blackmoon | 8620bceae6df2d39248b05ff78a7213e27466c9204b791aee93155612ca9f311

Analysis

max time kernel
153s
max time network
157s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
03/11/2023, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TGSetup4.2x64.exe
Size

96.6MB
MD5

7cc0e4de3ade2fb36ba6ff823334a7de
SHA1

b460aa34ec4cf92ca354d8e6b5535d05f8ca96f6
SHA256

8620bceae6df2d39248b05ff78a7213e27466c9204b791aee93155612ca9f311
SHA512

7086971b3df61368ed0bda46022436a22cce4590d5e13e2662104c2f9a81bf7967271627ddfbb3a23685e06ccc81622d221fb3b78066d6951ed8dbca0ec7036e
SSDEEP

3145728:k/rum2oEAI1q41beObGzXEz9+Dr/80rC0p:er72oT+eObGAMDrkFy

Score

10^/10

blackmoon gh0strat banker evasion rat trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/4444-982-0x0000000002140000-0x000000000217C000-memory.dmp	family_blackmoon
behavioral2/memory/2128-1013-0x0000000002F00000-0x0000000002F45000-memory.dmp	family_blackmoon

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/2128-1013-0x0000000002F00000-0x0000000002F45000-memory.dmp	family_gh0strat
behavioral2/memory/2128-1019-0x0000000002FB0000-0x0000000002FC5000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	MsiExec.exe

Executes dropped EXE 5 IoCs

pid	Process
3184	5bc7f12bcd6eeb67RRE.exe
1416	5bc7f12bcd6eeb67RRE.exe
2132	5bc7f12bcd6eeb67RRE.exe
4444	Bor32-update-flase.exe
2128	Haloonoroff.exe

