e42260ec10ff5fbb54a7cd2e1f236b5658826bb1f2139fd5b0cafffe9423941e

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f9a54e53247feac3ffc37e48ca67f300_exe32.exe
Size

8.8MB
MD5

f9a54e53247feac3ffc37e48ca67f300
SHA1

348ee9568deec8cb5f30bedd38e2ff170ba0073d
SHA256

e42260ec10ff5fbb54a7cd2e1f236b5658826bb1f2139fd5b0cafffe9423941e
SHA512

e834e85512f188e07524238e3d7747f24d3f8dd0b2697c917fdd079051fec98bb2645f2dd0623cd03ba74b83386e411554090ae3ef592ec11352f19c1d8b5728
SSDEEP

196608:5SGyUYmlrVndt5dAZ1/lYbrHVTZ9rUqlcBhf:oGyKlx/5uZRlYbrHV3jlcBhf

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\is-6RFHF.tmp	SetupTmp.tmp

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ItlsHKOT\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\ItlsHKOT64.sys"	DrvOTInj64.Exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	f9a54e53247feac3ffc37e48ca67f300_exe32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	CPManager.exe

Executes dropped EXE 9 IoCs

pid	Process
232	SetupTmp.exe
2024	SetupTmp.tmp
1624	instdrvOT.Exe
4844	CPManager.exe
1808	CPManager.exe
4404	instdrvOT.exe
640	MgOT64.exe
4892	ClipLDR64.exe
3984	DrvOTInj64.Exe

Loads dropped DLL 23 IoCs

pid	Process
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
4844	CPManager.exe
4844	CPManager.exe
4844	CPManager.exe
4844	CPManager.exe
640	MgOT64.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
3984	DrvOTInj64.Exe
640	MgOT64.exe
1808	CPManager.exe
1808	CPManager.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	f9a54e53247feac3ffc37e48ca67f300_exe32.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f9a54e53247feac3ffc37e48ca67f300_exe32.exe

Drops file in System32 directory 50 IoCs

description	ioc	Process
File created	C:\Windows\system32\is-ICDJB.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-U19BK.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-2NK1Q.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-IB2TS.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-45SFP.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-DVV89.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-3QPAA.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-DBIU2.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-VBL83.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-T3EC3.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-287N8.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-E1GMT.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-G40SF.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-JHMJ4.tmp	SetupTmp.tmp
File created	C:\Windows\system32\is-BQP8H.tmp	SetupTmp.tmp
File created	C:\Windows\system32\is-M15QK.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-OF9QC.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-1886H.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-R1FDV.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-TA3JV.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-CNI1D.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-CNVG3.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-GG7RK.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-1E9CV.tmp	SetupTmp.tmp
File created	C:\Windows\system32\is-OLC36.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-GVPBJ.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-OHFPD.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-40I9V.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-0NQCS.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-16DPJ.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-GBPCN.tmp	SetupTmp.tmp
File created	C:\Windows\system32\is-SOC8C.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-JAA89.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-39D91.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-763AN.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-89SH1.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-MUDSB.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-FK2I1.tmp	SetupTmp.tmp
File created	C:\Windows\system32\is-E55CV.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-21DPB.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-BBQ3U.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-O6KEJ.tmp	SetupTmp.tmp
File created	C:\Windows\system32\is-D2QAR.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-BF0UC.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-RKT4P.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-1BME9.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-LLTV5.tmp	SetupTmp.tmp
File created	C:\Windows\system32\is-6IJR7.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-8H348.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-O7KDB.tmp	SetupTmp.tmp

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\CryptorPlus\unins000.dat	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\unins000.dat	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-LKS01.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-SH06A.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-3LKHU.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-LIRNO.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-C5MQD.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-G6LAU.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-638MK.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-AHSUC.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-RT5US.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-3SIBO.tmp	SetupTmp.tmp

