435506cbe66bebdfdf9a2a94b1e8f483fdf108ab308129a6eb8dfd56a8bc77bc

Analysis

max time kernel
156s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
03-04-2023 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows.10.codec.pack.v2.2.0.setup.exe
Size

45.5MB
MD5

908ea32c938f24669728a7c026a6552b
SHA1

2695b6cd468636b09c1495a86a69ce4f56203a0c
SHA256

435506cbe66bebdfdf9a2a94b1e8f483fdf108ab308129a6eb8dfd56a8bc77bc
SHA512

342281df3e8823dbca8231335c17d76fbc4d0ba35a97c2d777d11c9ca33b86e689ef54c86aebbbec50a6f499b7232c4d56406f0471cce666a74203bfe95e710e
SSDEEP

786432:Zbe52lsoZacQr5el64WTdDUCpGnSlyXMs8AdIqCmF3kdPEcOKbBhscBpw4yTie6d:ZbpHZac09DtpI7XMvmIqoPppw4yees

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Processes:

SetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeTrayMenu.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exe

pid	process
2724	SetACL.exe
1456	SetACL.exe
3016	SetACL.exe
2492	SetACL.exe
4836	SetACL.exe
4112	SetACL.exe
5084	SetACL.exe
3272	SetACL.exe
3148	SetACL.exe
3776	SetACL.exe
428	SetACL.exe
2412	SetACL.exe
4204	SetACL.exe
4864	SetACL.exe
1340	SetACL.exe
5016	SetACL.exe
2960	SetACL.exe
4276	SetACL.exe
1180	SetACL.exe
4992	TrayMenu.exe
616	SetACL.exe
1688	SetACL.exe
3380	SetACL.exe
3272	SetACL.exe
1580	SetACL.exe
4788	SetACL.exe
4660	SetACL.exe
2872	SetACL.exe
3152	SetACL.exe
4560	SetACL.exe
3092	SetACL.exe
3772	SetACL.exe
4364	SetACL.exe
408	SetACL.exe
4480	SetACL.exe
4980	SetACL.exe
4324	SetACL.exe
3368	SetACL.exe
4672	SetACL.exe
224	SetACL.exe
1332	SetACL.exe
4576	SetACL.exe
4772	SetACL.exe
3552	SetACL.exe
1508	SetACL.exe
2232	SetACL.exe
4636	SetACL.exe
1064	SetACL.exe
1340	SetACL.exe
5008	SetACL.exe
2204	SetACL.exe
4568	SetACL.exe
2244	SetACL.exe
2224	SetACL.exe
4584	SetACL.exe
4348	SetACL.exe
3856	SetACL.exe
4316	SetACL.exe
508	SetACL.exe
4752	SetACL.exe
4308	SetACL.exe
3132	SetACL.exe
3456	SetACL.exe
2272	SetACL.exe

Loads dropped DLL 64 IoCs

Processes:

windows.10.codec.pack.v2.2.0.setup.exe

pid	process
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeTrayMenu.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9852A670-F845-491B-9BE6-EBD841B8A613}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8E73B6B-4CB3-44A4-BE99-4F7BCB96E491}\InprocServer32\ = "C:\\Windows\\system32\\LAVAudio.ax"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2D4D6F88-8B41-40A2-B297-3D722816648B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CA71B1E-A67D-4D54-A200-FA47605483A7}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B841F346-4835-4de8-AA5E-2E7CD2D4C435}\InprocServer32\ = "C:\\Windows\\system32\\ts.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}\InprocServer32\ThreadingModel = "Both"	TrayMenu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A36C253D-CEE4-4BCA-9CC2-E03CF6BBB054}\InprocServer32\ = "C:\\Windows\\system32\\dxr.x64.dll"	TrayMenu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ACE4747B-35BD-4E97-9DD7-1D4245B0695C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BD72668E-6BFF-4CD1-8480-D465708B336B}\InprocServer32\ = "C:\\Windows\\system32\\LAVAudio.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2D4D6F88-8B41-40A2-B297-3D722816648B}\InprocServer32\ = "C:\\Windows\\system32\\LAVVideo.ax"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0512B874-44F6-48F1-AFB5-6DE808DDE230}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51A00247-40A8-4845-9F17-7DBFCC9A8783}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{564FD788-86C9-4444-971E-CC4A243DA150}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8B25C0E-0894-4531-B668-AB1599FAF7F6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B63A013-DC2C-462E-9292-CAF8C867100F}\InprocServer32\ = "C:\\Windows\\system32\\splitter.x64.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69CE757B-E8C0-4B0A-9EA0-CEA284096F98}\InprocServer32\ = "C:\\Windows\\system32\\VSFilter.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F544E0F5-CA3C-47EA-A64D-35FCF1602396}\InprocServer32\ = "C:\\Windows\\system32\\VSFilter.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49590BC9-6DD5-4E44-AD4C-E8FCB7131EC4}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBF9000E-F08C-4858-B769-C914A0FBB1D7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53D9DE0B-FC61-4650-9773-74D13CC7E582}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{007FC171-01AA-4B3A-B2DB-062DEE815A1E}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB43B405-43AA-4f01-82D8-D84D47E6019C}\InprocServer32\ = "C:\\Windows\\system32\\ogm.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0180E49C-13BF-46DB-9AFD-9F52292E1C22}\InprocServer32\ = "C:\\Windows\\system32\\VSFilter.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B98D13E7-55DB-4385-A33D-09FD1BA26338}\InprocServer32\ = "C:\\Windows\\system32\\LAVSplitter.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBF9000E-F08C-4858-B769-C914A0FBB1D7}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BD4FB4BE-809D-487b-ADD6-F7D164247E52}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BD72668E-6BFF-4CD1-8480-D465708B336B}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278407C2-558C-4BED-83A0-B6FA454200BD}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{650DE05E-5CD3-44F8-BA20-A5BB91FC61E6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DB2B5D9-4556-4340-B189-AD20110D953F}\InprocServer32\ = "C:\\Windows\\system32\\ffdshow.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CA71B1E-A67D-4D54-A200-FA47605483A7}\InprocServer32\ = "C:\\Windows\\system32\\ffdshow.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6E8FC04-8B05-48B1-9399-848229502A06}\InprocServer32\ = "C:\\Windows\\system32\\ffdshow.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69CE757B-E8C0-4B0A-9EA0-CEA284096F98}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A98ADCC-C6A4-449E-A8B1-0363673D9F8A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6A9B8CC-192D-4F00-8BF8-AD8774011B07}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49590BC9-6DD5-4E44-AD4C-E8FCB7131EC4}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{545A00C2-FCCC-40B3-9310-2C36AE64B0DD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{87271B4E-1726-4CED-AF0D-BE675621FD29}\InprocServer32\ = "C:\\Windows\\system32\\ffdshow.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{895322C5-84A1-450C-8478-C57793CAE86F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A19DE2F2-2F74-4927-8436-61129D26C141}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A28F324B-DDC5-4999-AA25-D3A7E25EF7A8}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{93A22E7A-5091-45EF-BA61-6DA26156A5D0}\InprocServer32\ = "C:\\Windows\\system32\\VSFilter.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2D8F1801-A70D-48F4-B76B-7F5AE022AB54}\InprocServer32\ = "C:\\Windows\\system32\\LAVAudio.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2D8F1801-A70D-48F4-B76B-7F5AE022AB54}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFFCC670-5CD4-4C09-952C-F53F46C2B1A7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A0606860-51BE-4CF6-99C0-7CE5F78AC2D8}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{564FD788-86C9-4444-971E-CC4A243DA150}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{895322C5-84A1-450C-8478-C57793CAE86F}\InprocServer32\ = "C:\\Windows\\system32\\splitter.x64.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C89FC33C-E60A-4C97-BEF4-ACC5762B6404}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20ED4A03-6AFD-4FD9-980B-2F6143AA0892}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2D4D6F88-8B41-40A2-B297-3D722816648B}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2F64369-3A16-4692-A6C0-6EFCB6AEBAC1}\InprocServer32\ = "C:\\Windows\\system32\\ffdshow.ax"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{895322C5-84A1-450C-8478-C57793CAE86F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE77C59C-CFD2-429F-868C-8B04D23F94CA}\InprocServer32\ = "C:\\Windows\\system32\\VSFilter.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56904B22-091C-4459-A2E6-B1F4F946B55F}\InprocServer32\ = "C:\\Windows\\system32\\LAVSplitter.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64F2005C-6CF5-4652-B94F-600360B15B27}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5711D95F-0984-4A22-8FF8-90A954958D0C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B841F346-4835-4de8-AA5E-2E7CD2D4C435}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B3DE7EDC-0CD4-4d07-B1C5-92219CD475CC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53D9DE0B-FC61-4650-9773-74D13CC7E582}\InprocServer32\ = "C:\\Windows\\system32\\mkx.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ACE4747B-35BD-4E97-9DD7-1D4245B0695C}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2D6D98F-09CA-4524-AF64-1049B5665C9C}\InprocServer32\ = "C:\\Windows\\system32\\VSFilter.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D367878E-F3B8-4235-A968-F378EF1B9A44}\InprocServer32	regsvr32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windows.10.codec.pack.v2.2.0.setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Codec Settings UAC Manager = "\"C:\\Windows\\system32\\Codecs\\CodecUACManager.exe\""	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Codec Pack Update Checker = "\"C:\\Windows\\system32\\Codecs\\UpdateChecker.exe\""	windows.10.codec.pack.v2.2.0.setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