Loads dropped DLL 28 IoCs

pid	Process
4252	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
968	MsiExec.exe
968	MsiExec.exe
968	MsiExec.exe
968	MsiExec.exe
968	MsiExec.exe
968	MsiExec.exe
3184	5bc7f12bcd6eeb67RRE.exe
1416	5bc7f12bcd6eeb67RRE.exe
2132	5bc7f12bcd6eeb67RRE.exe
2452	MsiExec.exe
2452	MsiExec.exe
4444	Bor32-update-flase.exe
4444	Bor32-update-flase.exe
4444	Bor32-update-flase.exe
2128	Haloonoroff.exe
2128	Haloonoroff.exe
2128	Haloonoroff.exe
2128	Haloonoroff.exe
2128	Haloonoroff.exe
2128	Haloonoroff.exe
2128	Haloonoroff.exe
2128	Haloonoroff.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4444-988-0x0000000002180000-0x000000000218B000-memory.dmp	upx
behavioral2/memory/4444-1005-0x0000000002180000-0x000000000218B000-memory.dmp	upx
behavioral2/memory/2128-1017-0x0000000002840000-0x000000000284B000-memory.dmp	upx
behavioral2/memory/2128-1024-0x0000000002840000-0x000000000284B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	Haloonoroff.exe
File opened (read-only)	\??\S:	TGSetup4.2x64.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	Haloonoroff.exe
File opened (read-only)	\??\U:	Haloonoroff.exe
File opened (read-only)	\??\Y:	Haloonoroff.exe
File opened (read-only)	\??\U:	TGSetup4.2x64.exe
File opened (read-only)	\??\V:	TGSetup4.2x64.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	Haloonoroff.exe
File opened (read-only)	\??\S:	Haloonoroff.exe
File opened (read-only)	\??\T:	TGSetup4.2x64.exe
File opened (read-only)	\??\P:	TGSetup4.2x64.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	Haloonoroff.exe
File opened (read-only)	\??\H:	Haloonoroff.exe
File opened (read-only)	\??\I:	TGSetup4.2x64.exe
File opened (read-only)	\??\K:	TGSetup4.2x64.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	Haloonoroff.exe
File opened (read-only)	\??\G:	TGSetup4.2x64.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	TGSetup4.2x64.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	Haloonoroff.exe
File opened (read-only)	\??\A:	TGSetup4.2x64.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	Haloonoroff.exe
File opened (read-only)	\??\B:	TGSetup4.2x64.exe
File opened (read-only)	\??\E:	Haloonoroff.exe
File opened (read-only)	\??\M:	Haloonoroff.exe
File opened (read-only)	\??\O:	Haloonoroff.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	Haloonoroff.exe
File opened (read-only)	\??\Q:	TGSetup4.2x64.exe
File opened (read-only)	\??\T:	Haloonoroff.exe
File opened (read-only)	\??\O:	TGSetup4.2x64.exe
File opened (read-only)	\??\Z:	TGSetup4.2x64.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	Haloonoroff.exe
File opened (read-only)	\??\X:	TGSetup4.2x64.exe
File opened (read-only)	\??\J:	TGSetup4.2x64.exe
File opened (read-only)	\??\N:	TGSetup4.2x64.exe
File opened (read-only)	\??\R:	TGSetup4.2x64.exe
File opened (read-only)	\??\A:	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5869d1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6B87.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E39.tmp	msiexec.exe
File created	C:\Windows\Installer\e5869d3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA9DD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5869d1.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F9D0755C-B48E-4BB4-9558-0D80C4FC337A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6DAB.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6AAC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI74F2.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Haloonoroff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Haloonoroff.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3516	taskkill.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\SourceList\Net\1 = "C:\\FOXWEBX\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\PackageCode = "08B2F5F0C4E9E634CAEE29A2002A2E4E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C5570D9FE84B4BB45985D0084CCF33A7\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A356FA3E34DCB9A4E978B656C9984349	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\SourceList\LastUsedSource = "n;1;C:\\FOXWEBX\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C5570D9FE84B4BB45985D0084CCF33A7	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A356FA3E34DCB9A4E978B656C9984349\C5570D9FE84B4BB45985D0084CCF33A7	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\ProductName = "Telegram"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\Language = "2052"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5570D9FE84B4BB45985D0084CCF33A7\SourceList\PackageName = "TS1.msi"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4068	msiexec.exe
4068	msiexec.exe
2128	Haloonoroff.exe
2128	Haloonoroff.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4068	msiexec.exe
Token: SeCreateTokenPrivilege	1560	TGSetup4.2x64.exe
Token: SeAssignPrimaryTokenPrivilege	1560	TGSetup4.2x64.exe
Token: SeLockMemoryPrivilege	1560	TGSetup4.2x64.exe
Token: SeIncreaseQuotaPrivilege	1560	TGSetup4.2x64.exe
Token: SeMachineAccountPrivilege	1560	TGSetup4.2x64.exe
Token: SeTcbPrivilege	1560	TGSetup4.2x64.exe
Token: SeSecurityPrivilege	1560	TGSetup4.2x64.exe
Token: SeTakeOwnershipPrivilege	1560	TGSetup4.2x64.exe
Token: SeLoadDriverPrivilege	1560	TGSetup4.2x64.exe
Token: SeSystemProfilePrivilege	1560	TGSetup4.2x64.exe
Token: SeSystemtimePrivilege	1560	TGSetup4.2x64.exe
Token: SeProfSingleProcessPrivilege	1560	TGSetup4.2x64.exe
Token: SeIncBasePriorityPrivilege	1560	TGSetup4.2x64.exe
Token: SeCreatePagefilePrivilege	1560	TGSetup4.2x64.exe
Token: SeCreatePermanentPrivilege	1560	TGSetup4.2x64.exe
Token: SeBackupPrivilege	1560	TGSetup4.2x64.exe
Token: SeRestorePrivilege	1560	TGSetup4.2x64.exe
Token: SeShutdownPrivilege	1560	TGSetup4.2x64.exe
Token: SeDebugPrivilege	1560	TGSetup4.2x64.exe
Token: SeAuditPrivilege	1560	TGSetup4.2x64.exe
Token: SeSystemEnvironmentPrivilege	1560	TGSetup4.2x64.exe
Token: SeChangeNotifyPrivilege	1560	TGSetup4.2x64.exe
Token: SeRemoteShutdownPrivilege	1560	TGSetup4.2x64.exe
Token: SeUndockPrivilege	1560	TGSetup4.2x64.exe
Token: SeSyncAgentPrivilege	1560	TGSetup4.2x64.exe
Token: SeEnableDelegationPrivilege	1560	TGSetup4.2x64.exe
Token: SeManageVolumePrivilege	1560	TGSetup4.2x64.exe
Token: SeImpersonatePrivilege	1560	TGSetup4.2x64.exe
Token: SeCreateGlobalPrivilege	1560	TGSetup4.2x64.exe
Token: SeCreateTokenPrivilege	1560	TGSetup4.2x64.exe
Token: SeAssignPrimaryTokenPrivilege	1560	TGSetup4.2x64.exe
Token: SeLockMemoryPrivilege	1560	TGSetup4.2x64.exe
Token: SeIncreaseQuotaPrivilege	1560	TGSetup4.2x64.exe
Token: SeMachineAccountPrivilege	1560	TGSetup4.2x64.exe
Token: SeTcbPrivilege	1560	TGSetup4.2x64.exe
Token: SeSecurityPrivilege	1560	TGSetup4.2x64.exe
Token: SeTakeOwnershipPrivilege	1560	TGSetup4.2x64.exe
Token: SeLoadDriverPrivilege	1560	TGSetup4.2x64.exe
Token: SeSystemProfilePrivilege	1560	TGSetup4.2x64.exe
Token: SeSystemtimePrivilege	1560	TGSetup4.2x64.exe
Token: SeProfSingleProcessPrivilege	1560	TGSetup4.2x64.exe
Token: SeIncBasePriorityPrivilege	1560	TGSetup4.2x64.exe
Token: SeCreatePagefilePrivilege	1560	TGSetup4.2x64.exe
Token: SeCreatePermanentPrivilege	1560	TGSetup4.2x64.exe
Token: SeBackupPrivilege	1560	TGSetup4.2x64.exe
Token: SeRestorePrivilege	1560	TGSetup4.2x64.exe
Token: SeShutdownPrivilege	1560	TGSetup4.2x64.exe
Token: SeDebugPrivilege	1560	TGSetup4.2x64.exe
Token: SeAuditPrivilege	1560	TGSetup4.2x64.exe
Token: SeSystemEnvironmentPrivilege	1560	TGSetup4.2x64.exe
Token: SeChangeNotifyPrivilege	1560	TGSetup4.2x64.exe
Token: SeRemoteShutdownPrivilege	1560	TGSetup4.2x64.exe
Token: SeUndockPrivilege	1560	TGSetup4.2x64.exe
Token: SeSyncAgentPrivilege	1560	TGSetup4.2x64.exe
Token: SeEnableDelegationPrivilege	1560	TGSetup4.2x64.exe
Token: SeManageVolumePrivilege	1560	TGSetup4.2x64.exe
Token: SeImpersonatePrivilege	1560	TGSetup4.2x64.exe
Token: SeCreateGlobalPrivilege	1560	TGSetup4.2x64.exe
Token: SeCreateTokenPrivilege	1560	TGSetup4.2x64.exe
Token: SeAssignPrimaryTokenPrivilege	1560	TGSetup4.2x64.exe
Token: SeLockMemoryPrivilege	1560	TGSetup4.2x64.exe
Token: SeIncreaseQuotaPrivilege	1560	TGSetup4.2x64.exe
Token: SeMachineAccountPrivilege	1560	TGSetup4.2x64.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1560	TGSetup4.2x64.exe
2260	msiexec.exe
2260	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4444	Bor32-update-flase.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 4252	4068	msiexec.exe	73
PID 4068 wrote to memory of 4252	4068	msiexec.exe	73
PID 4068 wrote to memory of 4252	4068	msiexec.exe	73
PID 1560 wrote to memory of 2260	1560	TGSetup4.2x64.exe	74
PID 1560 wrote to memory of 2260	1560	TGSetup4.2x64.exe	74
PID 1560 wrote to memory of 2260	1560	TGSetup4.2x64.exe	74
PID 4068 wrote to memory of 2452	4068	msiexec.exe	75
PID 4068 wrote to memory of 2452	4068	msiexec.exe	75
PID 4068 wrote to memory of 2452	4068	msiexec.exe	75
PID 4068 wrote to memory of 1364	4068	msiexec.exe	79
PID 4068 wrote to memory of 1364	4068	msiexec.exe	79
PID 4068 wrote to memory of 968	4068	msiexec.exe	81
PID 4068 wrote to memory of 968	4068	msiexec.exe	81
PID 4068 wrote to memory of 968	4068	msiexec.exe	81
PID 968 wrote to memory of 3184	968	MsiExec.exe	83
PID 968 wrote to memory of 3184	968	MsiExec.exe	83
PID 968 wrote to memory of 1416	968	MsiExec.exe	85
PID 968 wrote to memory of 1416	968	MsiExec.exe	85
PID 968 wrote to memory of 2132	968	MsiExec.exe	88
PID 968 wrote to memory of 2132	968	MsiExec.exe	88
PID 4444 wrote to memory of 2128	4444	Bor32-update-flase.exe	90
PID 4444 wrote to memory of 2128	4444	Bor32-update-flase.exe	90
PID 4444 wrote to memory of 2128	4444	Bor32-update-flase.exe	90
PID 2128 wrote to memory of 3516	2128	Haloonoroff.exe	92
PID 2128 wrote to memory of 3516	2128	Haloonoroff.exe	92
PID 2128 wrote to memory of 3516	2128	Haloonoroff.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\TGSetup4.2x64.exe
"C:\Users\Admin\AppData\Local\Temp\TGSetup4.2x64.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i C:\FOXWEBX\TS1.msi AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\TGSetup4.2x64.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates "
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:2260

