d476508b1d1308183b60ff9b8192d6533a6f17de6742610a5fc9
SSDEEP

393216:4hhFSWtiLF5t7NfNSeDTcjw22RJp1ZxxjYDk0:6IJXVceDnRJzZQ

Score

8^/10

bootkit discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

StartupManager.exe

description ioc process

File created C:\Windows\System32\drivers\GUBootStartup.sys StartupManager.exe

description	ioc	process
File created	C:\Windows\System32\drivers\GUBootStartup.sys	StartupManager.exe

Uses Session Manager for persistence 2 TTPs 1 IoCs

Creates Session Manager registry key to run executable early in system boot.

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DiskDefrag.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a00200000000000	DiskDefrag.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

StartupManager.exeInitialize.exeIntegrator.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	StartupManager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Initialize.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Integrator.exe

Executes dropped EXE 13 IoCs

Processes:

GUAssistComSvc.exestatisticsinfo.exeDiskDefrag.exeStartupManager.exeGUBootService.exeGUPMService.exeprocmgr.exeInitialize.exeGUBootService.exeIntegrator.exeautoupdate.exeupgrade.exeSoftwareUpdate.exe

pid	process
1256	GUAssistComSvc.exe
1756	statisticsinfo.exe
3892	DiskDefrag.exe
4348	StartupManager.exe
860	GUBootService.exe
3364	GUPMService.exe
1796	procmgr.exe
4340	Initialize.exe
2344	GUBootService.exe
3744	Integrator.exe
984	autoupdate.exe
2884	upgrade.exe
1324	SoftwareUpdate.exe

Loads dropped DLL 64 IoCs

Processes:

gu5setup.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeDiskDefrag.exestatisticsinfo.exeStartupManager.exeprocmgr.exeInitialize.exe

pid	process
892	gu5setup.exe
892	gu5setup.exe
892	gu5setup.exe
892	gu5setup.exe
3080	regsvr32.exe
1544	regsvr32.exe
3984	regsvr32.exe
2644	regsvr32.exe
892	gu5setup.exe
3892	DiskDefrag.exe
3892	DiskDefrag.exe
3892	DiskDefrag.exe
3892	DiskDefrag.exe
3892	DiskDefrag.exe
3892	DiskDefrag.exe
3892	DiskDefrag.exe
3892	DiskDefrag.exe
3892	DiskDefrag.exe
3892	DiskDefrag.exe
1756	statisticsinfo.exe
1756	statisticsinfo.exe
892	gu5setup.exe
892	gu5setup.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
4348	StartupManager.exe
1796	procmgr.exe
1796	procmgr.exe
1796	procmgr.exe
1796	procmgr.exe
1796	procmgr.exe
1796	procmgr.exe
1796	procmgr.exe
1796	procmgr.exe
4340	Initialize.exe
4340	Initialize.exe
4340	Initialize.exe
4340	Initialize.exe
4340	Initialize.exe
4340	Initialize.exe
4340	Initialize.exe
4340	Initialize.exe
4340	Initialize.exe
4340	Initialize.exe
4340	Initialize.exe
4340	Initialize.exe
4340	Initialize.exe
4340	Initialize.exe
4340	Initialize.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeGUAssistComSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B3C418F8-922B-4faf-915E-59BC14448CF7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6544943-452E-404F-9B94-93E27E656D85}\LocalServer32	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6544943-452E-404F-9B94-93E27E656D85}\LocalServer32\ = "\"C:\\Program Files (x86)\\Glary Utilities 5\\x64\\GUAssistComSvc.exe\""	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3186947E-13D8-4B22-9623-F1A1208C8841}\LocalServer32	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3186947E-13D8-4B22-9623-F1A1208C8841}\LocalServer32\ = "\"C:\\Program Files (x86)\\Glary Utilities 5\\x64\\GUAssistComSvc.exe\""	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B3C418F8-922B-4faf-915E-59BC14448CF7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B3C418F8-922B-4faf-915E-59BC14448CF7}\InprocServer32\ = "C:\\Program Files (x86)\\Glary Utilities 5\\x64\\ContextHandler.dll"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Integrator.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Integrator.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

DiskDefrag.exe

description ioc process

File opened for modification \??\PhysicalDrive0 DiskDefrag.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Integrator.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	DiskDefrag.exe

Drops file in Program Files directory 64 IoCs

Processes:

gu5setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Glary Utilities 5\skins\icons\SoftwareUpdate.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\system information\network.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\x64\MemfilesService.exe	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\languages\Croatian.lng	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\languages\Magyar2.lng	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\SysInfo\OverViewNode.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\default\images\main_close_hover.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\Uninstaller\RarelyUsed.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\data\junkInfo.ini	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\languages\latvian.lng	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\DiskCleaner\oc_btn_click.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\StartupManager\search_icon.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\languages\Slovak_momirek.lng	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Native\win10_x64\BootDefragDriver.sys	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\Uninstaller\Recently.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\icons\filesplitter.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\icons\emptyfolderfinder.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\languages\French (Ad Lib).lng	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\languages\Portuguese_Brazilian.lng	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\QuickSearch\images\quick_search_clear_keyword2.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\default\images\btn_normal.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\languages\Armenian.lng	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\icons\repairsystem.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\default\images\skin_custom.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\icons\quicksearch.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\icons\registryrestore.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\x64\mfc90u.dll	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\msvcm90.dll	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\RegistryCleaner\activenow_normal.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\Uninstaller\Large.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\default\images\main_setting_6.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\languages\Hungarian.lng	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Native\win7_x86\BootDefragDriver.sys	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\QuickSearch\images\logo.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\default\images\ad_ca_files_normal.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\TracksEraser\activenow_hover.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\CheckDisk.exe	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\CrashReport.exe	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\gsd.exe	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\QuickSearch\images\min_windows3.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\data\xdata.dat	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\PortableMaker\btn_normal.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\default\images\oc_btn_hover.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\system information\normalhot.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\data\registry.dat	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\languages\Francais.lng	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\QuickSearch\images\quick_search_history.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\default\images\oc_cancel_click.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\QuickSearch\images\button_unexpand3.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\QuickSearch\images\main_menu2.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\default\images\logo.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\default\images\oneclickmaintenance_needclear_bg.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Config_Portable.dll	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\QuickSearch.exe	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\languages\Magyar.lng	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\QuickSearch\images\button_right.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\icons\CheckUpdate.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\RegistryCleaner\activenow_hover.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\default\images\main_right_top_mark_hover_bg.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\CheckUpdate.exe	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\QuickSearch\images\main_max.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\QuickSearch\images\menu.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\Resources\QuickSearch\images\mini_close.png	gu5setup.exe
File created	C:\Program Files (x86)\Glary Utilities 5\skins\system information\windows.png	gu5setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\statisticsinfo.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\statisticsinfo.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\statisticsinfo.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\statisticsinfo.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

Processes:

