gcleaner | 34c3b86ca774438ee357cdb9bc39805af451d32437898f8935be9bb9eba0befa

Analysis

max time kernel
271s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2023 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Akira Client.exe
Size

1.5MB
MD5

417fa33d2677da041ce209cbac5240c1
SHA1

b109facc50d4d39e375543d5496ac517f0d9a4da
SHA256

34c3b86ca774438ee357cdb9bc39805af451d32437898f8935be9bb9eba0befa
SHA512

f3ddbd0f0dee910081f0ee83e332ec708c7b77dd45cae9cbab629cacbf185fa488df8b1051800758ed4c1e6a618585fbc9ddab8d81af55233c8219ce63c71e94
SSDEEP

24576:N4nXubIQGyxbPV0db266Bw+vogz2dbFFv0S6dS/01icZOEOR5QvlY:Nqe3f6t+DidXvh6dS/04OOR5QvlY

Score

10^/10

gcleaner discovery loader persistence

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Blocklisted process makes network request 49 IoCs

Processes:

MsiExec.exe

flow	pid	process
149	2276	MsiExec.exe
150	2276	MsiExec.exe
152	2276	MsiExec.exe
154	2276	MsiExec.exe
156	2276	MsiExec.exe
158	2276	MsiExec.exe
159	2276	MsiExec.exe
165	2276	MsiExec.exe
166	2276	MsiExec.exe
167	2276	MsiExec.exe
168	2276	MsiExec.exe
169	2276	MsiExec.exe
174	2276	MsiExec.exe
180	2276	MsiExec.exe
184	2276	MsiExec.exe
194	2276	MsiExec.exe
202	2276	MsiExec.exe
208	2276	MsiExec.exe
211	2276	MsiExec.exe
216	2276	MsiExec.exe
222	2276	MsiExec.exe
224	2276	MsiExec.exe
227	2276	MsiExec.exe
228	2276	MsiExec.exe
231	2276	MsiExec.exe
232	2276	MsiExec.exe
233	2276	MsiExec.exe
234	2276	MsiExec.exe
235	2276	MsiExec.exe
236	2276	MsiExec.exe
237	2276	MsiExec.exe
239	2276	MsiExec.exe
240	2276	MsiExec.exe
241	2276	MsiExec.exe
242	2276	MsiExec.exe
243	2276	MsiExec.exe
244	2276	MsiExec.exe
246	2276	MsiExec.exe
248	2276	MsiExec.exe
249	2276	MsiExec.exe
250	2276	MsiExec.exe
251	2276	MsiExec.exe
252	2276	MsiExec.exe
253	2276	MsiExec.exe
254	2276	MsiExec.exe
255	2276	MsiExec.exe
256	2276	MsiExec.exe
257	2276	MsiExec.exe
258	2276	MsiExec.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

Processes:

RunDLL32.Exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\bddci.sys	RunDLL32.Exe
File opened for modification	C:\Windows\system32\DRIVERS\SETB7D6.tmp	RunDLL32.Exe
File created	C:\Windows\system32\DRIVERS\SETB7D6.tmp	RunDLL32.Exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup_1.exeWebCompanionInstaller.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	setup_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WebCompanionInstaller.exe

Executes dropped EXE 15 IoCs

Processes:

Akira Client.tmpsetup.exesetup.tmpsetup_0.exesetup_0.tmpWalliant.exesetup_1.exesetup_2.exeWebCompanionInstaller.exeDCIService.exeWebCompanion.exeWebCompanion.exesetup_3.exesetup_4.exesetup_4.exe

pid	process
1800	Akira Client.tmp
4192	setup.exe
4712	setup.tmp
424	setup_0.exe
5076	setup_0.tmp
1756	Walliant.exe
1140	setup_1.exe
1052	setup_2.exe
1072	WebCompanionInstaller.exe
4088	DCIService.exe
4588	WebCompanion.exe
4604	WebCompanion.exe
1772	setup_3.exe
2420	setup_4.exe
5568	setup_4.exe

Loads dropped DLL 64 IoCs

Processes:

setup.tmpWalliant.exeWebCompanionInstaller.exeDCIService.exeWebCompanion.exe

pid	process
4712	setup.tmp
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1756	Walliant.exe
1072	WebCompanionInstaller.exe
1072	WebCompanionInstaller.exe
1072	WebCompanionInstaller.exe
1072	WebCompanionInstaller.exe
1072	WebCompanionInstaller.exe
1072	WebCompanionInstaller.exe
1072	WebCompanionInstaller.exe
1072	WebCompanionInstaller.exe
4088	DCIService.exe
4088	DCIService.exe
4088	DCIService.exe
4088	DCIService.exe
4088	DCIService.exe
4088	DCIService.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe
4588	WebCompanion.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Walliant.exeRunDLL32.ExeWebCompanion.exesetup_4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Walliant = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Walliant\\Walliant.exe"	Walliant.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RunDLL32.Exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Web Companion = "C:\\Program Files (x86)\\Lavasoft\\Web Companion\\Application\\WebCompanion.exe --minimize "	WebCompanion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autogen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\is-8HEQP.tmp\\setup_4.exe"	setup_4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exesetup_3.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	setup_3.exe
File opened (read-only)	\??\X:	setup_3.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	setup_3.exe
File opened (read-only)	\??\K:	setup_3.exe
File opened (read-only)	\??\R:	setup_3.exe
File opened (read-only)	\??\V:	setup_3.exe
File opened (read-only)	\??\W:	setup_3.exe
File opened (read-only)	\??\Z:	setup_3.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	setup_3.exe
File opened (read-only)	\??\E:	setup_3.exe
File opened (read-only)	\??\O:	setup_3.exe
File opened (read-only)	\??\Q:	setup_3.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	setup_3.exe
File opened (read-only)	\??\M:	setup_3.exe
File opened (read-only)	\??\Y:	setup_3.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	setup_3.exe
File opened (read-only)	\??\S:	setup_3.exe
File opened (read-only)	\??\T:	setup_3.exe
File opened (read-only)	\??\U:	setup_3.exe
File opened (read-only)	\??\F:	setup_3.exe
File opened (read-only)	\??\N:	setup_3.exe
File opened (read-only)	\??\P:	setup_3.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	setup_3.exe
File opened (read-only)	\??\J:	setup_3.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

WebCompanionInstaller.exemsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-synch-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bdnc.ini	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-errorhandling-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bittorrent.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebcompaionReimageIcon.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-debug-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-processenvironment-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bridge_uninstall.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-debug-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-heap-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bdnc.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\es-ES\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-util-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-filesystem-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.WUApiLib.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-datetime-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\msvcp140.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-locale-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-processthreads-l1-1-1.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-convert-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vcruntime140_1.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-timezone-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.SHDocVw.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-rtlsupport-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\msvcp140_2.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\OnlineThreatsSimple.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-utility-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\msvcp140_codecvt_ids.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-string-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\msvcp140_1.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vccorlib140.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\it-IT\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\vcruntime140d.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\ftp.dll	WebCompanionInstaller.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.adblocker.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-console-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\smb.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\WebFilteringSimple.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-interlocked-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-conio-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci.sys	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bridge_stop.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-heap-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_stop.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-profile-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci.cat	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci_stop.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-handle-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-runtime-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Extension.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-filesystem-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\NCalc.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.pdb	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\WebFilteringSimple.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\BCUSDK.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\de-DE\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-timezone-l1-1-0.dll	WebCompanionInstaller.exe

Drops file in Windows directory 32 IoCs

Processes:

msiexec.exeWebCompanion.exeWebCompanionInstaller.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIFC17.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF895.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF924.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFC7.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	WebCompanion.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanion.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF8A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC67.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFDA2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58f6ee.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF7C9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFBE7.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFC8.tmp	msiexec.exe
File created	C:\Windows\Installer\e58f6ee.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF954.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanionInstaller.exe
File opened for modification	C:\Windows\Installer\MSIFDA1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF994.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB69.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC66.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFDD2.tmp	msiexec.exe
File created	C:\Windows\Installer\e58f6f1.msi	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	WebCompanionInstaller.exe
File opened for modification	C:\Windows\Installer\MSIF904.tmp	msiexec.exe

Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5000 sc.exe
3272 sc.exe
3320 sc.exe
4884 sc.exe
1112 sc.exe
1140 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
5000	sc.exe
3272	sc.exe
3320	sc.exe
4884	sc.exe
1112	sc.exe
1140	sc.exe

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3944	1140	WerFault.exe	setup_1.exe
1192	1140	WerFault.exe	setup_1.exe
884	1140	WerFault.exe	setup_1.exe
752	1140	WerFault.exe	setup_1.exe
3304	1140	WerFault.exe	setup_1.exe
1540	1140	WerFault.exe	setup_1.exe
4884	1140	WerFault.exe	setup_1.exe
5004	1140	WerFault.exe	setup_1.exe
4116	1140	WerFault.exe	setup_1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4840 taskkill.exe
3844 taskkill.exe

pid	process
4840	taskkill.exe
3844	taskkill.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

chrome.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133254612099800611"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 25 IoCs

Processes:

msiexec.exeWebCompanionInstaller.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	WebCompanionInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "B8DDBE5C483C5BC4A933A9E42F81D915"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Johan.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Walliant.exesetup_3.exeWebCompanionInstaller.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Walliant.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E04DE896A3E666D00E687D33FFAD93BE83D349E	setup_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Walliant.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E04DE896A3E666D00E687D33FFAD93BE83D349E\Blob = 190000000100000010000000b009e99a5cfc928a173190106dbb32a90300000001000000140000007e04de896a3e666d00e687d33ffad93be83d349e1d0000000100000010000000d0ab39edd1a4d89a5512882deb09cb13140000000100000014000000b3db48a4f9a1c5d8ae3641cc1163696229bc4bc662000000010000002000000031ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d00b000000010000003000000044006900670069004300650072007400200047006c006f00620061006c00200052006f006f0074002000470033000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f000000010000003000000082c80199397722b57ad473ea266b93d47ffc77fe07f09388345f20dab6addd087672f988b4bbfd154c4b133c70c9ecff2000000001000000430200003082023f308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082a8648ce3d0403033061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f742047333076301006072a8648ce3d020106052b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb543ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4f9a1c5d8ae3641cc1163696229bc4bc6300a06082a8648ce3d0403030368003065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e29ae55b7cb32717	setup_3.exe

Runs net.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	39	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