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	f9a54e53247feac3ffc37e48ca67f300_exe32.exe
File created	C:\Windows\assembly\Desktop.ini	f9a54e53247feac3ffc37e48ca67f300_exe32.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f9a54e53247feac3ffc37e48ca67f300_exe32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cpdfile	SetupTmp.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cpdfile\shell	SetupTmp.tmp
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cpdfile\shell\cpdopen\command	SetupTmp.tmp
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cpd	SetupTmp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cpd\ = "cpdfile"	SetupTmp.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cpdfile\shell\cpdopen	SetupTmp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cpdfile\shell\cpdopen\command\ = "C:\\Program Files (x86)\\CryptorPlus\\CPManager.exe %1"	SetupTmp.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	CPManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	CPManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	CPManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CPManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CPManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CPManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d5c0000000100000004000000000800002000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	CPManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	CPManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	CPManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CPManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	CPManager.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2740	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
640	MgOT64.exe
640	MgOT64.exe
640	MgOT64.exe
640	MgOT64.exe
640	MgOT64.exe
640	MgOT64.exe
640	MgOT64.exe
640	MgOT64.exe
640	MgOT64.exe
640	MgOT64.exe
640	MgOT64.exe
640	MgOT64.exe
640	MgOT64.exe
640	MgOT64.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe
1808	CPManager.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1808	CPManager.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
3984	DrvOTInj64.Exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1624	instdrvOT.Exe
Token: SeSecurityPrivilege	4404	instdrvOT.exe
Token: SeDebugPrivilege	1808	CPManager.exe
Token: SeIncreaseQuotaPrivilege	3984	DrvOTInj64.Exe
Token: SeSecurityPrivilege	3984	DrvOTInj64.Exe
Token: SeLoadDriverPrivilege	3984	DrvOTInj64.Exe
Token: SeSystemProfilePrivilege	3984	DrvOTInj64.Exe
Token: SeSystemtimePrivilege	3984	DrvOTInj64.Exe
Token: SeProfSingleProcessPrivilege	3984	DrvOTInj64.Exe
Token: SeIncBasePriorityPrivilege	3984	DrvOTInj64.Exe
Token: SeCreatePagefilePrivilege	3984	DrvOTInj64.Exe
Token: SeShutdownPrivilege	3984	DrvOTInj64.Exe
Token: SeDebugPrivilege	3984	DrvOTInj64.Exe
Token: SeSystemEnvironmentPrivilege	3984	DrvOTInj64.Exe
Token: SeRemoteShutdownPrivilege	3984	DrvOTInj64.Exe
Token: SeUndockPrivilege	3984	DrvOTInj64.Exe
Token: SeManageVolumePrivilege	3984	DrvOTInj64.Exe
Token: 33	3984	DrvOTInj64.Exe
Token: 34	3984	DrvOTInj64.Exe
Token: 35	3984	DrvOTInj64.Exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1808	CPManager.exe
1808	CPManager.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1808	CPManager.exe
1808	CPManager.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2740	explorer.exe
2740	explorer.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 232	1812	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	83
PID 1812 wrote to memory of 232	1812	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	83
PID 1812 wrote to memory of 232	1812	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	83
PID 232 wrote to memory of 2024	232	SetupTmp.exe	84
PID 232 wrote to memory of 2024	232	SetupTmp.exe	84
PID 232 wrote to memory of 2024	232	SetupTmp.exe	84
PID 2024 wrote to memory of 4356	2024	SetupTmp.tmp	88
PID 2024 wrote to memory of 4356	2024	SetupTmp.tmp	88
PID 2024 wrote to memory of 3132	2024	SetupTmp.tmp	90
PID 2024 wrote to memory of 3132	2024	SetupTmp.tmp	90
PID 2024 wrote to memory of 1624	2024	SetupTmp.tmp	93
PID 2024 wrote to memory of 1624	2024	SetupTmp.tmp	93
PID 2024 wrote to memory of 1624	2024	SetupTmp.tmp	93
PID 2024 wrote to memory of 4844	2024	SetupTmp.tmp	94
PID 2024 wrote to memory of 4844	2024	SetupTmp.tmp	94
PID 2024 wrote to memory of 4844	2024	SetupTmp.tmp	94
PID 1812 wrote to memory of 1808	1812	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	95
PID 1812 wrote to memory of 1808	1812	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	95
PID 1812 wrote to memory of 1808	1812	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	95
PID 1808 wrote to memory of 4404	1808	CPManager.exe	98
PID 1808 wrote to memory of 4404	1808	CPManager.exe	98
PID 1808 wrote to memory of 4404	1808	CPManager.exe	98
PID 1808 wrote to memory of 640	1808	CPManager.exe	99
PID 1808 wrote to memory of 640	1808	CPManager.exe	99
PID 1808 wrote to memory of 4892	1808	CPManager.exe	102
PID 1808 wrote to memory of 4892	1808	CPManager.exe	102
PID 1808 wrote to memory of 5012	1808	CPManager.exe	103
PID 1808 wrote to memory of 5012	1808	CPManager.exe	103
PID 1808 wrote to memory of 3984	1808	CPManager.exe	105
PID 1808 wrote to memory of 3984	1808	CPManager.exe	105

C:\Users\Admin\AppData\Local\Temp\f9a54e53247feac3ffc37e48ca67f300_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\f9a54e53247feac3ffc37e48ca67f300_exe32.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1812
- C:\ProgramData\MyGuard\SetupTmp.exe
  "C:\ProgramData\MyGuard\SetupTmp.exe" /Silent
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\is-76B08.tmp\SetupTmp.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-76B08.tmp\SetupTmp.tmp" /SL5="$801D4,7067166,53248,C:\ProgramData\MyGuard\SetupTmp.exe" /Silent
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\system32\cacls.exe
      "cacls" "C:\ProgramData\MyGuard" /T /C /E /P Everyone:F
      4⤵
      PID:4356
  - - C:\Windows\system32\cacls.exe
      "cacls" "C:\ProgramData\CryptorPlus" /T /C /E /P Everyone:F
      4⤵
      PID:3132
  - - C:\Windows\SysWOW64\instdrvOT.Exe
      "C:\Windows\SysWOW64\instdrvOT.Exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1624
  - - C:\Program Files (x86)\CryptorPlus\CPManager.exe
      "C:\Program Files (x86)\CryptorPlus\CPManager.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      PID:4844
- C:\Program Files (x86)\CryptorPlus\CPManager.exe
  "C:\Program Files (x86)\CryptorPlus\CPManager.exe" CPEXE
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\instdrvOT.exe
    "C:\Windows\SysWow64\instdrvOT.exe" ITMSYSTEM hide C
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4404
- - C:\Windows\SysWOW64\MgOT64.exe
    "C:\Windows\SysWow64\MgOT64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:640
- - C:\Windows\SysWOW64\ClipLDR64.exe
    "C:\Windows\SysWow64\ClipLDR64.exe"
    3⤵
    - Executes dropped EXE
    PID:4892
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" C:\Users\Admin\AppData\Local\Temp\MyGuardTray.exe
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\DrvOTInj64.Exe
    "C:\Windows\system32\DrvOTInj64.Exe" LItlsHKOT/ITLSHKOT.sys/ItlsHKOT64.sys/HKOTAPI.DLL/HKOTAPI64.DLL/*/svchost.exe/
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:3984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CryptorPlus\CPLng.Dat

Filesize
25KB

MD5
7e3384d9172f29b19620abf08b9b0b82

SHA1
d227ad21874430b873377e2407081b2401a6ef56

SHA256
21b508dfc8a79aa7410740111617ea0af36fc07d0b60ab4d66a389e37d74db64

SHA512
1f67a6d2d270db13ded8900204e337c338bea8074722e1fa4e07951acca4baa5d2537457927d14881bc7c2ad16ac661ae0b63adaaeb946523d53ca5cc3a8f4b5