GUAssistComSvc.exegu5setup.exeregsvr32.exeGUBootService.exeregsvr32.exeregsvr32.exeGUBootService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3186947E-13D8-4B22-9623-F1A1208C8841}\Programmable	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GU.Encrypted\ = "Glary Utilities Encrypted File"	gu5setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31FB3410-EA8B-4931-91C5-ADA7B91D953B}\ = "_DGridMap_CtrlEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GUAssistComSvc.GUShellLink\ = "GUShellLink Class"	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GUAssistComSvc.GUShellLink\CurVer\ = "GUAssistComSvc.GUShellLink.1"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GUBootService.BootService.1\CLSID	GUBootService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31FB3410-EA8B-4931-91C5-ADA7B91D953B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3186947E-13D8-4B22-9623-F1A1208C8841}\ = "ShellContextMenu Class"	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3DA5E31D-E553-4525-8AC5-EBD92B29A408}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Glary Utilities 5\\x64"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{801C00B0-20FC-4058-B72B-9304B946D221}\TypeLib	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD50332F-185B-4D3C-B921-E0B65E547F28}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{35AE4004-4194-4243-92AA-351BB7239539}\1.0\FLAGS\ = "2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC9859D6-F6D3-4DD5-B0B2-FD2130EC36AC}\TypeLib\ = "{A9299FDE-3941-4C37-949C-630BEBCA9BB9}"	GUBootService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GU.Encrypted\Shell\Open\Command	gu5setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{260ED783-0E9F-41B7-A0B3-B75A2CCEEB43}\ProxyStubClsid32	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{260ED783-0E9F-41B7-A0B3-B75A2CCEEB43}\TypeLib	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Glary Utilities\ = "{B3C418F8-922B-4faf-915E-59BC14448CF7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ContextHandler.CContextMenu\CurVer\ = "ContextHandler.CContextMenu.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6544943-452E-404F-9B94-93E27E656D85}\Programmable	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{801C00B0-20FC-4058-B72B-9304B946D221}\TypeLib\Version = "1.0"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71F03427-4342-4D6F-B71A-C7320428EFEE}\Programmable	GUBootService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC9859D6-F6D3-4DD5-B0B2-FD2130EC36AC}\TypeLib\Version = "1.0"	GUBootService.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\*\shellex	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3C418F8-922B-4faf-915E-59BC14448CF7}\ = "CContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{35AE4004-4194-4243-92AA-351BB7239539}\1.0\ = "GridMap ActiveX ¿Ø¼þÄ£¿é"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\*\shellex	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC9859D6-F6D3-4DD5-B0B2-FD2130EC36AC}\ = "IBootService"	GUBootService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GU.Encrypted\DefaultIcon	gu5setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B3C418F8-922B-4faf-915E-59BC14448CF7}\ = "CContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GUBootService.BootService\CurVer\ = "GUBootService.BootService.1"	GUBootService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A9299FDE-3941-4C37-949C-630BEBCA9BB9}\1.0\HELPDIR	GUBootService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71F03427-4342-4D6F-B71A-C7320428EFEE}	GUBootService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71F03427-4342-4D6F-B71A-C7320428EFEE}\AppID = "{CB4B4EAB-4ABB-4702-BB38-E3A1A1D5D67D}"	GUBootService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C97FA4-8378-42BF-A6F9-D615EB1272D7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B3C418F8-922B-4faf-915E-59BC14448CF7}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0BCB705C-0F64-405B-8CB3-CDF41B796E19}\ = "GUAssistComSvc"	GUAssistComSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\*\shellex\ContextMenuHandlers\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2DA46AF-A5CD-47A5-B345-7764100E3F97}\TypeLib	GUBootService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GRIDMAP_CTRL.GridMapCtrl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71F03427-4342-4D6F-B71A-C7320428EFEE}\TypeLib\ = "{A9299FDE-3941-4C37-949C-630BEBCA9BB9}"	GUBootService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GU.Splitted\Shell	gu5setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3C418F8-922B-4faf-915E-59BC14448CF7}\ProgID\ = "ContextHandler.CContextMenu.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GUBootService.SessionStartup.1	GUBootService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GUBootService.EXE\AppID = "{CB4B4EAB-4ABB-4702-BB38-E3A1A1D5D67D}"	GUBootService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GUBootService.BootService\CurVer\ = "GUBootService.BootService.1"	GUBootService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31FB3410-EA8B-4931-91C5-ADA7B91D953B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GUBootService.EXE\AppID = "{CB4B4EAB-4ABB-4702-BB38-E3A1A1D5D67D}"	GUBootService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DED4F83E-5A2C-4971-AA04-E57134816579}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GUBootService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B52C0F28-8D4C-4886-965C-0A772490064E}\1.0\0\win32\ = "C:\\Program Files (x86)\\Glary Utilities 5\\ContextHandler.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{801C00B0-20FC-4058-B72B-9304B946D221}\TypeLib\ = "{3DA5E31D-E553-4525-8AC5-EBD92B29A408}"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71F03427-4342-4D6F-B71A-C7320428EFEE}\ProgID	GUBootService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A805009D-B902-439A-8E64-26EE3507A12E}\ = "ContextHandler"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GUAssistComSvc.ShellContextMenu\CurVer	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\ProxyStubClsid32	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58B505BE-F589-4E8E-8BF2-B78E078CA8F7}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD50332F-185B-4D3C-B921-E0B65E547F28}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2DA46AF-A5CD-47A5-B345-7764100E3F97}\Programmable	GUBootService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\Glary Utilities\ = "{B3C418F8-922B-4faf-915E-59BC14448CF7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71F03427-4342-4D6F-B71A-C7320428EFEE}\LocalServer32\ = "\"C:\\Program Files (x86)\\Common Files\\Glarysoft\\StartupManager\\1.0\\GUBootService.exe\""	GUBootService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ContextHandler.CContextMenu.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B3C418F8-922B-4faf-915E-59BC14448CF7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{260ED783-0E9F-41B7-A0B3-B75A2CCEEB43}\TypeLib\ = "{3DA5E31D-E553-4525-8AC5-EBD92B29A408}"	GUAssistComSvc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gu5setup.exeInitialize.exeIntegrator.exemsedge.exemsedge.exe

pid	process
892	gu5setup.exe
892	gu5setup.exe
892	gu5setup.exe
892	gu5setup.exe
4340	Initialize.exe
4340	Initialize.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
1820	msedge.exe
1820	msedge.exe
3928	msedge.exe
3928	msedge.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Integrator.exe

pid process

3744 Integrator.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

3928 msedge.exe
3928 msedge.exe
3928 msedge.exe
3928 msedge.exe

pid	process
3744	Integrator.exe

pid	process
668
668

pid	process
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

DiskDefrag.exeStartupManager.exeprocmgr.exeInitialize.exeIntegrator.exeautoupdate.exeupgrade.exeSoftwareUpdate.exe

description	pid	process
Token: SeDebugPrivilege	3892	DiskDefrag.exe
Token: SeDebugPrivilege	4348	StartupManager.exe
Token: SeDebugPrivilege	1796	procmgr.exe
Token: SeDebugPrivilege	1796	procmgr.exe
Token: SeDebugPrivilege	4340	Initialize.exe
Token: SeDebugPrivilege	4340	Initialize.exe
Token: SeDebugPrivilege	4340	Initialize.exe
Token: SeDebugPrivilege	4340	Initialize.exe
Token: SeDebugPrivilege	4340	Initialize.exe
Token: SeDebugPrivilege	3744	Integrator.exe
Token: SeDebugPrivilege	3744	Integrator.exe
Token: SeDebugPrivilege	3744	Integrator.exe
Token: SeDebugPrivilege	984	autoupdate.exe
Token: SeDebugPrivilege	2884	upgrade.exe
Token: SeDebugPrivilege	3744	Integrator.exe
Token: SeDebugPrivilege	1324	SoftwareUpdate.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Integrator.exemsedge.exe

pid process

3744 Integrator.exe
3928 msedge.exe
3928 msedge.exe
3928 msedge.exe
3928 msedge.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Integrator.exe

pid process

3744 Integrator.exe

pid	process
3744	Integrator.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe

pid	process
3744	Integrator.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

DiskDefrag.exeStartupManager.exeprocmgr.exeInitialize.exeIntegrator.exeautoupdate.exeupgrade.exeSoftwareUpdate.exe

pid	process
3892	DiskDefrag.exe
4348	StartupManager.exe
1796	procmgr.exe
1796	procmgr.exe
4340	Initialize.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
3744	Integrator.exe
984	autoupdate.exe
2884	upgrade.exe
2884	upgrade.exe
1324	SoftwareUpdate.exe
1324	SoftwareUpdate.exe
1324	SoftwareUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

gu5setup.exenet.exeregsvr32.exenet.exeStartupManager.exeInitialize.exemsedge.exeIntegrator.exe

description	pid	process	target process
PID 892 wrote to memory of 3416	892	gu5setup.exe	net.exe
PID 892 wrote to memory of 3416	892	gu5setup.exe	net.exe
PID 892 wrote to memory of 3416	892	gu5setup.exe	net.exe
PID 3416 wrote to memory of 4656	3416	net.exe	net1.exe
PID 3416 wrote to memory of 4656	3416	net.exe	net1.exe
PID 3416 wrote to memory of 4656	3416	net.exe	net1.exe
PID 892 wrote to memory of 3080	892	gu5setup.exe	regsvr32.exe
PID 892 wrote to memory of 3080	892	gu5setup.exe	regsvr32.exe
PID 892 wrote to memory of 3080	892	gu5setup.exe	regsvr32.exe
PID 892 wrote to memory of 1544	892	gu5setup.exe	regsvr32.exe
PID 892 wrote to memory of 1544	892	gu5setup.exe	regsvr32.exe
PID 892 wrote to memory of 1544	892	gu5setup.exe	regsvr32.exe
PID 1544 wrote to memory of 3984	1544	regsvr32.exe	regsvr32.exe
PID 1544 wrote to memory of 3984	1544	regsvr32.exe	regsvr32.exe
PID 892 wrote to memory of 2644	892	gu5setup.exe	regsvr32.exe
PID 892 wrote to memory of 2644	892	gu5setup.exe	regsvr32.exe
PID 892 wrote to memory of 2644	892	gu5setup.exe	regsvr32.exe
PID 892 wrote to memory of 1256	892	gu5setup.exe	GUAssistComSvc.exe
PID 892 wrote to memory of 1256	892	gu5setup.exe	GUAssistComSvc.exe
PID 892 wrote to memory of 1756	892	gu5setup.exe	statisticsinfo.exe
PID 892 wrote to memory of 1756	892	gu5setup.exe	statisticsinfo.exe
PID 892 wrote to memory of 1756	892	gu5setup.exe	statisticsinfo.exe
PID 892 wrote to memory of 3892	892	gu5setup.exe	DiskDefrag.exe
PID 892 wrote to memory of 3892	892	gu5setup.exe	DiskDefrag.exe
PID 892 wrote to memory of 3892	892	gu5setup.exe	DiskDefrag.exe
PID 892 wrote to memory of 808	892	gu5setup.exe	net.exe
PID 892 wrote to memory of 808	892	gu5setup.exe	net.exe
PID 892 wrote to memory of 808	892	gu5setup.exe	net.exe
PID 808 wrote to memory of 4736	808	net.exe	net1.exe
PID 808 wrote to memory of 4736	808	net.exe	net1.exe
PID 808 wrote to memory of 4736	808	net.exe	net1.exe
PID 892 wrote to memory of 4348	892	gu5setup.exe	StartupManager.exe
PID 892 wrote to memory of 4348	892	gu5setup.exe	StartupManager.exe
PID 892 wrote to memory of 4348	892	gu5setup.exe	StartupManager.exe
PID 4348 wrote to memory of 860	4348	StartupManager.exe	GUBootService.exe
PID 4348 wrote to memory of 860	4348	StartupManager.exe	GUBootService.exe
PID 4348 wrote to memory of 860	4348	StartupManager.exe	GUBootService.exe
PID 892 wrote to memory of 3364	892	gu5setup.exe	GUPMService.exe
PID 892 wrote to memory of 3364	892	gu5setup.exe	GUPMService.exe
PID 892 wrote to memory of 3364	892	gu5setup.exe	GUPMService.exe
PID 892 wrote to memory of 1796	892	gu5setup.exe	procmgr.exe
PID 892 wrote to memory of 1796	892	gu5setup.exe	procmgr.exe
PID 892 wrote to memory of 1796	892	gu5setup.exe	procmgr.exe
PID 892 wrote to memory of 4340	892	gu5setup.exe	Initialize.exe
PID 892 wrote to memory of 4340	892	gu5setup.exe	Initialize.exe
PID 892 wrote to memory of 4340	892	gu5setup.exe	Initialize.exe
PID 4340 wrote to memory of 2344	4340	Initialize.exe	GUBootService.exe
PID 4340 wrote to memory of 2344	4340	Initialize.exe	GUBootService.exe
PID 4340 wrote to memory of 2344	4340	Initialize.exe	GUBootService.exe
PID 892 wrote to memory of 3088	892	gu5setup.exe	SchTasks.exe
PID 892 wrote to memory of 3088	892	gu5setup.exe	SchTasks.exe
PID 892 wrote to memory of 3088	892	gu5setup.exe	SchTasks.exe
PID 892 wrote to memory of 3744	892	gu5setup.exe	Integrator.exe
PID 892 wrote to memory of 3744	892	gu5setup.exe	Integrator.exe
PID 892 wrote to memory of 3744	892	gu5setup.exe	Integrator.exe
PID 892 wrote to memory of 3928	892	gu5setup.exe	msedge.exe
PID 892 wrote to memory of 3928	892	gu5setup.exe	msedge.exe
PID 3928 wrote to memory of 3232	3928	msedge.exe	msedge.exe
PID 3928 wrote to memory of 3232	3928	msedge.exe	msedge.exe
PID 3744 wrote to memory of 984	3744	Integrator.exe	autoupdate.exe
PID 3744 wrote to memory of 984	3744	Integrator.exe	autoupdate.exe
PID 3744 wrote to memory of 984	3744	Integrator.exe	autoupdate.exe
PID 3744 wrote to memory of 2884	3744	Integrator.exe	upgrade.exe
PID 3744 wrote to memory of 2884	3744	Integrator.exe	upgrade.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\gu5setup.exe
"C:\Users\Admin\AppData\Local\Temp\gu5setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\net.exe
net stop GUPMService
2⤵
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop GUPMService
3⤵
PID:4656