Processes:

windows.10.codec.pack.v2.2.0.setup.exe

description	ioc	process
File created	C:\Windows\system32\cue2xml.js.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.en_GB.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.fi.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\LAVFilters\LAVSplitter.ax.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\PCMOUT_VIDEO_2496.bmp.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\dxr.x64.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\msvcr80.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\LAVFilters\LAVAudio.ax.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\libFLAC.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\x264vfw.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\bass_ape.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\IcarosConfig.exe.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.lt.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\ff_liba52.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\mkv2vfr.exe.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\DisableUpdateChecker.exe.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\mpciconlib.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\ff_libdts.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\ff_libmad.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\xvidvfw.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\ogm.x64.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.cs.dll	windows.10.codec.pack.v2.2.0.setup.exe
File opened for modification	C:\Windows\SysWOW64\Codecs\icon.ico	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Shaders\Sepia.hlsl	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\libmpeg2_ff.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\cdxareader.ax.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\avutil-lav-57.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\ts.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\cue2xml.js.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\IcarosUICore.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\msvcp80.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.de.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.nl.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\ffdshow.ax.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Formats.ini.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\DCBassSourceMod.ax.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\avfilter-lav-8.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\IcarosPropertyHandler.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\D3DX9_43.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.el.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Shaders\BT.601 to BT.709 [HD].hlsl	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Shaders\LCD angle correction.hlsl	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\LAVFilters\avformat-lav-59.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\IcarosCache.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\CodecSettingsADMIN.exe.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\LAVFilters\avcodec-lav-59.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\cdxareader.ax.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.th_TH.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.vi.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\ff_unrar.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\dsmux.x64.exe.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\swscale-ics-5.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Shaders\Gaussian Blur_pass1.hlsl	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\LAVFilters\libbluray.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\ff_samplerate.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\basswv.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\mkzlib.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Lang\mpcresources.ar.dll	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\avfilter-lav-8.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File opened for modification	C:\Windows\SysWOW64\Codecs\TrayMenu.exe.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\Codecs\Shaders\YV12 chroma upsampling.hlsl	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\ffmpeg.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\SysWOW64\libmpeg2_ff.dll.new	windows.10.codec.pack.v2.2.0.setup.exe
File created	C:\Windows\system32\TomsMoComp_ff.dll.new	windows.10.codec.pack.v2.2.0.setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Codecs\CodecSettingsADMIN.exe	nsis_installer_1
C:\Windows\SysWOW64\Codecs\CodecSettingsADMIN.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

windows.10.codec.pack.v2.2.0.setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windows.10.codec.pack.v2.2.0.setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	windows.10.codec.pack.v2.2.0.setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windows.10.codec.pack.v2.2.0.setup.exe

Modifies registry class 64 IoCs

Processes:

windows.10.codec.pack.v2.2.0.setup.exeregsvr32.exeregsvr32.exeSetACL.exeTrayMenu.exeregsvr32.exeSetACL.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64F2005C-6CF5-4652-B94F-600360B15B27}\InprocServer32\ = "C:\\Windows\\SysWow64\\mkx.dll"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F13D3732-96BD-4108-AFEB-E85F68FF64DC}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.IVF\shell\ = "Play"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.m4v\ = "WMP11.AssocFile.MP4"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.3g2\PerceivedType = "video"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mpc\PreviewDetails = "prop:System.Title;System.Media.Duration;System.Size;System.Video.FrameWidth;System.Video.FrameHeight;System.Rating;System.Keywords;System.Comment;System.Music.Artist;System.Music.Genre;System.ParentalRating;System.OfflineAvailability;System.OfflineStatus;System.DateModified;System.DateCreated;System.SharedWith;System.Media.SubTitle;System.Media.Year;System.Video.FrameRate;System.Video.EncodingBitrate;System.Video.TotalBitrate"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{49590BC9-6DD5-4E44-AD4C-E8FCB7131EC4}	windows.10.codec.pack.v2.2.0.setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{0B390488-D80F-4A68-8408-48DC199F0E97}\FilterData = 020000000000200003000000000000003070693300000000000000000a00000000000000000000003074793300000000480100005801000031747933000000004801000068010000327479330000000048010000780100003374793300000000480100008801000034747933000000004801000098010000357479330000000048010000a8010000367479330000000048010000b8010000377479330000000048010000c8010000387479330000000048010000d8010000397479330000000048010000e8010000317069330800000000000000010000000000000000000000307479330000000048010000f8010000327069330000000000000000040000000000000000000000307479330000000008020000f8010000317479330000000018020000f801000032747933000000001802000028020000337479330000000048010000380200007669647300001000800000aa00389b715956313200001000800000aa00389b714959555600001000800000aa00389b715955593200001000800000aa00389b715955595600001000800000aa00389b715559565900001000800000aa00389b715659555900001000800000aa00389b717eeb36e44f52ce119f530020af0ba7707deb36e44f52ce119f530020af0ba7707ceb36e44f52ce119f530020af0ba7707beb36e44f52ce119f530020af0ba770000000000000000000000000000000007478747300001000800000aa00389b7108eb87e4266be94b9dd3993434d313fd3ea5eb0430936c439133553ec87031dc2d806de046dbcf11b4d100805f6cbbea	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F71651E-65D2-40BF-AC44-275D11927D99}\InprocServer32\ = "C:\\Windows\\system32\\ffdshow.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vob\Content Type = "video/x-matroska"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.WEBM	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred	SetACL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Open in Media Player Classic\command\ = "\"C:\\Windows\\SysWOW64\\Codecs\\mpc-hc.exe\" \"%1\""	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C54F71E-EA15-43A5-8EA5-ADB91283D3D7}\InprocServer32\ThreadingModel = "Apartment"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C52908F0-1C06-4C0D-A4CD-3D10EA51C757}\InprocServer32\ = "C:\\Windows\\SysWow64\\madFlac.ax"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\Extensions\.mks\Source Filter = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.mov\OpenWithProgIds	windows.10.codec.pack.v2.2.0.setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shn\OpenWithProgIds\WMP11.AssocFile.SHN	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.umx\ShellEx\	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VzCs.VzCsMediaList\ = "VzCsMediaList Class"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}\InprocServer32\ = "C:\\Windows\\system32\\dxr.x64.dll"	TrayMenu.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.mov\OpenWithProgids\WMP11.AssocFile.MOV	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.OGM\shell\open\command\ = "\"%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\" /prefetch:8 /Open \"%L\""	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.webm\ExtendedTileInfo = "prop:System.ItemType;System.Size;System.Media.Duration;System.OfflineAvailability"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.opus	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{0B390488-D80F-4A68-8408-48DC199F0E97}	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4E7FC4FF-A849-4D6D-B2A6-D7874A67A4FC}\ProgID	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\Extensions\.mka = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.3GP\shellex\ContextMenuHandlers\PlayTo	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A19DE2F2-2F74-4927-8436-61129D26C141}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mtm\PerceivedType = "audio"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp4\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}\ = "{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.FLV\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.DTSWAV\shell\play\command	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.APE\DefaultIcon\ = "%SystemRoot%\\SysWow64\\wmploc.dll,-730"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpc\ShellEx\	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse	SetACL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFEB8952-1311-4A44-B6D7-E3D31F00C4AB}\InprocServer32\ThreadingModel = "Both"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}\FriendlyName = "Haali Simple Media Splitter"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.bdmv\PreviewDetails = "prop:System.Title;System.Media.Duration;System.Size;System.Video.FrameWidth;System.Video.FrameHeight;System.Rating;System.Keywords;System.Comment;System.Music.Artist;System.Music.Genre;System.ParentalRating;System.OfflineAvailability;System.OfflineStatus;System.DateModified;System.DateCreated;System.SharedWith;System.Media.SubTitle;System.Media.Year;System.Video.FrameRate;System.Video.EncodingBitrate;System.Video.TotalBitrate"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8E73B6B-4CB3-44A4-BE99-4F7BCB96E491}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E15A6DE-B1F1-4E1F-8448-F5A06E179208}\Instance\{7E15A6DE-B1F1-4E1F-8448-F5A06E179208}	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\Extensions\.mks = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.UMX\shell\open\command	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2F64369-3A16-4692-A6C0-6EFCB6AEBAC1}\InprocServer32\ = "C:\\Windows\\system32\\ffdshow.ax"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{DBF9000E-F08C-4858-B769-C914A0FBB1D7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mlp	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.FLAC\shellex	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{545A00C2-FCCC-40B3-9310-2C36AE64B0DD}	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9852A670-F845-491B-9BE6-EBD841B8A613}\InprocServer32\ = "C:\\Windows\\system32\\VSFilter.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{B98D13E7-55DB-4385-A33D-09FD1BA26338}\CLSID = "{B98D13E7-55DB-4385-A33D-09FD1BA26338}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.ALAC\shell\play\ = "&Play"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wv\OpenWithProgIds\WMP11.AssocFile.WV	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.mka\Source Filter = "{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{55DA30FC-F16B-49FC-BAA5-AE59FC65F82D}\FilterData = 02000000010080000100000000000000307069330c00000000000000000000000000000000000000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{9852A670-F845-491B-9BE6-EBD841B8A613}\FriendlyName = "DirectVobSub (auto-loading version)"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.m2ts\PerceivedType = "video"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.OGM\shellex	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.WV\ = "WV Format Sound"	windows.10.codec.pack.v2.2.0.setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C89FC33C-E60A-4C97-BEF4-ACC5762B6404}\InprocServer32	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.S3M\shell\ = "Play"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.vob\ExtendedTileInfo = "prop:System.ItemType;System.Size;System.Media.Duration;System.OfflineAvailability"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.AC3\shell\play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	windows.10.codec.pack.v2.2.0.setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.MO3\FriendlyTypeName = "@%SystemRoot%\\system32\\unregmp2.exe,-9908"	windows.10.codec.pack.v2.2.0.setup.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