Download Submit
C:\Program Files (x86)\CryptorPlus\CPManager.exe

Filesize
1.5MB

MD5
b256b7e1abb9111ecfd68449c4947fa8

SHA1
7e41b95b5fe013262f7ff929f65c71fc73c1f091

SHA256
5af3ee9d717a170c9cc7174838f0547fdfdd5f70f693bc1db5b2e40d86b8ec3b

SHA512
c04af25194e8d1e976d9c6d9750818f2ab1f07c545ff68f8d5a5ce7c8030961cef0b132097620910f68ee5dcd3e79a295c5391b9852b7c7d18bf016ada4560df

Download Submit
C:\Program Files (x86)\CryptorPlus\CPManager.exe

Filesize
1.5MB

MD5
b256b7e1abb9111ecfd68449c4947fa8

SHA1
7e41b95b5fe013262f7ff929f65c71fc73c1f091

SHA256
5af3ee9d717a170c9cc7174838f0547fdfdd5f70f693bc1db5b2e40d86b8ec3b

SHA512
c04af25194e8d1e976d9c6d9750818f2ab1f07c545ff68f8d5a5ce7c8030961cef0b132097620910f68ee5dcd3e79a295c5391b9852b7c7d18bf016ada4560df

Download Submit
C:\Program Files (x86)\CryptorPlus\CPManager.exe

Filesize
1.5MB

MD5
b256b7e1abb9111ecfd68449c4947fa8

SHA1
7e41b95b5fe013262f7ff929f65c71fc73c1f091

SHA256
5af3ee9d717a170c9cc7174838f0547fdfdd5f70f693bc1db5b2e40d86b8ec3b

SHA512
c04af25194e8d1e976d9c6d9750818f2ab1f07c545ff68f8d5a5ce7c8030961cef0b132097620910f68ee5dcd3e79a295c5391b9852b7c7d18bf016ada4560df

Download Submit
C:\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
C:\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
C:\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
C:\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
C:\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
C:\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
C:\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
C:\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
C:\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
C:\Program Files (x86)\CryptorPlus\System.Net.Json.dll

Filesize
15KB

MD5
577cbbfa3ed386ba14927655460134a3

SHA1
b8c8d6792614b69431dfb378a7579ce9a776523a

SHA256
c238999ea3caf3c490717aef20186bb49c115a2c53057bdb202dac5e6ea113c1

SHA512
7b5a82841a4a89a40935722c7ca45faf12eeefaca66d51710000492e9b588b94e88b0249b97de04c5f985bdcf8516999abc7f90b87f0ee68db1483538fbb1980

Download Submit
C:\Program Files (x86)\CryptorPlus\System.Net.Json.dll

Filesize
15KB

MD5
577cbbfa3ed386ba14927655460134a3

SHA1
b8c8d6792614b69431dfb378a7579ce9a776523a

SHA256
c238999ea3caf3c490717aef20186bb49c115a2c53057bdb202dac5e6ea113c1

SHA512
7b5a82841a4a89a40935722c7ca45faf12eeefaca66d51710000492e9b588b94e88b0249b97de04c5f985bdcf8516999abc7f90b87f0ee68db1483538fbb1980

Download Submit
C:\Program Files (x86)\CryptorPlus\System.Net.Json.dll

Filesize
15KB

MD5
577cbbfa3ed386ba14927655460134a3

SHA1
b8c8d6792614b69431dfb378a7579ce9a776523a

SHA256
c238999ea3caf3c490717aef20186bb49c115a2c53057bdb202dac5e6ea113c1

SHA512
7b5a82841a4a89a40935722c7ca45faf12eeefaca66d51710000492e9b588b94e88b0249b97de04c5f985bdcf8516999abc7f90b87f0ee68db1483538fbb1980

Download Submit
C:\Program Files (x86)\CryptorPlus\System.Net.Json.dll

Filesize
15KB

MD5
577cbbfa3ed386ba14927655460134a3

SHA1
b8c8d6792614b69431dfb378a7579ce9a776523a

SHA256
c238999ea3caf3c490717aef20186bb49c115a2c53057bdb202dac5e6ea113c1

SHA512
7b5a82841a4a89a40935722c7ca45faf12eeefaca66d51710000492e9b588b94e88b0249b97de04c5f985bdcf8516999abc7f90b87f0ee68db1483538fbb1980

Download Submit
C:\Program Files (x86)\CryptorPlus\System.Net.Json.dll

Filesize
15KB

MD5
577cbbfa3ed386ba14927655460134a3

SHA1
b8c8d6792614b69431dfb378a7579ce9a776523a

SHA256
c238999ea3caf3c490717aef20186bb49c115a2c53057bdb202dac5e6ea113c1

SHA512
7b5a82841a4a89a40935722c7ca45faf12eeefaca66d51710000492e9b588b94e88b0249b97de04c5f985bdcf8516999abc7f90b87f0ee68db1483538fbb1980

Download Submit
C:\ProgramData\MyGuard\CryptorTmp\20231012093051223742\System.zip

Filesize
7.1MB

MD5
d056e4f22ff19219e3c943a1958ff7c6

SHA1
ba1905ca6d4fa30c8d6059911383fbeabf57618c

SHA256
fe1bb39ead2250bf4d575b195e608947bccdc125166f5f0c1360c51f5d74f374

SHA512
6de81c4bcbab52e0f3ecc452aa526ae8bb3c3772aeab99f725af54b18e4958bb0aa8879faf9fd78ecaa040b728de1ecaff436639e190cd8bbda16a873e8bd3a9

Download Submit
C:\ProgramData\MyGuard\Log\Cryptor Plus\20231016.log

Filesize
5KB

MD5
1476714933ea5c4a3fbb6ef235189a68

SHA1
57cda66f425d187c3eab0aa0fcc230229c950cd1

SHA256
408971570d4e2a1b96ea4b215820940ae0afa840da763eb4cb0412469b1ab5aa

SHA512
a94f35b3d4afea04dab7a505a8308a53124d42867dc826589f710ea6594ee023589c0ea8ee72f2e93905621d56e84c1e4fca632653825550d3ecf1d1f421717e