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6BC47091F2A804A0A503832B0EFD6333 C
  2⤵
  - Loads dropped DLL
  PID:4252
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 218AD782203F98BCD9111664CE236BD2 C
  2⤵
  - Loads dropped DLL
  PID:2452
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1364
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 431EE58049A0620BDA7919C59C01E3F5
  2⤵
  - UAC bypass
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Users\Default\Desktop\TSONENEW\5bc7f12bcd6eeb67RRE.exe
    C:\Users\Default\Desktop\TSONENEW\5bc7f12bcd6eeb67RRE.exe x C:\Users\Default\Desktop\TSONENEW\277cc5cb9a66.GUL -oC:\Users\Admin\AppData\ -pa572d99d85ac2c08CUD -aos
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3184
- - C:\Users\Default\Desktop\TSONENEW\5bc7f12bcd6eeb67RRE.exe
    C:\Users\Default\Desktop\TSONENEW\5bc7f12bcd6eeb67RRE.exe x C:\Users\Default\Desktop\TSONENEW\33e0c891d232.ABE -oC:\Users\Default\Desktop\TSONENEW\ -pa9b322247e1713e6SFV -aos
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1416
- - C:\Users\Default\Desktop\TSONENEW\5bc7f12bcd6eeb67RRE.exe
    C:\Users\Default\Desktop\TSONENEW\5bc7f12bcd6eeb67RRE.exe x C:\Users\Default\Desktop\TSONENEW\d21d4c555221.UQD -oC:\Users\Admin\AppData\Roaming\ -p0d36d68608d7376dXBN -aos
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3976

C:\Users\Default\Desktop\TSONENEW\yybob\Bor32-update-flase.exe
"C:\Users\Default\Desktop\TSONENEW\yybob\Bor32-update-flase.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\Haloonoroff.exe
  C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\Haloonoroff.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ipaip2.exe
    3⤵
    - Kills process with taskkill
    PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5869d2.rbs

Filesize
96KB

MD5
2193d1cf9475cb60b70e13772bd63f7d

SHA1
3b1cd4a957c0ab8f83fd01d0bef74cd84bf51b43

SHA256
bc1454577c934d8dae2c0fe22bfe56651a52022a749603684a228aa8778d7787

SHA512
08842aa572a93d5acf76a4b32eeb5e22bc3af35f85cb6c599aa7c905f352b93b38b9ec17be8781eb24f6500140b297fbad74811c203f717fbda16c0fdaef766e

Download Submit
C:\FOXWEBX\TS1.msi

Filesize
880KB

MD5
2befda13c0801e51cc68151cc70c0306

SHA1
39cac0698a765f50db7033d2e767bee414bcbf43

SHA256
a066b60cf0b32c7dfdc3e402f811c8818eefd64b306c6835c660b4fa4b3a6610

SHA512
7e129dd55e55911d36d32968e4eb6599ae5f88db32cde16cf55de3b6fcb24991abdaa25184fc78e42c63e12f871a65a5566bf34b3948d384212e04551dd922dc

Download Submit
C:\FOXWEBX\TS1.msi

Filesize
880KB

MD5
2befda13c0801e51cc68151cc70c0306

SHA1
39cac0698a765f50db7033d2e767bee414bcbf43

SHA256
a066b60cf0b32c7dfdc3e402f811c8818eefd64b306c6835c660b4fa4b3a6610

SHA512
7e129dd55e55911d36d32968e4eb6599ae5f88db32cde16cf55de3b6fcb24991abdaa25184fc78e42c63e12f871a65a5566bf34b3948d384212e04551dd922dc

Download Submit
C:\FOXWEBX\TS11.cab

Filesize
94.1MB

MD5
23a3b272c72927d02d639d50b342a18e

SHA1
9185c2252bfb760dadad41530d661360acd563cd

SHA256
f115898b25717b507271a549f31f757c85581a0b63dd7fd9d422be80f7c4c80f

SHA512
3eb57db6d3c1e1f6cfa105712aceb48531bb91fcd6f01147d31fe93085b764052642267a58fd8d469765fb3f4292bcaa5891ba6c1448c02c953412a9879272c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBC1C.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBCAA.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID5B0.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID8AD.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID998.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID998.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID9E7.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDA17.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDB22.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\Haloonoroff.exe