windows.10.codec.pack.v2.2.0.setup.exe

pid	process
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe
3052	windows.10.codec.pack.v2.2.0.setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

windows.10.codec.pack.v2.2.0.setup.exe

pid process

3052 windows.10.codec.pack.v2.2.0.setup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

windows.10.codec.pack.v2.2.0.setup.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exeSetACL.exe

description	pid	process
Token: SeDebugPrivilege	3052	windows.10.codec.pack.v2.2.0.setup.exe
Token: SeShutdownPrivilege	3052	windows.10.codec.pack.v2.2.0.setup.exe
Token: SeCreatePagefilePrivilege	3052	windows.10.codec.pack.v2.2.0.setup.exe
Token: SeIncBasePriorityPrivilege	3052	windows.10.codec.pack.v2.2.0.setup.exe
Token: SeBackupPrivilege	616	SetACL.exe
Token: SeRestorePrivilege	616	SetACL.exe
Token: SeTakeOwnershipPrivilege	616	SetACL.exe
Token: SeBackupPrivilege	1688	SetACL.exe
Token: SeRestorePrivilege	1688	SetACL.exe
Token: SeTakeOwnershipPrivilege	1688	SetACL.exe
Token: SeBackupPrivilege	3380	SetACL.exe
Token: SeRestorePrivilege	3380	SetACL.exe
Token: SeTakeOwnershipPrivilege	3380	SetACL.exe
Token: SeBackupPrivilege	3272	SetACL.exe
Token: SeRestorePrivilege	3272	SetACL.exe
Token: SeTakeOwnershipPrivilege	3272	SetACL.exe
Token: SeBackupPrivilege	1580	SetACL.exe
Token: SeRestorePrivilege	1580	SetACL.exe
Token: SeTakeOwnershipPrivilege	1580	SetACL.exe
Token: SeBackupPrivilege	4788	SetACL.exe
Token: SeRestorePrivilege	4788	SetACL.exe
Token: SeTakeOwnershipPrivilege	4788	SetACL.exe
Token: SeBackupPrivilege	4660	SetACL.exe
Token: SeRestorePrivilege	4660	SetACL.exe
Token: SeTakeOwnershipPrivilege	4660	SetACL.exe
Token: SeBackupPrivilege	2872	SetACL.exe
Token: SeRestorePrivilege	2872	SetACL.exe
Token: SeTakeOwnershipPrivilege	2872	SetACL.exe
Token: SeBackupPrivilege	3152	SetACL.exe
Token: SeRestorePrivilege	3152	SetACL.exe
Token: SeTakeOwnershipPrivilege	3152	SetACL.exe
Token: SeBackupPrivilege	4560	SetACL.exe
Token: SeRestorePrivilege	4560	SetACL.exe
Token: SeTakeOwnershipPrivilege	4560	SetACL.exe
Token: SeBackupPrivilege	3092	SetACL.exe
Token: SeRestorePrivilege	3092	SetACL.exe
Token: SeTakeOwnershipPrivilege	3092	SetACL.exe
Token: SeBackupPrivilege	3772	SetACL.exe
Token: SeRestorePrivilege	3772	SetACL.exe
Token: SeTakeOwnershipPrivilege	3772	SetACL.exe
Token: SeBackupPrivilege	4364	SetACL.exe
Token: SeRestorePrivilege	4364	SetACL.exe
Token: SeTakeOwnershipPrivilege	4364	SetACL.exe
Token: SeBackupPrivilege	408	SetACL.exe
Token: SeRestorePrivilege	408	SetACL.exe
Token: SeTakeOwnershipPrivilege	408	SetACL.exe
Token: SeBackupPrivilege	4480	SetACL.exe
Token: SeRestorePrivilege	4480	SetACL.exe
Token: SeTakeOwnershipPrivilege	4480	SetACL.exe
Token: SeBackupPrivilege	4980	SetACL.exe
Token: SeRestorePrivilege	4980	SetACL.exe
Token: SeTakeOwnershipPrivilege	4980	SetACL.exe
Token: SeBackupPrivilege	4324	SetACL.exe
Token: SeRestorePrivilege	4324	SetACL.exe
Token: SeTakeOwnershipPrivilege	4324	SetACL.exe
Token: SeBackupPrivilege	3368	SetACL.exe
Token: SeRestorePrivilege	3368	SetACL.exe
Token: SeTakeOwnershipPrivilege	3368	SetACL.exe
Token: SeBackupPrivilege	4672	SetACL.exe
Token: SeRestorePrivilege	4672	SetACL.exe
Token: SeTakeOwnershipPrivilege	4672	SetACL.exe
Token: SeBackupPrivilege	224	SetACL.exe
Token: SeRestorePrivilege	224	SetACL.exe
Token: SeTakeOwnershipPrivilege	224	SetACL.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

TrayMenu.exe

pid process

4992 TrayMenu.exe
4992 TrayMenu.exe
4992 TrayMenu.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

TrayMenu.exe

pid process

4992 TrayMenu.exe
4992 TrayMenu.exe
4992 TrayMenu.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

windows.10.codec.pack.v2.2.0.setup.exeregsvr32.exeTrayMenu.exe

pid process

3052 windows.10.codec.pack.v2.2.0.setup.exe
852 regsvr32.exe
4992 TrayMenu.exe

pid	process
4992	TrayMenu.exe
4992	TrayMenu.exe
4992	TrayMenu.exe

pid	process
4992	TrayMenu.exe
4992	TrayMenu.exe
4992	TrayMenu.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

windows.10.codec.pack.v2.2.0.setup.exe

description	pid	process	target process
PID 3052 wrote to memory of 2724	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 2724	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 1456	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 1456	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 3016	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 3016	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 2492	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 2492	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 4836	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 4836	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 4112	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 4112	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 5084	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 5084	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 3272	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 3272	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 3148	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 3148	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 3776	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 3776	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 428	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 428	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 2412	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 2412	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 4204	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 4204	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 4864	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 4864	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 1340	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 1340	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 5016	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 5016	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 2960	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 2960	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 4276	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 4276	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 1180	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 1180	3052	windows.10.codec.pack.v2.2.0.setup.exe	SetACL.exe
PID 3052 wrote to memory of 852	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 852	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 1804	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 1804	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 4992	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 4992	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 3616	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 3616	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 2888	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 2888	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 2372	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 2372	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 3024	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 3024	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 2088	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 2088	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 4316	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 4316	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 4088	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 4088	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 1616	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 1616	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 2772	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 2772	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 4612	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe
PID 3052 wrote to memory of 4612	3052	windows.10.codec.pack.v2.2.0.setup.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\windows.10.codec.pack.v2.2.0.setup.exe
"C:\Users\Admin\AppData\Local\Temp\windows.10.codec.pack.v2.2.0.setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:2724

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1456

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:3016

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:2492

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:4836

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:4112

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.avi" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:5084

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4a" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:3272

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4v" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:3148

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:3776

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4v" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:428

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:2412

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:4204

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:4864

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.avi" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1340

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4a" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:5016

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4v" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:2960

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:4276

C:\Windows\SysWOW64\Codecs\SetACL.exe
"C:\Windows\system32\Codecs\SetACL.exe" "MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4v" /registry /grant S-1-5-32-544 /full /r:cont_obj /sid /silent
2⤵
- Executes dropped EXE
PID:1180

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\ffdshow.ax
2⤵
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:852

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\avi.x64.dll
2⤵
- Registers COM server for autorun
PID:1804

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\dxr.x64.dll
2⤵
PID:4992

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\ts.x64.dll
2⤵
- Registers COM server for autorun
PID:3024

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\ogm.x64.dll
2⤵
- Registers COM server for autorun
PID:2372

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\mp4.x64.dll
2⤵
- Registers COM server for autorun
PID:2888

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\mkx.x64.dll
2⤵
- Registers COM server for autorun
PID:3616

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\splitter.x64.ax
2⤵
- Registers COM server for autorun
- Modifies registry class
PID:2088

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\VSFilter.dll
2⤵
- Registers COM server for autorun
- Modifies registry class
PID:4316

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\cdxareader.ax
2⤵
- Registers COM server for autorun
PID:4088

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\LAVSplitter.ax
2⤵
- Registers COM server for autorun
- Modifies registry class
PID:1616

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\LAVVideo.ax
2⤵
- Registers COM server for autorun
PID:2772

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\LAVAudio.ax
2⤵
- Registers COM server for autorun
- Modifies registry class
PID:4612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\\Regasm.exe" "C:\Windows\SysWOW64\IcarosPropertyHandler.dll" /silent /codebase
2⤵
PID:1128

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Regasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\Regasm.exe" "C:\Windows\system32\IcarosPropertyHandler.dll" /silent /codebase
2⤵
PID:4584

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\IcarosThumbnailProvider.dll
2⤵
PID:616

C:\Windows\SysWOW64\Codecs\TrayMenu.exe
C:\Windows\SysWOW64\Codecs\TrayMenu.exe
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4992