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Glary Utilities 5\GridMap.ocx"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:3080

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Glary Utilities 5\x64\ContextHandler.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Glary Utilities 5\x64\ContextHandler.dll"
3⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:3984

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Glary Utilities 5\ContextHandler.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:2644

C:\Program Files (x86)\Glary Utilities 5\x64\GUAssistComSvc.exe
"C:\Program Files (x86)\Glary Utilities 5\x64\GUAssistComSvc.exe" /RegServer
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:1256

C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\statisticsinfo.exe
"C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\statisticsinfo.exe" /install /GU5
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756

C:\Program Files (x86)\Glary Utilities 5\DiskDefrag.exe
"C:\Program Files (x86)\Glary Utilities 5\DiskDefrag.exe" -InstallNative
2⤵
- Uses Session Manager for persistence
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3892

C:\Windows\SysWOW64\net.exe
net stop GUBootService
2⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop GUBootService
3⤵
PID:4736

C:\Program Files (x86)\Glary Utilities 5\StartupManager.exe
"C:\Program Files (x86)\Glary Utilities 5\StartupManager.exe" -install
2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4348

C:\Program Files (x86)\Common Files\Glarysoft\StartupManager\1.0\GUBootService.exe
"C:\Program Files (x86)\Common Files\Glarysoft\StartupManager\1.0\GUBootService.exe" /Service
3⤵
- Executes dropped EXE
- Modifies registry class
PID:860

C:\Program Files (x86)\Glary Utilities 5\GUPMService.exe
"C:\Program Files (x86)\Glary Utilities 5\GUPMService.exe" /Service
2⤵
- Executes dropped EXE
PID:3364

C:\Program Files (x86)\Glary Utilities 5\procmgr.exe
"C:\Program Files (x86)\Glary Utilities 5\procmgr.exe" -guupdate
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Program Files (x86)\Glary Utilities 5\Initialize.exe
"C:\Program Files (x86)\Glary Utilities 5\Initialize.exe" /setupschedule /installinit
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4340

C:\Program Files (x86)\Common Files\Glarysoft\StartupManager\1.0\GUBootService.exe
"C:\Program Files (x86)\Common Files\Glarysoft\StartupManager\1.0\GUBootService.exe" /Service
3⤵
- Executes dropped EXE
- Modifies registry class
PID:2344

C:\Windows\SysWOW64\SchTasks.exe
SchTasks /Delete /TN GU5SkipUAC /F
2⤵
PID:3088

C:\Program Files (x86)\Glary Utilities 5\Integrator.exe
"C:\Program Files (x86)\Glary Utilities 5\Integrator.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3744

C:\Program Files (x86)\Glary Utilities 5\autoupdate.exe
"C:\Program Files (x86)\Glary Utilities 5\autoupdate.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:984

C:\Program Files (x86)\Glary Utilities 5\upgrade.exe
"C:\Program Files (x86)\Glary Utilities 5\upgrade.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Program Files (x86)\Glary Utilities 5\SoftwareUpdate.exe
"C:\Program Files (x86)\Glary Utilities 5\SoftwareUpdate.exe" -autorun show
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1324

C:\Program Files (x86)\Glary Utilities 5\x64\MemfilesService.exe
"C:\Program Files (x86)\Glary Utilities 5\x64\MemfilesService.exe"
3⤵
PID:5768

C:\Program Files (x86)\Glary Utilities 5\x64\CheckDiskProgress.exe
"C:\Program Files (x86)\Glary Utilities 5\x64\CheckDiskProgress.exe" CheckDiskPro240681843
3⤵
PID:5824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.glarysoft.com/update/release-notes/?p=1&v=5.203.0.232&l=1&src=10000
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbc93346f8,0x7ffbc9334708,0x7ffbc9334718
3⤵
PID:3232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4213237091973785321,9476214710134101420,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
3⤵
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,4213237091973785321,9476214710134101420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,4213237091973785321,9476214710134101420,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:8
3⤵
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4213237091973785321,9476214710134101420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
3⤵
PID:1320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4213237091973785321,9476214710134101420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
3⤵
PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4213237091973785321,9476214710134101420,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
3⤵
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4213237091973785321,9476214710134101420,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
3⤵
PID:2488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1488

C:\Program Files (x86)\Glary Utilities 5\x64\GUAssistComSvc.exe
"C:\Program Files (x86)\Glary Utilities 5\x64\GUAssistComSvc.exe" -Embedding
1⤵
PID:5672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Glary Utilities 5\AppMetrics.dll
Filesize
110KB

MD5
cd45c1e5d4b777dea8d505f77677756b

SHA1
d605d5f097a2de3b1ba097b59a364b6a9308132a

SHA256
905c67e4005e6ae0dca1d853a52951dc0a34da4a7534e9de3d920c5b372ebf11

SHA512
bcc8ef264757aee34990c6a756c5d78ebc057c9180dc2b70166c9fbfa3eb250618a6d266359cebbd26a631759474eda2eeabb81a1b791534c753aa977defa3e9

Download Submit
C:\Program Files (x86)\Glary Utilities 5\AppMetrics.dll
Filesize
110KB

MD5
cd45c1e5d4b777dea8d505f77677756b

SHA1
d605d5f097a2de3b1ba097b59a364b6a9308132a

SHA256
905c67e4005e6ae0dca1d853a52951dc0a34da4a7534e9de3d920c5b372ebf11

SHA512
bcc8ef264757aee34990c6a756c5d78ebc057c9180dc2b70166c9fbfa3eb250618a6d266359cebbd26a631759474eda2eeabb81a1b791534c753aa977defa3e9

Download Submit
C:\Program Files (x86)\Glary Utilities 5\BottDefrag.dll
Filesize
52KB

MD5
d45955824b6d8f286bc3dae692ff88f7

SHA1
e238b6f6b1ff28a6a6290c46c8119073940fbe1a

SHA256
443ad3763f4999cc33e8680e79e4930c30764f58e9422d7abbf35302d72f022b

SHA512
0bfd17ee3c85d346404bf2126679ad55ed4a338822f25f60a8fb26ab25ed9c222d7ff0b39688a445327b813d5ae38fce12e8e3eabce6216c3c661f8bdab7d3fe

Download Submit
C:\Program Files (x86)\Glary Utilities 5\BottDefrag.dll
Filesize
52KB

MD5
d45955824b6d8f286bc3dae692ff88f7

SHA1
e238b6f6b1ff28a6a6290c46c8119073940fbe1a

SHA256
443ad3763f4999cc33e8680e79e4930c30764f58e9422d7abbf35302d72f022b

SHA512
0bfd17ee3c85d346404bf2126679ad55ed4a338822f25f60a8fb26ab25ed9c222d7ff0b39688a445327b813d5ae38fce12e8e3eabce6216c3c661f8bdab7d3fe