Filesize
665KB

MD5
ff1799df96e1250fa7c27e4e533a0885

SHA1
ac3f2e816535b463f35efae79018f65991d8834c

SHA256
7cfd01d80cac85f2853afff5af5319b8eef677dd754917a2961861e48b88f366

SHA512
1202e1d521a7e977f54df84aaffb44ec5d253161421fb329c6c6f4051a667fb4618b611bd9e025e3052fe765c4d803d30c474491c8a2d393cd233f7b8655f346

Download Submit
C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\Haloonoroff.exe

Filesize
665KB

MD5
ff1799df96e1250fa7c27e4e533a0885

SHA1
ac3f2e816535b463f35efae79018f65991d8834c

SHA256
7cfd01d80cac85f2853afff5af5319b8eef677dd754917a2961861e48b88f366

SHA512
1202e1d521a7e977f54df84aaffb44ec5d253161421fb329c6c6f4051a667fb4618b611bd9e025e3052fe765c4d803d30c474491c8a2d393cd233f7b8655f346

Download Submit
C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\TDPCONTROL.DLL

Filesize
1.0MB

MD5
4ff45827ec92e40935f9939142cd40dc

SHA1
cad74928f3387e6bf28c3625803706061e956b34

SHA256
012ed8d16e9f7586fe44c0affe5bea6ff68f27231a6526d439643869a103e434

SHA512
a3dfe7976e5ffb4ba0c68e218c0924568d343e7937abb50785107de5e0adc11ad58a86e02fabb455845fbe8e545e48b57a67eb647c664390ed521d255ff3befe

Download Submit
C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\TDPSTAT.DLL

Filesize
88KB

MD5
9e4903ef1dd0c21ce42b9a0dc4b0604e

SHA1
a4cfa6010928b1552f047a21be86e57f7ed9f8f2

SHA256
ec125a3524afa2ce48f16b31f1b7977eaa2968ad1e7796a35510a02487dc33de

SHA512
b33bdfce69769a15295cae4be8298b53afe4518f7d2ef8df9a55425f316d9d52b51515c5eed11dff9164b3b148cccd1c05ae47807784edf70919a3e23bffbffa

Download Submit
C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\UPSDK.DLL

Filesize
1.1MB

MD5
4b57f53faaacc8052d76628c061e9d58

SHA1
893fa64f39983d0ad5fa925c19e423ab1c68e555

SHA256
f9f13914c19413f6f02aaf01caff71fe8305ca2a1c2635f0215f8faca6452e5d

SHA512
a04a3cedd990c70757e5ab5aa272989c6d38d0c241588e32c45fa9429bd2d7038f20b85829d1739a75163217290524bac448d5aeb7b704f53b17a96d9590bb0a

Download Submit
C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\cefvidf.dll

Filesize
88KB

MD5
cbeafc12fb4b3f25ef849aab1850b236

SHA1
abfdcdce99e23295b67e28f1dec4a425ac609b81

SHA256
c52af187f688e5e6763c54afd60425d825f76b2557a9a67114cf175eae2e0c5b

SHA512
209989b9a6825a62d5e97f6e06936d7da406e310c452fc3059557ff894518d8a5cd2c1de6e804b3f443e66c31fb8cedd03a4277baf3cda5e8c8e7c17003f5e89

Download Submit
C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\libcurl.dll

Filesize
326KB

MD5
ec9483f4b8c3910b09caab0f6cb7cd1b

SHA1
9931aaa8e626df273ee42f98e2fc91c2078fdc07

SHA256
4d9cae6e2e52270150542084af949d7b68300e378868165ff601378a38f7048f

SHA512
84b60fe3cd0ede19933b37ae0eaeba1f87174a21bc8086857e57c8729cec88f9fef4b50a2b870f55c858dd43b070fd22ffec5cb6f4fd5b950d6451b05eb65565

Download Submit
C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\plugins\Microsoft.VC80.ATL.manifest

Filesize
376B

MD5
0bc6649277383985213ae31dbf1f031c

SHA1
7095f33dd568291d75284f1f8e48c45c14974588

SHA256
c06fa0f404df8b4bb365d864e613a151d0f86deef03e86019a068ed89fd05158

SHA512
6cb2008b46efef5af8dd2b2efcf203917a6738354a9a925b9593406192e635c84c6d0bea5d68bde324c421d2eba79b891538f6f2f2514846b9db70c312421d06

Download Submit
C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\plugins\Microsoft.VC80.CRT.manifest

Filesize
314B

MD5
710c54c37d7ec902a5d3cdd5a4cf6ab5

SHA1
9e291d80a8707c81e644354a1e378aeca295d4c7

SHA256
ef893cb48c0ebe25465fbc05c055a42554452139b4ec78e25ec43237d0b53f80

SHA512
4d2ec03ff54a3bf129fb762fc64a910d0e104cd826acd4ab84ed191e6cc6a0fec3627e494c44d91b09feba5539ad7725f18158755d6b0016a50de9d29891c7e5

Download Submit
C:\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\plugins\version

Filesize
4B

MD5
f1d3ff8443297732862df21dc4e57262

SHA1
9069ca78e7450a285173431b3e52c5c25299e473

SHA256
df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119

SHA512
ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

Download Submit
C:\Users\Default\Desktop\TSONENEW\277cc5cb9a66.GUL

Filesize
11.5MB

MD5
1988ae2c1aa1e10f709a66bdc80173af

SHA1
4642b58b61add13c1c852a262993a419036c3aa2

SHA256
072e7150754e2835888f0d443fae3b0d80ab5e0e2e0e2e012234d75f18451bab

SHA512
57cc71c6d72a56ee5a04d12201a817313d91f6594e6d97aaafcece2e48783f4255b97e820dd09d76709455b3d6b6867c812e35480d381f67652ea1ec15689192

