bb8c908c4276347e457f93277f23b335aad163256cbbbbd250c26056c2ee965b

Analysis

max time kernel
142s
max time network
176s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mango Clicker.exe
Size

1.3MB
MD5

eef04da2a7842b1d45938aaa9238c9f8
SHA1

1d0b01171736113a662ab84ea639581a8b2464f4
SHA256

bb8c908c4276347e457f93277f23b335aad163256cbbbbd250c26056c2ee965b
SHA512

888ea7682e5567982c5959a4768e364e441f46c49d140e9222f4bd1b6c965d85e2bd9cf42c20e8ab26fcd7918329024fcc2f7c90530e3da06340c2cdd29f7a25
SSDEEP

24576:6BbOpLrSLnm7tjpfaRds33u+QfTt37+DK8V4I1uMqaZ4XOHbW5MPJC3OVgnyX:JaLnoJpfWzrJ7M4I1uM3FK5+C3ryX

Score

8^/10

discovery upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
2680	set.exe
3020	setup_0.exe
1088	setup_2.exe
2584	setup_2.tmp
2708	_setup64.tmp
1612	DPService.exe
2236	setup_4.exe
1052	MaintenanceHelper.exe
1876	setup_5.exe

Loads dropped DLL 64 IoCs

pid	Process
2220	Mango Clicker.exe
2220	Mango Clicker.exe
2220	Mango Clicker.exe
2220	Mango Clicker.exe
2220	Mango Clicker.exe
2680	set.exe
2680	set.exe
2680	set.exe
2680	set.exe
2680	set.exe
2680	set.exe
3020	setup_0.exe
3020	setup_0.exe
3020	setup_0.exe
3020	setup_0.exe
2680	set.exe
2680	set.exe
2680	set.exe
2680	set.exe
2680	set.exe
1088	setup_2.exe
1088	setup_2.exe
1088	setup_2.exe
2584	setup_2.tmp
2584	setup_2.tmp
2584	setup_2.tmp
2584	setup_2.tmp
2680	set.exe
2680	set.exe
2680	set.exe
2680	set.exe
2680	set.exe
2236	setup_4.exe
2236	setup_4.exe
2236	setup_4.exe
1052	MaintenanceHelper.exe
1052	MaintenanceHelper.exe
2680	set.exe
2680	set.exe
2680	set.exe
1876	setup_5.exe
1876	setup_5.exe
1876	setup_5.exe
1876	setup_5.exe
1876	setup_5.exe
2964	MsiExec.exe
2964	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe
1876	setup_5.exe
756	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe
524	MsiExec.exe
756	MsiExec.exe
2680	set.exe
1240	Process not Found

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000194fd-140.dat	upx
behavioral1/memory/2680-144-0x00000000044E0000-0x0000000004A4D000-memory.dmp	upx
behavioral1/memory/3020-150-0x0000000000A10000-0x0000000000F7D000-memory.dmp	upx
behavioral1/memory/3020-157-0x0000000000A10000-0x0000000000F7D000-memory.dmp	upx