Akira Client.tmpsetup_0.tmpWebCompanionInstaller.exechrome.exeMsiExec.exeMsiExec.exemsiexec.exechrome.exe

pid	process
1800	Akira Client.tmp
1800	Akira Client.tmp
5076	setup_0.tmp
5076	setup_0.tmp
1072	WebCompanionInstaller.exe
1072	WebCompanionInstaller.exe
1072	WebCompanionInstaller.exe
208	chrome.exe
208	chrome.exe
4724	MsiExec.exe
4724	MsiExec.exe
2276	MsiExec.exe
2276	MsiExec.exe
2276	MsiExec.exe
2276	MsiExec.exe
952	msiexec.exe
952	msiexec.exe
5868	chrome.exe
5868	chrome.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664

pid	process
664

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

chrome.exe

pid	process
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Walliant.exetaskkill.exeWebCompanionInstaller.exeWebCompanion.exechrome.exeWebCompanion.exemsiexec.exesetup_3.exe

description	pid	process
Token: SeDebugPrivilege	1756	Walliant.exe
Token: SeDebugPrivilege	4840	taskkill.exe
Token: SeDebugPrivilege	1072	WebCompanionInstaller.exe
Token: SeDebugPrivilege	4588	WebCompanion.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeDebugPrivilege	4604	WebCompanion.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeSecurityPrivilege	952	msiexec.exe
Token: SeCreateTokenPrivilege	1772	setup_3.exe
Token: SeAssignPrimaryTokenPrivilege	1772	setup_3.exe
Token: SeLockMemoryPrivilege	1772	setup_3.exe
Token: SeIncreaseQuotaPrivilege	1772	setup_3.exe
Token: SeMachineAccountPrivilege	1772	setup_3.exe
Token: SeTcbPrivilege	1772	setup_3.exe
Token: SeSecurityPrivilege	1772	setup_3.exe
Token: SeTakeOwnershipPrivilege	1772	setup_3.exe
Token: SeLoadDriverPrivilege	1772	setup_3.exe
Token: SeSystemProfilePrivilege	1772	setup_3.exe
Token: SeSystemtimePrivilege	1772	setup_3.exe
Token: SeProfSingleProcessPrivilege	1772	setup_3.exe
Token: SeIncBasePriorityPrivilege	1772	setup_3.exe
Token: SeCreatePagefilePrivilege	1772	setup_3.exe
Token: SeCreatePermanentPrivilege	1772	setup_3.exe
Token: SeBackupPrivilege	1772	setup_3.exe
Token: SeRestorePrivilege	1772	setup_3.exe
Token: SeShutdownPrivilege	1772	setup_3.exe
Token: SeDebugPrivilege	1772	setup_3.exe
Token: SeAuditPrivilege	1772	setup_3.exe
Token: SeSystemEnvironmentPrivilege	1772	setup_3.exe
Token: SeChangeNotifyPrivilege	1772	setup_3.exe
Token: SeRemoteShutdownPrivilege	1772	setup_3.exe
Token: SeUndockPrivilege	1772	setup_3.exe
Token: SeSyncAgentPrivilege	1772	setup_3.exe
Token: SeEnableDelegationPrivilege	1772	setup_3.exe
Token: SeManageVolumePrivilege	1772	setup_3.exe
Token: SeImpersonatePrivilege	1772	setup_3.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

Akira Client.tmpsetup_0.tmpWalliant.exechrome.exesetup_3.exe

pid	process
1800	Akira Client.tmp
5076	setup_0.tmp
1756	Walliant.exe
1756	Walliant.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
1772	setup_3.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

Walliant.exechrome.exe

pid	process
1756	Walliant.exe
1756	Walliant.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Walliant.exe

pid process

1756 Walliant.exe
1756 Walliant.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Akira Client.exeAkira Client.tmpsetup.exesetup.tmpsetup_0.exesetup_0.tmpsetup_1.execmd.exesetup_2.exeWebCompanionInstaller.exeRunDLL32.Exerunonce.exenet.execmd.exe

description	pid	process	target process
PID 3980 wrote to memory of 1800	3980	Akira Client.exe	Akira Client.tmp
PID 3980 wrote to memory of 1800	3980	Akira Client.exe	Akira Client.tmp
PID 3980 wrote to memory of 1800	3980	Akira Client.exe	Akira Client.tmp
PID 1800 wrote to memory of 4192	1800	Akira Client.tmp	setup.exe
PID 1800 wrote to memory of 4192	1800	Akira Client.tmp	setup.exe
PID 1800 wrote to memory of 4192	1800	Akira Client.tmp	setup.exe
PID 4192 wrote to memory of 4712	4192	setup.exe	setup.tmp
PID 4192 wrote to memory of 4712	4192	setup.exe	setup.tmp
PID 4192 wrote to memory of 4712	4192	setup.exe	setup.tmp
PID 4712 wrote to memory of 424	4712	setup.tmp	setup_0.exe
PID 4712 wrote to memory of 424	4712	setup.tmp	setup_0.exe
PID 4712 wrote to memory of 424	4712	setup.tmp	setup_0.exe
PID 424 wrote to memory of 5076	424	setup_0.exe	setup_0.tmp
PID 424 wrote to memory of 5076	424	setup_0.exe	setup_0.tmp
PID 424 wrote to memory of 5076	424	setup_0.exe	setup_0.tmp
PID 5076 wrote to memory of 1756	5076	setup_0.tmp	Walliant.exe
PID 5076 wrote to memory of 1756	5076	setup_0.tmp	Walliant.exe
PID 5076 wrote to memory of 1756	5076	setup_0.tmp	Walliant.exe
PID 4712 wrote to memory of 1140	4712	setup.tmp	setup_1.exe
PID 4712 wrote to memory of 1140	4712	setup.tmp	setup_1.exe
PID 4712 wrote to memory of 1140	4712	setup.tmp	setup_1.exe
PID 1140 wrote to memory of 2176	1140	setup_1.exe	cmd.exe
PID 1140 wrote to memory of 2176	1140	setup_1.exe	cmd.exe
PID 1140 wrote to memory of 2176	1140	setup_1.exe	cmd.exe
PID 2176 wrote to memory of 4840	2176	cmd.exe	taskkill.exe
PID 2176 wrote to memory of 4840	2176	cmd.exe	taskkill.exe
PID 2176 wrote to memory of 4840	2176	cmd.exe	taskkill.exe
PID 4712 wrote to memory of 1052	4712	setup.tmp	setup_2.exe
PID 4712 wrote to memory of 1052	4712	setup.tmp	setup_2.exe
PID 4712 wrote to memory of 1052	4712	setup.tmp	setup_2.exe
PID 1052 wrote to memory of 1072	1052	setup_2.exe	WebCompanionInstaller.exe
PID 1052 wrote to memory of 1072	1052	setup_2.exe	WebCompanionInstaller.exe
PID 1052 wrote to memory of 1072	1052	setup_2.exe	WebCompanionInstaller.exe
PID 1072 wrote to memory of 5000	1072	WebCompanionInstaller.exe	sc.exe
PID 1072 wrote to memory of 5000	1072	WebCompanionInstaller.exe	sc.exe
PID 1072 wrote to memory of 5000	1072	WebCompanionInstaller.exe	sc.exe
PID 1072 wrote to memory of 3272	1072	WebCompanionInstaller.exe	sc.exe
PID 1072 wrote to memory of 3272	1072	WebCompanionInstaller.exe	sc.exe
PID 1072 wrote to memory of 3272	1072	WebCompanionInstaller.exe	sc.exe
PID 1072 wrote to memory of 3320	1072	WebCompanionInstaller.exe	sc.exe
PID 1072 wrote to memory of 3320	1072	WebCompanionInstaller.exe	sc.exe
PID 1072 wrote to memory of 3320	1072	WebCompanionInstaller.exe	sc.exe
PID 1072 wrote to memory of 4916	1072	WebCompanionInstaller.exe	RunDLL32.Exe
PID 1072 wrote to memory of 4916	1072	WebCompanionInstaller.exe	RunDLL32.Exe
PID 4916 wrote to memory of 3988	4916	RunDLL32.Exe	runonce.exe
PID 4916 wrote to memory of 3988	4916	RunDLL32.Exe	runonce.exe
PID 3988 wrote to memory of 4344	3988	runonce.exe	grpconv.exe
PID 3988 wrote to memory of 4344	3988	runonce.exe	grpconv.exe
PID 1072 wrote to memory of 4328	1072	WebCompanionInstaller.exe	net.exe
PID 1072 wrote to memory of 4328	1072	WebCompanionInstaller.exe	net.exe
PID 1072 wrote to memory of 4884	1072	WebCompanionInstaller.exe	sc.exe
PID 1072 wrote to memory of 4884	1072	WebCompanionInstaller.exe	sc.exe
PID 1072 wrote to memory of 4884	1072	WebCompanionInstaller.exe	sc.exe
PID 4328 wrote to memory of 4960	4328	net.exe	net1.exe
PID 4328 wrote to memory of 4960	4328	net.exe	net1.exe
PID 1072 wrote to memory of 1112	1072	WebCompanionInstaller.exe	sc.exe
PID 1072 wrote to memory of 1112	1072	WebCompanionInstaller.exe	sc.exe
PID 1072 wrote to memory of 1112	1072	WebCompanionInstaller.exe	sc.exe
PID 1072 wrote to memory of 4416	1072	WebCompanionInstaller.exe	cmd.exe
PID 1072 wrote to memory of 4416	1072	WebCompanionInstaller.exe	cmd.exe
PID 1072 wrote to memory of 4416	1072	WebCompanionInstaller.exe	cmd.exe
PID 4416 wrote to memory of 1140	4416	cmd.exe	sc.exe
PID 4416 wrote to memory of 1140	4416	cmd.exe	sc.exe
PID 4416 wrote to memory of 1140	4416	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\Akira Client.exe
"C:\Users\Admin\AppData\Local\Temp\Akira Client.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\is-KQETR.tmp\Akira Client.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KQETR.tmp\Akira Client.tmp" /SL5="$A0056,781828,780800,C:\Users\Admin\AppData\Local\Temp\Akira Client.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\is-ME4TN.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-ME4TN.tmp\setup.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\Temp\is-JTGTB.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JTGTB.tmp\setup.tmp" /SL5="$101FA,922170,832512,C:\Users\Admin\AppData\Local\Temp\is-ME4TN.tmp\setup.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4712

C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_0.exe
"C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_0.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:424

C:\Users\Admin\AppData\Local\Temp\is-SOSPC.tmp\setup_0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SOSPC.tmp\setup_0.tmp" /SL5="$10264,3256556,830976,C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_0.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5076