Download Submit
C:\Users\Default\Desktop\TSONENEW\33e0c891d232.ABE

Filesize
220KB

MD5
d9da86d235e72482e384b13c27a56d79

SHA1
37a91686b06279c51d7af18d195f35a43b5bd980

SHA256
ac57e97613f4cae58efc4bbb083168ef49d4e8c665108660addc92a6d581f382

SHA512
b86280b48c59a7530d84e8a46961a06b1c5d07bacdd22667d9cd11038dfa9b9d831c786a2f89925c14b722ff7cd1d969e1a9539147354cf08ae1d0ccccfaa202

Download Submit
C:\Users\Default\Desktop\TSONENEW\5bc7f12bcd6eeb67RRE.exe

Filesize
542KB

MD5
9b6773081ba13fc6065901497f6d023e

SHA1
4ad07dcf4215b5b1ccc7a4c0be273cf066733ebd

SHA256
4d12a1ab649f423b303a6f95a04c8a36336eba4f2f2580fdb3fe6c46914a0f57

SHA512
908305f843b79814077fa4a01a4d0060d78b1f05ca9c2c29c32355d9fab267cced3924178ce8dd4af0d53f16e421e11980cf5fe03241ddcbddd1770ed74a0090

Download Submit
C:\Users\Default\Desktop\TSONENEW\5bc7f12bcd6eeb67RRE.exe

Filesize
542KB

MD5
9b6773081ba13fc6065901497f6d023e

SHA1
4ad07dcf4215b5b1ccc7a4c0be273cf066733ebd

SHA256
4d12a1ab649f423b303a6f95a04c8a36336eba4f2f2580fdb3fe6c46914a0f57

SHA512
908305f843b79814077fa4a01a4d0060d78b1f05ca9c2c29c32355d9fab267cced3924178ce8dd4af0d53f16e421e11980cf5fe03241ddcbddd1770ed74a0090

Download Submit
C:\Users\Default\Desktop\TSONENEW\5bc7f12bcd6eeb67RRE.exe

Filesize
542KB

MD5
9b6773081ba13fc6065901497f6d023e

SHA1
4ad07dcf4215b5b1ccc7a4c0be273cf066733ebd

SHA256
4d12a1ab649f423b303a6f95a04c8a36336eba4f2f2580fdb3fe6c46914a0f57

SHA512
908305f843b79814077fa4a01a4d0060d78b1f05ca9c2c29c32355d9fab267cced3924178ce8dd4af0d53f16e421e11980cf5fe03241ddcbddd1770ed74a0090

Download Submit
C:\Users\Default\Desktop\TSONENEW\5bc7f12bcd6eeb67RRE.exe

Filesize
542KB

MD5
9b6773081ba13fc6065901497f6d023e

SHA1
4ad07dcf4215b5b1ccc7a4c0be273cf066733ebd

SHA256
4d12a1ab649f423b303a6f95a04c8a36336eba4f2f2580fdb3fe6c46914a0f57

SHA512
908305f843b79814077fa4a01a4d0060d78b1f05ca9c2c29c32355d9fab267cced3924178ce8dd4af0d53f16e421e11980cf5fe03241ddcbddd1770ed74a0090

Download Submit
C:\Users\Default\Desktop\TSONENEW\7z.dll

Filesize
1.7MB

MD5
cdbcf4378a3d45d82c60a8b8a181eecc

SHA1
9b5cbf2e4f99a24da7fdfe14f7680c412b4de463

SHA256
321cb992984204da29a2a80b6dd2493c8b59a77596ed4937eeff23bc26093e11

SHA512
af265ddb2e6d6d33a71adf0663b33aee52559b0ba743cae66f0fc67fb7083f8211a0c75df877bd2672fc64337e950fb8e2c6ea03137d89681bd8ebc046d1eec0

Download Submit
C:\Users\Default\Desktop\TSONENEW\QKFJSGCGWGRQ

Filesize
1KB

MD5
416c5c43f35b0b658a0c9a1a5d5d79fa

SHA1
03d51ed0031f43acb90cf683c177cbe0abde4b08

SHA256
889bdc10076b46e75199d7d3056662e965423496296547af8f1b334f4240d13d

SHA512
e870118681bba74bc9bedcd1cbea1fc619dfa4c7d648f5239e40b8d0e2e3d2fcf77fef95eeda91fc992b7a49512441c0d8e54acfeff0056e43641952c6da32ef

Download Submit
C:\Users\Default\Desktop\TSONENEW\WHelp.dll

Filesize
92KB

MD5
c482c3c2e21553dc3b5e782b0589c116

SHA1
f7ffc83bcb1d9ecafe24f35b2e164056b3c5ccf6

SHA256
104e3b628b84bc70311cd3e830e7d578840132024ca9d49fc112bbcbcbab76b9

SHA512
7423e412214848c6a48f5ae308c338646d74bd3b37bfe739bb10df3a5f997767b73e67ad06d52de059d3961db3caa99e41778808ab9c3617926419597824182b

Download Submit
C:\Users\Default\Desktop\TSONENEW\configurator\XOrg\7.6\11-x11-vmmouse.fdi

Filesize
340B

MD5
3c967dcdf0af275f85c46e4d0938325e

SHA1
0fc338c3a611bfbfe555be0ea7ebb0514ae81b38

SHA256
3c9495289cb58165a82152a7e87ed416988569befa9d069154e860f76e6e1100

SHA512
8e7c8b9e0993bb7c622ff9268d20523a2afa5d7290ad4344efc4fc32b4c1b3c3335644fef7f3702fcbddf710e1cdf889a9d14ee02823ba39320b4e93aaac45a1

Download Submit
C:\Users\Default\Desktop\TSONENEW\configurator\XOrg\7.6\hal-probe-vmmouse

Filesize
1KB

MD5
f283245c6ca47111b56c410a8478347f

SHA1
35729a3a30589deb71079754fc1e81e31d0bca5d

SHA256
435f89a6ba707aa84d7890069ace8dcb87592f348b594bcecbf62987d06d0d6c

SHA512
a48772a1a5d4087b3c5b033ee71ccb7e18413346bd6c17d8fcb5689ae382c2b97f294283a9095a640b27919d00c7e806c4589fb11af392c346fc58e65edea3df