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:1332

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
PID:4576

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
PID:4772

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:3552

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
PID:1508

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
PID:2232

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:4636

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
PID:1064

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
PID:1340

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:5008

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
PID:2204

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
PID:4568

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:2244

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
PID:2224

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
- Modifies registry class
PID:4584

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:4348

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
PID:3856

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Executes dropped EXE
PID:4316

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:508

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
- Executes dropped EXE
PID:4752

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
PID:4308

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:3132

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
- Executes dropped EXE
PID:3456

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
- Executes dropped EXE
PID:2272

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
PID:5092

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
PID:336

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
PID:2828

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
PID:5056

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
PID:796

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
PID:1132

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
PID:3000

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
PID:4524

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
PID:2212

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
PID:1876

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-32-544;s:y -silent
2⤵
PID:4896

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:full -silent
2⤵
PID:3716

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:2216

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:3556

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:4976

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:4808

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:2856

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:4688

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:3748

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:1388

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:3304

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:4048

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:3212

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:3976

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:4540

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:4208

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:756

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:2884

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:1052

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:1688

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:4644

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:1332

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:4576

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
- Modifies registry class
PID:664

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:2112

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:4860

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:4084

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:2828

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:5056

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:3896

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:4284

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:4408

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:944

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:2756

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:5032

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.avi" -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:2600

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.avi" -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:2528

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.avi" -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:5072

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4a" -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:2516

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4a" -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:2524

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4a" -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:4308

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4v" -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:4816

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4v" -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:2552

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4v" -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:3636

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4" -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:5092

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4" -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:2932

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4" -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:2960

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4v" -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:5096

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4v" -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:3672

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4v" -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:1676

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:1920

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:1320

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:4348

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:1876

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:3856

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaFoundation\MediaSources\DoNotUse -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:2088

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.avi" -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:4288

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.avi" -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:5028

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.avi" -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:2908

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4a" -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:4648

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4a" -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:3456

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4a" -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:436

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4v" -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:3756

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4v" -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:3480

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.m4v" -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:3932

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4" -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:1988

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4" -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:1424

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4" -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:4364

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4v" -ot reg -actn setowner -ownr n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y -silent
2⤵
PID:1464

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4v" -ot reg -actn ace -ace n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;s:y;p:full -silent
2⤵
PID:4524

C:\Windows\SysWOW64\Codecs\SetACL.exe
C:\Windows\system32\Codecs\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\ByteStreamHandlers\.mp4v" -ot reg -actn ace -ace n:S-1-5-32-544;s:y;p:read -silent
2⤵
PID:2604

C:\Windows\SysWOW64\Codecs\CodecSettings.exe
"C:\Windows\SysWOW64\Codecs\CodecSettings.exe"
1⤵
PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nscD6A5.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscD6A5.tmp\audio.ini

Filesize
1KB

MD5
d7888585c101fe7ebb264479a5861234

SHA1
1c4108bb273f51114edb8cd13e6f3990b1e51f7f

SHA256
1c9151223da0226280761b3d2369580a8f08383e963c8ae8a91f8fe13deeb226

SHA512
3acdb1cb65b23ea303bd8ad2b1ae552e31070adfc9d488fcca7c896e49d88b2ab6b032d58772f17b4bd38758ceabec8a46c7e014d7899e0c4b7773024856cc6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscD6A5.tmp\codec_settings.ini

Filesize
1KB

MD5
48846b7ecde61aa95ea6812330d290c1

SHA1
22629563440a208ec6845abc1ac730761501fbc4

SHA256
0b92311a2e99216e3fef19723b276bcdddef16a7b8a599472a7815f0b938ae00

SHA512
d8724d08dc4c4c230425df0d7f32dd2e2286c5daf5c615bcf13b45d59e77e3a586deb7f33022edb11f33c2ab77b4ee918dd813a6867c71950bb43b3483c7f5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscD6A5.tmp\codec_settings.ini

Filesize
1KB

MD5
48846b7ecde61aa95ea6812330d290c1

SHA1
22629563440a208ec6845abc1ac730761501fbc4

SHA256
0b92311a2e99216e3fef19723b276bcdddef16a7b8a599472a7815f0b938ae00

SHA512
d8724d08dc4c4c230425df0d7f32dd2e2286c5daf5c615bcf13b45d59e77e3a586deb7f33022edb11f33c2ab77b4ee918dd813a6867c71950bb43b3483c7f5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscD6A5.tmp\codec_settings.ini

Filesize
1KB

MD5
c750c1e8da80de7271ad9246e2f37c9b

SHA1
f22c0adee830f38397ed97c0afca5ea4521cc7a4

SHA256
5713265035e1230e3587d10fdf9b30e50e5a2477f7adbcbc29818170fccf1280

SHA512
d10e777f26c38d85fd6c51ca004b05557b67c45c14645e676420afbd2655b3821ed5d9192f48172a3c9095381e17e48e16a7c3e24a7424dccb52a3f7698c0be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscD6A5.tmp\codec_settings.ini

Filesize
1KB

MD5
37e1aeb83f642e09fe82910b6428ee9b

SHA1
f5872bf917f325c48a56279fe560e6d88f86526d

SHA256
495d06f9c75b455cae9b4ad16eb358b9dc252694964d3134ba923abcc64e39ee

SHA512
9318d66ee625ce0d5add810592073339b2e163a21e0ae4617efe6484ecf5b49681527064c3afb8037429b67b6a1fc760933042f3f83b8be9b7936eb5e2ec6b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscD6A5.tmp\video.ini

Filesize
1KB

MD5
0abe24bfc246d3799e2d053679f81afb

SHA1
136d91962d6bf7117eb31df26b318418e15f234c

SHA256
8de43489b1a1271f0bd4e231cd25973be4763ec514688cdce702e192c5e72340

SHA512
7167e30d57ee5b0a89cbca4ff5e058a91bb86b726f76cb033489958fbeb22255b246f3a70e1bd9ca6abda1e302c61c53b449f8b344e1655f56f7120f71272e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\AppAssoc.xml

Filesize
1KB

MD5
82961d57741513188bfc9c2324e5533a

SHA1
de94ecfbe6d8bf48c7398e6e114654cb1ffe0e07

SHA256
2d3b37cb19866944d868f166a50ae940fe741400886255664d0978a9a368dedb

SHA512
7bb04ceb7cec07ede7cae148e3f08c831d53e5362de8dda7d17be13f2e54e6d24d94fe41dcbd796082a4350664fab3a32548f6d677aac819cb135886440bd26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\HwInfo.dll

Filesize
68KB

MD5
44e5c77cae3ae434d1e4e619bdb1c39b

SHA1
9988f020eac45207d148668227b6819a38bdafa0

SHA256
326c406116026019a41c94b2e6b4c1061154f3bc9a395638063dae349f8a7579

SHA512
c3e40499d1296bebd2b1a770d9cd1f025859963a0f6dff002eb336f069f057ac4b3d2f5819232af6d2802ba1a3770f62440136030eb37355fa6f5b6ee0bc0470

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\InstallOptions.dll

Filesize
14KB

MD5
2a03c4a7ac5ee5e0e0a683949f70971b

SHA1
3bd9877caaea4804c0400420494ad1143179dcec

SHA256
d4f0042d8e7622b7e14395e926dd02edab3cdc77e82d88108b67a4d2cee9229b

SHA512
1942cdb522859f8dba46824786e361794a62e6201279201e1e0e2e07499fb6252933c5661782fccd77291c3650cafb2a7a08eee5431c8238f0da44840ee4c476

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\InstallOptions.dll

Filesize
14KB

MD5
2a03c4a7ac5ee5e0e0a683949f70971b

SHA1
3bd9877caaea4804c0400420494ad1143179dcec

SHA256
d4f0042d8e7622b7e14395e926dd02edab3cdc77e82d88108b67a4d2cee9229b

SHA512
1942cdb522859f8dba46824786e361794a62e6201279201e1e0e2e07499fb6252933c5661782fccd77291c3650cafb2a7a08eee5431c8238f0da44840ee4c476

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\InstallOptions.dll

Filesize
14KB

MD5
2a03c4a7ac5ee5e0e0a683949f70971b

SHA1
3bd9877caaea4804c0400420494ad1143179dcec

SHA256
d4f0042d8e7622b7e14395e926dd02edab3cdc77e82d88108b67a4d2cee9229b

SHA512
1942cdb522859f8dba46824786e361794a62e6201279201e1e0e2e07499fb6252933c5661782fccd77291c3650cafb2a7a08eee5431c8238f0da44840ee4c476

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\ShellLink.dll

Filesize
4KB

MD5
aad75be0bdd1f1bac758b521c9f1d022

SHA1
5d444b8432c8834f5b5cd29225101856cebb8ecf

SHA256
d1d1642f3e70386af125ec32f41734896427811770d617729d8d5ebdf18f8aa7

SHA512
4c6e155cdf62cc8b65f3d0699c73c9032accefaa0f51e8b9a5c2f340ec8c6f5fab0ea02aad0abed476b3537292ba22d898589812850968e105ac83680d2f87d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\UserInfo.dll