C:\Users\Admin\AppData\Local\Programs\Walliant\Walliant.exe
"C:\Users\Admin\AppData\Local\Programs\Walliant\Walliant.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_1.exe
"C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_1.exe" /mixten SUB=2477
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 456
6⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 764
6⤵
- Program crash
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 808
6⤵
- Program crash
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 808
6⤵
- Program crash
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 856
6⤵
- Program crash
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 984
6⤵
- Program crash
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 988
6⤵
- Program crash
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 1364
6⤵
- Program crash
PID:5004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "setup_1.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_1.exe" & exit
6⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "setup_1.exe" /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 1300
6⤵
- Program crash
PID:4116

C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_2.exe" --silent --partner=IT210801
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052

C:\Users\Admin\AppData\Local\Temp\7zSC148C257\WebCompanionInstaller.exe
.\WebCompanionInstaller.exe --partner=IT210801 --version=8.9.0.371 --silent --partner=IT210801
6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\sc.exe
"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
7⤵
- Launches sc.exe
PID:5000

C:\Windows\SysWOW64\sc.exe
"sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
7⤵
- Launches sc.exe
PID:3272

C:\Windows\SysWOW64\sc.exe
"sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
7⤵
- Launches sc.exe
PID:3320

C:\Windows\system32\RunDLL32.Exe
"C:\Windows\sysnative\RunDLL32.Exe" syssetup,SetupInfObjectInstallAction BootInstall 128 C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf
7⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
8⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
9⤵
PID:4344

C:\Windows\system32\net.exe
"C:\Windows\sysnative\net.exe" start bddci
7⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start bddci
8⤵
PID:4960

C:\Windows\SysWOW64\sc.exe
"sc.exe" Create "DCIService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe" DisplayName= "DCIService" start= auto
7⤵
- Launches sc.exe
PID:4884

C:\Windows\SysWOW64\sc.exe
"sc.exe" description "DCIService" "Webprotection Bridge service"
7⤵
- Launches sc.exe
PID:1112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd"
7⤵
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\sc.exe
sc start DCIService
8⤵
- Launches sc.exe
PID:1140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
7⤵
PID:1056

C:\Windows\SysWOW64\netsh.exe
netsh http add urlacl url=http://+:9007/ user=Everyone
8⤵
PID:2784

C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --install --geo=
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --afterinstall
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_3.exe
"C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_3.exe" /qn CAMPAIGN="2477"
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1772

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" /qn CAMPAIGN=2477 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_3.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1680746908 /qn CAMPAIGN=""2477"" " CAMPAIGN="2477"
6⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_4.exe
"C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_4.exe" /S
5⤵
- Executes dropped EXE
PID:2420

C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_4.exe
"C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_4.exe" /S
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
7⤵
PID:2208

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
8⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1140 -ip 1140
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1140 -ip 1140
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1140 -ip 1140
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1140 -ip 1140
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1140 -ip 1140
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1140 -ip 1140
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1140 -ip 1140
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1140 -ip 1140
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1140 -ip 1140
1⤵
PID:4504

C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ffe6cd09758,0x7ffe6cd09768,0x7ffe6cd09778
2⤵
PID:4316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:2
2⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:8
2⤵
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1808 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:8
2⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3232 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3360 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4556 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:8
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:8
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:8
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5368 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:8
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:8
2⤵
PID:1200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4036 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5384 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4624 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:5448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5988 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5164 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:5752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=972 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:6096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6040 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:6124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3524 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:8
2⤵
PID:5380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3476 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:8
2⤵
PID:6116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4496 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:3368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5452 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:5840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3860 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:5856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=884 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:5984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5416 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:6116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:8
2⤵
PID:6136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6172 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=3388 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:5400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6436 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:1
2⤵
PID:5768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6204 --field-trial-handle=1848,i,12882970757872579100,14047808946405828182,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5868

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2328

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 86AD3D99DD90E92B110FCFEC26BD9D94 C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4724

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CCCE600C7BC0422E77B8B3534DA7210E
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2276

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:3844

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4836D73A0F42E3C1CAD402224FB9884F E Global\MSI0000
2⤵
PID:3844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58f6f0.rbs
Filesize
200KB

MD5
e6ab788e646f41e32a12b0849eacbe58

SHA1
1951de498a77818c434199a83a33f0c546009989

SHA256
7dd154a2fb246d36e0c6c0ebe1f6259e3dd53fdecaedbd7b6d43e5ce111584c8

SHA512
8c99e23bfc885ec86475b558f40ccdbec774a88051d909a7042ebe82e4d432877ba2841d6c309d4364c5538e00660ee60c7aa615cb83b7553aa60914e2f9f71c

Download Submit
C:\PROGRA~2\Lavasoft\WEBCOM~1\Service\x64\bddci.sys
Filesize
358KB

MD5
7e8d2dd117579f79f574f8f410364f42

SHA1
44d730b09ac3d193680a0bb2bc985765d636225a

SHA256
bd44c3509f3095551bc3d9379e3e06ca49aac622a6c9d878e07eeb714141530e

SHA512
781dea6b7692646eec06216433c01d1852504c0740560d7083de78f78f186ec0bb7ed992d1dd32950513c66e38921062b5f93094da93799a7cba857e498059fc

Download Submit
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf
Filesize
2KB

MD5
58b2e13bac1f78e521a408ec5ca8a606

SHA1
e40139e0a3f8b2f5d3a457d1701b527b83bc1541

SHA256
a84e4b890c7cfd488653eaf6cf38f283d8b7e12f467f241a2046818cb9e762de

SHA512
5e25997da0769f2d1217c754efa2b72a1117f1849ec86c90ad3945ec899f52b9237d0d39d8c43df3fdf93b52c26b47f6eafe6009e7cc62389e96d26f84a3f96e

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Logs\Webcompanion\webcompanion.log
Filesize
5KB

MD5
a9b1ceaca4332fd8d53bd69f66353635

SHA1
f712555326179420587275780f88a53d6e1fdef8

SHA256
c3d26c9f35a8693c878f876556eb576891602397daff44f12c0809cd0b040fc8

SHA512
07be69d280041a391f1c178982aeac7d270869e3e99dee79503d8ef3425ff5c212a0fb9e5b2d213781d882cbd0df76579525f3ea191195a5ad88f573a1ab586c

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\ActiveFeatures.zip.tmp
Filesize
17KB

MD5
f73194a31d358c8b154bddb32cb3845b

SHA1
5eba0a11c128a564be4bd35ccf331d326f07090f

SHA256
365d64720bf60a75f792f2c3253806f96229ccb2ec8e587bb75c2e7613ecf2ad

SHA512
d00868310865bb483a9a728ecf211941e38cad0c83c3e59a7c841bbaee11b1d50af873e9c687da771c30a693cbcfa40c18722459d3301916ca563161b2ec7167

Download Submit
C:\ProgramData\Lavasoft\Web Companion\Options\ServicePartnerInfo.txt
Filesize
174B

MD5
71c9286863d8b5f76f57b09b938fb5e1

SHA1
86dfb9ec32e8c0af8830353e0961891e68280fcb

SHA256
49fb88645a52ccccfe22cbfc3b25b3d7d2c6a08a0fdd352d8af91368cb7e582b

SHA512
0bc3ab32ccbd290cd49b5ff565d207a40f48f3f813d20cf2a96a9773c13dabb01aa56657da3c83b5c21bab2d933afddb22dc8970fcb6ed2798d556de0656de30

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.0.0\tracking.ini
Filesize
84B

MD5
58f9599d4a3353d13d70b4753e992585

SHA1
98aadd36a7e0b9422f7a9053b0c417b1a0e951aa

SHA256
ba424d5e22099f71c79676f03f06c137dcf068102cadc9e4882aa0e580de7c92

SHA512
956326a47d540658c037139e4bc99883cda5281ffda5e19aea759f5f437595206d28638b39858828b49c4715b3411cb0be10b81e61f54adc1250ec97c13f87e3

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.0.0\tracking.ini
Filesize
84B

MD5
f502370bb4f3d63a935323646ad3de6f

SHA1
0a8eb241dee1db69d2c5a32e2698a0dbba0e44b4

SHA256
0614617972063f5d71b298f0721ebcaeb1c532c956b39a6153cb2cf3ac447dca

SHA512
209542ad72c654d2961e457d071e8f88b213f8542793adc75be56ff93c9d803dfef79b5465acdbccee005cb2ceb86051088dad19cc33037e5f02a7b4c0405b3b

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.0.0\{4AFEC3BA-C84B-46E6-BC89-66E2548FBC48}.session
Filesize
4KB

MD5
20a7574bf4b1ef7b0382f877cb503fee

SHA1
bc231c191af41ebcd8fec286544f05dde666188a

SHA256
d857dd14b104302e73292fc390e7e44636f2389df957f240981f733ced2aea6f

SHA512
bf52c888363063c9846b773f300aa6cf8325fffebbf5232de352db02eef28c88fd938b054c1b4b00ef7750ab60f4e60f142d7160287ad148481c03f0d3309e01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000058
Filesize
162KB

MD5
fdfdaf63d56b4a9cd6641d79f7159fdc

SHA1
18b413d8b6b9f3bec32026b7e9d9f4e5e366922f

SHA256
f4dba3e15f08cf0686e6d89370ed42e8a5dafc38973501f0aa6baa9b93c720f3

SHA512
06fd67f1a2d5f168c75b5b833d3222d6c0eccfadd4021173a7ec7f949971554d1c7df322b1dc512ef14941e76a9ff6445ba3bd16d940be5bc177be989ec39c2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000072
Filesize
50KB

MD5
cd2f3074326840d55a3c3ea1e99e83fe

SHA1
3a2e1d1a93506526ae3ed2b44d584af7771ff8d0

SHA256
9ec9f50ac6a5dfdf7ace0a047ab4e86a7f8ff297030f93f9b8b4e27c57fdaa51

SHA512
0685f7e50451e87f8d7d47f3373d653f7d6163ffa8ccd143a85b179d2c5c51cf494e8b5f7e561436c35bfb8ffb9304f0c49962a8bf7065830f0cc95281f4ae6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
5KB

MD5
c22f9c248c154692bbc9753b23dcc562

SHA1
5f1b9bef82e26bfe7d9d2be5f25a3cc2236c2f03

SHA256
361f6ead60001646eafc848628afb688e69c8c88c4a5e0e4aa8e228a9852ea6b

SHA512
84c88fd7c013d8f9f237cdc410359c06c82e8be17b7c20dc60e850ded2dd7c78f6b0912e432b9cbd1dddec21a4fdfe6e5a4e1b055b5da09b3e6ec48ea608019b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
52bfb39f20f1e9a66055a5f5ef2edf24