Download Submit
C:\Users\Default\Desktop\TSONENEW\d21d4c555221.UQD

Filesize
54.6MB

MD5
c5f77235abbf1614a81a45318ae04bd6

SHA1
4d5a5816ed3980102cc2def5d84829aaf0654c4a

SHA256
2db853f2f4cad4d588cfa09086755d43faa2d785b18cf2166620a2f264f54209

SHA512
d7ba1abf009db0639e4cbd8ed1947e54109951c898745a22a7f1f1ac35c11ae9f76f1623b6cdc089f984485ebdb5b9e8aead71d505df5a0aa0cbc3c8d803757f

Download Submit
C:\Users\Default\Desktop\TSONENEW\yybob\Anyc

Filesize
164KB

MD5
03b5725530985100c9c4b6d8fac7127d

SHA1
f8dcbe012ab33851aa0d1e9e2b0d363786ecd649

SHA256
39de4aadd1181f462caaad70bee0a2584e08b2c34d19a12f8724a0b50ee76998

SHA512
b4ef74a5cd5f627c93479aac2e8a8c2cae700594808b240579c3dbd0ad78a68aa92163870269e379945539dc067f615b7e1be5fde2098309132e6ad4a60012de

Download Submit
C:\Users\Default\Desktop\TSONENEW\yybob\Bor32-update-flase.exe

Filesize
314KB

MD5
dfee4c679663ffb566a7150bbc1768c7

SHA1
8f8144d26b141d097df742e4ef4d5c85bba685a3

SHA256
f0a82dba182ef5d8fe32bd358473cc7e9ec0d07e0f4a33f50c49d7cccbb5bc7a

SHA512
23ff4b55e4d01d7712a3313f9aecd69331cb4fb5fce8b2d8610332a1e7b3ced19bdab64ef37ab2d335179844e176e6bd5a2f5c6562c61451c02b37cb2e58da52

Download Submit
C:\Users\Default\Desktop\TSONENEW\yybob\Bor32-update-flase.exe

Filesize
314KB

MD5
dfee4c679663ffb566a7150bbc1768c7

SHA1
8f8144d26b141d097df742e4ef4d5c85bba685a3

SHA256
f0a82dba182ef5d8fe32bd358473cc7e9ec0d07e0f4a33f50c49d7cccbb5bc7a

SHA512
23ff4b55e4d01d7712a3313f9aecd69331cb4fb5fce8b2d8610332a1e7b3ced19bdab64ef37ab2d335179844e176e6bd5a2f5c6562c61451c02b37cb2e58da52

Download Submit
C:\Users\Default\Desktop\TSONENEW\yybob\Plugins\qvlnk.dll

Filesize
44KB

MD5
3098d4447c720f2b38a362e352ebf6ea

SHA1
ce516dc6130e47402da7795922246da433408d82

SHA256
3c2960185ee1f69f593f943c876ffe7cbcd378266990bff48c4687b4cf810dd6

SHA512
80148bb2322811385f902ad39e04d1dba388fd6adc7e031a2821d292ee8cf269dacb5e68ef5f83cc2211da71d0c9773e1ae6a600d7ce02d9dbad6fa950c362b9

Download Submit
C:\Users\Default\Desktop\TSONENEW\yybob\eliminate.dll

Filesize
56KB

MD5
213d0de6bba1e16a570ed58ce9b1c405

SHA1
517bed3165bcf981d2d224299a5c814b2f38eae7

SHA256
de93b9267ecb3d78b5aa6feb90c93fa9ac6f0fc2d022a8c63014f2026a516eae

SHA512
3ba4cf073ae04ea06d066c4597bf6489a940420410b41ae6921c57cdd958a532f3dc66e3a0d956052d9aee7ae287d8f9660843b5304c34a23058a317e3ea58fd

Download Submit
C:\Windows\Installer\MSI6AAC.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Windows\Installer\MSI6B87.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Windows\Installer\MSI6E39.tmp

Filesize
381KB

MD5
85cb050d57d631fbed862aef48c50d8b

SHA1
fe15e935e871c640196d20db1d4681bb60d55add

SHA256
8b190f2dd956572773f4c9927e3137227e46f5907651d00103bcea09e50c3bef

SHA512
d09e3b09d7a66833693f12dfee844ba0db85132b8da3499dc0e0c7ab9c3d8221bf8cb5a97bc0190544670bdaf4e4e3917c0cefd75cbbca8ff0e0f11e5619f38e

Download Submit
C:\Windows\Installer\MSI74F2.tmp

Filesize
381KB

MD5
85cb050d57d631fbed862aef48c50d8b

SHA1
fe15e935e871c640196d20db1d4681bb60d55add

SHA256
8b190f2dd956572773f4c9927e3137227e46f5907651d00103bcea09e50c3bef

SHA512
d09e3b09d7a66833693f12dfee844ba0db85132b8da3499dc0e0c7ab9c3d8221bf8cb5a97bc0190544670bdaf4e4e3917c0cefd75cbbca8ff0e0f11e5619f38e

Download Submit
C:\Windows\Installer\MSIA9DD.tmp

Filesize
16KB

MD5
57554e63856f91cc3b19c1781a62bd49

SHA1
4bf74f032d68eded08537f241f4ef6dec5fdbf69

SHA256
96eb9e482ae504f18ec06c2dadccb12b17237f47ccd7d43ca3b8903973cf0bdb

SHA512
7fc5b37e5c0da16494251b1e6c633d79b0f1d7c64b402d2dfa59d5325bb2eeaa11d8a35ad6d1fd60a5462268f4a53616223d1a539dff6073a4e01e96dfc3df68

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
25.0MB

MD5
9b5d7e7aafce98ec2310f5e49bb58fa4

SHA1
45053f8a72762fbaf0bc7c5cbfcfb23b7c07208e

SHA256
3c2bcd6a11dec0c97eedf2d78f4d42f15d5ea3a2f2ad7596fe48b3abbd27bf56

SHA512
52794dce91ab8bfd5568ecb265b83576f1d1214ab8a5eafa6e34483cb986149480f18325b8b77092800c2669f97701c0cb95855709aadb18569adf0d79a4083f