Download Submit
C:\Program Files (x86)\Glary Utilities 5\CheckUpdate.dll
Filesize
803KB

MD5
e6cdca1a1995250c34e84f9b8fcf1475

SHA1
61c3b33b7ebc60724b504a094bab785aea6995ae

SHA256
b88e68bfd13dfc31f2db4920541a389328c1231032eb9313ed52e794061f1d7d

SHA512
71c072c6c9824f911cdc8ca1405771e7da0b849dda058a230503b55c577eacbe762a06153c43aaf60bfe963693802ac844f3d1263b9d6c4fa1071f05583d5421

Download Submit
C:\Program Files (x86)\Glary Utilities 5\CheckUpdate.dll
Filesize
803KB

MD5
e6cdca1a1995250c34e84f9b8fcf1475

SHA1
61c3b33b7ebc60724b504a094bab785aea6995ae

SHA256
b88e68bfd13dfc31f2db4920541a389328c1231032eb9313ed52e794061f1d7d

SHA512
71c072c6c9824f911cdc8ca1405771e7da0b849dda058a230503b55c577eacbe762a06153c43aaf60bfe963693802ac844f3d1263b9d6c4fa1071f05583d5421

Download Submit
C:\Program Files (x86)\Glary Utilities 5\Config.dll
Filesize
41KB

MD5
43b4c18da30b1dc7f7191cc02fd11e98

SHA1
f2bf81b48368e90385e7ed2e077fb8a2c0b70d6c

SHA256
9099a5a8fe7f2f8cdf4a7774a07450094d9cfa03a3b32a51baec897e3d93466f

SHA512
af1e3d0cc85af0941131e20c74ea50dcce02058d663027873f033007bfab9e3e88f5d72e65bf68b436b4ad3a8fd24dd07d541adc3e0134afa38f99df5821e2f7

Download Submit
C:\Program Files (x86)\Glary Utilities 5\Config.dll
Filesize
41KB

MD5
43b4c18da30b1dc7f7191cc02fd11e98

SHA1
f2bf81b48368e90385e7ed2e077fb8a2c0b70d6c

SHA256
9099a5a8fe7f2f8cdf4a7774a07450094d9cfa03a3b32a51baec897e3d93466f

SHA512
af1e3d0cc85af0941131e20c74ea50dcce02058d663027873f033007bfab9e3e88f5d72e65bf68b436b4ad3a8fd24dd07d541adc3e0134afa38f99df5821e2f7

Download Submit
C:\Program Files (x86)\Glary Utilities 5\Config.dll
Filesize
41KB

MD5
43b4c18da30b1dc7f7191cc02fd11e98

SHA1
f2bf81b48368e90385e7ed2e077fb8a2c0b70d6c

SHA256
9099a5a8fe7f2f8cdf4a7774a07450094d9cfa03a3b32a51baec897e3d93466f

SHA512
af1e3d0cc85af0941131e20c74ea50dcce02058d663027873f033007bfab9e3e88f5d72e65bf68b436b4ad3a8fd24dd07d541adc3e0134afa38f99df5821e2f7

Download Submit
C:\Program Files (x86)\Glary Utilities 5\ContextHandler.dll
Filesize
142KB

MD5
ebbc9ee7ba1d05720882f5b89f88446b

SHA1
492652e80a6e21492560de12b78842f712ed88d2

SHA256
11bc58edcdfa58004fac954a7a810ff9f4d658133921405d24a59d09d2072fd5

SHA512
c3ac930a34c2736a1c389dad97bbbdb5bd120ec118d24aeeef000eed50c9b2a2bda0b19a144003472e4b736fba4de4e7fa49fd34fbc8fc1c83b6800c88980a4e

Download Submit
C:\Program Files (x86)\Glary Utilities 5\ContextHandler.dll
Filesize
142KB

MD5
ebbc9ee7ba1d05720882f5b89f88446b

SHA1
492652e80a6e21492560de12b78842f712ed88d2

SHA256
11bc58edcdfa58004fac954a7a810ff9f4d658133921405d24a59d09d2072fd5

SHA512
c3ac930a34c2736a1c389dad97bbbdb5bd120ec118d24aeeef000eed50c9b2a2bda0b19a144003472e4b736fba4de4e7fa49fd34fbc8fc1c83b6800c88980a4e

Download Submit
C:\Program Files (x86)\Glary Utilities 5\CrashReport.dll
Filesize
300KB

MD5
f555bcd3d2e073eaf071fa53ffb194e1

SHA1
99ee36a91023a9d3743b6a137babc7de063ced4b

SHA256
3b83f5f089db86c52df20963a7a74b0ad3d9d352468d260613464f73ad7970df

SHA512
4d9b037624cf403ff1eb8454366d6cdb560faf27194d097b0cdcd30af29bb094ded3b734769f64a922a4f80e7f28d056ba6f74ba049c56e0ff9019c7a4c7eafa

Download Submit
C:\Program Files (x86)\Glary Utilities 5\CrashReport.dll
Filesize
300KB

MD5
f555bcd3d2e073eaf071fa53ffb194e1

SHA1
99ee36a91023a9d3743b6a137babc7de063ced4b

SHA256
3b83f5f089db86c52df20963a7a74b0ad3d9d352468d260613464f73ad7970df

SHA512
4d9b037624cf403ff1eb8454366d6cdb560faf27194d097b0cdcd30af29bb094ded3b734769f64a922a4f80e7f28d056ba6f74ba049c56e0ff9019c7a4c7eafa

Download Submit
C:\Program Files (x86)\Glary Utilities 5\CrashReport.dll
Filesize
300KB

MD5
f555bcd3d2e073eaf071fa53ffb194e1

SHA1
99ee36a91023a9d3743b6a137babc7de063ced4b

SHA256
3b83f5f089db86c52df20963a7a74b0ad3d9d352468d260613464f73ad7970df

SHA512
4d9b037624cf403ff1eb8454366d6cdb560faf27194d097b0cdcd30af29bb094ded3b734769f64a922a4f80e7f28d056ba6f74ba049c56e0ff9019c7a4c7eafa

Download Submit
C:\Program Files (x86)\Glary Utilities 5\DiskDefrag.exe
Filesize
462KB

MD5
bd96f2291d4cce6d01fefc51297341da

SHA1
6a08ab7a2a88d056f6223c5aeba445e2f6f9c679

SHA256
da46a27075634f0b679f0e8fa1a25118014651cfcdb95e25611c389dd72d8fce

SHA512
fd48ba9c0fff0157741461f2f53f8fbaf7c85f03bcc8262f9a338f440a6a9a0bf925c2a08355a4e7f9c2c1eec2379cda9d615d2bf750b01ce1f0c0aa79ca04d0

Download Submit
C:\Program Files (x86)\Glary Utilities 5\DiskDefrag.exe
Filesize
462KB

MD5
bd96f2291d4cce6d01fefc51297341da

SHA1
6a08ab7a2a88d056f6223c5aeba445e2f6f9c679

SHA256
da46a27075634f0b679f0e8fa1a25118014651cfcdb95e25611c389dd72d8fce

SHA512
fd48ba9c0fff0157741461f2f53f8fbaf7c85f03bcc8262f9a338f440a6a9a0bf925c2a08355a4e7f9c2c1eec2379cda9d615d2bf750b01ce1f0c0aa79ca04d0

Download Submit
C:\Program Files (x86)\Glary Utilities 5\GridMap.ocx
Filesize
161KB

MD5
0ac55e0d792e46c7d8638ffb001a4474

SHA1
3b09248a427e6d81f5956f908690648a5cd83749

SHA256
65293604b2f7d9b9a9946724a1e0769ac4454453dfdb4ff491db1710e778159f

SHA512
c736e71186ebe86eb0f8214ee82598e768e4b14968572736686a1fc8f7712c88f47b0dd270cf3080ed8528165945880f0712b5f3a5e2e542318b3cc11c53baca

Download Submit
C:\Program Files (x86)\Glary Utilities 5\GridMap.ocx
Filesize
161KB

MD5
0ac55e0d792e46c7d8638ffb001a4474

SHA1
3b09248a427e6d81f5956f908690648a5cd83749

SHA256
65293604b2f7d9b9a9946724a1e0769ac4454453dfdb4ff491db1710e778159f

SHA512
c736e71186ebe86eb0f8214ee82598e768e4b14968572736686a1fc8f7712c88f47b0dd270cf3080ed8528165945880f0712b5f3a5e2e542318b3cc11c53baca

Download Submit
C:\Program Files (x86)\Glary Utilities 5\Integrator.exe
Filesize
907KB

MD5
603969cfc18a54accb99816fe85e566e

SHA1
603e8fc391be9fcb8bf0012daa19eaf391c0b35a

SHA256
d8a87f0a79146417c92be9c7cdef26007bbc098250d8d02df77c238669d9bb57

SHA512
882535bc84e969bd76f9740138774bce09f9535dc19b9fd88374fdd05bdf308cf0e6b8e7d15839bc7ae352135a1d7ec1f2d617ebc74fb3388014f1e871df628a

Download Submit
C:\Program Files (x86)\Glary Utilities 5\Languages.dll
Filesize
100KB