SHA1
16f1528e90f3210dceb038c7573d2faf94429537

SHA256
3ae44a3fc939c641384341842666c658713bac0ce74fe1363dda737efc1fdbbf

SHA512
ba925e085dabbe6108286465f1e0a99a812273bfc719f4c98c92ed94afcaa1fbf4100cc70a77252212f28464cfa58f48e15947501a1da92315a8bf3ef937fe90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
fb3fa830f1c927a6e0eb094b71e5b876

SHA1
45139160052e89711bd1943a6ef6b190227ef10c

SHA256
35700fe8ffe5d9da8da72baeb39a68e56230a0eb11ca3de98bd2faa06180ef42

SHA512
c5aa190455a8255803e10e6c657e36a3cee7285d85bea0e361b64f360fed151ab6500a4320334da8d78d6e896bec43328fe8e9af77c333c1cb6920f5a4105068

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
c63556c306602bacb41aa10fead003a1

SHA1
63cfa0fc9445713f2ff141159133ff752d79c98e

SHA256
10c381393c46f697ab91d1c738f2ea8077e0e47b0c2062c95433e9f2ba5d9105

SHA512
246c091c9a622b92e8a33cb954dda9f9a0b8d46ac0b591564b87ad469d221252047133c7750cc8650cc80608de514968b57f0cd5123b8a79adf8c1b743f2fc90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
15afc1d9813bb7929dfa977c8a6840b1

SHA1
bf11faf83cdce923aec7ace46220e185cf5f6114

SHA256
5285050586308df0133cf4fa9a18f818901a1712cdf0c651566b29a697fa2e19

SHA512
11a76df012340674dfa3adcf8c3609410b8813d4b0cd304364956efabffb35b7fe4bddc32aad0abd6c53420f5ca3a527d664140ef7a1588975cbd3c4615cb2a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
50fe4046a1917649683b3405cebe1309

SHA1
393b7936de3c2982f9e65da2e7fdfb4735fa873a

SHA256
f148ed7157f3522a9cec6ec75b307be848e3addd83ca36b16427f97ec0466a9a

SHA512
563d6db8d612ccda8c1d15451fcb825104ea863c589a66ede5e7bc377fea4ad0a986028b885b43c7085e0ca4f71888ac98ee70887ce757317006c12a2f2b2057

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
e1e6c6d68d4d659afcb7b1526792217c

SHA1
020aaebf1f89d0aac690be7b285a3fc18637c02d

SHA256
773bda2026af53a0937c4c806436963d58e1fd7de8086e4951bdfc0578382dbc

SHA512
12dbed081e23531ee4ff7eb0038758721ac11a08af32df0f53eb48c5d228d355f9737c52462e388e4de32862b0f21f623cd1ec34d65898f1c88decacfea1f6a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
53c64898fd8e841cd8cd9cf354fba74a

SHA1
4054407b7be30aa0a60f123dcc598b4efa39e7a2

SHA256
49d62522c500aa512d4627a2cfe6a8b3e7ea3e25ad3fda075d015708939323a1

SHA512
6ecec72cb265a7708602e40737db3b463ecee1064b1d12e329e1d45fae4dccceb5c0d6112be572e3855feb6259d7bb5c99169079096c089d942c120353ab30d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
2da414f9be43cc3969976c38b7b2222a

SHA1
0462bbe0108d8d6717026e577b0197eeba28d33b

SHA256
eefbd7d2b93221c214fdb718f996035374304e8a905f195271796abbdad39e34

SHA512
9adae82ec4fe1f8d039cd085f870d9f8194fcdfc3528e06aacfd9f383799b9438aaebbf0f36107a55fc2604149b72491e47f408d5ffbc8c5040a2f93bdb9c64f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
0739611dad7e5e2d82809da4a0eb0acd

SHA1
498432c384130c35bd8ffecc62adfe56414db3b9

SHA256
cc4aaa0274558b4f3f24b353297836841eadd712c2bdb35fe6dacdde3f42b57b

SHA512
22a787e097296840abf96512c0c33110fbca5ec4a6c2559dc962b7cdb7dcf8841bec1cd7a11c72bee0afbe77c47a823eb1f0ac299323de6d56aaa2d6c97e0960

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
fdfac801e27a4fed2fc04d545c334d2e

SHA1
b37e0b1ca5d8d555d9e82ca9b15878ddab488c78

SHA256
410af2819361eac1d8d6fd37cbdf9d32f2eb6a87ecb9536d88ade621693b7c18

SHA512
bbf6088927eb17bcd98ea2f6fd347eaf6e8fc3b55615a4dfd72ac1f3bc8751c5a7ed33dce6b08e72976d63b477d2347b1f684215a2d1ea9ea182d03b54d6a6b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
aae4c79c6fd93daa02eb957b47204085

SHA1
1b1ed0bb47eaf8b1ee7126aaa40fbfe4b9ba33d3

SHA256
7709c01ff31eecbc275c2f11b75bf68cc6c0b961e29a6a486a95fe3e1f560552

SHA512
6e2d041fa25405c43b231722c79e3a0e4a264b4a3542ae63639f362e58120f04a45cee92db79bec8adef6d047a8c1bdcd096d4b1f82acf0b231b39c9de0dab51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
0447bd6cbcd44324499cc7a24e1bbd2b

SHA1
6d7808ee78496b72b253fae7c9965c5d55e405b1

SHA256
f07a3d8805343dbee81ac63ecdbd509567da37c0373524805fe2a396ff472ff1

SHA512
2ef83e6ae884bee92a8da8b2bd22eba487419db843fa73d3fbafc5030dbc3197f0f59404f439dc95ff2d445742e198df018b1b9946f9abb00a7c5c5c76471839

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
200KB

MD5
29888fb3e74534349f45a342c624e3ac

SHA1
606648c5fca332ddbeaa7fe6cec991cc523b65cf

SHA256
85fe57f703cb1d7bbb2860bc1bd3787ad9a814a2cc087588a5d7485dafbae1e6

SHA512
6b09d9f95f025a941ac14bcf30e7143db112276f8a172e0222ef19c7d9823dec86870a4aecb28c6feb45941baab42bb2504175671e2b98583ee7a6ad84904768

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
200KB

MD5
421fbce27c8e44ea399817ccf344dc3e

SHA1
ab28a73dbf0e2a2bb0d5558caa89c003da3be51a

SHA256
51d161255251f2f787cba065209d73d59b3d1f2fe33e9ceafc9957704332e2b0

SHA512
8d714f7edede4ef5856c6d682f0bfe65df854f35db8f54ffca3fe7c87c33c018fa0e49f93f8bba61d836eeed4c9820811e6687654d575ea692a5418e0b75836b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
200KB

MD5
2ee4daf8f493b1b2d985b3988bac6a13

SHA1
d99aa2eeb2fb23a1723be5591f1124d8e032da8b

SHA256
f2cb039ccf26b38894a7d1fbff5f12570024a8d72fcf3c8ceab77a5caf837bd7

SHA512
fd1af4da1a59ce01aaac53ccae4f5f288ba95c238215fe2d6fba914555228886969fdcaacffd5319fb9797eb39b0274d2748d7e53197d7a5dc4e216b3be71e43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
200KB

MD5
31df2ea47ff9cb040873828b00318a77

SHA1
46017d239d828fcaa8871f3c7b0b8877c53d16fe

SHA256
7574037a912519394952431e800f9ae0abcfc6b594dcaad41d2402f2057c163f

SHA512
676329ca5d1083b16481fe3bbdc966cf58f3d29228cbe31b71df5dbea1eff8309be4cfde0d8eb65425ee39dbfb13d5d54441a000ce09bfe50a8435b4788bcb20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
103KB

MD5
199321334e76f765bd86b79167ca3a8e

SHA1
c3fa0432eac739e74c0277d75aa0cf9b57caa1bd

SHA256
e3d230f25045df3ddc7b99a57f40f6a08675015ce81269da59cc9f67df5cffbe

SHA512
dde7342c9fe53026d94141ce1349409eae5d9743cd97ababdfdb867aa3a7af34ace4345547d3900970b72d6125f2a4e686100fd3efcb06436e3c25418f629265

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
101KB

MD5
e2e5312deba6e0ebb10595e895265bf2

SHA1
5b19e4474e399c4e882cecafa980ad61c6b52570

SHA256
4cbf2d8611d7332f4d5b87f50f0c242914c3bffa509e2499f841e251179ce9fb

SHA512
b73a9cf9ef696e47fd90fbb744f6ba1472f3b37c69b53d70079be55daf3172723bfe0a7ca77542a4e3a762f3f1ace6ae29aba5de02bba2451f352772def8d363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5936d5.TMP
Filesize
97KB

MD5
125de4d003f15a579990747632adfc7c

SHA1
74bd5bf774f632fb67bed3e13bcd3b6d30278c12

SHA256
27c9000a9eeee4e6142aa7b2ba257955633577d58138bb2c522c3c1cd119e977

SHA512
bbf92f79f62c15e6f43567a04cbd3f358a439d5db9ef4b14e31570ab36cb6b8758d6326ab1c84ac1f180da4b7e50a845186843c0159ccc7ee23f94018b31196f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\cb6b7e4d-38c8-4cf2-aebe-4062a39ecc79.tmp
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.371\kajpxngl.newcfg
Filesize
601B

MD5
1298fb7f666268f80a23904bc72ae1e9

SHA1
4f7d05ff8127d4b2e029cd50fdcfec648adb318f

SHA256
bd6eca35592fe643b8e0a05d58a1ea77d7ae5d6a06422f50866cc864bbaf7436

SHA512
3449a2447b09ff567e8347e53a8673823b5792a0c978dfe5d6d44f15bfe34e03dfe286a2ceafab930121f8f94448a525f4ea51937b1caecba7bbb117e5e91961

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.371\kth-namb.newcfg
Filesize
476B

MD5
d688075f2a14f59ebd6b4db562d7ca9b

SHA1
bf6d5a03785ae61a8ba65aae063178ad4429c8dc

SHA256
ba30553d3d84be781cfa6bfc6b8aec74714874232b41f188cb16e98ac0baed10

SHA512
f3485e3a244c123674a91824fb62c3f81a724d7da259e5d2297427825e8365914738b53f4a44098a00770dbe40effbff024082a1972c043d7fa4b06b48be6660

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.371\oeq9q4ii.newcfg
Filesize
1KB

MD5
e4308a22084be6f951aa99648cdbe1c2

SHA1
dbef8d6b73e101397816c3ade09d4f156987a53b

SHA256
f96bacba602816427d078505dea2b0423bd391313950e8b60258471d7372b446

SHA512
8d1aa1380a5623d247fea0d8e0178cc1dbb61141c7dc45c095930a420a904efbf7f80f3febb5411cb8a152ee12e5e667f6466cf33de58dcdf89e0199fd959867