Download Submit
\??\Volume{ee705b7c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c81e3158-6eaf-47ff-a703-d9e269e785d2}_OnDiskSnapshotProp

Filesize
5KB

MD5
282ca171d85343e2cb9f8c34d533b91e

SHA1
368d41617d2c05f49a4a34c483b5427571eba9c5

SHA256
abfbdf21af040f42b098c06e3e8fe0aae2abf7723e736f8f6926f001a3478dd5

SHA512
e22816977a4d891be0900f211c5b2bcdae8ec14e3d142a73876bc4e12c83923f7904501808facf988bba73353aaf6100dc3ed82baee7b828222bec577c26e944

Download Submit
\Users\Admin\AppData\Local\Temp\MSIBC1C.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSIBCAA.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSID5B0.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSID8AD.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSID998.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSID9E7.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSIDA17.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\Local\Temp\MSIDB22.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\TDPCONTROL.dll

Filesize
1.0MB

MD5
4ff45827ec92e40935f9939142cd40dc

SHA1
cad74928f3387e6bf28c3625803706061e956b34

SHA256
012ed8d16e9f7586fe44c0affe5bea6ff68f27231a6526d439643869a103e434

SHA512
a3dfe7976e5ffb4ba0c68e218c0924568d343e7937abb50785107de5e0adc11ad58a86e02fabb455845fbe8e545e48b57a67eb647c664390ed521d255ff3befe

Download Submit
\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\TDPCONTROL.dll

Filesize
1.0MB

MD5
4ff45827ec92e40935f9939142cd40dc

SHA1
cad74928f3387e6bf28c3625803706061e956b34

SHA256
012ed8d16e9f7586fe44c0affe5bea6ff68f27231a6526d439643869a103e434

SHA512
a3dfe7976e5ffb4ba0c68e218c0924568d343e7937abb50785107de5e0adc11ad58a86e02fabb455845fbe8e545e48b57a67eb647c664390ed521d255ff3befe

Download Submit
\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\TDPSTAT.dll

Filesize
88KB

MD5
9e4903ef1dd0c21ce42b9a0dc4b0604e

SHA1
a4cfa6010928b1552f047a21be86e57f7ed9f8f2

SHA256
ec125a3524afa2ce48f16b31f1b7977eaa2968ad1e7796a35510a02487dc33de

SHA512
b33bdfce69769a15295cae4be8298b53afe4518f7d2ef8df9a55425f316d9d52b51515c5eed11dff9164b3b148cccd1c05ae47807784edf70919a3e23bffbffa

Download Submit
\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\UPSDK.dll

Filesize
1.1MB

MD5
4b57f53faaacc8052d76628c061e9d58

SHA1
893fa64f39983d0ad5fa925c19e423ab1c68e555

SHA256
f9f13914c19413f6f02aaf01caff71fe8305ca2a1c2635f0215f8faca6452e5d

SHA512
a04a3cedd990c70757e5ab5aa272989c6d38d0c241588e32c45fa9429bd2d7038f20b85829d1739a75163217290524bac448d5aeb7b704f53b17a96d9590bb0a

Download Submit
\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\UPSDK.dll

Filesize
1.1MB

MD5
4b57f53faaacc8052d76628c061e9d58

SHA1
893fa64f39983d0ad5fa925c19e423ab1c68e555

SHA256
f9f13914c19413f6f02aaf01caff71fe8305ca2a1c2635f0215f8faca6452e5d

SHA512
a04a3cedd990c70757e5ab5aa272989c6d38d0c241588e32c45fa9429bd2d7038f20b85829d1739a75163217290524bac448d5aeb7b704f53b17a96d9590bb0a

Download Submit
\Users\Admin\AppData\WPerceptionsimulation\AMPPL\ALGinfo\ARMonitorControl\libcurl.dll

Filesize
326KB

MD5
ec9483f4b8c3910b09caab0f6cb7cd1b

SHA1
9931aaa8e626df273ee42f98e2fc91c2078fdc07

SHA256
4d9cae6e2e52270150542084af949d7b68300e378868165ff601378a38f7048f

SHA512
84b60fe3cd0ede19933b37ae0eaeba1f87174a21bc8086857e57c8729cec88f9fef4b50a2b870f55c858dd43b070fd22ffec5cb6f4fd5b950d6451b05eb65565

Download Submit
\Users\Default\Desktop\TSONENEW\7z.dll

Filesize
1.7MB

MD5
cdbcf4378a3d45d82c60a8b8a181eecc

SHA1
9b5cbf2e4f99a24da7fdfe14f7680c412b4de463

SHA256
321cb992984204da29a2a80b6dd2493c8b59a77596ed4937eeff23bc26093e11

SHA512
af265ddb2e6d6d33a71adf0663b33aee52559b0ba743cae66f0fc67fb7083f8211a0c75df877bd2672fc64337e950fb8e2c6ea03137d89681bd8ebc046d1eec0

Download Submit
\Users\Default\Desktop\TSONENEW\7z.dll

Filesize
1.7MB

MD5
cdbcf4378a3d45d82c60a8b8a181eecc

SHA1
9b5cbf2e4f99a24da7fdfe14f7680c412b4de463

SHA256
321cb992984204da29a2a80b6dd2493c8b59a77596ed4937eeff23bc26093e11

SHA512
af265ddb2e6d6d33a71adf0663b33aee52559b0ba743cae66f0fc67fb7083f8211a0c75df877bd2672fc64337e950fb8e2c6ea03137d89681bd8ebc046d1eec0

Download Submit
\Users\Default\Desktop\TSONENEW\7z.dll

Filesize
1.7MB

MD5
cdbcf4378a3d45d82c60a8b8a181eecc

SHA1
9b5cbf2e4f99a24da7fdfe14f7680c412b4de463

SHA256
321cb992984204da29a2a80b6dd2493c8b59a77596ed4937eeff23bc26093e11

SHA512
af265ddb2e6d6d33a71adf0663b33aee52559b0ba743cae66f0fc67fb7083f8211a0c75df877bd2672fc64337e950fb8e2c6ea03137d89681bd8ebc046d1eec0