Filesize
4KB

MD5
8ef0e4eb7c89cdd2b552de746f5e2a53

SHA1
820f681e7cec409a02b194a487d1c8af1038acf0

SHA256
41293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc

SHA512
a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\UserInfo.dll

Filesize
4KB

MD5
8ef0e4eb7c89cdd2b552de746f5e2a53

SHA1
820f681e7cec409a02b194a487d1c8af1038acf0

SHA256
41293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc

SHA512
a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\UserInfo.dll

Filesize
4KB

MD5
8ef0e4eb7c89cdd2b552de746f5e2a53

SHA1
820f681e7cec409a02b194a487d1c8af1038acf0

SHA256
41293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc

SHA512
a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\UserInfo.dll

Filesize
4KB

MD5
8ef0e4eb7c89cdd2b552de746f5e2a53

SHA1
820f681e7cec409a02b194a487d1c8af1038acf0

SHA256
41293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc

SHA512
a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\audio.ini

Filesize
1KB

MD5
916da5dfbc449673b560900ae0920097

SHA1
38a2a10eef881cedf6c38c5cd17a3be3dc4e7f34

SHA256
42423ed38acac92446c4cf684cf15534ded9254ed38789ad1b6ad0fea2f98393

SHA512
23e4b845d4063e04cb3f14409dc5443fb4898f3b98c6c09e20974e8f9885f1c5e73c413e4c1be9fd98f729503bf77574114f9f45978caf4d55d0daf5901a4d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\audio.ini

Filesize
1KB

MD5
916da5dfbc449673b560900ae0920097

SHA1
38a2a10eef881cedf6c38c5cd17a3be3dc4e7f34

SHA256
42423ed38acac92446c4cf684cf15534ded9254ed38789ad1b6ad0fea2f98393

SHA512
23e4b845d4063e04cb3f14409dc5443fb4898f3b98c6c09e20974e8f9885f1c5e73c413e4c1be9fd98f729503bf77574114f9f45978caf4d55d0daf5901a4d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\audio.ini

Filesize
1KB

MD5
dde13da249344a91a57f8afeeb064748

SHA1
1e326cd0d785820dc9e3787f7071e56bbd6a5e6e

SHA256
7b1494067a47aa43eebe4487db2cef257ba89f6ee3e19ab4c5c763bab00878d5

SHA512
b14ed00a7a146e7846d088d8f340d137eaf4671b9263523e550575a767b6e8970fa55b082ef39663c449c87b124336c2f46f97bb09fe4fd573bd812218361d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\cpudesc.dll

Filesize
4KB

MD5
d25102051b33f61c9f7fb564a4556219

SHA1
c683964c11d5175171bd009cb08f87592c923f85

SHA256
e58e5d1d8da2ea526d0d754b4faad3773021166b0720723efb7b30f1f5075398

SHA512
8828eec31926251d7e51b5bf1050c3519c9b7fca4f978fb6ee0bf18f9642c3460687f10ff79e5892100ecadbf49725711567c348e1dfccb3644bd9ef992a92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\easy.ini

Filesize
1KB

MD5
5dc29cea6faff28ceb5c1d9d5245542c

SHA1
a0c2de97067b5726bee30eb44a6d9adec59bb06a

SHA256
b681ddba789b74dfc8c70e42d0e3acd359f0186309558ddcc74e74ef64f6f96b

SHA512
cabdbaf5fb7a3d460e51ff1aa8a5cf73bee22bbcf2745ff612f5b84c31d92da6cc1dcd216b2ca8a4703fd64cc7509b089ea4bf2b7cf8f66d72629c791e89077f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\easy.ini

Filesize
1KB

MD5
43a1a5ee65d2828841781b6b403f3a64

SHA1
5a3636e0aae2199f56d2b57beb2c787b92dd045c

SHA256
4efdbf5ca7b648390c5d1cbf21ea6f67061a235dc54700b30c7aa321eeb037ce

SHA512
9dea293900ab699e93ab0d40fda09ef95f03af1e6272ea07561b6755fbe81a0d692d2f7ec0385b3bc7ac6a667644322cdcd3770afcf0e0c7b8966b58d82accbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsDialogs.dll

Filesize
9KB

MD5
d9256d9acaecabb20b7e9a1595abfa36

SHA1
ece1cab181dac7729246da1d4494b8daa10c3b70

SHA256
d7b2c55977a541f8d075e48d4e0a82eec79ad247b0ed168c19a8518131acd19c

SHA512
5827cdbfde0e766d1b74ecb22f9614232031da41c21d0f6ff6c9d5dcdfc0adc23e8fd616eb020ab42208932444b5e0cb1e6d6e698bead412eae19624a180b6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsDialogs.dll

Filesize
9KB

MD5
d9256d9acaecabb20b7e9a1595abfa36

SHA1
ece1cab181dac7729246da1d4494b8daa10c3b70

SHA256
d7b2c55977a541f8d075e48d4e0a82eec79ad247b0ed168c19a8518131acd19c

SHA512
5827cdbfde0e766d1b74ecb22f9614232031da41c21d0f6ff6c9d5dcdfc0adc23e8fd616eb020ab42208932444b5e0cb1e6d6e698bead412eae19624a180b6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsDialogs.dll

Filesize
9KB

MD5
d9256d9acaecabb20b7e9a1595abfa36

SHA1
ece1cab181dac7729246da1d4494b8daa10c3b70

SHA256
d7b2c55977a541f8d075e48d4e0a82eec79ad247b0ed168c19a8518131acd19c

SHA512
5827cdbfde0e766d1b74ecb22f9614232031da41c21d0f6ff6c9d5dcdfc0adc23e8fd616eb020ab42208932444b5e0cb1e6d6e698bead412eae19624a180b6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsExec.dll

Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsqD6A1.tmp

Filesize
30KB

MD5
1bc3c1608ac94cf3fb4575dc96610fe0

SHA1
02a953629b0e272d8a9bbf5dacbb03402853bc8a

SHA256
64f426601f824c9ec361755cb157d5f80499b8bbf4a29455bfca1fb65f2aae5c

SHA512
63881bcdf359f22de1a7582d943ec241ab2fe32fd68e202befd940c4e2ee86092797bc2de4514685d122235465fcc992cb0b5c1b9899869f9ca5840bcd8bec05

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsqD6A1.tmp

Filesize
30KB

MD5
1bc3c1608ac94cf3fb4575dc96610fe0

SHA1
02a953629b0e272d8a9bbf5dacbb03402853bc8a

SHA256
64f426601f824c9ec361755cb157d5f80499b8bbf4a29455bfca1fb65f2aae5c

SHA512
63881bcdf359f22de1a7582d943ec241ab2fe32fd68e202befd940c4e2ee86092797bc2de4514685d122235465fcc992cb0b5c1b9899869f9ca5840bcd8bec05

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsqD6A1.tmp

Filesize
30KB

MD5
1bc3c1608ac94cf3fb4575dc96610fe0

SHA1
02a953629b0e272d8a9bbf5dacbb03402853bc8a

SHA256
64f426601f824c9ec361755cb157d5f80499b8bbf4a29455bfca1fb65f2aae5c

SHA512
63881bcdf359f22de1a7582d943ec241ab2fe32fd68e202befd940c4e2ee86092797bc2de4514685d122235465fcc992cb0b5c1b9899869f9ca5840bcd8bec05

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\nsqD6A1.tmp

Filesize
30KB

MD5
1bc3c1608ac94cf3fb4575dc96610fe0

SHA1
02a953629b0e272d8a9bbf5dacbb03402853bc8a

SHA256
64f426601f824c9ec361755cb157d5f80499b8bbf4a29455bfca1fb65f2aae5c

SHA512
63881bcdf359f22de1a7582d943ec241ab2fe32fd68e202befd940c4e2ee86092797bc2de4514685d122235465fcc992cb0b5c1b9899869f9ca5840bcd8bec05

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\video.ini

Filesize
1KB

MD5
8dc8d038bb7f87afe5d6bdfdcee2e81c

SHA1
0ca90246da79a9418cd740706ac03d6ba02595ec

SHA256
93e250b40a90e7db98e623b28637859e7b92729ed9dbe1b9c2bc80710317a549

SHA512
27e2b75a45bae6e61d62e90ce064335bc4971b2ab7ad5392773f16cdb62e6d41d4c146ad22af4426c8f7aa767fd471b451915563bd212586b462ebf4ba5deec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\video.ini

Filesize
1KB

MD5
a78a25e6df096865af0cac7b01204f8a

SHA1
1aecccf7b7eeb65af9af9e1c823d9dbda9eb8b76

SHA256
95d2955ba96fd539fd571aa26dc72983587da8e9f7238bb25bc39686ba807d31

SHA512
79de7813bc4c0bef4a58347b843cf29e28878cc8fedc3d55819271d57ba8d140f5b60d9e05d366f06b50f23256c52f779ed173734b828a512581fa321fd48cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\video.ini

Filesize
1KB

MD5
9fe4ea24f19b7b40c899a8af16ef6534

SHA1
5fa89a3129877331e31ba05fc98431b9a6162ff8

SHA256
7500f8d716c644262400a10bdd28bc62acccf08092847c90c96e20ad44bdd029

SHA512
9863671da0a21c394fb131e98753d2624014354b1cabd5f7cb7219b57383c4a67dc26403b9bf23986b2bfeb60798a2fe4a0a0d0fc5eba180e243100c73609ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB443.tmp\video_hardware.ini

Filesize
802B

MD5
539f149b374cda60f08b2f14d04bf6f2

SHA1
dc8de30db9667e4419f1bcebdea174ec138a7bba

SHA256
3fc7a360025857aeab1a697446111ae730c5ae7125e74974c2f1c28408f6d943

SHA512
3c321fdee44c1613a4275092644783079a3ae08cdd270be0e5bf79d59f7c75977ecd26797cdc3343aa9ee33796fd5d1ee7d36534959011a1ea8d461d8f7285eb