Download Submit
C:\ProgramData\MyGuard\Log\Cryptor Plus\20231016.log

Filesize
6KB

MD5
12151aabf05ad8ba5f8c6d2fbbd42747

SHA1
2506aab4fc7c2cc69eee06b32fd299584f9fb496

SHA256
b27a01a7f0a02189061c4bd0f1d4741cb3ead76e1376407b43c70a5aab5a7fb0

SHA512
a8776971b4bacf2ea990641ffb8ff85cea1dbf478edd89326b0666b95c888f49086d0f4801c1aaa86f93bc26e8c7512945691d6e75fac22f9c907aeba5c51b09

Download Submit
C:\ProgramData\MyGuard\Log\Cryptor Plus\20231016.log

Filesize
5KB

MD5
a41f794901d6f00ae988e6ee99238e0a

SHA1
2dffccf7f5ee3b7712159bd6779e674589cec7a9

SHA256
29876b4ac5ccc4bd7c3cb5f97563466c4cc5f8f82e51f93d8f5c11937aee4cb9

SHA512
dae91071794739b67e67ff0af556b451010a410672d7a997017a1bdd2fdb8fa546eaed0167b577e79bd51bd24c2a97cd06e8b2a71a7dd045ac4283167c265c46

Download Submit
C:\ProgramData\MyGuard\Log\Cryptor Plus\20231016.log

Filesize
6KB

MD5
1cab9a3de831d2ecb79fc3066b6101a1

SHA1
aa5b460ef99dea0de7932c42ee45f83a3746e60b

SHA256
cb562a95270fa940c27da60facfe0d2bbeead4f9bebc7fdc668cbc7483df5ad8

SHA512
72a0b45c9875cf24f6dad24acb0837dea98cc2dca2c1662666ced7da94defbe27f39970d059eb8fe3ca3b4ed1342cb4643cb1eb1999a4f9640539d91f891ffcd

Download Submit
C:\ProgramData\MyGuard\Log\Cryptor Plus\20231016.log

Filesize
6KB

MD5
76d3cb1b0f9f64eeda3a17e1b5d3c68b

SHA1
70eb5569bd1731e23203a49a0548571d0f60282a

SHA256
78da853d92a45c065af475fadf66d38b12202c6674264e127ef55fae1331ebfe

SHA512
63214c1b9db93ba059be87a19c90933932c81a38f234b3497e5eda7fe06296ec768289456dd8bf60760f2aa8ff3feec739f820c32f097e288f7209b7f444fb86

Download Submit
C:\ProgramData\MyGuard\Log\Cryptor Plus\20231016.log

Filesize
6KB

MD5
39fd0cf9a94e3950e30868e26ed21cc0

SHA1
b1f9a94c97943601476b5ad0f093503de90c566a

SHA256
e61113cf5002462b92755f88573bd9dbfab30a7b4dc84b6d774c30be7b394168

SHA512
6360d069c21996fa91f5c95537af5db5bc367ccd0b09504e6a952fbc642e72910c7d9c5ab69c81d2e792aa3b36d4f1be7b3a7904c006825ba0eb997d559dc8d7

Download Submit
C:\ProgramData\MyGuard\Log\Cryptor Plus\20231016.log

Filesize
8KB

MD5
51ec0fb7bcca1e7dab0c458de2eb0df6

SHA1
f9dd1c0d604a0c8ae25a77d0c2d090d4e7f2b1c4

SHA256
6eeaba2e584457fba8b7aa0239333c681f2a35cc8fb0919ba7d1a008ef7b6aa0

SHA512
27f7622a2807ee0c8eb559f5f1e802060cd931d051e6a704542543427bd03b1ff7fbd469aa508aab6f9da395684f50229642a46fda0d5e1e7f1187fe2a7d6350

Download Submit
C:\ProgramData\MyGuard\Log\Cryptor Plus\20231016.log

Filesize
9KB

MD5
d8398bacb620586a5bc5e328d0163d5d

SHA1
f6d1f9cf1e7c7c68b2b88308ef498d837dca28f1

SHA256
385215c7b3eef5c543efad7f0080a673f5cf9a66b7385304b3314bb4357eefc1

SHA512
df670276dfc97c45b8f872b760d71883da06d3c2d248e4842b713c858f9685ce33c95555f543801b01983a8224baeab07368d4c49b11ccaeeee86e5b5705ecd1

Download Submit
C:\ProgramData\MyGuard\SetupTmp.exe

Filesize
7.1MB

MD5
9d7d875bc8c6b94884151ddd978ee0f7

SHA1
61185986d24916c54751c022e98c2166fbd2fba0

SHA256
36ad6161db62967ebfdbdd32be09d4555396b56613aaad3265de3e01de974f4e

SHA512
0c566f6474bc76b0f814d0b6917db8257f7b6c63ec36e6cd1107a35c3853dec3429432c286568e1f5b03bf6eb04fb7566bbf412cff4c273cc30070e696788654

Download Submit
C:\ProgramData\MyGuard\SetupTmp.exe

Filesize
7.1MB

MD5
9d7d875bc8c6b94884151ddd978ee0f7

SHA1
61185986d24916c54751c022e98c2166fbd2fba0

SHA256
36ad6161db62967ebfdbdd32be09d4555396b56613aaad3265de3e01de974f4e

SHA512
0c566f6474bc76b0f814d0b6917db8257f7b6c63ec36e6cd1107a35c3853dec3429432c286568e1f5b03bf6eb04fb7566bbf412cff4c273cc30070e696788654

Download Submit
C:\ProgramData\MyGuard\SetupTmp.exe

Filesize
7.1MB

MD5
9d7d875bc8c6b94884151ddd978ee0f7

SHA1
61185986d24916c54751c022e98c2166fbd2fba0

SHA256
36ad6161db62967ebfdbdd32be09d4555396b56613aaad3265de3e01de974f4e

SHA512
0c566f6474bc76b0f814d0b6917db8257f7b6c63ec36e6cd1107a35c3853dec3429432c286568e1f5b03bf6eb04fb7566bbf412cff4c273cc30070e696788654