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.371\rwws6ysa.newcfg
Filesize
1KB

MD5
3589061668e83d2e320e6772f72060e4

SHA1
5e6a7d90eb9dff98ed88772f1f6813b3a0937bdb

SHA256
078987da39fa63c02c13ac4935ab9bf76d8248af3f1625b947098a614a2a7ade

SHA512
90414e0f9d31a9406baed7ea197b72f1b347d8a8e7cd1b7a169e1ce4ce75f44707509242ecd92460eadac4647a522b7c1da86f7c5e9948d5137e85e5567a3401

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.371\tyw7gph4.newcfg
Filesize
600B

MD5
f45fbf2840b83157a163c07002870999

SHA1
7d99a5ac807b4405ea93fcbac01b7681ad1b8186

SHA256
06d4c8f2f79d3293da27d3cc69cd59c14f3ec02c3ea622608b6e6ffd0316ef70

SHA512
b8ffb396648642bfc2d1ba374adb74cefd54ea449fb95bfb19e46becf828fac028716050436766ac19d61ce553395cf4aa4361adb2d7bee482e03e1efe870244

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.371\ufsxding.newcfg
Filesize
480B

MD5
e5842e68e01a61b15603df392c77d3b9

SHA1
e8dfdd9ef58dc7e155149ad7aeb4b86da88d9b2d

SHA256
a80104003be8199a4fd4e8ecf55039bd89c611debc7d7ff21c563a596eb67af5

SHA512
0258c6c602620e556833ada35f6ff37145d4700fec275b64a783aa004615e905d4ebe29c2a11709776f59f1641edbdaee2ae303cae87b37147c31ec7f49dcf1f

Download Submit
C:\Users\Admin\AppData\Local\Lavasoft\WebCompanion.exe_Url_siq0lwf3tzgxp2khfkllybk3idtbehng\8.9.0.371\user.config
Filesize
338B

MD5
0a35fbae99f45bc0dccdb777ecfd0436

SHA1
65e295fde91f90d55b107680e060895654fe66e4

SHA256
19af84c48a15820c94367390d58588ddad8164b0ac4056c258a766c726329550

SHA512
db3a0973a373c039603c750f0f196cbf65553cddb83739f1942402eaacbe178a775be87c4b034feb706830ae69d20158c3e3ecad8d5d3febc45146b487c3c42c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\AsyncBridge.Net35.dll
Filesize
23KB

MD5
35cbdbe6987b9951d3467dda2f318f3c

SHA1
c0c7bc36c2fb710938f7666858324b141bc5ff22

SHA256
e4915f18fd6713ee84f27a06ed1f6f555cdbebe1522792cf4b4961664550cf83

SHA512
e1f456f0b4db885f8475d2837f32f31c09f4b303c118f59be4786cf4303a31a2d3004656a3fcfbbf354326ed404afcb4d60966bca04a5e5de8fb8feaf581bce7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\AsyncBridge.Net35.dll
Filesize
23KB

MD5
35cbdbe6987b9951d3467dda2f318f3c

SHA1
c0c7bc36c2fb710938f7666858324b141bc5ff22

SHA256
e4915f18fd6713ee84f27a06ed1f6f555cdbebe1522792cf4b4961664550cf83

SHA512
e1f456f0b4db885f8475d2837f32f31c09f4b303c118f59be4786cf4303a31a2d3004656a3fcfbbf354326ed404afcb4d60966bca04a5e5de8fb8feaf581bce7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\AsyncBridge.Net35.dll
Filesize
23KB

MD5
35cbdbe6987b9951d3467dda2f318f3c

SHA1
c0c7bc36c2fb710938f7666858324b141bc5ff22

SHA256
e4915f18fd6713ee84f27a06ed1f6f555cdbebe1522792cf4b4961664550cf83

SHA512
e1f456f0b4db885f8475d2837f32f31c09f4b303c118f59be4786cf4303a31a2d3004656a3fcfbbf354326ed404afcb4d60966bca04a5e5de8fb8feaf581bce7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\AsyncBridge.Net35.dll
Filesize
23KB

MD5
35cbdbe6987b9951d3467dda2f318f3c

SHA1
c0c7bc36c2fb710938f7666858324b141bc5ff22

SHA256
e4915f18fd6713ee84f27a06ed1f6f555cdbebe1522792cf4b4961664550cf83

SHA512
e1f456f0b4db885f8475d2837f32f31c09f4b303c118f59be4786cf4303a31a2d3004656a3fcfbbf354326ed404afcb4d60966bca04a5e5de8fb8feaf581bce7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\AsyncBridge.Net35.dll
Filesize
23KB

MD5
35cbdbe6987b9951d3467dda2f318f3c

SHA1
c0c7bc36c2fb710938f7666858324b141bc5ff22

SHA256
e4915f18fd6713ee84f27a06ed1f6f555cdbebe1522792cf4b4961664550cf83

SHA512
e1f456f0b4db885f8475d2837f32f31c09f4b303c118f59be4786cf4303a31a2d3004656a3fcfbbf354326ed404afcb4d60966bca04a5e5de8fb8feaf581bce7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Countly.dll
Filesize
128KB

MD5
304e0f414c764d7a5c2647d721646e13

SHA1
b126d0bc4cd678fe2e2e1acb165d076364807129

SHA256
86cb999ef8b3d20cb81b69ff03580cc6f3d2ca6cc699ab0810fab8cac0e7397e

SHA512
fdb45e066cee6ee5580a1e7fa695804fa0d1959e7c74ad128b60196a137054f3370a5c031cd3fa0f727392e8b71925f739f65978710e0e1e8eb9c2f11782ce9f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Countly.dll
Filesize
128KB

MD5
304e0f414c764d7a5c2647d721646e13

SHA1
b126d0bc4cd678fe2e2e1acb165d076364807129

SHA256
86cb999ef8b3d20cb81b69ff03580cc6f3d2ca6cc699ab0810fab8cac0e7397e

SHA512
fdb45e066cee6ee5580a1e7fa695804fa0d1959e7c74ad128b60196a137054f3370a5c031cd3fa0f727392e8b71925f739f65978710e0e1e8eb9c2f11782ce9f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Countly.dll
Filesize
128KB

MD5
304e0f414c764d7a5c2647d721646e13

SHA1
b126d0bc4cd678fe2e2e1acb165d076364807129

SHA256
86cb999ef8b3d20cb81b69ff03580cc6f3d2ca6cc699ab0810fab8cac0e7397e

SHA512
fdb45e066cee6ee5580a1e7fa695804fa0d1959e7c74ad128b60196a137054f3370a5c031cd3fa0f727392e8b71925f739f65978710e0e1e8eb9c2f11782ce9f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Countly.dll
Filesize
128KB

MD5
304e0f414c764d7a5c2647d721646e13

SHA1
b126d0bc4cd678fe2e2e1acb165d076364807129

SHA256
86cb999ef8b3d20cb81b69ff03580cc6f3d2ca6cc699ab0810fab8cac0e7397e

SHA512
fdb45e066cee6ee5580a1e7fa695804fa0d1959e7c74ad128b60196a137054f3370a5c031cd3fa0f727392e8b71925f739f65978710e0e1e8eb9c2f11782ce9f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Countly.dll
Filesize
128KB

MD5
304e0f414c764d7a5c2647d721646e13

SHA1
b126d0bc4cd678fe2e2e1acb165d076364807129

SHA256
86cb999ef8b3d20cb81b69ff03580cc6f3d2ca6cc699ab0810fab8cac0e7397e

SHA512
fdb45e066cee6ee5580a1e7fa695804fa0d1959e7c74ad128b60196a137054f3370a5c031cd3fa0f727392e8b71925f739f65978710e0e1e8eb9c2f11782ce9f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Gh.Common.dll
Filesize
53KB

MD5
72563fcd701c8dda5537e2ec7c3030ab

SHA1
eaf2ad4e3657b258b67c9275c76f57db536c6202

SHA256
6d3dd8d3c7c9a3540f4ca3a1fbb014981632bf9d8c7fc4c4ab7d9dea6d6683f2

SHA512
7109099fd6b29845b53829ddaeeb86095e806f9c6cb9510d65aec1683c2c476e3f0536524dde9bbee36afb1f99fdf892a143abcc9b95624576b85b6f3f1ffc87

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Gh.Common.dll
Filesize
53KB

MD5
72563fcd701c8dda5537e2ec7c3030ab

SHA1
eaf2ad4e3657b258b67c9275c76f57db536c6202

SHA256
6d3dd8d3c7c9a3540f4ca3a1fbb014981632bf9d8c7fc4c4ab7d9dea6d6683f2

SHA512
7109099fd6b29845b53829ddaeeb86095e806f9c6cb9510d65aec1683c2c476e3f0536524dde9bbee36afb1f99fdf892a143abcc9b95624576b85b6f3f1ffc87

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Gh.Common.dll
Filesize
53KB

MD5
72563fcd701c8dda5537e2ec7c3030ab

SHA1
eaf2ad4e3657b258b67c9275c76f57db536c6202

SHA256
6d3dd8d3c7c9a3540f4ca3a1fbb014981632bf9d8c7fc4c4ab7d9dea6d6683f2

SHA512
7109099fd6b29845b53829ddaeeb86095e806f9c6cb9510d65aec1683c2c476e3f0536524dde9bbee36afb1f99fdf892a143abcc9b95624576b85b6f3f1ffc87

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Gh.Common.dll
Filesize
53KB

MD5
72563fcd701c8dda5537e2ec7c3030ab

SHA1
eaf2ad4e3657b258b67c9275c76f57db536c6202

SHA256
6d3dd8d3c7c9a3540f4ca3a1fbb014981632bf9d8c7fc4c4ab7d9dea6d6683f2

SHA512
7109099fd6b29845b53829ddaeeb86095e806f9c6cb9510d65aec1683c2c476e3f0536524dde9bbee36afb1f99fdf892a143abcc9b95624576b85b6f3f1ffc87

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Gh.Common.dll
Filesize
53KB

MD5
72563fcd701c8dda5537e2ec7c3030ab

SHA1
eaf2ad4e3657b258b67c9275c76f57db536c6202

SHA256
6d3dd8d3c7c9a3540f4ca3a1fbb014981632bf9d8c7fc4c4ab7d9dea6d6683f2

SHA512
7109099fd6b29845b53829ddaeeb86095e806f9c6cb9510d65aec1683c2c476e3f0536524dde9bbee36afb1f99fdf892a143abcc9b95624576b85b6f3f1ffc87

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Newtonsoft.Json.dll
Filesize
464KB