Blocklisted process makes network request 4 IoCs

flow	pid	Process
65	1060	msiexec.exe
68	756	MsiExec.exe
69	756	MsiExec.exe
70	756	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	setup_5.exe
File opened (read-only)	\??\Q:	setup_5.exe
File opened (read-only)	\??\T:	setup_5.exe
File opened (read-only)	\??\U:	setup_5.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	setup_5.exe
File opened (read-only)	\??\P:	setup_5.exe
File opened (read-only)	\??\Z:	setup_5.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	setup_5.exe
File opened (read-only)	\??\K:	setup_5.exe
File opened (read-only)	\??\Y:	setup_5.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	setup_5.exe
File opened (read-only)	\??\L:	setup_5.exe
File opened (read-only)	\??\S:	setup_5.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	setup_5.exe
File opened (read-only)	\??\J:	setup_5.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	setup_5.exe
File opened (read-only)	\??\H:	setup_5.exe
File opened (read-only)	\??\I:	setup_5.exe
File opened (read-only)	\??\N:	setup_5.exe
File opened (read-only)	\??\R:	setup_5.exe
File opened (read-only)	\??\X:	setup_5.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	setup_5.exe
File opened (read-only)	\??\W:	setup_5.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\PCMaintainer\Uninstaller.exe	setup_4.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI1BBA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2662.tmp	msiexec.exe
File created	C:\Windows\Installer\f78148a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f78148a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D50.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E4D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f78148d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E8C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2024.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E0D.tmp	msiexec.exe
File created	C:\Windows\Installer\f78148d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI245C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI29FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20B1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI247C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2209.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D90.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F29.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2249.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Installer\f78148f.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0005000000019396-28.dat	nsis_installer_1
behavioral1/files/0x0005000000019396-28.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1632	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2448	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb80000000002000000000010660000000100002000000069da9f1ca2c73193ed2b37c911e39c8583009dfc81df9699fa56d323ef1cbcec000000000e8000000002000020000000651b3c21b918379740a36993f94e045dd416521e4d9b917330eea7dcdf55fd7f900000002ebad1f4b2c03692912388cda3a11dcf9bb40fd77f85b9be3be95d5f54dc6bae9425bd8e9e7a36ba91ebf282a6dd197eb353ff9d8df8387f0095ed2c9f80eb1785b8f76801474a9f7e71593c2f186128258bae583855725da72aa8f1d9ab6c9ee21838ef94f73e8e843ba1250f082365d2e54f32c145fe9ae192cf42e90eafef91eb9e6bd7324a6cab2a1e8cf6585f77400000001ed30fa0372676f40e2c84c7a3ff7997f5d49fe23a09dcf5aa3453c66330f83d5ced9233ba0e3745aa8b39e14941db9770851067b910fda45bb6b5c284d51d12	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb8000000000200000000001066000000010000200000004c0c6a065a053f5bce95cce8b160840c5bc42d2046584d8c52ca0324aa4a74b8000000000e80000000020000200000004460fb12c63ea967f93e9e1fae25b70919cbab0e8c1f912b35195c25c2fe52622000000083f7730fd1c91570c516e6e8031f6f1e78c87627e5b86119e6ffffb0c530f9a440000000d31835fdae4ad75f33db26faf0813dc8b717b02bc17ff58052fc74a6fd11f46ee4fdda2b5a5c0e39a684cd493865348274cd1564d03ab9c741913b32b7b6a37e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{70149811-BCAD-11EE-88F9-76B33C18F4CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0278645ba50da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "B8DDBE5C483C5BC4A933A9E42F81D915"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Johan.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe

Modifies system certificate store 2 TTPs 17 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	DPService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	set.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	set.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	DPService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	set.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	set.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	DPService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	set.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	set.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	set.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	set.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	set.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	set.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	set.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	set.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	set.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	set.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2584	setup_2.tmp
2584	setup_2.tmp
2964	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe
1060	msiexec.exe
1060	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	DPService.exe
Token: SeDebugPrivilege	2236	setup_4.exe
Token: SeDebugPrivilege	1052	MaintenanceHelper.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeSecurityPrivilege	1060	msiexec.exe
Token: SeCreateTokenPrivilege	1876	setup_5.exe
Token: SeAssignPrimaryTokenPrivilege	1876	setup_5.exe
Token: SeLockMemoryPrivilege	1876	setup_5.exe
Token: SeIncreaseQuotaPrivilege	1876	setup_5.exe
Token: SeMachineAccountPrivilege	1876	setup_5.exe
Token: SeTcbPrivilege	1876	setup_5.exe
Token: SeSecurityPrivilege	1876	setup_5.exe
Token: SeTakeOwnershipPrivilege	1876	setup_5.exe
Token: SeLoadDriverPrivilege	1876	setup_5.exe
Token: SeSystemProfilePrivilege	1876	setup_5.exe
Token: SeSystemtimePrivilege	1876	setup_5.exe
Token: SeProfSingleProcessPrivilege	1876	setup_5.exe
Token: SeIncBasePriorityPrivilege	1876	setup_5.exe
Token: SeCreatePagefilePrivilege	1876	setup_5.exe
Token: SeCreatePermanentPrivilege	1876	setup_5.exe
Token: SeBackupPrivilege	1876	setup_5.exe
Token: SeRestorePrivilege	1876	setup_5.exe
Token: SeShutdownPrivilege	1876	setup_5.exe
Token: SeDebugPrivilege	1876	setup_5.exe
Token: SeAuditPrivilege	1876	setup_5.exe
Token: SeSystemEnvironmentPrivilege	1876	setup_5.exe
Token: SeChangeNotifyPrivilege	1876	setup_5.exe
Token: SeRemoteShutdownPrivilege	1876	setup_5.exe
Token: SeUndockPrivilege	1876	setup_5.exe
Token: SeSyncAgentPrivilege	1876	setup_5.exe
Token: SeEnableDelegationPrivilege	1876	setup_5.exe
Token: SeManageVolumePrivilege	1876	setup_5.exe
Token: SeImpersonatePrivilege	1876	setup_5.exe
Token: SeCreateGlobalPrivilege	1876	setup_5.exe
Token: SeCreateTokenPrivilege	1876	setup_5.exe
Token: SeAssignPrimaryTokenPrivilege	1876	setup_5.exe
Token: SeLockMemoryPrivilege	1876	setup_5.exe
Token: SeIncreaseQuotaPrivilege	1876	setup_5.exe
Token: SeMachineAccountPrivilege	1876	setup_5.exe
Token: SeTcbPrivilege	1876	setup_5.exe
Token: SeSecurityPrivilege	1876	setup_5.exe
Token: SeTakeOwnershipPrivilege	1876	setup_5.exe
Token: SeLoadDriverPrivilege	1876	setup_5.exe
Token: SeSystemProfilePrivilege	1876	setup_5.exe
Token: SeSystemtimePrivilege	1876	setup_5.exe
Token: SeProfSingleProcessPrivilege	1876	setup_5.exe
Token: SeIncBasePriorityPrivilege	1876	setup_5.exe
Token: SeCreatePagefilePrivilege	1876	setup_5.exe
Token: SeCreatePermanentPrivilege	1876	setup_5.exe
Token: SeBackupPrivilege	1876	setup_5.exe
Token: SeRestorePrivilege	1876	setup_5.exe
Token: SeShutdownPrivilege	1876	setup_5.exe
Token: SeDebugPrivilege	1876	setup_5.exe
Token: SeAuditPrivilege	1876	setup_5.exe
Token: SeSystemEnvironmentPrivilege	1876	setup_5.exe
Token: SeChangeNotifyPrivilege	1876	setup_5.exe
Token: SeRemoteShutdownPrivilege	1876	setup_5.exe
Token: SeUndockPrivilege	1876	setup_5.exe
Token: SeSyncAgentPrivilege	1876	setup_5.exe
Token: SeEnableDelegationPrivilege	1876	setup_5.exe
Token: SeManageVolumePrivilege	1876	setup_5.exe
Token: SeImpersonatePrivilege	1876	setup_5.exe
Token: SeCreateGlobalPrivilege	1876	setup_5.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2584	setup_2.tmp
1876	setup_5.exe
1912	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1912	iexplore.exe
1912	iexplore.exe