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
1KB

MD5
24bf0db099091e98b2759b8d2cbe10d2

SHA1
29fa76ec7596fbecef79833e1c758c5b0b31e92e

SHA256
90cb640fa18391ee390c6f2282896c2d44d2d4351afee3b678e45154aac98d8f

SHA512
43b5967636241617e46e5d66419877d20987162b4ed7b28fd8a483f4325a5c69b4885eb4fa4058d56cb1c022330b0872508029eb6dae4bb763ed23a3f6184ec5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_EA8D92B3458A834F48476616FF4FBC8F

Filesize
1KB

MD5
24741648bc3fc6d634b0f1a7074f2bd5

SHA1
96516be6d6ca8fc9ec2accc77ab3ab946d4f6b54

SHA256
49b5a91a6a21875f012fa963cb2bbd8b16a8f2e5c392fb3a9ccfae30928989d3

SHA512
f217293a36cc4e796ceb853ef14a3188b7b5b8b83ab954faaf6424ef48843f67d45c083bfc8f4106ab3b3a599f8ac4ad9798e3a0f8a889ef2c7ca31b35b9820d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
394B

MD5
5ff1a62f27e145cfcfefade8d8d85ce8

SHA1
fd6d19c619db3662a44dfa38774dd281fab4a2ba

SHA256
9e1aaefbe39ba0c81690c992d4433d5c4a34a6216f43156044fafeb58b2c0b59

SHA512
72146dabc8598ecb986500e6509046e2e6bd62f69bb9999ca3f03c35427932c75fe47658bf0f1cdfe684271adbf3061c882626894407baef7051d5f76fef3aea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
290B

MD5
aaf1b1978b09ce3de6f98b66c30e5f9e

SHA1
d97852f676de9510e3c535d72cd0d158bd8bfe98

SHA256
5e0a05c44f28f8ce53d9a883b8b9e08e274e4d2a14f072439c094e8cc822899c

SHA512
835b14755324ea266fd23a5b05c96622701a2388dcb756d1768c97e68678760c568be76a50ab64a66cb8742e0b6c7ea966bd5140305f39d0cf9ed1fa6da10b16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_EA8D92B3458A834F48476616FF4FBC8F

Filesize
398B

MD5
19dec6506d8c110b1fccd5a5e7e647a4

SHA1
5bc95dc3b9ea3f2ca614aa8b91d455b1fa5155ff

SHA256
82798ad54459c8aefde15b16e1de416761378f6864d82c7076602c3e706448d7

SHA512
1a60505c0d132b664d73dd2f6210d5f225de52dee8cb16ad39bc36ba38da418b5c67e7bfce4d60b1e7008cce26bc7666e1e020ad667082899a0872317373bc6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-76B08.tmp\SetupTmp.tmp

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-76B08.tmp\SetupTmp.tmp

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
C:\Windows\SYSTEM32\AgentComMod64.dll

Filesize
41KB

MD5
9350fd9ae2e18b7ecf072cbce52c6bdc

SHA1
7a746b5428c915500183be221b70496986e7efef

SHA256
b6b2f38583e14d9ff342d4a547ec3bdd47bc1542ad7ff5ddb90a75fbf865a894

SHA512
55d5aafb7ff39efd9d92ce997d3b3f3a87bb9e181366eb57fd413a140b970cd140547b550013b71c05159428795a0a2b9a281ef211d463b6d9bf196b0b5b8e5a

Download Submit
C:\Windows\SysWOW64\AgentComMod.dll

Filesize
37KB

MD5
01b41336a8dda7c01bef140381db4019

SHA1
0fa6127fc4dad164856f33f56529147ee520c5c8

SHA256
7b9b0eae7de619dd971129fa9f0f6c6f8f0b5c6b345c3efd9bda6f03176e9e2e

SHA512
187d9dcc3a405fc32a951054ba8540f3058422da385a35453080c392044cc0d382ebffa738be8c95cb0f3442f1df7364d452e3e4728834d59a7ca7f0716a400b

Download Submit
C:\Windows\SysWOW64\AgentComMod.dll

Filesize
37KB

MD5
01b41336a8dda7c01bef140381db4019

SHA1
0fa6127fc4dad164856f33f56529147ee520c5c8

SHA256
7b9b0eae7de619dd971129fa9f0f6c6f8f0b5c6b345c3efd9bda6f03176e9e2e

SHA512
187d9dcc3a405fc32a951054ba8540f3058422da385a35453080c392044cc0d382ebffa738be8c95cb0f3442f1df7364d452e3e4728834d59a7ca7f0716a400b

Download Submit
C:\Windows\SysWOW64\ClipLDR64.exe

Filesize
60KB

MD5
c020333b90b1ad4988c719dc57d16206

SHA1
cab91531e0177f8e503ecf4c2cb700dd9cecbd5d

SHA256
6485291fc3de7d8056469ab4b77ecaa20eb56562da838edb8e3eb69f646b35d8

SHA512
431ef3ede783893fdef00f484986393f8b8ad4f8f46ce7297c294db5ff9af7b7f23ce1c3e6e536459c15072e2f236b961adafc727dcd81294970737d1661647c

Download Submit
C:\Windows\SysWOW64\ClipLDR64.exe

Filesize
60KB

MD5
c020333b90b1ad4988c719dc57d16206

SHA1
cab91531e0177f8e503ecf4c2cb700dd9cecbd5d

SHA256
6485291fc3de7d8056469ab4b77ecaa20eb56562da838edb8e3eb69f646b35d8

SHA512
431ef3ede783893fdef00f484986393f8b8ad4f8f46ce7297c294db5ff9af7b7f23ce1c3e6e536459c15072e2f236b961adafc727dcd81294970737d1661647c

Download Submit
C:\Windows\SysWOW64\DrvOTInj64.Exe

Filesize
328KB

MD5
b9a770560e3650fb1b55cc0c2cab13af

SHA1
ba906f724a53f7d4c35e34a1c7df9ae19e2cca46

SHA256
50cc811cdff30aaab942bdd0413fea886d44e06f0ac1f1ec1064790e13b43c50

SHA512
7052e622dd84ec6f15f97dc975ad1aaf8c5f8724f7efbbd012a15b20c34cba55aa7f68edc5a4777abefab154339ded9424cf0adbd0423f9c9c1abdfd52d3d19b