Download Submit
C:\Windows\SysWOW64\Codecs\CodecSettingsADMIN.exe

Filesize
185KB

MD5
7ab9d1929d6cd3ca7f38d4cd21847708

SHA1
92ea03a0755045ed262f2995d7b5660fdea13bb4

SHA256
6fbe76aeecae269842f647435d79388a0369616c104faa53d2b36bc5b085fcc5

SHA512
c5c1645461a0d34d7c344899e545a2ef31b14cb674666432496874e3f11904d0f67c197663b28c8ef30fe3697326f87a68e3772f3b45917738b5b9ffde7a9149

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\SetACL.exe

Filesize
556KB

MD5
1d2af4d7b2a745f0b28498d0db49eb8a

SHA1
d353180a668d53185aec0012a832e80a04e6a2e7

SHA256
139cdf232bf6b710079f65b52a2ba9d5f5f33b6799fbdf441677902e757e76b5

SHA512
99428e594d212166a73007c6441c5aae1c5aace5487a1d06db7511adb1eb82b76e7be360804a5147a4df838839abb1de0944eb46bb30a90dbacc14d772312813

Download Submit
C:\Windows\SysWOW64\Codecs\TrayMenu.exe

Filesize
873KB

MD5
c33d0d8de7a3466227f50b2d14d97f68

SHA1
b115a92bbd44155db70781eeacef649878c129ec

SHA256
018ce623777c1cbb71bcb746ab7e0cce1cc5e228f5bd85aab606298311eeda3a

SHA512
10fc351c5514894f14e7c43ebe34e5a14ff14ea0223772d2e3b461f9f528e7d17f940b76a589a51c9eb8e145afe6ec2382053861a8887058b60d4cec157cd80d

Download Submit
C:\Windows\SysWOW64\DSDProcessUnit.dll

Filesize
864KB

MD5
d97e3c0480e4fa59e01ee67782391fed

SHA1
a08ba6b2ebd307d9e2eb5cebddc655462009cce1

SHA256
5726cce27c0c8e18f47279940d050f5e05e35d6e9e2e5a4e3432f62f000fbbaa

SHA512
1ca3da1514eda53a358c6c90a72d18611e386babcc0e8052180d42be6621d0c7cca5d81e05795a66dd51ee621c1ae4f67d30197ff56a08e9197e2d3e04f8f356

Download Submit
C:\Windows\SysWOW64\FLWindowsVistaAPI.dll

Filesize
100KB

MD5
7e844cdbfe61b2f0bf29eb31f2c4ab6e

SHA1
c01543541e93c8ca14e88fe434d8eb5280952c65

SHA256
17ef476a6806b0ea60ad1919753aed5fe6b4e8e0a5e6c9634867846589ad626d

SHA512
2eb314332d4a18ada071726097e799afaa2f94be1fd87bc12a3098eb207dfc88010de33a7312ca985fa983e9f86e569265d385a979f8f5c49edd5cc37cf150ff

Download Submit
C:\Windows\SysWOW64\Formats.ini

Filesize
236B

MD5
64546fe93b5977ce25e0f0607c3f5f80

SHA1
345a2c502cce4a8f006525d51bf5dc7675c511c3

SHA256
62c82871f0431df70cf560869d836f303459670773e780c12285e89cf3344a37

SHA512
0645e5b6a7c0e54cf7531da2cb4fb0e0870170707945c5daff28b27459235b01b61f3344c31e4317ae8547871a306b68a70161c06bcb791475986002dd2e64c8

Download Submit
C:\Windows\SysWOW64\IcarosCache.dll

Filesize
271KB

MD5
d5312099ef77a2d12c6de1ed63425451

SHA1
798b99bacd5b9c7b42addd3bf4a5965f90f2b059

SHA256
cca1be97c455d9d7b303b6dad14bb1fd454512d2bc0b5539018ac5d316c71cd7

SHA512
ae78b76667eaf0fa801d7b79a96fe58b884cfc37a13ac0eb917511d2a0c0be2d6d6cf84879a3d2e7c30b2812a2bccc48d632e1975409775e52c27aac455fb0b9

Download Submit
C:\Windows\SysWOW64\IcarosThumbnailProvider.dll

Filesize
294KB

MD5
6c988be822d81fa967145a538e214430

SHA1
6eb6b6263f68fe1b8e2ca05bc96d8de2d60aa15d

SHA256
022d9e4d02f33ac40e9da89949891edd4f1395234447f6be0b1c077fe749860c

SHA512
043393718ac753ec2ccada02db75eac9e7dc1f57db2f28ca15f5c037cf854fffd4d6640bf9854c379945873d86074d636ccbcfc99a68f72fa8e7881a86d61b67

Download Submit
C:\Windows\SysWOW64\LAVAudio.ax

Filesize
266KB

MD5
7541409c8d6e3a0efbc70d9e66bcd6a9

SHA1
188fc30087a9ee7e0962093deaf7f749f11b33c6

SHA256
bbea286f576f9972f641feef8ca4c438242748e181c843279e4f6f3c4534d0d0

SHA512
4fa0338004781670bb724c387c0d307ebe3a24446066ebce0718e41e7461997cf178baef72b9087648c475a63f68a79d581da6b472fa04455864065326c95022

Download Submit
C:\Windows\SysWOW64\LAVSplitter.ax

Filesize
545KB

MD5
2d38c1d2b199b363de16003ce660760a

SHA1
fb6a5fb88796f1bdc451a3db306ebcfae1abc418

SHA256
8aee61f2c2feb23e3e617d85cdceadfe93e2fb4395a5f71615c8032f39ae773b

SHA512
2e5349c5d39b3e13cc8642fe4c72cec0cd3f474b271ed405007458bfe0986e21fe18f69cbd5bb722ec308f8cbbe7432c6f3ac114596590b7215718e2bf7e30d6

Download Submit
C:\Windows\SysWOW64\LAVVideo.ax

Filesize
1.0MB

MD5
9df1764a5084ce52bf746bc91a331d87

SHA1
e0d1a96829de887a98aab600b8572b03043eefb9

SHA256
d823503313d7a71706e56f41d4c60eb253957c65b1d40a9bb92a79becd37c5f1

SHA512
3fe73b60ed258cf2edd38dbf35046c21bc156bf89303bb6d67489a14e70585e0569f444d8884c92ff2c15a95371a2d4b8356d13c720314c3f0cd2f211ae8f214

Download Submit
C:\Windows\SysWOW64\PCMOUT_VIDEO_2496.bmp

Filesize
900KB

MD5
3ad19e79c8e1b64a82f9a8aef978c4b0

SHA1
f3b73755a3678f1b69335760638cc522a6535fef

SHA256
688d3c95fd14df61f650a3326bcf87c1d6edc6ef8d14f1d20206cf273907ce3e

SHA512
5699e21a77de7b3f25a88bf7a09e98420cc3f37b8b41ceca9a5b2b0fe7494094493b5257cb96e08211e34f55fef99512787ac3adae24a2d7e90bca0d7dddb96e

Download Submit
C:\Windows\SysWOW64\VSFilter.dll

Filesize
1.5MB

MD5
a065f69a2aa291d6e93113c5968361dc

SHA1
b8284641971cf8eddb3447eb659676e661943298

SHA256
460dfb510fe42b50f80a3ee3df1f605d05262361120f7a60d5e20629d2071ed0

SHA512
f717f239a4d76a6c2cef893773ab5b8e42ead47afeca65b2e3a79c841d84922b7e89aeac52d41e3134c5c1c020dc1a79082b034f1708fe337f7daa8ee1e2e6e9

Download Submit
C:\Windows\SysWOW64\VzCs.dll

Filesize
140KB

MD5
0e794e3472b165ea0401cda153c29f74

SHA1
e44d625d2cbdcc387defb51fb60f10485c77c6f1

SHA256
5961ee6dfb7e230890ec86cd48106a4e9e30e338c60e0702f0532aef9dbbb8b3

SHA512
52bf4ad2361331fbd377ccbfe45c34288d8fdda483d8c31f9ff4112182992557fd88237530344a13bf78c931f372da7661ab04ed359fbfb0bcf5565d3f21ec6e

Download Submit
C:\Windows\SysWOW64\avcodec-ics-58.dll

Filesize
9.9MB

MD5
e6635a5c54fc0b30a8438ddb32e6b4dc

SHA1
bf7ec4f65853e386503d431483005542e7efd7e1

SHA256
5dc0e01e01a53642b4d45430cf8955bdfc974da94f82a6822d84bc28830c9988

SHA512
8f50e3e3fad9db16143630e062a43e37491e0d6e7f4c96caeb8daf69b7ada9ce3fb0c0ff06fbd8210801cb978da41048605c3bc187cbf73f8b7fae0d41546e66

Download Submit
C:\Windows\SysWOW64\avcodec-lav-59.dll

Filesize
12.6MB

MD5
d43932bfcca55ce95079c530586767d4

SHA1
df6555e1f207f00bea171bd9720bbe3651c57a6e

SHA256
4bd1ec53155c7073ee4ed0b12186164990120a5ea5a377ed914a0018a8a843ad

SHA512
d531f96c5c7727de1f72bafe2a3e72482f3c2269901d78683040cbf5188bfb75defe79127aaf8ba6bde557cd09fea95d40fabc43f3e7bb6fa5eafdf13b14b813