MD5
a3095436c539d73ed776043ea0efe875

SHA1
1c1d2ffe9bdabf503abc6ec7a849e008fa0dea8f

SHA256
93d2e2d15e99354400bec8ec20e69c2ff64fe4282c5074f56a3517ff924bd901

SHA512
a4cef8c9462994d5c3479fa2941f5f7ddfbc978be9d23cc21134a6ffa34efaf28769d05f55bb62cc3a9cd760a0ceb085655f2fb41bcd07036dfadf712f8d6520

Download Submit
C:\Program Files (x86)\Glary Utilities 5\LockDll.dll
Filesize
579KB

MD5
a819a258502ab21e1998a1cbdd8001e6

SHA1
231641fc2e56aa671823282c8f77048d368cbfff

SHA256
e2d9c525f62d3dc56b17dbf05d6412bae898b6b905c45fc7ed6de4322ff8a90c

SHA512
14eaa3ccedd9bdfac096b072bfe4c6d88cd5a569cce78c6f371e3ea2bb53c0738e7bea130e49906f676a222ec3bb7152988bd70c58f00cf8c14180014cdc9ce3

Download Submit
C:\Program Files (x86)\Glary Utilities 5\LockDll.dll
Filesize
579KB

MD5
a819a258502ab21e1998a1cbdd8001e6

SHA1
231641fc2e56aa671823282c8f77048d368cbfff

SHA256
e2d9c525f62d3dc56b17dbf05d6412bae898b6b905c45fc7ed6de4322ff8a90c

SHA512
14eaa3ccedd9bdfac096b072bfe4c6d88cd5a569cce78c6f371e3ea2bb53c0738e7bea130e49906f676a222ec3bb7152988bd70c58f00cf8c14180014cdc9ce3

Download Submit
C:\Program Files (x86)\Glary Utilities 5\LockDll.dll
Filesize
579KB

MD5
a819a258502ab21e1998a1cbdd8001e6

SHA1
231641fc2e56aa671823282c8f77048d368cbfff

SHA256
e2d9c525f62d3dc56b17dbf05d6412bae898b6b905c45fc7ed6de4322ff8a90c

SHA512
14eaa3ccedd9bdfac096b072bfe4c6d88cd5a569cce78c6f371e3ea2bb53c0738e7bea130e49906f676a222ec3bb7152988bd70c58f00cf8c14180014cdc9ce3

Download Submit
C:\Program Files (x86)\Glary Utilities 5\Log.dll
Filesize
132KB

MD5
cecd9ea323fc99231f6eeed30071e3b3

SHA1
a55550eb2aa22d72de9bd2d08d984134474695f7

SHA256
05e6ca9f66272a693be073d135bddba8af89d860155e6bfba44c40cb6d15be97

SHA512
f6de470bd2fc3ec76ad76101aa958f12c1572a3390c9c80739b348f82d8e02f1c513685720dcc9490e1caeb4853630c09d75b19d645ff7e3ff71d1f76855e886

Download Submit
C:\Program Files (x86)\Glary Utilities 5\Log.dll
Filesize
132KB

MD5
cecd9ea323fc99231f6eeed30071e3b3

SHA1
a55550eb2aa22d72de9bd2d08d984134474695f7

SHA256
05e6ca9f66272a693be073d135bddba8af89d860155e6bfba44c40cb6d15be97

SHA512
f6de470bd2fc3ec76ad76101aa958f12c1572a3390c9c80739b348f82d8e02f1c513685720dcc9490e1caeb4853630c09d75b19d645ff7e3ff71d1f76855e886

Download Submit
C:\Program Files (x86)\Glary Utilities 5\MachineCode.dll
Filesize
322KB

MD5
e2a47ab4815b39bff8da9df0eeb28cdc

SHA1
3b91572251d7f69b798d34ee59c6e0ec0909aec9

SHA256
d17d88d915915fa280f90b51c6a09155e285bb4c43babd78b11b1b866df987c2

SHA512
efb0ac40e2ade5be68665beae0dc48756d7f7c02cde4a6041d360fa0f736a91cbe7015f52e01b5d160b3b8d1cc5da1ce3746fe0c81d8d4ef1d348e7c69c35a15

Download Submit
C:\Program Files (x86)\Glary Utilities 5\ObjectAdmin.dll
Filesize
80KB

MD5
dfec05724ba90c20f0053b001e9d6e83

SHA1
7f34a9a867c08acb84629faaf064a41ccb8b0285

SHA256
69ddc9b220e3ca3ea012ec2912befc1c731f266a86d63f36db6fc2c0af6cd7d1

SHA512
590eee3676be78f1b5b97a5980e43509388ba1eb79227352187bc2d7560a814fd31dd41ab398f4323a781d89dab80ee5c2bdd71b90bb8f189c7109fadcca11f7

Download Submit
C:\Program Files (x86)\Glary Utilities 5\ObjectAdmin.dll
Filesize
80KB

MD5
dfec05724ba90c20f0053b001e9d6e83

SHA1
7f34a9a867c08acb84629faaf064a41ccb8b0285

SHA256
69ddc9b220e3ca3ea012ec2912befc1c731f266a86d63f36db6fc2c0af6cd7d1

SHA512
590eee3676be78f1b5b97a5980e43509388ba1eb79227352187bc2d7560a814fd31dd41ab398f4323a781d89dab80ee5c2bdd71b90bb8f189c7109fadcca11f7

Download Submit
C:\Program Files (x86)\Glary Utilities 5\Resources\TracksEraser\activenow_click.png
Filesize
2KB

MD5
19792d59472d85af52bbf21ec20260cf

SHA1
d0cfae9b4e62ba74ae6a10e8a82e8fb54473b895

SHA256
9344c4a21814b627a92e76272a2dd80f075303a93a290a5e02f1e34949af7b1e

SHA512
704eede4370e36d8c68ae71cdd167504e554d8749e6f60f4e2f9ed4e8d6adf4e5edc2de5f8589774d6c765a162a977936543237e166b1d92f52161eb14f89126

Download Submit
C:\Program Files (x86)\Glary Utilities 5\Resources\TracksEraser\tab_btn_click.png
Filesize
2KB

MD5
f003bdfcd0bcad4c5c1fa5284019530f

SHA1
ff48f9d4cf7b6c40ed594b7b60cc20431354ed28

SHA256
ec19a4a75d386e66786e09a6b2e2dae353342654b6817934a32c427acf699e92

SHA512
21de020c6a42fc707a75895e5ca37ce9c7560614eeec135fe4522bb0e53067dcfed428f3a1010a80924beaea51de2d541d1c4d11840d5d38611acf4a50821896

Download Submit
C:\Program Files (x86)\Glary Utilities 5\RestoreCenter.dll
Filesize
236KB

MD5
1c5f3426855b27d164455ddf356ab3d9

SHA1
5ec53bf3f994451e9714b884f141573832585d21

SHA256
0b7a9732f5cd97c9345cf309f65470544291a0c5cc221d3e53902f3d4d11c5e2

SHA512
0613e496c5d0bbcbe6634bd8c773a82c88e83c35dea9d4997a3daf4bbe429a7a8b65c78c2b49c2ae2cc8b7a44eb11f6210965efb164db52f5808fd370594f419

Download Submit
C:\Program Files (x86)\Glary Utilities 5\RestoreCenter.dll
Filesize
236KB

MD5
1c5f3426855b27d164455ddf356ab3d9

SHA1
5ec53bf3f994451e9714b884f141573832585d21

SHA256
0b7a9732f5cd97c9345cf309f65470544291a0c5cc221d3e53902f3d4d11c5e2

SHA512
0613e496c5d0bbcbe6634bd8c773a82c88e83c35dea9d4997a3daf4bbe429a7a8b65c78c2b49c2ae2cc8b7a44eb11f6210965efb164db52f5808fd370594f419

Download Submit
C:\Program Files (x86)\Glary Utilities 5\ShortcutFixer.dll
Filesize
61KB

MD5
a33cea5bd1c42aac1c2e2db57e518ddd

SHA1
2fd5ccac8e6e607c676b5eb74e70578ecd1c2491

SHA256
31294c6f488b690e5214c65940f2406c5dfcd986351422e9d921f0e862afa117

SHA512
6371833c28bf7e62cb625951e6719f2511a8c6b06cf92bb84ddf6898e222df5e9c623d172bad2bcdc104126af59e3d5d5515f6638919b19de6c0da13d912ec11

Download Submit
C:\Program Files (x86)\Glary Utilities 5\ShortcutFixer.dll
Filesize
61KB

MD5
a33cea5bd1c42aac1c2e2db57e518ddd

SHA1
2fd5ccac8e6e607c676b5eb74e70578ecd1c2491

SHA256
31294c6f488b690e5214c65940f2406c5dfcd986351422e9d921f0e862afa117

SHA512
6371833c28bf7e62cb625951e6719f2511a8c6b06cf92bb84ddf6898e222df5e9c623d172bad2bcdc104126af59e3d5d5515f6638919b19de6c0da13d912ec11

Download Submit
C:\Program Files (x86)\Glary Utilities 5\StartupManager.dll
Filesize
1.5MB

MD5
5d3a904f97515808a7f82881c6850fe5

SHA1
9b5399de423d8f9d140ffdaded9f1a0562343dc1

SHA256
0c67fbe546ac17c8d4558aa0236e8f73881dfcfb2e2d19bbc3ca803170125d2a

SHA512
3ce5f59eea007c26ea695db631cbbfc55a36f129a791a88cb3af5194d52cb35cbf018be4ba67a9946ddf0f446e510809a314f948e7cadd33555150335c1c0940