Download Submit
C:\Windows\SysWOW64\DrvOTInj64.exe

Filesize
328KB

MD5
b9a770560e3650fb1b55cc0c2cab13af

SHA1
ba906f724a53f7d4c35e34a1c7df9ae19e2cca46

SHA256
50cc811cdff30aaab942bdd0413fea886d44e06f0ac1f1ec1064790e13b43c50

SHA512
7052e622dd84ec6f15f97dc975ad1aaf8c5f8724f7efbbd012a15b20c34cba55aa7f68edc5a4777abefab154339ded9424cf0adbd0423f9c9c1abdfd52d3d19b

Download Submit
C:\Windows\SysWOW64\HKOTAPI.Dll

Filesize
312KB

MD5
7f18e7ef4333b08dddc8f4f4ec1ebaef

SHA1
b24f512abb1e4742c8281d4c97d67500cd3e692f

SHA256
4d9a6025ff2d23dbdc0b66c324e32cd03a89102b8427cf565504f8ba47a291d7

SHA512
ee2bdd72afae96b9f41c52824f8cf0dafbaabb65c4fdbca9c14a8b95b361c44b2ac6d5dba18c9a426ea8bef497345d1a8dc57855b4652d7bb286c073ee6e689d

Download Submit
C:\Windows\SysWOW64\HKOTAPI.dll

Filesize
312KB

MD5
7f18e7ef4333b08dddc8f4f4ec1ebaef

SHA1
b24f512abb1e4742c8281d4c97d67500cd3e692f

SHA256
4d9a6025ff2d23dbdc0b66c324e32cd03a89102b8427cf565504f8ba47a291d7

SHA512
ee2bdd72afae96b9f41c52824f8cf0dafbaabb65c4fdbca9c14a8b95b361c44b2ac6d5dba18c9a426ea8bef497345d1a8dc57855b4652d7bb286c073ee6e689d

Download Submit
C:\Windows\SysWOW64\HKOTAPI64.dll

Filesize
464KB

MD5
4cfe35ff2854b0488f4fe5ddcba1018e

SHA1
2765a527c602e5a639cb1e08fd66e22820e2634a

SHA256
0b51ca773033e155ed95a961c9ec3647c5ac799c578ed79e6949e9514cfaef32

SHA512
dd3f033335eaf0d6cd2453793e1113a1d78ee94f1ec9b5f08535c40ded757c1f2ad6cdf42ea0108df8993fd404b595182c0a08dee16268b50fb22033a0eae296

Download Submit
C:\Windows\SysWOW64\HKOTAPI64.dll

Filesize
464KB

MD5
4cfe35ff2854b0488f4fe5ddcba1018e

SHA1
2765a527c602e5a639cb1e08fd66e22820e2634a

SHA256
0b51ca773033e155ed95a961c9ec3647c5ac799c578ed79e6949e9514cfaef32

SHA512
dd3f033335eaf0d6cd2453793e1113a1d78ee94f1ec9b5f08535c40ded757c1f2ad6cdf42ea0108df8993fd404b595182c0a08dee16268b50fb22033a0eae296

Download Submit
C:\Windows\SysWOW64\ItlsOTN.dll

Filesize
86KB

MD5
259eaa95e96f82656b4379c2228156cb

SHA1
ad3460c7ee721a769a7f91d05bc65ae0cc2b2ac5

SHA256
603e635a9e06257c75813aaa8f4dafd29bdcaa7e8018e194fe756ca58d997f76

SHA512
999b7f60868a6b8f08f2b389307e4dfe86b4855072258e3bd8d5c5ca6d52532c7bf5d6fac959c211134fe3614f7f4991101b7d7d1a09fcc0557bd2ec3ec360a6

Download Submit
C:\Windows\SysWOW64\ItlsOTN.dll

Filesize
86KB

MD5
259eaa95e96f82656b4379c2228156cb

SHA1
ad3460c7ee721a769a7f91d05bc65ae0cc2b2ac5

SHA256
603e635a9e06257c75813aaa8f4dafd29bdcaa7e8018e194fe756ca58d997f76

SHA512
999b7f60868a6b8f08f2b389307e4dfe86b4855072258e3bd8d5c5ca6d52532c7bf5d6fac959c211134fe3614f7f4991101b7d7d1a09fcc0557bd2ec3ec360a6

Download Submit
C:\Windows\SysWOW64\ItlsOTN.dll

Filesize
86KB

MD5
259eaa95e96f82656b4379c2228156cb

SHA1
ad3460c7ee721a769a7f91d05bc65ae0cc2b2ac5

SHA256
603e635a9e06257c75813aaa8f4dafd29bdcaa7e8018e194fe756ca58d997f76

SHA512
999b7f60868a6b8f08f2b389307e4dfe86b4855072258e3bd8d5c5ca6d52532c7bf5d6fac959c211134fe3614f7f4991101b7d7d1a09fcc0557bd2ec3ec360a6

Download Submit
C:\Windows\SysWOW64\MGOT64.exe

Filesize
78KB

MD5
87f2495983292f0d5303dff91c592abf

SHA1
25c1b0f4af4ae83f004e68d918b887d36f6a7a20

SHA256
f5062d5d9c84664ec0c259df18e75b13d85530b332540f55e1ba0ab849e0d12d

SHA512
87292cb8d46ef95a4e207906a1758ea5557d8ed6d395d66f78178b3d25d9b1efa0dd3e94bb21fc8e644a124d23ba44da26a6fd3d3b494814cb96a51edf3c2a7e