Download Submit
\Users\Default\Desktop\TSONENEW\WHelp.dll

Filesize
92KB

MD5
c482c3c2e21553dc3b5e782b0589c116

SHA1
f7ffc83bcb1d9ecafe24f35b2e164056b3c5ccf6

SHA256
104e3b628b84bc70311cd3e830e7d578840132024ca9d49fc112bbcbcbab76b9

SHA512
7423e412214848c6a48f5ae308c338646d74bd3b37bfe739bb10df3a5f997767b73e67ad06d52de059d3961db3caa99e41778808ab9c3617926419597824182b

Download Submit
\Users\Default\Desktop\TSONENEW\yybob\eliminate.dll

Filesize
56KB

MD5
213d0de6bba1e16a570ed58ce9b1c405

SHA1
517bed3165bcf981d2d224299a5c814b2f38eae7

SHA256
de93b9267ecb3d78b5aa6feb90c93fa9ac6f0fc2d022a8c63014f2026a516eae

SHA512
3ba4cf073ae04ea06d066c4597bf6489a940420410b41ae6921c57cdd958a532f3dc66e3a0d956052d9aee7ae287d8f9660843b5304c34a23058a317e3ea58fd

Download Submit
\Users\Default\Desktop\TSONENEW\yybob\eliminate.dll

Filesize
56KB

MD5
213d0de6bba1e16a570ed58ce9b1c405

SHA1
517bed3165bcf981d2d224299a5c814b2f38eae7

SHA256
de93b9267ecb3d78b5aa6feb90c93fa9ac6f0fc2d022a8c63014f2026a516eae

SHA512
3ba4cf073ae04ea06d066c4597bf6489a940420410b41ae6921c57cdd958a532f3dc66e3a0d956052d9aee7ae287d8f9660843b5304c34a23058a317e3ea58fd

Download Submit
\Users\Default\Desktop\TSONENEW\yybob\plugins\qvlnk.dll

Filesize
44KB

MD5
3098d4447c720f2b38a362e352ebf6ea

SHA1
ce516dc6130e47402da7795922246da433408d82

SHA256
3c2960185ee1f69f593f943c876ffe7cbcd378266990bff48c4687b4cf810dd6

SHA512
80148bb2322811385f902ad39e04d1dba388fd6adc7e031a2821d292ee8cf269dacb5e68ef5f83cc2211da71d0c9773e1ae6a600d7ce02d9dbad6fa950c362b9

Download Submit
\Windows\Installer\MSI6AAC.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Windows\Installer\MSI6B87.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
\Windows\Installer\MSI6E39.tmp

Filesize
381KB

MD5
85cb050d57d631fbed862aef48c50d8b

SHA1
fe15e935e871c640196d20db1d4681bb60d55add

SHA256
8b190f2dd956572773f4c9927e3137227e46f5907651d00103bcea09e50c3bef

SHA512
d09e3b09d7a66833693f12dfee844ba0db85132b8da3499dc0e0c7ab9c3d8221bf8cb5a97bc0190544670bdaf4e4e3917c0cefd75cbbca8ff0e0f11e5619f38e

Download Submit
\Windows\Installer\MSI74F2.tmp

Filesize
381KB

MD5
85cb050d57d631fbed862aef48c50d8b

SHA1
fe15e935e871c640196d20db1d4681bb60d55add

SHA256
8b190f2dd956572773f4c9927e3137227e46f5907651d00103bcea09e50c3bef

SHA512
d09e3b09d7a66833693f12dfee844ba0db85132b8da3499dc0e0c7ab9c3d8221bf8cb5a97bc0190544670bdaf4e4e3917c0cefd75cbbca8ff0e0f11e5619f38e

Download Submit
\Windows\Installer\MSIA9DD.tmp

Filesize
16KB

MD5
57554e63856f91cc3b19c1781a62bd49

SHA1
4bf74f032d68eded08537f241f4ef6dec5fdbf69

SHA256
96eb9e482ae504f18ec06c2dadccb12b17237f47ccd7d43ca3b8903973cf0bdb

SHA512
7fc5b37e5c0da16494251b1e6c633d79b0f1d7c64b402d2dfa59d5325bb2eeaa11d8a35ad6d1fd60a5462268f4a53616223d1a539dff6073a4e01e96dfc3df68

Download Submit
memory/2128-1017-0x0000000002840000-0x000000000284B000-memory.dmp

Filesize
44KB

Download
memory/2128-1025-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2128-1002-0x0000000000AA0000-0x0000000000BAA000-memory.dmp

Filesize
1.0MB

Download
memory/2128-1013-0x0000000002F00000-0x0000000002F45000-memory.dmp

Filesize
276KB

Download
memory/2128-1018-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/2128-1011-0x00000000024D0000-0x00000000024F3000-memory.dmp

Filesize
140KB

Download
memory/2128-1028-0x0000000000BB0000-0x0000000000CD2000-memory.dmp

Filesize
1.1MB

Download
memory/2128-1004-0x0000000000BB0000-0x0000000000CD2000-memory.dmp

Filesize
1.1MB

Download
memory/2128-1027-0x0000000000AA0000-0x0000000000BAA000-memory.dmp

Filesize
1.0MB

Download
memory/2128-1026-0x000000006B240000-0x000000006B29A000-memory.dmp

Filesize
360KB

Download
memory/2128-1008-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2128-1019-0x0000000002FB0000-0x0000000002FC5000-memory.dmp

Filesize
84KB

Download
memory/2128-1024-0x0000000002840000-0x000000000284B000-memory.dmp

Filesize
44KB

Download
memory/4444-980-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/4444-982-0x0000000002140000-0x000000000217C000-memory.dmp

Filesize
240KB

Download
memory/4444-988-0x0000000002180000-0x000000000218B000-memory.dmp

Filesize
44KB

Download
memory/4444-1005-0x0000000002180000-0x000000000218B000-memory.dmp

Filesize
44KB

Download