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2680	2220	Mango Clicker.exe	32
PID 2220 wrote to memory of 2680	2220	Mango Clicker.exe	32
PID 2220 wrote to memory of 2680	2220	Mango Clicker.exe	32
PID 2220 wrote to memory of 2680	2220	Mango Clicker.exe	32
PID 2220 wrote to memory of 2680	2220	Mango Clicker.exe	32
PID 2220 wrote to memory of 2680	2220	Mango Clicker.exe	32
PID 2220 wrote to memory of 2680	2220	Mango Clicker.exe	32
PID 2680 wrote to memory of 3020	2680	set.exe	34
PID 2680 wrote to memory of 3020	2680	set.exe	34
PID 2680 wrote to memory of 3020	2680	set.exe	34
PID 2680 wrote to memory of 3020	2680	set.exe	34
PID 2680 wrote to memory of 3020	2680	set.exe	34
PID 2680 wrote to memory of 3020	2680	set.exe	34
PID 2680 wrote to memory of 3020	2680	set.exe	34
PID 2680 wrote to memory of 1088	2680	set.exe	35
PID 2680 wrote to memory of 1088	2680	set.exe	35
PID 2680 wrote to memory of 1088	2680	set.exe	35
PID 2680 wrote to memory of 1088	2680	set.exe	35
PID 2680 wrote to memory of 1088	2680	set.exe	35
PID 2680 wrote to memory of 1088	2680	set.exe	35
PID 2680 wrote to memory of 1088	2680	set.exe	35
PID 1088 wrote to memory of 2584	1088	setup_2.exe	36
PID 1088 wrote to memory of 2584	1088	setup_2.exe	36
PID 1088 wrote to memory of 2584	1088	setup_2.exe	36
PID 1088 wrote to memory of 2584	1088	setup_2.exe	36
PID 1088 wrote to memory of 2584	1088	setup_2.exe	36
PID 1088 wrote to memory of 2584	1088	setup_2.exe	36
PID 1088 wrote to memory of 2584	1088	setup_2.exe	36
PID 2584 wrote to memory of 2708	2584	setup_2.tmp	37
PID 2584 wrote to memory of 2708	2584	setup_2.tmp	37
PID 2584 wrote to memory of 2708	2584	setup_2.tmp	37
PID 2584 wrote to memory of 2708	2584	setup_2.tmp	37
PID 2584 wrote to memory of 2368	2584	setup_2.tmp	39
PID 2584 wrote to memory of 2368	2584	setup_2.tmp	39
PID 2584 wrote to memory of 2368	2584	setup_2.tmp	39
PID 2584 wrote to memory of 2368	2584	setup_2.tmp	39
PID 2584 wrote to memory of 1632	2584	setup_2.tmp	41
PID 2584 wrote to memory of 1632	2584	setup_2.tmp	41
PID 2584 wrote to memory of 1632	2584	setup_2.tmp	41
PID 2584 wrote to memory of 1632	2584	setup_2.tmp	41
PID 2584 wrote to memory of 1612	2584	setup_2.tmp	43
PID 2584 wrote to memory of 1612	2584	setup_2.tmp	43
PID 2584 wrote to memory of 1612	2584	setup_2.tmp	43
PID 2584 wrote to memory of 1612	2584	setup_2.tmp	43
PID 2680 wrote to memory of 2236	2680	set.exe	45
PID 2680 wrote to memory of 2236	2680	set.exe	45
PID 2680 wrote to memory of 2236	2680	set.exe	45
PID 2680 wrote to memory of 2236	2680	set.exe	45
PID 2680 wrote to memory of 2236	2680	set.exe	45
PID 2680 wrote to memory of 2236	2680	set.exe	45
PID 2680 wrote to memory of 2236	2680	set.exe	45
PID 2236 wrote to memory of 1052	2236	setup_4.exe	46
PID 2236 wrote to memory of 1052	2236	setup_4.exe	46
PID 2236 wrote to memory of 1052	2236	setup_4.exe	46
PID 2236 wrote to memory of 1052	2236	setup_4.exe	46
PID 2236 wrote to memory of 1052	2236	setup_4.exe	46
PID 2236 wrote to memory of 1052	2236	setup_4.exe	46
PID 2236 wrote to memory of 1052	2236	setup_4.exe	46
PID 2680 wrote to memory of 1876	2680	set.exe	47
PID 2680 wrote to memory of 1876	2680	set.exe	47
PID 2680 wrote to memory of 1876	2680	set.exe	47
PID 2680 wrote to memory of 1876	2680	set.exe	47
PID 2680 wrote to memory of 1876	2680	set.exe	47
PID 2680 wrote to memory of 1876	2680	set.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Mango Clicker.exe
"C:\Users\Admin\AppData\Local\Temp\Mango Clicker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\set.exe
  "C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\set.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\nsy3083.tmp\setup_0.exe
    "C:\Users\Admin\AppData\Local\Temp\nsy3083.tmp\setup_0.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3020
- - C:\Users\Admin\AppData\Local\Temp\nsy3083.tmp\setup_2.exe
    "C:\Users\Admin\AppData\Local\Temp\nsy3083.tmp\setup_2.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=2964 /CLICKID=2477 /SOURCEID=2477
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\is-LMP3B.tmp\setup_2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-LMP3B.tmp\setup_2.tmp" /SL5="$C0170,6358074,832512,C:\Users\Admin\AppData\Local\Temp\nsy3083.tmp\setup_2.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=2964 /CLICKID=2477 /SOURCEID=2477
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Users\Admin\AppData\Local\Temp\is-N4K8T.tmp\_isetup\_setup64.tmp
        