Download Submit
C:\Windows\SysWOW64\MgOT64.exe

Filesize
78KB

MD5
87f2495983292f0d5303dff91c592abf

SHA1
25c1b0f4af4ae83f004e68d918b887d36f6a7a20

SHA256
f5062d5d9c84664ec0c259df18e75b13d85530b332540f55e1ba0ab849e0d12d

SHA512
87292cb8d46ef95a4e207906a1758ea5557d8ed6d395d66f78178b3d25d9b1efa0dd3e94bb21fc8e644a124d23ba44da26a6fd3d3b494814cb96a51edf3c2a7e

Download Submit
C:\Windows\SysWOW64\PtrWide.dll

Filesize
23KB

MD5
58104f9d25d65c3a59214f76a9e86a60

SHA1
67972991162cc001472b2ca6d96dd40770b8443a

SHA256
19f0c9df24cdc16cb161176b10a93323d3d5180c858332e66a44163ebc42b517

SHA512
199ead98db6644f747618498a5418bd44d836210b8bd553b364a87661be6151763a34ce0187f2f9d996edda29a6ea5d4e25ed91605e943a6ddd9ba8e70029e7d

Download Submit
C:\Windows\SysWOW64\instdrvOT.Exe

Filesize
91KB

MD5
a2f32de5774bf45fa37f1f049bf262ce

SHA1
8e83357a1dfa9ea7306314bfa472074ab673f1e9

SHA256
85754c29d729c71972b65765d1a4dbef9394f92c2d0d394f35ce34c00fcea080

SHA512
573973b88ea2d53bf3a580584178edaf2381e8536e534d43241be5add5f7173ce852a280a2dfe683b9688620604052106e7039c5ad6899465beaba220922feab

Download Submit
C:\Windows\SysWOW64\instdrvOT.exe

Filesize
91KB

MD5
a2f32de5774bf45fa37f1f049bf262ce

SHA1
8e83357a1dfa9ea7306314bfa472074ab673f1e9

SHA256
85754c29d729c71972b65765d1a4dbef9394f92c2d0d394f35ce34c00fcea080

SHA512
573973b88ea2d53bf3a580584178edaf2381e8536e534d43241be5add5f7173ce852a280a2dfe683b9688620604052106e7039c5ad6899465beaba220922feab

Download Submit
C:\Windows\SysWOW64\instdrvOT.exe

Filesize
91KB

MD5
a2f32de5774bf45fa37f1f049bf262ce

SHA1
8e83357a1dfa9ea7306314bfa472074ab673f1e9

SHA256
85754c29d729c71972b65765d1a4dbef9394f92c2d0d394f35ce34c00fcea080

SHA512
573973b88ea2d53bf3a580584178edaf2381e8536e534d43241be5add5f7173ce852a280a2dfe683b9688620604052106e7039c5ad6899465beaba220922feab

Download Submit
C:\Windows\SysWOW64\itlsNUOT.dll

Filesize
7.0MB

MD5
e7faf6e859e007b9baf8e2641040ee5f

SHA1
eb088d1fbf46fb022bfc489b28ecaa87966372d7

SHA256
b42bc961e97e223e72a1cc0f629a7654afa2d5c722a4b79a5d30bc4a475d6c7d

SHA512
0bd96ba9c5084374608809a8cb33d0518d42454ea00cf3fd3a5a60b5cf3e75e277e63df319414d383496f1accf838025b27433720e17750ba4c48e0793b22086

Download Submit
C:\Windows\SysWOW64\itlsNUOT.dll

Filesize
7.0MB

MD5
e7faf6e859e007b9baf8e2641040ee5f

SHA1
eb088d1fbf46fb022bfc489b28ecaa87966372d7

SHA256
b42bc961e97e223e72a1cc0f629a7654afa2d5c722a4b79a5d30bc4a475d6c7d

SHA512
0bd96ba9c5084374608809a8cb33d0518d42454ea00cf3fd3a5a60b5cf3e75e277e63df319414d383496f1accf838025b27433720e17750ba4c48e0793b22086

Download Submit
C:\Windows\SysWOW64\itlsNUOT.dll

Filesize
7.0MB

MD5
e7faf6e859e007b9baf8e2641040ee5f

SHA1
eb088d1fbf46fb022bfc489b28ecaa87966372d7

SHA256
b42bc961e97e223e72a1cc0f629a7654afa2d5c722a4b79a5d30bc4a475d6c7d

SHA512
0bd96ba9c5084374608809a8cb33d0518d42454ea00cf3fd3a5a60b5cf3e75e277e63df319414d383496f1accf838025b27433720e17750ba4c48e0793b22086

Download Submit
C:\Windows\SysWOW64\miscfunc.dll

Filesize
29KB

MD5
2a6450207d3c9722939b7ac55a97dc85

SHA1
216ede312428b076ba795bd7e7658cbabb38cdf1

SHA256
42d0823fe84641010a9d51e4d9256d4ae6033bdcf398bb5337c3cc7fd101dfd4

SHA512
57615d67c4ebac9d819f2d0274d87fc65d2c6160795ecf3b32dbc8f35b7b8eeb8e481b9753799b17d561285635aed5f5bd10d69b0a39d46973de833f8e2424b0

Download Submit
C:\Windows\SysWOW64\miscfunc.dll

Filesize
29KB

MD5
2a6450207d3c9722939b7ac55a97dc85

SHA1
216ede312428b076ba795bd7e7658cbabb38cdf1

SHA256
42d0823fe84641010a9d51e4d9256d4ae6033bdcf398bb5337c3cc7fd101dfd4

SHA512
57615d67c4ebac9d819f2d0274d87fc65d2c6160795ecf3b32dbc8f35b7b8eeb8e481b9753799b17d561285635aed5f5bd10d69b0a39d46973de833f8e2424b0

Download Submit
C:\Windows\SysWOW64\ptrwide.dll

Filesize
23KB

MD5
58104f9d25d65c3a59214f76a9e86a60

SHA1
67972991162cc001472b2ca6d96dd40770b8443a

SHA256
19f0c9df24cdc16cb161176b10a93323d3d5180c858332e66a44163ebc42b517

SHA512
199ead98db6644f747618498a5418bd44d836210b8bd553b364a87661be6151763a34ce0187f2f9d996edda29a6ea5d4e25ed91605e943a6ddd9ba8e70029e7d