MD5
83222120c8095b8623fe827fb70faf6b

SHA1
9294136b07c36fab5523ef345fe05f03ea516b15

SHA256
eff79de319ca8941a2e62fb573230d82b79b80958e5a26ab1a4e87193eb13503

SHA512
3077e4ea7ebfd4d25b60b9727fbab183827aad5ba914e8cd3d9557fa3913fd82efe2cd20b1a193d8c7e1b81ee44f04dadfcb8f18507977c78dd5c8b071f8addb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Newtonsoft.Json.dll
Filesize
464KB

MD5
83222120c8095b8623fe827fb70faf6b

SHA1
9294136b07c36fab5523ef345fe05f03ea516b15

SHA256
eff79de319ca8941a2e62fb573230d82b79b80958e5a26ab1a4e87193eb13503

SHA512
3077e4ea7ebfd4d25b60b9727fbab183827aad5ba914e8cd3d9557fa3913fd82efe2cd20b1a193d8c7e1b81ee44f04dadfcb8f18507977c78dd5c8b071f8addb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Newtonsoft.Json.dll
Filesize
464KB

MD5
83222120c8095b8623fe827fb70faf6b

SHA1
9294136b07c36fab5523ef345fe05f03ea516b15

SHA256
eff79de319ca8941a2e62fb573230d82b79b80958e5a26ab1a4e87193eb13503

SHA512
3077e4ea7ebfd4d25b60b9727fbab183827aad5ba914e8cd3d9557fa3913fd82efe2cd20b1a193d8c7e1b81ee44f04dadfcb8f18507977c78dd5c8b071f8addb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Newtonsoft.Json.dll
Filesize
464KB

MD5
83222120c8095b8623fe827fb70faf6b

SHA1
9294136b07c36fab5523ef345fe05f03ea516b15

SHA256
eff79de319ca8941a2e62fb573230d82b79b80958e5a26ab1a4e87193eb13503

SHA512
3077e4ea7ebfd4d25b60b9727fbab183827aad5ba914e8cd3d9557fa3913fd82efe2cd20b1a193d8c7e1b81ee44f04dadfcb8f18507977c78dd5c8b071f8addb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Newtonsoft.Json.dll
Filesize
464KB

MD5
83222120c8095b8623fe827fb70faf6b

SHA1
9294136b07c36fab5523ef345fe05f03ea516b15

SHA256
eff79de319ca8941a2e62fb573230d82b79b80958e5a26ab1a4e87193eb13503

SHA512
3077e4ea7ebfd4d25b60b9727fbab183827aad5ba914e8cd3d9557fa3913fd82efe2cd20b1a193d8c7e1b81ee44f04dadfcb8f18507977c78dd5c8b071f8addb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\SharpRaven.dll
Filesize
72KB

MD5
c1a31ab7394444fd8aa2e8fe3c7c5094

SHA1
649a0915f4e063314e3f04d284fea8656f6eb62b

SHA256
64b7231eda298844697d38dd3539bd97fe995d88ae0c5e0c09d63a908f7336c4

SHA512
3514a69552dd1e1b63a235d7e3a1e982a72a9741ade4a931fc8d8e61f402228ad3243be9321d87fdefdfe137fc357925a931966266ec58c19296adb210be9b0e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\SharpRaven.dll
Filesize
72KB

MD5
c1a31ab7394444fd8aa2e8fe3c7c5094

SHA1
649a0915f4e063314e3f04d284fea8656f6eb62b

SHA256
64b7231eda298844697d38dd3539bd97fe995d88ae0c5e0c09d63a908f7336c4

SHA512
3514a69552dd1e1b63a235d7e3a1e982a72a9741ade4a931fc8d8e61f402228ad3243be9321d87fdefdfe137fc357925a931966266ec58c19296adb210be9b0e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\SharpRaven.dll
Filesize
72KB

MD5
c1a31ab7394444fd8aa2e8fe3c7c5094

SHA1
649a0915f4e063314e3f04d284fea8656f6eb62b

SHA256
64b7231eda298844697d38dd3539bd97fe995d88ae0c5e0c09d63a908f7336c4

SHA512
3514a69552dd1e1b63a235d7e3a1e982a72a9741ade4a931fc8d8e61f402228ad3243be9321d87fdefdfe137fc357925a931966266ec58c19296adb210be9b0e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\SharpRaven.dll
Filesize
72KB

MD5
c1a31ab7394444fd8aa2e8fe3c7c5094

SHA1
649a0915f4e063314e3f04d284fea8656f6eb62b

SHA256
64b7231eda298844697d38dd3539bd97fe995d88ae0c5e0c09d63a908f7336c4

SHA512
3514a69552dd1e1b63a235d7e3a1e982a72a9741ade4a931fc8d8e61f402228ad3243be9321d87fdefdfe137fc357925a931966266ec58c19296adb210be9b0e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\SharpRaven.dll
Filesize
72KB

MD5
c1a31ab7394444fd8aa2e8fe3c7c5094

SHA1
649a0915f4e063314e3f04d284fea8656f6eb62b

SHA256
64b7231eda298844697d38dd3539bd97fe995d88ae0c5e0c09d63a908f7336c4

SHA512
3514a69552dd1e1b63a235d7e3a1e982a72a9741ade4a931fc8d8e61f402228ad3243be9321d87fdefdfe137fc357925a931966266ec58c19296adb210be9b0e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\System.Threading.dll
Filesize
378KB

MD5
f5ee17938d7c545bf62ad955803661c7

SHA1
dd0647d250539f1ec580737de102e2515558f422

SHA256
8a791af9e3861e231662b657098a823b21a084cbb6a4901d6ccf363405849a78

SHA512
669a89ad811cda4f3ff4aa318aa03e26e4cb41ea22bc321bad02a671273d867cbd223a64bb30da592a5484a9f1cec77c96f5bf63b1fe586b6d3688b8c9da530c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\System.Threading.dll
Filesize
378KB

MD5
f5ee17938d7c545bf62ad955803661c7

SHA1
dd0647d250539f1ec580737de102e2515558f422

SHA256
8a791af9e3861e231662b657098a823b21a084cbb6a4901d6ccf363405849a78

SHA512
669a89ad811cda4f3ff4aa318aa03e26e4cb41ea22bc321bad02a671273d867cbd223a64bb30da592a5484a9f1cec77c96f5bf63b1fe586b6d3688b8c9da530c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\System.Threading.dll
Filesize
378KB

MD5
f5ee17938d7c545bf62ad955803661c7

SHA1
dd0647d250539f1ec580737de102e2515558f422

SHA256
8a791af9e3861e231662b657098a823b21a084cbb6a4901d6ccf363405849a78

SHA512
669a89ad811cda4f3ff4aa318aa03e26e4cb41ea22bc321bad02a671273d867cbd223a64bb30da592a5484a9f1cec77c96f5bf63b1fe586b6d3688b8c9da530c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\System.Threading.dll
Filesize
378KB

MD5
f5ee17938d7c545bf62ad955803661c7

SHA1
dd0647d250539f1ec580737de102e2515558f422

SHA256
8a791af9e3861e231662b657098a823b21a084cbb6a4901d6ccf363405849a78

SHA512
669a89ad811cda4f3ff4aa318aa03e26e4cb41ea22bc321bad02a671273d867cbd223a64bb30da592a5484a9f1cec77c96f5bf63b1fe586b6d3688b8c9da530c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\System.Threading.dll
Filesize
378KB

MD5
f5ee17938d7c545bf62ad955803661c7

SHA1
dd0647d250539f1ec580737de102e2515558f422

SHA256
8a791af9e3861e231662b657098a823b21a084cbb6a4901d6ccf363405849a78

SHA512
669a89ad811cda4f3ff4aa318aa03e26e4cb41ea22bc321bad02a671273d867cbd223a64bb30da592a5484a9f1cec77c96f5bf63b1fe586b6d3688b8c9da530c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Walliant.exe
Filesize
205KB

MD5
deb44715821d03b166544691e006378c

SHA1
f9042017cd17b222ff60196a5efc750daf000b09

SHA256
5662ac34ed38164352a51a1054a5ceea64ca74817bb6f0d98f083350c95c1322

SHA512
b357c87f0fb003cbeae951d41bc8bc9b39ebc6f000af12ba77c18cf909a78d051d0344e57166c5d06b0ecd6408a7b5e481f971afb7899871b76dd4a72deba602

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Walliant.exe
Filesize
205KB

MD5
deb44715821d03b166544691e006378c

SHA1
f9042017cd17b222ff60196a5efc750daf000b09

SHA256
5662ac34ed38164352a51a1054a5ceea64ca74817bb6f0d98f083350c95c1322

SHA512
b357c87f0fb003cbeae951d41bc8bc9b39ebc6f000af12ba77c18cf909a78d051d0344e57166c5d06b0ecd6408a7b5e481f971afb7899871b76dd4a72deba602

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Walliant.exe
Filesize
205KB

MD5
deb44715821d03b166544691e006378c

SHA1
f9042017cd17b222ff60196a5efc750daf000b09

SHA256
5662ac34ed38164352a51a1054a5ceea64ca74817bb6f0d98f083350c95c1322

SHA512
b357c87f0fb003cbeae951d41bc8bc9b39ebc6f000af12ba77c18cf909a78d051d0344e57166c5d06b0ecd6408a7b5e481f971afb7899871b76dd4a72deba602

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Walliant.exe.config
Filesize
544B

MD5
3e8f51c2b6fd8149c32819eadec0ca72

SHA1
4e99b195e6ddcc8e0e5149ed66375fe71851dbd2

SHA256
0e7acbb755e5161d596d65bc357ec09ee0f82017d15f65504e4eec47dac927bd

SHA512
91d258f76052784ff14393bdd0e1ae8af8f09ca60f2bd54fd17d6e9946dbf5c7e570153a3ba3c6ae6eb4191579156a48dae0508bc9323fc76080c973e6262771

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\sdk.dll
Filesize
6.9MB

MD5
8f08dbdd92815428baabbf36b7eee4a4

SHA1
cb4a8eb2c4370c366886a97308091414f9c330e5

SHA256
a35559576e064054654920670e66b362da532c2fd511470d0c0d67120f2abfb9

SHA512
c9c0df87f962bc9bde3c5dde745d0fdc318e6530b7df0f41e3a4ad9b84e090fc0c07a79c28004462e28ba4a627452073600cdba0d72b50199e9173b5d9c3fe05

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\sdk.dll
Filesize
6.9MB

MD5
8f08dbdd92815428baabbf36b7eee4a4

SHA1
cb4a8eb2c4370c366886a97308091414f9c330e5

SHA256
a35559576e064054654920670e66b362da532c2fd511470d0c0d67120f2abfb9

SHA512
c9c0df87f962bc9bde3c5dde745d0fdc318e6530b7df0f41e3a4ad9b84e090fc0c07a79c28004462e28ba4a627452073600cdba0d72b50199e9173b5d9c3fe05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC148C257\ICSharpCode.SharpZipLib.dll
Filesize
203KB