        helper 105 0x24C
        5⤵
        Executes dropped EXE
        
        PID:2708
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /Query /TN "DPUpdateTask"
        5⤵
        
        PID:2368
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /Create /TN "DPUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Local\DP\DPUpdate.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1632
    - - C:\Users\Admin\AppData\Local\DP\DPService.exe
        
        "C:\Users\Admin\AppData\Local\DP\DPService.exe" 2964:::clickId=2477:::srcId=2477
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
- - C:\Users\Admin\AppData\Local\Temp\nsy3083.tmp\setup_4.exe
    "C:\Users\Admin\AppData\Local\Temp\nsy3083.tmp\setup_4.exe" 2477 s
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\MaintenanceHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\MaintenanceHelper.exe" 2477 ng83 18 "http://www.pcmaintainer.com?c=18&s=53542955-a2da-4034-bfb2-dfdbb660e982&subid=2477"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1052
- - C:\Users\Admin\AppData\Local\Temp\nsy3083.tmp\setup_5.exe
    "C:\Users\Admin\AppData\Local\Temp\nsy3083.tmp\setup_5.exe" /qn CAMPAIGN="2477"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1876
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" /qn CAMPAIGN=2477 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\nsy3083.tmp\setup_5.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\nsy3083.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706056817 /qn CAMPAIGN=""2477"" " CAMPAIGN="2477"
      4⤵
      PID:2748
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://cobwebdoll.site/tracker/thank_you.php?trk=2477
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1912
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2704

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8942B7DBC75F5EA486D4005415272748 C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2964
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 91B2DDDEA3F951C086C447B618A1DCBB
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:756
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:2448
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C1215F47DBBA5DB4DFC5EF1B60557ED M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f78148e.rbs

Filesize
200KB

MD5
bb4cac335a6cad52c49c8e35237504da

SHA1
5f1db4bfd705cf3ed2b6e6091eef98e12a20a1be

SHA256
a36a6ee86506d8b8b3cadec16b15b545c19c018149f1bbc0ffc0ae8562487a11

SHA512
2e15169507bb49044e3cb3f373896141d02fb9d06180e00da6dc418a109b223f74b03aa74d4d0b51f274a4b8d7c41ac610983d2c174c7b8bcd471596d99c9f4e

Download Submit
C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini

Filesize
395B

MD5
426fafdc8036ab61ddd25d3027c4f192

SHA1
370496efd4916099c4b2b9441bf89eb0eefdc6e9

SHA256
4671edbba3f050a9233f4dadd1e83e74a3e9f077de1dba6e8c2b76d0404ef37c

SHA512
3d49f912f72701ea3cf62d42a2f1d828ba0459996da08cf5fce0ffdf0edc843ff6bd3ae747969677624d69ddb2b48cd41f64eee892d58340ffc97c025385ce73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
5e597f7707b8cbeb74f1eb64a984c7c5

SHA1
58ced96a3f9f56411723c43b7e89bc21ca243e68

SHA256
abaf4766de79395885468cbe300766a89dcf37f30b8c50ac52ee1da3b432d75e

SHA512
d03a1737562f1973a971eb17362ee028290c9fb405607d08489d0b1ab3fb7eb8f1f7194346b7e3f84ffd3157509b9db0fcc62c91665948aa1decd639a97c7c77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97f73674a0d09bb8e205345260e8dee4

SHA1
22a3c0e48814ec4728306994ef182e8474fad4bd

SHA256
7ad4746a74cb26757451de39b7c882ca9b62e815a9b98fe7e6cf8dcc2a12d0b4

SHA512
2db24ae54a2b76455d8eff04002c0e1e9514ff0869bd0937b3588e39b840bde08aae120e68240c797d3fa3afaa4ed79bd58be41a3b600a270ecea063108bf99e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5175900429f7557e4f36bd09879a2732

SHA1
9547c3ad28f87fb3e393945dd924dfa44b2713f3

SHA256
f8e31185d8714885aad1002a7ced6181aba8814378759205cdf423cd7a03786f

SHA512
b9494186865249d839b2857e53a12575d5515c78b246543175dd67550775f4de7c1c74d776ee27ff934777d6220a32f0c31fe738ec904a7ad3183b44c7e3380c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6fab814c97515f1242555267545dbf24