Download Submit
C:\Program Files (x86)\Glary Utilities 5\StartupManager.dll
Filesize
1.5MB

MD5
5d3a904f97515808a7f82881c6850fe5

SHA1
9b5399de423d8f9d140ffdaded9f1a0562343dc1

SHA256
0c67fbe546ac17c8d4558aa0236e8f73881dfcfb2e2d19bbc3ca803170125d2a

SHA512
3ce5f59eea007c26ea695db631cbbfc55a36f129a791a88cb3af5194d52cb35cbf018be4ba67a9946ddf0f446e510809a314f948e7cadd33555150335c1c0940

Download Submit
C:\Program Files (x86)\Glary Utilities 5\StartupManager.exe
Filesize
50KB

MD5
89921765dc64d59b0ccbc40fe46bb592

SHA1
6e5e2d8e39c1c1bccd7ce7a205a748d331ce29f5

SHA256
91b51f100058ea950c376ec928b7049f3e5ffb5528385ca3efc76770a94a7ae8

SHA512
a2137077a4746cecd9ab55ca4ca5e3fc5545940626450dfecf4aa0317d857d2607dc908b0ecbc54439a66efa17799e958a8903d216dc562d7dc2c4dc871b847c

Download Submit
C:\Program Files (x86)\Glary Utilities 5\StartupManager.exe
Filesize
50KB

MD5
89921765dc64d59b0ccbc40fe46bb592

SHA1
6e5e2d8e39c1c1bccd7ce7a205a748d331ce29f5

SHA256
91b51f100058ea950c376ec928b7049f3e5ffb5528385ca3efc76770a94a7ae8

SHA512
a2137077a4746cecd9ab55ca4ca5e3fc5545940626450dfecf4aa0317d857d2607dc908b0ecbc54439a66efa17799e958a8903d216dc562d7dc2c4dc871b847c

Download Submit
C:\Program Files (x86)\Glary Utilities 5\data\ModuleInfo.ini
Filesize
13KB

MD5
bba1a3fe109dd0a92c6175b517604980

SHA1
a88f1155ef165d2e8474abd7d1754d7e86b8cae7

SHA256
6ed46b27cea1cc5b7b554804bff81f1ef9cc5c85fbb2dd09bddb1564291ddf44

SHA512
2a59e4b142b2030ceb3334cb9d0347b053a7893bca771dea0ae18706306d5c8ef6b9f8e6e6510d212cb514d1f684e458559c44a372adfd5ec5fc47f8d759f9be

Download Submit
C:\Program Files (x86)\Glary Utilities 5\data\backup.ini
Filesize
3KB

MD5
77b63890dad56c93714f0bd68fe49d4b

SHA1
a8eb7280af291bb3a1b50814bb36f5ee111e60b9

SHA256
a09b4b3b295b78623767ddf8de4313736a710e78b0867fa7ea375668c29474f1

SHA512
158a835422591760b47c394dc7da548b63f6f383533764adbb72687cbe1a9f3deef19cc2c08abcddacf4e65517ed6e902dbce38ba6232caa5824d8fefaa38b38

Download Submit
C:\Program Files (x86)\Glary Utilities 5\data\gulr.dat
Filesize
564B

MD5
4299c74b3d5cc1c715d03bbdfadc470a

SHA1
67a1ea8bbbec7a5bbc45c3d4b9ecb5f1649c4b3d

SHA256
2c24370342e85b5b762d65f00d14846d3b407b93f57883a54ce2e5cfb1e09df5

SHA512
c6b1cfd895b58d69cdc76bbee09d2ce44880ce6e922bb521943e01fdd12a42131001aa890955c22a725df04f367feae1760eff6fdf73d7309f8676487fd8c935

Download Submit
C:\Program Files (x86)\Glary Utilities 5\data\rule.ini
Filesize
14KB

MD5
dec3f261af4632c36b8d25bf7fc7590b

SHA1
b0be8df8cd8807b21acf5661d4c222474e511835

SHA256
062ad687c39b28a509c94f6c6ff1ccdb81f12663d6a18a4fa812def4032fff21

SHA512
a086c050bca7ec8937f2f0c358bf3b39be5d0e93869f426ee3f79dd5fe9ec11197d3dfe01878c84ad7cc69f49ac1e4e1e64e341aaad9e7da27b1643acb8071d6

Download Submit
C:\Program Files (x86)\Glary Utilities 5\dbghelp.dll
Filesize
1020KB

MD5
74edbb03de3291fcf2094af1fb363f1d

SHA1
16b5d948ed7843576781dc4f2a391607ac0120a4

SHA256
dca9f45efed8eab442b491aebda3e3cce7f5f9fc5de527d2dbdfd85a5be85dfa

SHA512
b08eb03c54f25979c5aee745530ecd51c5761eb99871b867ff84e14590b32ef3247e17cf63bf953ee1efcb0fda8c4540191b9280db33359fdca352967e42b289

Download Submit
C:\Program Files (x86)\Glary Utilities 5\dbghelp.dll
Filesize
1020KB

MD5
74edbb03de3291fcf2094af1fb363f1d

SHA1
16b5d948ed7843576781dc4f2a391607ac0120a4

SHA256
dca9f45efed8eab442b491aebda3e3cce7f5f9fc5de527d2dbdfd85a5be85dfa

SHA512
b08eb03c54f25979c5aee745530ecd51c5761eb99871b867ff84e14590b32ef3247e17cf63bf953ee1efcb0fda8c4540191b9280db33359fdca352967e42b289

Download Submit
C:\Program Files (x86)\Glary Utilities 5\dbghelp.dll
Filesize
1020KB

MD5
74edbb03de3291fcf2094af1fb363f1d

SHA1
16b5d948ed7843576781dc4f2a391607ac0120a4

SHA256
dca9f45efed8eab442b491aebda3e3cce7f5f9fc5de527d2dbdfd85a5be85dfa

SHA512
b08eb03c54f25979c5aee745530ecd51c5761eb99871b867ff84e14590b32ef3247e17cf63bf953ee1efcb0fda8c4540191b9280db33359fdca352967e42b289

Download Submit
C:\Program Files (x86)\Glary Utilities 5\languages.dll
Filesize
100KB

MD5
a3095436c539d73ed776043ea0efe875

SHA1
1c1d2ffe9bdabf503abc6ec7a849e008fa0dea8f

SHA256
93d2e2d15e99354400bec8ec20e69c2ff64fe4282c5074f56a3517ff924bd901

SHA512
a4cef8c9462994d5c3479fa2941f5f7ddfbc978be9d23cc21134a6ffa34efaf28769d05f55bb62cc3a9cd760a0ceb085655f2fb41bcd07036dfadf712f8d6520

Download Submit
C:\Program Files (x86)\Glary Utilities 5\languages.dll
Filesize
100KB

MD5
a3095436c539d73ed776043ea0efe875

SHA1
1c1d2ffe9bdabf503abc6ec7a849e008fa0dea8f

SHA256
93d2e2d15e99354400bec8ec20e69c2ff64fe4282c5074f56a3517ff924bd901

SHA512
a4cef8c9462994d5c3479fa2941f5f7ddfbc978be9d23cc21134a6ffa34efaf28769d05f55bb62cc3a9cd760a0ceb085655f2fb41bcd07036dfadf712f8d6520

Download Submit
C:\Program Files (x86)\Glary Utilities 5\languages\english.lng
Filesize
252KB

MD5
5d1f1be266a4496c80a8bdae2690db8d

SHA1
b82ed98ad69c2f7f4c288d64194477476909cb73

SHA256
d0cfa55bc9e58ad26a0a505302aa8ffa758987b9c117db926269e414265caa9f

SHA512
bd6e1d5946110aa9fa1230a1afa6846c79fe82c9738fc18c6eeb216bf5830430b72f2f5474281e144c056e46d3225e57203fe255717628091a8138739feeb319

Download Submit
C:\Program Files (x86)\Glary Utilities 5\machinecode.dll
Filesize
322KB

MD5
e2a47ab4815b39bff8da9df0eeb28cdc

SHA1
3b91572251d7f69b798d34ee59c6e0ec0909aec9

SHA256
d17d88d915915fa280f90b51c6a09155e285bb4c43babd78b11b1b866df987c2

SHA512
efb0ac40e2ade5be68665beae0dc48756d7f7c02cde4a6041d360fa0f736a91cbe7015f52e01b5d160b3b8d1cc5da1ce3746fe0c81d8d4ef1d348e7c69c35a15

Download Submit
C:\Program Files (x86)\Glary Utilities 5\news.ini
Filesize
194B

MD5
2ba4748a0e867ed4d55c83c362185023

SHA1
fc9508275a7f3040f1643ff5d0e897dd36476949

SHA256
e600c0fe5fb2ceb41f8d0ca93ab2518c3b3a87481bec6f5840f56bc5103fd2d2

SHA512
5e3e572c9319161f1ed27bae22315bf7838a4b219e07ce9a9b6e58c2d1c4fcfb33239d2182b0bc7acd74f718badd4dd8a262d30a818d0279cdf3891233d6fbc5

Download Submit
C:\Program Files (x86)\Glary Utilities 5\settings.ini
Filesize
46B