Download Submit
C:\Windows\System32\AgentComMod64.dll

Filesize
41KB

MD5
9350fd9ae2e18b7ecf072cbce52c6bdc

SHA1
7a746b5428c915500183be221b70496986e7efef

SHA256
b6b2f38583e14d9ff342d4a547ec3bdd47bc1542ad7ff5ddb90a75fbf865a894

SHA512
55d5aafb7ff39efd9d92ce997d3b3f3a87bb9e181366eb57fd413a140b970cd140547b550013b71c05159428795a0a2b9a281ef211d463b6d9bf196b0b5b8e5a

Download Submit
C:\Windows\System32\AgentComMod64.dll

Filesize
41KB

MD5
9350fd9ae2e18b7ecf072cbce52c6bdc

SHA1
7a746b5428c915500183be221b70496986e7efef

SHA256
b6b2f38583e14d9ff342d4a547ec3bdd47bc1542ad7ff5ddb90a75fbf865a894

SHA512
55d5aafb7ff39efd9d92ce997d3b3f3a87bb9e181366eb57fd413a140b970cd140547b550013b71c05159428795a0a2b9a281ef211d463b6d9bf196b0b5b8e5a

Download Submit
memory/232-199-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/232-46-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/640-368-0x00007FF8CB0D0000-0x00007FF8CB0D2000-memory.dmp

Filesize
8KB

Download
memory/640-384-0x00007FF8CD900000-0x00007FF8CD904000-memory.dmp

Filesize
16KB

Download
memory/640-456-0x00007FF8CD6B0000-0x00007FF8CD8A5000-memory.dmp

Filesize
2.0MB

Download
memory/640-404-0x00007FF8CD390000-0x00007FF8CD44E000-memory.dmp

Filesize
760KB

Download
memory/640-403-0x00007FF8CD6B0000-0x00007FF8CD8A5000-memory.dmp

Filesize
2.0MB

Download
memory/640-400-0x00007FF8CD390000-0x00007FF8CD44E000-memory.dmp

Filesize
760KB

Download
memory/640-399-0x00007FF8CD4B0000-0x00007FF8CD4B4000-memory.dmp

Filesize
16KB

Download
memory/640-394-0x00007FF8CD920000-0x00007FF8CD924000-memory.dmp

Filesize
16KB

Download
memory/640-389-0x00007FF8CD490000-0x00007FF8CD494000-memory.dmp

Filesize
16KB

Download
memory/640-363-0x000007FEFFFF0000-0x000007FEFFFF1000-memory.dmp

Filesize
4KB

Download
memory/640-381-0x00007FF8CD910000-0x00007FF8CD912000-memory.dmp

Filesize
8KB

Download
memory/640-379-0x00007FF8CD8E0000-0x00007FF8CD8E4000-memory.dmp

Filesize
16KB

Download
memory/640-376-0x00007FF8CD8F0000-0x00007FF8CD8F2000-memory.dmp

Filesize
8KB

Download
memory/640-364-0x00007FF8CD8C0000-0x00007FF8CD8C4000-memory.dmp

Filesize
16KB

Download
memory/640-374-0x00007FF8CB0C0000-0x00007FF8CB0C4000-memory.dmp

Filesize
16KB

Download
memory/640-365-0x00007FF8CD6B0000-0x00007FF8CD8A5000-memory.dmp

Filesize
2.0MB

Download
memory/1624-186-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1808-416-0x0000000071650000-0x0000000071651000-memory.dmp

Filesize
4KB

Download
memory/1808-429-0x00000000715D0000-0x00000000715D2000-memory.dmp

Filesize
8KB

Download
memory/1808-465-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/1808-369-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/1808-245-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/1808-371-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/1808-461-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/1808-460-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1808-210-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/1808-343-0x000000000A1A0000-0x000000000A1A1000-memory.dmp

Filesize
4KB

Download
memory/1808-340-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/1808-455-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/1808-452-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1808-286-0x0000000009940000-0x000000000A047000-memory.dmp

Filesize
7.0MB

Download
memory/1808-434-0x00000000715A0000-0x00000000715A2000-memory.dmp

Filesize
8KB

Download
memory/1808-437-0x00000000715B0000-0x00000000715B4000-memory.dmp

Filesize
16KB

Download
memory/1808-443-0x0000000077BE3000-0x0000000077BE4000-memory.dmp

Filesize
4KB

Download
memory/1808-439-0x0000000071570000-0x0000000071572000-memory.dmp

Filesize
8KB

Download
memory/1808-432-0x00000000715E0000-0x00000000715E4000-memory.dmp

Filesize
16KB

Download
memory/1808-242-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/1808-209-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/1808-410-0x0000000071670000-0x0000000071672000-memory.dmp

Filesize
8KB

Download
memory/1808-413-0x0000000071680000-0x0000000071684000-memory.dmp

Filesize
16KB

Download
memory/1808-414-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/1808-417-0x0000000077BE2000-0x0000000077BE3000-memory.dmp

Filesize
4KB

Download
memory/1808-418-0x0000000071630000-0x0000000071632000-memory.dmp

Filesize
8KB

Download
memory/1808-427-0x0000000071610000-0x0000000071614000-memory.dmp

Filesize
16KB

Download
memory/1808-422-0x0000000071640000-0x0000000071644000-memory.dmp

Filesize
16KB

Download
memory/1808-421-0x0000000071650000-0x0000000071651000-memory.dmp

Filesize
4KB

Download
memory/1808-424-0x0000000071600000-0x0000000071602000-memory.dmp

Filesize
8KB

Download
memory/1812-345-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/1812-1-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/1812-2-0x00000000014A0000-0x00000000014B0000-memory.dmp

Filesize
64KB

Download
memory/1812-0-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/1812-208-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/1812-233-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/2024-52-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2024-197-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4404-263-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4844-198-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/4844-200-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/4844-207-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/4844-241-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download