MD5
a93dac647ee7cddb93f549dcd783b323

SHA1
8569eeb79bf29c67b8bb4aeaa305f37bb3288ed8

SHA256
4f6eb0fe1f4cb547cf03ff19f9a1c051bf0cac1c793b88650f174c360ded3e39

SHA512
44a82d60a560f32aea5370871f1d4b38b0f20bcac0ed46686093efc45a361470085fcc0071e8cc91cdab99fc00438adf220faba802343f84a3cebd46b32d4886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC148C257\ICSharpCode.SharpZipLib.dll
Filesize
203KB

MD5
a93dac647ee7cddb93f549dcd783b323

SHA1
8569eeb79bf29c67b8bb4aeaa305f37bb3288ed8

SHA256
4f6eb0fe1f4cb547cf03ff19f9a1c051bf0cac1c793b88650f174c360ded3e39

SHA512
44a82d60a560f32aea5370871f1d4b38b0f20bcac0ed46686093efc45a361470085fcc0071e8cc91cdab99fc00438adf220faba802343f84a3cebd46b32d4886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC148C257\ICSharpCode.SharpZipLib.dll
Filesize
203KB

MD5
a93dac647ee7cddb93f549dcd783b323

SHA1
8569eeb79bf29c67b8bb4aeaa305f37bb3288ed8

SHA256
4f6eb0fe1f4cb547cf03ff19f9a1c051bf0cac1c793b88650f174c360ded3e39

SHA512
44a82d60a560f32aea5370871f1d4b38b0f20bcac0ed46686093efc45a361470085fcc0071e8cc91cdab99fc00438adf220faba802343f84a3cebd46b32d4886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC148C257\ICSharpCode.SharpZipLib.dll
Filesize
203KB

MD5
a93dac647ee7cddb93f549dcd783b323

SHA1
8569eeb79bf29c67b8bb4aeaa305f37bb3288ed8

SHA256
4f6eb0fe1f4cb547cf03ff19f9a1c051bf0cac1c793b88650f174c360ded3e39

SHA512
44a82d60a560f32aea5370871f1d4b38b0f20bcac0ed46686093efc45a361470085fcc0071e8cc91cdab99fc00438adf220faba802343f84a3cebd46b32d4886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC148C257\ICSharpCode.SharpZipLib.dll
Filesize
203KB

MD5
a93dac647ee7cddb93f549dcd783b323

SHA1
8569eeb79bf29c67b8bb4aeaa305f37bb3288ed8

SHA256
4f6eb0fe1f4cb547cf03ff19f9a1c051bf0cac1c793b88650f174c360ded3e39

SHA512
44a82d60a560f32aea5370871f1d4b38b0f20bcac0ed46686093efc45a361470085fcc0071e8cc91cdab99fc00438adf220faba802343f84a3cebd46b32d4886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC148C257\Newtonsoft.Json.dll
Filesize
423KB

MD5
32d2b354d49a144ad9cc73fda584c11c

SHA1
8024998509d082f984b84f8235637b626944ba78

SHA256
ed30e38e44c49b859b801d05621d8e902d04d502ebf5de676de04c23825b0290

SHA512
c8d94823790264a0b3e9158c3453e4babf6523cd38ce626091f84d9b100e5fc5ab39d7ef6e082b207b54171e26136cce2033a99b7e2d1a17d8f0b2996723f491

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC148C257\Newtonsoft.Json.dll
Filesize
423KB

MD5
32d2b354d49a144ad9cc73fda584c11c

SHA1
8024998509d082f984b84f8235637b626944ba78

SHA256
ed30e38e44c49b859b801d05621d8e902d04d502ebf5de676de04c23825b0290

SHA512
c8d94823790264a0b3e9158c3453e4babf6523cd38ce626091f84d9b100e5fc5ab39d7ef6e082b207b54171e26136cce2033a99b7e2d1a17d8f0b2996723f491

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC148C257\Newtonsoft.Json.dll
Filesize
423KB

MD5
32d2b354d49a144ad9cc73fda584c11c

SHA1
8024998509d082f984b84f8235637b626944ba78

SHA256
ed30e38e44c49b859b801d05621d8e902d04d502ebf5de676de04c23825b0290

SHA512
c8d94823790264a0b3e9158c3453e4babf6523cd38ce626091f84d9b100e5fc5ab39d7ef6e082b207b54171e26136cce2033a99b7e2d1a17d8f0b2996723f491

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC148C257\Newtonsoft.Json.dll
Filesize
423KB

MD5
32d2b354d49a144ad9cc73fda584c11c

SHA1
8024998509d082f984b84f8235637b626944ba78

SHA256
ed30e38e44c49b859b801d05621d8e902d04d502ebf5de676de04c23825b0290

SHA512
c8d94823790264a0b3e9158c3453e4babf6523cd38ce626091f84d9b100e5fc5ab39d7ef6e082b207b54171e26136cce2033a99b7e2d1a17d8f0b2996723f491

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC148C257\Newtonsoft.Json.dll
Filesize
423KB

MD5
32d2b354d49a144ad9cc73fda584c11c

SHA1
8024998509d082f984b84f8235637b626944ba78

SHA256
ed30e38e44c49b859b801d05621d8e902d04d502ebf5de676de04c23825b0290

SHA512
c8d94823790264a0b3e9158c3453e4babf6523cd38ce626091f84d9b100e5fc5ab39d7ef6e082b207b54171e26136cce2033a99b7e2d1a17d8f0b2996723f491

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC148C257\WebCompanionInstaller.exe
Filesize
451KB

MD5
fb2ce6e0d7d5944e86697425c10cd11f

SHA1
0d4bee7a0b9350a3906bc4704cae72159dd83729

SHA256
ded4d86bf32884b7ad4639e26b4c79c0140060b8bca23660d31ebbcd66fa25b8

SHA512
e6daec17cf11ce4d9ccb28a489be80f1960a0a639138d2c770a5f84ddf7593f64824078796df7aa72e8407aae596333f646fea225207563f3e46dfcb1140eb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC148C257\WebCompanionInstaller.exe
Filesize
451KB

MD5
fb2ce6e0d7d5944e86697425c10cd11f

SHA1
0d4bee7a0b9350a3906bc4704cae72159dd83729

SHA256
ded4d86bf32884b7ad4639e26b4c79c0140060b8bca23660d31ebbcd66fa25b8

SHA512
e6daec17cf11ce4d9ccb28a489be80f1960a0a639138d2c770a5f84ddf7593f64824078796df7aa72e8407aae596333f646fea225207563f3e46dfcb1140eb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC148C257\WebCompanionInstaller.exe.config
Filesize
2KB

MD5
d9385bdc6e1554260cb7d30f6464dd9e

SHA1
b26637f3a18a503f5fd0fcf5d6cc20c087082052

SHA256
80a15ac4f887309d99b0e6566644a6fb95c028e8e90b130ceec54d808879a81c

SHA512
4dee0f7e2dae834f171766c3f7097660faf0bcbdaa57dd248c5c484c290e36d1b9e5599edd75dbdf2cc730ff872ce3bf7a5329941c84475bfac0bb25f01f4667

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\idp.dll
Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_0.exe
Filesize
4.0MB

MD5
167c38e1cf12b2b98f10847c80046e4b

SHA1
546717af2d3f74a4e95e00bc7071542a5ffc41ef

SHA256
ee21bf81d839fcc2fbed0bccbb421f8523476d7a836a8a12a3284879c028c5fd

SHA512
6d64619d64b60cb95d22ee2b152ba08004131d5464b7b135c189006c66c1e47b5e264f3b5585b6d2bece5616e646380bb11699702a8a859406bcc2eb674bcda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_0.exe
Filesize
4.0MB

MD5
167c38e1cf12b2b98f10847c80046e4b

SHA1
546717af2d3f74a4e95e00bc7071542a5ffc41ef

SHA256
ee21bf81d839fcc2fbed0bccbb421f8523476d7a836a8a12a3284879c028c5fd

SHA512
6d64619d64b60cb95d22ee2b152ba08004131d5464b7b135c189006c66c1e47b5e264f3b5585b6d2bece5616e646380bb11699702a8a859406bcc2eb674bcda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_1.exe
Filesize
270KB

MD5
2b3bb199a61eceefbf9fa722748c0513

SHA1
42623b2e651a2ad2757bc7b8071f4e05c01d8c89

SHA256
e99ae578a0944039158cc05b964370e565cfbb27feb77dbe78f578845ea8c90b

SHA512
de8bc689314c9c297d8de0681a7bfa6e3a5e23c21656d3f69a61144c5780d460df69d5ba4bcdaffd61d30832d947e62c73b0df1088f7abe725e6bb685a2a7e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_1.exe
Filesize
270KB

MD5
2b3bb199a61eceefbf9fa722748c0513

SHA1
42623b2e651a2ad2757bc7b8071f4e05c01d8c89

SHA256
e99ae578a0944039158cc05b964370e565cfbb27feb77dbe78f578845ea8c90b

SHA512
de8bc689314c9c297d8de0681a7bfa6e3a5e23c21656d3f69a61144c5780d460df69d5ba4bcdaffd61d30832d947e62c73b0df1088f7abe725e6bb685a2a7e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_2.exe
Filesize
542KB

MD5
1fe97398b67bd17b9dacc347da9d5aec

SHA1
59411d138e4a77895e5f280ea63f2b47fce00723

SHA256
e384df976f21e80cda75ebfd070f3ddf564b21d313c198bec6b3d8c1c84c36d5

SHA512
f8736c58b1bb6de8ae0e18c01e2fcad4764275665bbca84ed0ae79620897f846f6a4ffec440d04615d734b8935901c8e7a124d3a7b81bf836d7e227ac7d5da8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\setup_2.exe
Filesize
542KB

MD5
1fe97398b67bd17b9dacc347da9d5aec

SHA1
59411d138e4a77895e5f280ea63f2b47fce00723

SHA256
e384df976f21e80cda75ebfd070f3ddf564b21d313c198bec6b3d8c1c84c36d5

SHA512
f8736c58b1bb6de8ae0e18c01e2fcad4764275665bbca84ed0ae79620897f846f6a4ffec440d04615d734b8935901c8e7a124d3a7b81bf836d7e227ac7d5da8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8HEQP.tmp\status.log
Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JTGTB.tmp\setup.tmp
Filesize
3.0MB