MD5
56688b599335e8fa00e0479e9e9bb4a0

SHA1
a4f4a65555f6891c5b6a1e556eb90473f56fd8b6

SHA256
af4c3b39f0580a5b68e402a13dd0e0e506055126e76c327adffb6ab8404dfc97

SHA512
76191dacbe1b3c399142ebc5d86ffdcd8368a7ed1f342d840eadd95d936af6885840f303d0a8346c922aba89e34aae4c5f79a80bdae12d404823341ffd094adc

Download Submit
C:\Program Files (x86)\Glary Utilities 5\x64\ContextHandler.dll
Filesize
90KB

MD5
49cb529c99024c9ba0755d9c72efe25f

SHA1
fa51e01662e2e08a4d59310f1d49b4b65bbc752e

SHA256
b31ce5e783d06c40fa2af6738439068c91a497f9414a6cd9b6b168f4cb35197c

SHA512
2ca4704c6cf0ae0ea6fb036d3411cbe5c10b0352cb262ee58753749a6124b3c92b19eae3ca8641315fbdc79069eb947285842d4828d4c2bffa1fa55b177093c0

Download Submit
C:\Program Files (x86)\Glary Utilities 5\x64\ContextHandler.dll
Filesize
90KB

MD5
49cb529c99024c9ba0755d9c72efe25f

SHA1
fa51e01662e2e08a4d59310f1d49b4b65bbc752e

SHA256
b31ce5e783d06c40fa2af6738439068c91a497f9414a6cd9b6b168f4cb35197c

SHA512
2ca4704c6cf0ae0ea6fb036d3411cbe5c10b0352cb262ee58753749a6124b3c92b19eae3ca8641315fbdc79069eb947285842d4828d4c2bffa1fa55b177093c0

Download Submit
C:\Program Files (x86)\Glary Utilities 5\x64\ContextHandler.dll
Filesize
90KB

MD5
49cb529c99024c9ba0755d9c72efe25f

SHA1
fa51e01662e2e08a4d59310f1d49b4b65bbc752e

SHA256
b31ce5e783d06c40fa2af6738439068c91a497f9414a6cd9b6b168f4cb35197c

SHA512
2ca4704c6cf0ae0ea6fb036d3411cbe5c10b0352cb262ee58753749a6124b3c92b19eae3ca8641315fbdc79069eb947285842d4828d4c2bffa1fa55b177093c0

Download Submit
C:\Program Files (x86)\Glary Utilities 5\x64\GUAssistComSvc.exe
Filesize
174KB

MD5
5ba6fac3fcda58b28140c936096e6aa6

SHA1
8e81c28c9fcfe68205338bac57c308e92701581a

SHA256
89a86d98aae061e1549feb2fb53459eccebe5ae76cc65c09af8fa6467f43869c

SHA512
73ea685865b4b8c9ab11fd43a6c9cdab8c316d867579a3b4cdffebdc5471669e535cfc5680c135c978f31c402b025527c3616720a2d4a5a4863153d5190d2553

Download Submit
C:\Program Files (x86)\Glary Utilities 5\x64\GUAssistComSvc.exe
Filesize
174KB

MD5
5ba6fac3fcda58b28140c936096e6aa6

SHA1
8e81c28c9fcfe68205338bac57c308e92701581a

SHA256
89a86d98aae061e1549feb2fb53459eccebe5ae76cc65c09af8fa6467f43869c

SHA512
73ea685865b4b8c9ab11fd43a6c9cdab8c316d867579a3b4cdffebdc5471669e535cfc5680c135c978f31c402b025527c3616720a2d4a5a4863153d5190d2553

Download Submit
C:\Program Files (x86)\Glary Utilities 5\zlib1.dll
Filesize
92KB

MD5
6d723ceabcac4aaec2c3fe7a41120fda

SHA1
2e6c5cf78339209e884a081f11eb3f44702fd58c

SHA256
10b82d48a764ed9b5b842f92bef949cbd4d84c734654b1253fced9f5fee734ec

SHA512
f1fe3254c23689395a152224dc74798ae4bfc2e76fcae9fbb03376f368cced6962611905170c474a892b86b298f35a12b278a3cb2f4a6cbdcd5d3f6984eb94e1

Download Submit
C:\Program Files (x86)\Glary Utilities 5\zlib1.dll
Filesize
92KB

MD5
6d723ceabcac4aaec2c3fe7a41120fda

SHA1
2e6c5cf78339209e884a081f11eb3f44702fd58c

SHA256
10b82d48a764ed9b5b842f92bef949cbd4d84c734654b1253fced9f5fee734ec

SHA512
f1fe3254c23689395a152224dc74798ae4bfc2e76fcae9fbb03376f368cced6962611905170c474a892b86b298f35a12b278a3cb2f4a6cbdcd5d3f6984eb94e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aaeb1f5e097ab38083674077b84b8ed6

SHA1
7d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2

SHA256
1654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef

SHA512
130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1db53baf44edd6b1bc2b7576e2f01e12

SHA1
e35739fa87978775dcb3d8df5c8d2063631fa8df

SHA256
0d73ba3eea4c552ce3ffa767e4cd5fff4e459e543756987ab5d55f1e6d963f48

SHA512
84f544858803ac14bac962d2df1dbc7ed6e1134ecf16d242d7ee7316648b56b5bc095241363837bf0bf0afd16ca7deebe7afb7d40057604acbf09821fd5a9912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
cb3376edf16d4e7565711412c7fc1dcc

SHA1
f9d5e62d377e51a99d3d98708d209018723c9da6

SHA256
fa208d88366a829c0b4c880f678692e617478d83a495b60caf97767fbf4dac14

SHA512
9f35e1a0a5f85e622dd854ab7e149f8a7423904319242217584ba2988fa3e01c5a881ade5f1c8967ce4465bf38903a4ab24a73d2bb62ba190b8c3436e2465495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
480B

MD5
84c6e34ec1210a21a8c27ec8f871c83c

SHA1
da5ab1b054de893837fd227266ec67e8ed2fec78

SHA256
2119adb58b62c4f200b27ae8accd172dbe87c5bf8c9108767840d9db8afd0e22

SHA512
0d9aaae3719bde97916266d10e3cc4f456139d9d8ea1b6211a6831b8b6a0ed2cab842c938707d7b3ad3bbda0bc95f442aad791560755531ec40ca1a612a49e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
2ef90eeaf6738dd66971f88b2cd04efb

SHA1
9a57ded93cad7cd6a0f9057d8d86e1182fe3a973

SHA256
b9bdb11c5839352eb80ddde3923038a99eadcec67410f00048afd36650b4d373

SHA512
447ac0567dfeec4eb19483a30e044ca30ec01407c8551578121dd0de6d6717a384d8dd006b14af73f2fcb6cff9eab82e561e3b01a764a878a75d59a75bf10681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
dd4801be7b7ec28ef735a791144a73d5

SHA1
1051b66bbcb216a0017f27ef69d1953af90d279c

SHA256
ba7680847431dae7a71333a675b19b47d000c4d2c865170505dd5035579c9e4d

SHA512
add2961bffe2ab5635dd7a07df4554b58d09dfeb9bdb9e96ed3044b9ad79bbc1d9e2d24efff706898c2696c3be28a1bdf73ce0ce456438883b581f1c4b676513

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
8382b00966d1e24727f1c637e2a62053

SHA1
6f77f6e0795da8f13fecf7beaa94a0f127b54975

SHA256
360f511c1c0d8e02634cea992dadd93535c44b2499ac40a19279dca34aba4cab

SHA512
3fa0f27a0f2e520445c0a7f436b41c03d0c6c5d7084bcc051f9cf9988593ac477b6f8f850142dbb61aca04a884a451e68267ed774085c3a3eca4e8355dca4638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
c0e2ba7d28d802f45367069fd8cc4976

SHA1
cd86e0b6724e9c3c94ce1b427ba480ccd13ac418

SHA256
b53e494525585c184905579a670a2ff5efbb23200f9dcfca2858ecce9d476b10

SHA512
c29aef200d200bbdebb0b8af1e33c0f5ad21604cdc9c25db9f42872ceed713f06cdbae78e3e26a8b186421405ff79eea02b4acf79c3df89fde317b9c95975b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
47e94a96372e6f095b8a3fd7edc48ec0

SHA1
377b68f34e5964ca8be1b1b0c1507dd7f0e5f005

SHA256
15c77bafd922bd085317fd544d0fa129e3b8c814e3ba0d48936366004427732e

SHA512
5bd63de2e831805b723d7ddf1343c3b721ef5b757d9ab01bf8554ef8e29ac2cc09fa104fc85d530f27d66b67280774b3ebbef6729ea3ab61ce8028ab4ba5bdad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
f2bad4144ef82113a84d352bfaa24edc

SHA1
c9e6e14899fe16a2c7d892cfbbe07985470256cb

SHA256
a850dde357bf1996aad00fadf28c78d607cc80fa603a675f1a2559b7ab6e4482

SHA512
6e23fd264c3405a00017fd2b9740160e11fda76bfe24a844c1c83486261375630fdf34a271160efcdb804a7ef1015f307b0022b5a4ef588bcf4e1ab2920fd036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
db0888f7e7f8def512a6d0a69c807ec4