Download Submit
C:\Windows\SysWOW64\avfilter-lav-8.dll

Filesize
204KB

MD5
e50128bf7dadb5c51156bf704fddef85

SHA1
0ba7ca4081f4c500c84f5bc547d817661af42ac4

SHA256
5b6243342dfbf88debc72720a5f25eb835c932c3c7b458afad4f3e290b7b68e2

SHA512
5542104aa48ba92de6032d2bb13bb7ecf30363293eb5cee780738b8ae316576fafb36f1834b989058f76ecf056a45c7f8735990f5fe51ef8e5ba95466ae6a7e6

Download Submit
C:\Windows\SysWOW64\avformat-ics-58.dll

Filesize
1.3MB

MD5
778f25414249cd2ff40b58fb22a3f00e

SHA1
76255e8b0c77adfbdf97ae5588a394e669575f42

SHA256
8eed8be1246e69cb1c7582eec9b070d42c95f84c9effd1d4fcf5918170d7880f

SHA512
46e80937d432649dfb2b9d9aad54e292a80ac5b515205b6b3bb1293c00b06b73670554e6eef7265037b6c7ace62352d056414d6537e5b56008c61ff8dd82680b

Download Submit
C:\Windows\SysWOW64\avformat-lav-59.dll

Filesize
4.8MB

MD5
a439ea9e954a221543c4983564958b65

SHA1
e2c5eadfd32f4dce1e0b79a539439221ca8e380f

SHA256
cdb1f07a56e0c9121b45227c88cfae75485a8434e9aa8e484634e48eba12eb5d

SHA512
68a46d57fef4d991e7c570fc43a0e6bbf4d5361c74d8aee004d71324d00de9bf0d077dc680f61220de60e5ee7690e43915ee68e8a6d63864eb243aa8a098eab9

Download Submit
C:\Windows\SysWOW64\avi.dll

Filesize
107KB

MD5
8111075e8b53fee942ce45d9a514fa89

SHA1
6f426c4da9361636e2e3cda4cf010fc2e4203dfd

SHA256
864ab53cc8a3a904c9ac2b03b9079d1521a38865b0fca05b3cf04b34ab41e8ce

SHA512
f915ce84e79d9119dcdebe88b4eb2bad91ec7f6730e8dea540b00aedddf7769ec34d8314c347c77a31eca9ea0cb4a839243ab9e394eb6de1ee14937c541fff07

Download Submit
C:\Windows\SysWOW64\avs.dll

Filesize
95KB

MD5
44a5965795fd86118922e18124498d43

SHA1
415bdbb0d4552918643eb41c424abec243841de7

SHA256
2ce27c872bc4314fc86e94b05b42b39a710ee396638645a09c974aa6a98c974f

SHA512
4a906a0112ceefb79051c8f3b2df6112da7c2f6eb16f136f41f09704e573bf49060e180e222035a2f67ac9af33d377ffe317148c2116e3c6e656ac65cc2c5d2c

Download Submit
C:\Windows\SysWOW64\avutil-ics-56.dll

Filesize
539KB

MD5
9ba6d1b8e0064d4502baf64399fc3d7d

SHA1
5917f1c23a7d9fed8155ca5e4062b89d565c0e3a

SHA256
9163b6e78b73a68886af720b76468b90dd8df650f6ed5b3187519474cb3e841a

SHA512
dc41fd993f64f7021f6e8edd8728b74978928cd14a849866e2b1ff33d3a7837a3f06cffb4d47805dbc3e8d1ebaa2d19aba5526f917623599f06fad5dba0b42e6

Download Submit
C:\Windows\SysWOW64\avutil-lav-57.dll

Filesize
697KB

MD5
3f704bda6be84c27a16643d607cff93f

SHA1
bdb9812e6bb96e934ea261b404adfd6cbbd22e9d

SHA256
eab96cdb6ac151627ff3709c5350880b90eb6e2677e75b3ac377c7644f0802b6

SHA512
65f79445c06e1c11d23c9331d1be58ee503f552b4a3dd57f29645451cd043ec7afd8d032845e8f4e8e2aa640f39f2dd33cf92c172a33f77b72684dabedee5522

Download Submit
C:\Windows\SysWOW64\dxr.dll

Filesize
244KB

MD5
116abbf463689755cc34e65338eb478b

SHA1
a993a6c58b2090fff04c52b165c2c46e3cc4a854

SHA256
20872e846d07c6ebeaf32fb3cc0430bede9103c366f00cde6ca834f7f73db5c7

SHA512
edb50b9c0ebe1d250cd348c0319dfab85ec1f15528b9e9ef5010a14ecb9e9ba4d066e6476faaaaddb3271f43aa3ad7f5e3c3e28d65c8d9eabaf99e88b4812a58

Download Submit
C:\Windows\SysWOW64\libFLAC.dll

Filesize
262KB

MD5
b9ff0a41d52cbe2b64e2a3d4dbcc81b2

SHA1
c122e719e72ecf29298c283725b9c2b6f5b65c41

SHA256
ddaa5c61795795fa02b94fb638bb6c4ad198bedb4de1935e1f96db40f1eef937

SHA512
99554d02c4509a5f16c7ba32b75cf6da23216242891531a703bd5447f9c707e17ac33bfe3f770b807f432b0d501641c74510a5c21cc08b1dcec60ab6e027b1a7

Download Submit
C:\Windows\SysWOW64\libbluray.dll

Filesize
335KB

MD5
032f7d4c93b1c63d686586b0d72a0172

SHA1
a5630a46c06df857c70c16104ef484f64df430e1

SHA256
3ce23fc539e05980bcee8d9eac184895eed5547aa042068237606d44c419ab29

SHA512
395bf53cf344b77c97078e03c1c1986ad4eda5eacec7751d65fd8455eacb6094070177f6d55b3e7cc7a1dd2c4f4cb7abac0e11121e9ee474d9d124cc19599afe

Download Submit
C:\Windows\SysWOW64\libmmd.dll

Filesize
2.7MB

MD5
95f2d2445dacfe7711b1dcc794c649a7

SHA1
5ad0c619fe7cd678ae75c0964c9e9a93aaac47f2

SHA256
31b1c20265a6a624637037dcb5a4071acf35feba3458e3f3c70018d3fb020f1e

SHA512
67d332bc41c2c3d0b46edb52a1150692d186625104ab2bca3029084a08cb0b697a08195216d8793d41982ae0d059a4ec3e059a6ff2e911c7a61d005b7045bcb5

Download Submit
C:\Windows\SysWOW64\mkunicode.dll

Filesize
24KB

MD5
2680869cc2929f7c766540f5d0c7f94e

SHA1
ac4c4b0a1df1671e62fa94eb109645d71dc24930

SHA256
6301f7534a6d829e0b6a4a2f8ffd52a018b6753f0bd3ed3b4c87ba2599664041

SHA512
a30d4bf98ed536ce2818f2a90b971c11155ceef41f5547faf19eadebc2dc811aedbdc841d9ebc562ba2a88dc5409c47b2dc6f0a294324ea4bcc64189cc9f1854

Download Submit
C:\Windows\SysWOW64\mkx.dll

Filesize
147KB

MD5
6adb98152cd780dafd43fa2db9ff819b

SHA1
6e0a5e4c95113010aab1041207b17647a32744d5

SHA256
9e62acf083c0b1bf515e1bd2eb627dc64d16050358a355cad75dde0ea233f983

SHA512
dba6cd6d6bf6864d8021cd1b84f1d2fcc2b36e14a254c0ec429c821d1281dd40e6ad0b39d8164dc9d253e7886adcad63d3c698df4e1b1b524c80bac98c41d96e

Download Submit
C:\Windows\SysWOW64\mkzlib.dll

Filesize
78KB

MD5
9a0ab536859c2d0fc6621f0781624d51

SHA1
3c3f200de2a8c92d488163a4a1cd64e6fb82a871

SHA256
26cbcc7e03686a45ea6379d90b43c3dbb5c4271f7e62551a0b76101c9258760b

SHA512
db75cb37531894f19970f6739eab20cbf793308d05445bf251962b6af20eea6dda71461ac81204a1667872f263873d34d08d9fbc0473f8d3411083ddef5437c8

Download Submit
C:\Windows\SysWOW64\mp4.dll

Filesize
139KB

MD5
5571c32ae9b10240a791fdc2a5387a7c

SHA1
75b7e0c5f28074f278c8a697cfcaf062494bee22

SHA256
3546d56cb130d9960d0b5c377f207f16b7ae8983d59fea6a51058407421c4680

SHA512
062b17668eac675e025e29f5aafa59560ccb50e30ddb305711f03935911cb6741bd9048ccce7eaed0859b676758e12f6451429347e542b4148b36650f1499f0a

Download Submit
C:\Windows\SysWOW64\msvcr71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Windows\SysWOW64\ogm.dll

Filesize
120KB

MD5
73933b9207edae66ecfcd2871a79ae21

SHA1
aa61212f2c233b8128d6063d5e0cac7cc6be3635

SHA256
895c832523a181db648e7edd1cd916aa1e8234a46c5c497b4a664ca16534bf78

SHA512
53fda73eba7cc5024d1ce5fe1824b742d8979fffb317bba9a86d3e542a43a6806e6dc40c8fb856a9d3a3f978168a42cb75930467a3e882d2f35aa3a9b82fde00