MD5
083ec0ca152f9c480681d26bf8d4a0bd

SHA1
c12e36cba69583ed3484dbd2b5a47e5d270bfc3a

SHA256
745c78503303fc2cf7375b3b5d957942be56e4e054c28a30fde91d5a6c754d36

SHA512
ebb58bfba425c5abd829238c6e5ddacbadbd0e6b54f6e4e58cc449d5e208106c6ed53531484f87ddc06669b296f285c04387f271168725f5516bd09bca96f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KQETR.tmp\Akira Client.tmp
Filesize
2.9MB

MD5
4a6f78cd84b266ef50d035a10048d291

SHA1
e3161c9df09be1bbd3d47c720fd5b793aaa747d4

SHA256
6ca2b09686e78993a0f89fd0b28e554be7a69af35162bf755baa05b44bed1b7e

SHA512
62bb856a9dc590dc956ca502e156af069a4b6596a8bf5ecf2459263843f8a24619bb0de3386e9c008e6b3c05bf2e38fa287dcdc5d6d3d2b112150ec9fdbe3dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KQETR.tmp\Akira Client.tmp
Filesize
2.9MB

MD5
4a6f78cd84b266ef50d035a10048d291

SHA1
e3161c9df09be1bbd3d47c720fd5b793aaa747d4

SHA256
6ca2b09686e78993a0f89fd0b28e554be7a69af35162bf755baa05b44bed1b7e

SHA512
62bb856a9dc590dc956ca502e156af069a4b6596a8bf5ecf2459263843f8a24619bb0de3386e9c008e6b3c05bf2e38fa287dcdc5d6d3d2b112150ec9fdbe3dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ME4TN.tmp\setup.exe
Filesize
1.7MB

MD5
f975f46cea90a3d346ed4f6f62eb0a3f

SHA1
3e6b43f10c9dcc1e70efc28bc6bba908023a1b71

SHA256
90650c5f043fbd65f716a6949d1a1bcd41ed6b32bb806c8de97868edb1ee05f8

SHA512
fd1fe42b2a2bc2e38c41322086e5de2f9d68c1c871ad9c35a8d1e9870b7f61e82ee882f736a037eafed0bcddd93d6a7ebbb638195fbf264dde5ed3b7d662ab09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ME4TN.tmp\setup.exe
Filesize
1.7MB

MD5
f975f46cea90a3d346ed4f6f62eb0a3f

SHA1
3e6b43f10c9dcc1e70efc28bc6bba908023a1b71

SHA256
90650c5f043fbd65f716a6949d1a1bcd41ed6b32bb806c8de97868edb1ee05f8

SHA512
fd1fe42b2a2bc2e38c41322086e5de2f9d68c1c871ad9c35a8d1e9870b7f61e82ee882f736a037eafed0bcddd93d6a7ebbb638195fbf264dde5ed3b7d662ab09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ME4TN.tmp\setup.exe
Filesize
1.7MB

MD5
f975f46cea90a3d346ed4f6f62eb0a3f

SHA1
3e6b43f10c9dcc1e70efc28bc6bba908023a1b71

SHA256
90650c5f043fbd65f716a6949d1a1bcd41ed6b32bb806c8de97868edb1ee05f8

SHA512
fd1fe42b2a2bc2e38c41322086e5de2f9d68c1c871ad9c35a8d1e9870b7f61e82ee882f736a037eafed0bcddd93d6a7ebbb638195fbf264dde5ed3b7d662ab09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SOSPC.tmp\setup_0.tmp
Filesize
3.0MB

MD5
4f6cbd3e8d2c1562dad5242476a85678

SHA1
c0a2a21c6d652290e04395a4b7a795b5f586dc25

SHA256
6dce6dee7180e4c320d39b6884567549579c1bf13f65f08f47c0ed0466144d09

SHA512
3820224a65487efe0621d6d9e62b24da0de4ff7e0d792c9ce9afc9323bbeb988a953938deaa92cae8e7901419a3f566218ba9aa2d4fe247facaf54f095c9f540

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SOSPC.tmp\setup_0.tmp
Filesize
3.0MB

MD5
4f6cbd3e8d2c1562dad5242476a85678

SHA1
c0a2a21c6d652290e04395a4b7a795b5f586dc25

SHA256
6dce6dee7180e4c320d39b6884567549579c1bf13f65f08f47c0ed0466144d09

SHA512
3820224a65487efe0621d6d9e62b24da0de4ff7e0d792c9ce9afc9323bbeb988a953938deaa92cae8e7901419a3f566218ba9aa2d4fe247facaf54f095c9f540

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiF99D.tmp
Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiF9BE.tmp
Filesize
81KB

MD5
125b0f6bf378358e4f9c837ff6682d94

SHA1
8715beb626e0f4bd79a14819cc0f90b81a2e58ad

SHA256
e99eab3c75989b519f7f828373042701329acbd8ceadf4f3ff390f346ac76193

SHA512
b63bb6bfda70d42472868b5a1d3951cf9b2e00a7fadb08c1f599151a1801a19f5a75cfc3ace94c952cfd284eb261c7d6f11be0ebbcaa701b75036d3a6b442db2

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi
Filesize
3.8MB

MD5
6024d8c2207fc4610416beaf8d360527

SHA1
793ab731b07bf86ecc3ba78e1b76dc2aa0b48f8a

SHA256
cb4cad56ea5391e44dc661513c4f021c5272db710cc1733251152d1cb0eb5829

SHA512
0bb9cd1ec8873137e654a94c21887b7d4c73a9e561563d52ddec18377552d1a33d256487362bb614ebb3d804047427977b3eb0070c92fc43d0dd656af13eeab4

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
Filesize
206KB

MD5
8a3f1a0da39530dcb8962dd0fadb187f

SHA1
d5294f6be549ec1f779da78d903683bab2835d1a

SHA256
c6988e36b1e1d6ffc89d9fa77ad35f132f5aa89e680d0155e0b6aee1c524c99f

SHA512
1e0d5be3ee164fb16de629a975f3c3da61659b99a0fc766850ffeeddb2d32b7ee0d3b85c77f01d34d9fe2933bd7bd11c6dba7b35d30faed7ce09485fd706d49d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new
Filesize
960B

MD5
08d0fd62c4078884955a26a039e04ccd

SHA1
ce12e6e874523988df81fd22d7450d3ef44a6b3e

SHA256
78279ac4a999051a37dc572cd427b281a9641ca9be2799eaa7a6272ca9768bb5

SHA512
d8cd6bb3840bbb1ded2859345b1fd9d7520927c8f48a473d9a669c7a7c001b03a58ca26d71c82b181115c3db16a85074d10a40e2b4c4628ac865779bb265d667

Download Submit
C:\Windows\Installer\MSIF7C9.tmp
Filesize
789KB

MD5
dd1f93eb81e6c99ba9be55b0c12e8bb4

SHA1
1d767983aaa4eb5c9e19409cf529969142033850

SHA256
f55b853958f07b15f0dae7a871c1ebe2ec117ef54ba3811d31cec4c8ae471d9b

SHA512
7968839ca3e7337b2e7774d92c4a3666e9b7d8d76000475b39c2bda6db3320fc9b2100322505997798af5631a007787fbd8d0d6fe0b51949c545c67e696aaf1a

Download Submit
C:\Windows\Installer\MSIF8A5.tmp
Filesize
524KB

MD5
6ea65025106536eb75f026e46643b099

SHA1
d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

SHA256
dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

SHA512
062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new
Filesize
466B

MD5
320f6b5d5b63e9ec1e8d388bbe90aa3d

SHA1
9c89b86d0343210d3273db733efb19d466188543

SHA256
8776509fcea8b14282d8ba5309328c1b0e4a6e3c635b71db5dfdaa3265ebd7f9

SHA512
cb829846a50b50ccc85c8cd06d0642889245d48fa28e1af43ccbda28596f8df8219d262783c9aa56f8ed163642ba5a16b3ddf6427980ab3908abfa2a6ba6f614

Download Submit
memory/424-201-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/424-185-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/424-248-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1072-463-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/1140-298-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1140-310-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1140-312-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1756-302-0x00000000014F0000-0x0000000001500000-memory.dmp

Filesize
64KB

Download
memory/1756-641-0x000000006FD20000-0x0000000070442000-memory.dmp

Filesize
7.1MB

Download
memory/1756-240-0x00000000014F0000-0x0000000001500000-memory.dmp

Filesize
64KB

Download
memory/1756-362-0x00000000014F0000-0x0000000001500000-memory.dmp

Filesize
64KB

Download
memory/1756-303-0x00000000014F0000-0x0000000001500000-memory.dmp

Filesize
64KB

Download
memory/1756-927-0x000000006FD20000-0x0000000070442000-memory.dmp

Filesize
7.1MB

Download
memory/1756-361-0x00000000014F0000-0x0000000001500000-memory.dmp

Filesize
64KB

Download
memory/1756-304-0x00000000014F0000-0x0000000001500000-memory.dmp

Filesize
64KB

Download
memory/1756-363-0x00000000014F0000-0x0000000001500000-memory.dmp

Filesize
64KB

Download
memory/1756-353-0x00000000014F0000-0x0000000001500000-memory.dmp

Filesize
64KB

Download
memory/1756-744-0x000000006FD20000-0x0000000070442000-memory.dmp

Filesize
7.1MB

Download
memory/1756-371-0x000000006FD20000-0x0000000070442000-memory.dmp

Filesize
7.1MB

Download
memory/1756-300-0x00000000014F0000-0x0000000001500000-memory.dmp

Filesize
64KB

Download
memory/1756-301-0x00000000014F0000-0x0000000001500000-memory.dmp

Filesize
64KB

Download
memory/1756-308-0x00000000014F0000-0x0000000001500000-memory.dmp

Filesize
64KB

Download
memory/1756-646-0x000000006FD20000-0x0000000070442000-memory.dmp

Filesize
7.1MB

Download
memory/1756-630-0x000000006FD20000-0x0000000070442000-memory.dmp

Filesize
7.1MB

Download
memory/1756-305-0x000000006FD20000-0x0000000070442000-memory.dmp

Filesize
7.1MB

Download
memory/1800-176-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1800-147-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/1800-144-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1800-138-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/3980-133-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3980-143-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4192-177-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4192-164-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4588-665-0x0000000001840000-0x0000000001850000-memory.dmp

Filesize
64KB

Download
memory/4588-863-0x0000000001840000-0x0000000001850000-memory.dmp

Filesize
64KB

Download
memory/4604-2081-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/4604-1658-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/4712-200-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4712-174-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/4712-299-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4712-317-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4712-462-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4712-178-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/5076-192-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/5076-203-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/5076-202-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/5076-235-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/5076-247-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download