SHA1
6ee6598880c30583a8754f4c5917d2728b9b82cf

SHA256
0a8c1297d9a47fdb98fa7aacca24ac8e4b6a0f561a0e36d22cdc1229302d0ec3

SHA512
5757ff3dbde65e9063efb19f254065af30388fb9f9f77a2a4b6b0eb526d42ed6a4a0d3805d712be256508396108e5453c7f34fde5846c6c2fe46afbebbf26b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\KillProcDLL.dll
Filesize
14KB

MD5
2f8a43c3581af1f31ce8d9da0c03465b

SHA1
3cce52e1dd53191127a98b324644c5cc581295ca

SHA256
97b5b3985736cc0f49ceb2da68b01ce51fa821b6da3cec69cfeebfba8d626845

SHA512
fd4ffab70048664c2f9aab375bb4c5cd89b3ff525335633dfd895dddf2be0791c56f585a9675f0a91be0d20882260709c847e0c8757e0fb49f80a932b187eab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\KillProcDLL.dll
Filesize
14KB

MD5
2f8a43c3581af1f31ce8d9da0c03465b

SHA1
3cce52e1dd53191127a98b324644c5cc581295ca

SHA256
97b5b3985736cc0f49ceb2da68b01ce51fa821b6da3cec69cfeebfba8d626845

SHA512
fd4ffab70048664c2f9aab375bb4c5cd89b3ff525335633dfd895dddf2be0791c56f585a9675f0a91be0d20882260709c847e0c8757e0fb49f80a932b187eab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\KillProcDLL.dll
Filesize
14KB

MD5
2f8a43c3581af1f31ce8d9da0c03465b

SHA1
3cce52e1dd53191127a98b324644c5cc581295ca

SHA256
97b5b3985736cc0f49ceb2da68b01ce51fa821b6da3cec69cfeebfba8d626845

SHA512
fd4ffab70048664c2f9aab375bb4c5cd89b3ff525335633dfd895dddf2be0791c56f585a9675f0a91be0d20882260709c847e0c8757e0fb49f80a932b187eab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\MachineCode.dll
Filesize
322KB

MD5
e2a47ab4815b39bff8da9df0eeb28cdc

SHA1
3b91572251d7f69b798d34ee59c6e0ec0909aec9

SHA256
d17d88d915915fa280f90b51c6a09155e285bb4c43babd78b11b1b866df987c2

SHA512
efb0ac40e2ade5be68665beae0dc48756d7f7c02cde4a6041d360fa0f736a91cbe7015f52e01b5d160b3b8d1cc5da1ce3746fe0c81d8d4ef1d348e7c69c35a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\MachineCode.dll
Filesize
322KB

MD5
e2a47ab4815b39bff8da9df0eeb28cdc

SHA1
3b91572251d7f69b798d34ee59c6e0ec0909aec9

SHA256
d17d88d915915fa280f90b51c6a09155e285bb4c43babd78b11b1b866df987c2

SHA512
efb0ac40e2ade5be68665beae0dc48756d7f7c02cde4a6041d360fa0f736a91cbe7015f52e01b5d160b3b8d1cc5da1ce3746fe0c81d8d4ef1d348e7c69c35a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\modern-wizard.bmp
Filesize
596KB

MD5
c57ce6f09c7a8e95361dfd2e7b03f49d

SHA1
85ab2fc81b1f7db68145af62b4d720fd0c7b6242

SHA256
720a31ee8077202126a4657ba7d28f7f46a30872b8b21d2a0e89d0af227b109f

SHA512
014e96c9a68d32d37b20da6b4b89530cfc55f86ef399d276f82683e59d4680125d0be0b753b4d065ee2a48445277e039e9e4af0fbda70ec384650ee4a7f79b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\nsDialogs.dll
Filesize
9KB

MD5
1c8b2b40c642e8b5a5b3ff102796fb37

SHA1
3245f55afac50f775eb53fd6d14abb7fe523393d

SHA256
8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c

SHA512
4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\nsExec.dll
Filesize
6KB

MD5
09c2e27c626d6f33018b8a34d3d98cb6

SHA1
8d6bf50218c8f201f06ecf98ca73b74752a2e453

SHA256
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

SHA512
883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\nsExec.dll
Filesize
6KB

MD5
09c2e27c626d6f33018b8a34d3d98cb6

SHA1
8d6bf50218c8f201f06ecf98ca73b74752a2e453

SHA256
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

SHA512
883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\nsExec.dll
Filesize
6KB

MD5
09c2e27c626d6f33018b8a34d3d98cb6

SHA1
8d6bf50218c8f201f06ecf98ca73b74752a2e453

SHA256
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

SHA512
883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\statisticsinfo.exe
Filesize
147KB

MD5
97802c6ddd0a87805593677dc54a07be

SHA1
ff5169ea3d72983d2314d247d1b376b27f36777c

SHA256
e0fbdaf886685436b48757f64b09c518a443c005def7f10969f4d7ee18c7d11f

SHA512
a3d07d1b97a91e5dfd8e138fa8495babdba4028765e2f068659b32c2d03f78f5e42512620ee9fa27a14b6b9c36b575008158060dfab14181784b627142dd676c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8A73.tmp\statisticsinfo.exe
Filesize
147KB

MD5
97802c6ddd0a87805593677dc54a07be

SHA1
ff5169ea3d72983d2314d247d1b376b27f36777c

SHA256
e0fbdaf886685436b48757f64b09c518a443c005def7f10969f4d7ee18c7d11f

SHA512
a3d07d1b97a91e5dfd8e138fa8495babdba4028765e2f068659b32c2d03f78f5e42512620ee9fa27a14b6b9c36b575008158060dfab14181784b627142dd676c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw3171.tmp\Inetc.dll
Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw3171.tmp\xtInfoPlugin.dll
Filesize
160KB

MD5
8f358cfd9f9e30e64c536cd7dc5ce415

SHA1
cbca484d99ce8da6badebfb507550974af821c21

SHA256
6f12201a1c80198b9c9a6667c459c348230c587839a1f7b1133e14720b708aca

SHA512
14c69403c62ee82b5357980f0c76a4d9b80c7725790e0b9691a60394efc2787361f6b7dee83ca62f1b9ef6eae90bdf7d033b8c4ba6bacd51403187004b944c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~autoupdate.dat
Filesize
184B

MD5
cd5f805ee8e53b4616d87dd41ce799e3

SHA1
b0d1d7fc38455a25661c94f9f186343f7ea83861

SHA256
cec146ac085eef3bc664960115958ca370477b2c72a2cf29d6e7a8ad054712fe

SHA512
72f5a361531364e04f1b337289653a0ce134ef05f229c201aa018ae059dacb85cf0b23632236a4ea8562cc70743c00b3c1aa0b19d45707379691f8a80ed60eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~gu3-ver.dat
Filesize
93B

MD5
4c077809d5360a4bc17a25807827cf2c

SHA1
e0c5e0e099c31afd8c24bf8d4cd635b1b1da0bce

SHA256
0bf280f293f191f6f5c9ab8d3c05344b584a9cefb0eb0f20037ab4fd02c9dc1c

SHA512
89c6f995b0721a1b818b3480335a4ded9ee1ad0060377cfb31b75e72d4d50cc6250ce76af13dfdc24408383e43315a0c683f7b8dd42db3bb8086de6b6327ecf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~upgrade.dat
Filesize
1KB

MD5
41a198e7c6fd672c46d059b8af7a3a10

SHA1
9e537a0c88dc753130d18657a2b1542774b5d951

SHA256
0897c30091baf0ccd14fac66b20624b90bce5d67604c15cd7b50c5bbb737745e

SHA512
ec335050c481cc525f7a1f6d7744952f1cd28bce3303af68a884f723fd3d5fc6d1917560e22436c018fb06f62e704f707e70554106b966ea0561e90df8d4d862

Download Submit
C:\Users\Admin\AppData\Roaming\GlarySoft\Glary Utilities 5\WebUpdate\WebUpdate.xml
Filesize
276KB

MD5
aeb69c7cbbe9ae1e5ddc4ecf90bb0d2f

SHA1
1032bbb88f698ce083a2bba38a38b162c83c359e

SHA256
7d44faa119dc69c020dc49b002b922fb93b5826aef8cd8075db43b9168ae4758

SHA512
bb305e56da200b437af27ad240c8f490e4074255fff5f7104e10dc4df63eb4c7090ad355caf07fc07be310ec330a8e5291e5ddb691129f5ca30477ff62b28a71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
eb76721beb3ff9061ea23e31aed510b0

SHA1
5ac730dc5080709681a411ac3cafd04d32260498

SHA256
d05f3f75f4407ab94702069708cf301e89b8b850fe230b7b2f94bb5d392a14fc

SHA512
89eb2c07ae23980ccf5d153e4a8bfb8a8dcf88d50a153833ef8d3340b6ca2e2ccf36a1c211d20d05e56a25f649605909711799d6f923eecc498db62b4c5021e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\GUTracksIni.tmp
Filesize
188KB

MD5
49b5656a422755ddecc80d3a43309d63

SHA1
f79af7dee7e7b614007e1fb28bef03e319e054d0

SHA256
71d4c42d34de461c904786aad7778239366036962fc27f5833701c1f9f55cd31

SHA512
8dfa97ee56f2e36d215bd2d291588a2ca994d65106137d4623a96701a4b038279e3d40d596c2f448679835ee94547936b4500c2fb179f722c575839ef4483152

Download Submit