Download Submit
C:\Windows\SysWOW64\splitter.ax

Filesize
543KB

MD5
f9d85ffe9198de79004353a3ff8a120f

SHA1
23e58b3eb84bdf564e5d2680ce52bb862cf36d67

SHA256
77db6ebf7429b43f04d6f56c925b10e21df522754b820b91028e703d34d49f73

SHA512
707b28b54258d9604b4a3a848a2bc0a159d96c2ff55a464aeb94fec9ccf4cda589f1a5017ceca8f9df6ca876efcff1432a8ad95e82b042e5876a8863403bfc5f

Download Submit
C:\Windows\SysWOW64\swresample-lav-4.dll

Filesize
127KB

MD5
fce791b9a6ef4ecf4668768ec2ee4141

SHA1
4a674b3e87881a92e3e3e5763805919417226817

SHA256
24a35afc4272461144fe5691780bdba2e11783a442f61ad00a6ebefa65b2897f

SHA512
f24206a83f10c077205d767fc8d94d318550053a2a42e2d2bc368e36b9d4c6cea9a050c25a8a7b4030e8d85c5952742dc34eb29c6af016313f172263f22d597c

Download Submit
C:\Windows\SysWOW64\swscale-ics-5.dll

Filesize
535KB

MD5
39e1994731d6589898eb915826bc8fc9

SHA1
7f3ca5588c681d18e595c8286b200a0b6dbba14e

SHA256
fd437831d3ed76b590feea8ecdbe51279ccabcf17ab4615aac4d44c56731ab21

SHA512
92bba891efebe8f07047e250c6aff5a1410982304b46d9f346c07690befae0bb38a79045262dc4b7c9ceb64011f1f0702d118b45d6048cc979d00538202254f9

Download Submit
C:\Windows\SysWOW64\swscale-lav-6.dll

Filesize
570KB

MD5
07312428393abaa4dddfaf8d765fc51e

SHA1
d9d6edc0a5fc08d5903a38480d49cb78f15dc652

SHA256
583280b29a4fbbb06d852e4ab1667510aa84315e2d6da60e76ac4dd25ebb3157

SHA512
a2ff3bc33aebe8ef1ec102a9057218af03ece0e4e0c674efe942360bddb76742bb6c47959ba0a1b379d8e2b22f3f3cf5a2396a81d7b1d99ad424da2f7b4790bd

Download Submit
C:\Windows\SysWOW64\ts.dll

Filesize
151KB

MD5
18d337b1a07c2ccdc1bfc9339a1aff8d

SHA1
7703a5a1fb41b28ed345343a971366c7d3b8d46a

SHA256
7431a058d7ddf7607cd8e30a6db0a0033a4d951cb4af4419db4a5e34bb3d4525

SHA512
f1e06ccd3e4e24de2f503a8067373883089e0b01acee08392b4120932a94b4db1dceca3be9c298a20d9e40da97f6cc9c1cbdfb3768d1010d3e6fe8d6d58218a0

Download Submit
C:\Windows\System32\LAVFilters.Dependencies.manifest.new

Filesize
493B

MD5
c74f5c6ea4f00e03526d94a097c37802

SHA1
0706b46c2586c834a12f28538cc50a3b2768dd08

SHA256
02ed6041ffc345b910f88b9886e36e330d286d891c0e5cbe3c05303d56681299

SHA512
68c389836a2997d3e107ce48a00fec24f148cfd10442adf8d65db8c0f16d9196f63065ec926e534a840e52f9f272cdf94439bcb97ba86b7497330dd7106709b2

Download Submit
memory/1128-1191-0x0000000000850000-0x0000000000862000-memory.dmp

Filesize
72KB

Download
memory/1128-1192-0x0000000005070000-0x0000000005078000-memory.dmp

Filesize
32KB

Download
memory/2088-1040-0x0000000000ED0000-0x0000000000EE9000-memory.dmp

Filesize
100KB

Download
memory/2888-1039-0x0000000000880000-0x0000000000899000-memory.dmp

Filesize
100KB

Download
memory/3052-1055-0x0000000009580000-0x00000000095D9000-memory.dmp

Filesize
356KB

Download
memory/3052-1294-0x0000000009BA0000-0x0000000009BB3000-memory.dmp

Filesize
76KB

Download
memory/3052-946-0x0000000009580000-0x00000000095A9000-memory.dmp

Filesize
164KB

Download
memory/3052-934-0x0000000009580000-0x00000000095A0000-memory.dmp

Filesize
128KB

Download
memory/3052-165-0x00000000742E0000-0x00000000742F0000-memory.dmp

Filesize
64KB

Download
memory/3052-908-0x0000000009CE0000-0x0000000009D89000-memory.dmp

Filesize
676KB

Download
memory/3052-1000-0x0000000009590000-0x00000000095A7000-memory.dmp

Filesize
92KB

Download
memory/3052-994-0x0000000009CE0000-0x0000000009D6C000-memory.dmp

Filesize
560KB

Download
memory/3052-901-0x0000000009CE0000-0x0000000009D89000-memory.dmp

Filesize
676KB

Download
memory/3052-987-0x0000000009580000-0x000000000959D000-memory.dmp

Filesize
116KB

Download
memory/3052-979-0x0000000009580000-0x00000000095AB000-memory.dmp

Filesize
172KB

Download
memory/3052-972-0x0000000009580000-0x00000000095A3000-memory.dmp

Filesize
140KB

Download
memory/3052-831-0x0000000009630000-0x0000000009671000-memory.dmp

Filesize
260KB

Download
memory/3052-965-0x00000000095C0000-0x00000000095D7000-memory.dmp

Filesize
92KB

Download
memory/3052-166-0x0000000007300000-0x00000000078A4000-memory.dmp

Filesize
5.6MB

Download
memory/3052-167-0x00000000078F0000-0x0000000007982000-memory.dmp

Filesize
584KB

Download
memory/3052-1238-0x0000000009CE0000-0x0000000009D89000-memory.dmp

Filesize
676KB

Download
memory/3052-1239-0x0000000009CE0000-0x0000000009D89000-memory.dmp

Filesize
676KB

Download
memory/3052-168-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3052-828-0x0000000009570000-0x00000000095EE000-memory.dmp

Filesize
504KB

Download
memory/3052-959-0x0000000009580000-0x00000000095A8000-memory.dmp

Filesize
160KB

Download
memory/3052-811-0x0000000009570000-0x000000000957B000-memory.dmp

Filesize
44KB

Download
memory/3052-804-0x0000000009CE0000-0x0000000009DB4000-memory.dmp

Filesize
848KB

Download
memory/3052-941-0x0000000009580000-0x00000000095C2000-memory.dmp

Filesize
264KB

Download
memory/3052-954-0x0000000009630000-0x0000000009647000-memory.dmp

Filesize
92KB

Download
memory/3052-1308-0x00000000095E0000-0x00000000095E3000-memory.dmp

Filesize
12KB

Download
memory/3052-1307-0x00000000095E0000-0x00000000095E3000-memory.dmp

Filesize
12KB

Download
memory/3052-1309-0x00000000095E0000-0x00000000095E3000-memory.dmp

Filesize
12KB

Download
memory/3052-1310-0x00000000095E0000-0x00000000095E3000-memory.dmp

Filesize
12KB

Download
memory/3052-1311-0x00000000095E0000-0x00000000095E3000-memory.dmp

Filesize
12KB

Download
memory/3052-800-0x0000000009570000-0x000000000957D000-memory.dmp

Filesize
52KB

Download
memory/3052-795-0x0000000009570000-0x0000000009585000-memory.dmp

Filesize
84KB

Download
memory/3052-788-0x0000000009570000-0x000000000958F000-memory.dmp

Filesize
124KB

Download
memory/3052-783-0x0000000009570000-0x0000000009585000-memory.dmp

Filesize
84KB

Download
memory/3052-681-0x0000000009360000-0x0000000009363000-memory.dmp

Filesize
12KB

Download
memory/3052-396-0x00000000098D0000-0x00000000098DA000-memory.dmp

Filesize
40KB

Download
memory/3052-389-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3052-175-0x0000000008E80000-0x0000000008EC0000-memory.dmp

Filesize
256KB

Download
memory/3052-174-0x0000000008F10000-0x0000000009012000-memory.dmp

Filesize
1.0MB

Download
memory/3052-173-0x0000000008C80000-0x0000000008CCA000-memory.dmp

Filesize
296KB

Download
memory/3052-172-0x0000000008670000-0x0000000008B9C000-memory.dmp

Filesize
5.2MB

Download
memory/3052-171-0x0000000008640000-0x000000000865C000-memory.dmp

Filesize
112KB

Download
memory/3052-170-0x0000000008590000-0x00000000085F6000-memory.dmp

Filesize
408KB

Download
memory/3052-169-0x00000000084F0000-0x000000000858C000-memory.dmp

Filesize
624KB

Download
memory/3616-1038-0x0000000002570000-0x0000000002589000-memory.dmp

Filesize
100KB

Download
memory/4584-1240-0x00000192E4E30000-0x00000192E4E40000-memory.dmp

Filesize
64KB

Download
memory/4584-1237-0x00000192CABE0000-0x00000192CABE8000-memory.dmp

Filesize
32KB

Download
memory/4584-1236-0x00000192CA7D0000-0x00000192CA7E0000-memory.dmp

Filesize
64KB

Download