SHA1
084132ed45392b8e6e5071dddc14c8434cd3ff64

SHA256
d86955da033d90a106631260877617c4758d5f42a4347de8da0d50ba49801266

SHA512
f013620e738cbe1298072bca3fef67fbaf801650d387d687b5688e94a4d43aff3f5ddf78fbd67034bfa931881fa996e89484ecb4e7ec7a445a1bdc71efbdf040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
37b1defeaa2db3ce9bfa8af2d96803bc

SHA1
1432a2daaa20d993dbcd4bd5fd3ba357af1ae77a

SHA256
279fe1265d5b78f759a4378b73a93d43386e3a49b4b620805ff839d79494f828

SHA512
5488961e814615c19e46aefb712c5f66a9692745c17595fddc947542042a0751f7718742c2983fb47b4274a4e8a146f8fc1faf054fc16379297077fa9cabb4ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e5a5eb57ecb8e3478201b50c654b3c6b

SHA1
1859653eb2cc39e44738bb6c0542a55e7869776a

SHA256
28b4b378cf5a35fd443c09686693fa67489b87f98d9855391e493f7f89e813be

SHA512
f4b5051c546ac12f4a9978fda5514774ceeb7ec1fec12ff90632bd28fa699056ac6251643a00026c99a7108ec0dc43a05b0c994c2d86a3dfb4e643173ff6defc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d4694661ee46aa600fb4e3cb86cfc7b

SHA1
88b69c53c3f346ccb2f64cd206014bafd2aeb76d

SHA256
a03cf61bc06a7748b9016813d938364e0c3124f34305a1368b64a8bf5233d8cf

SHA512
595decef2715d6783c0da6a5a7272f0a14f82bfbe42e6c69c00f18411750d49e4dc70d87695cf42eeaac26695f3dccadbc3d541bcd199af534920b10c7242f85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c2c8a2798dd5b12eb91a75e10f8b667

SHA1
bb2cd2c6c1b2abeec237087292546aa767d0ba94

SHA256
c49b9e18a6161bb348c0859afdad2cfa0de3fecf71e498328f6ab499e2a8170b

SHA512
b7d93c51d2f1628753bc3c3a9fb75a356c532591ca9e36c16e36e66e929ed589adee574214c9605823995f252260ae26a1cab546ee8a6a6dc93fc3e9137d4e42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21c409c11a909987c9ff3baacbcb57e9

SHA1
c351f98e3d2441cf3b3d3e44748618e08d621710

SHA256
3194dd5ab6e614882389043dc04df9bfd25e12c0aa1581c59f2f7280bacceab9

SHA512
188c1c5f8bb9632d61753f19e3f7c9b7d74d919d1c5c5fbd62c57a5b3a80a0402596b6f9878e0fb3528bb32e3d367718925a461d1669c15258d0cb1edf0cbde5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9290fcb8682c5fb9a8bc62be822496a

SHA1
e5975e97e3dfc4c95e4d76af8b63e0395a8993b5

SHA256
e0576d0bf0440009eb188e4fdf00fb5d3aa919f782ad92ffc78394494a6394af

SHA512
3e15b687c2c431e73391457f83816fb7de27dd1149b0376bcf1faae74b292783c32ff96e35d19713e617ba1bbe507a48d17eeec6f5e4f591f73abd45c1caae39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
71162e0c79e9cf08d151dd8d4d7b04ee

SHA1
e5798461cfa84d201e7b28084edb2184db907f86

SHA256
9a56186b40092249708f2fb726385cfce8a85e2b459d9435d9d1cbaca7ff0270

SHA512
1ce85d7bffa967b25fc4c69fbdbf8ac454b07f864fa82174982b756747fea8e602055d1c80199a2cdaf62d39ee86dce0f706560dfcfd2d629e76cd03b63e7173

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50b18a0a5ee708a59bbc39989f508251

SHA1
ad3ac54220b3bcc3b579121bd6203389119b6cea

SHA256
a1bd198db5270647200906bde37409bef51f2069a1b8f030b7d3af91c9718d6a

SHA512
10428695a62412e98f62bd18d25bbeaee6b9b54dff3fe8ad2d9b72e61f32670e126418228452552f8d45034d5ebfdf5cd8877b14759a3aba1c0d8c04d704627b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b260526b1c62aad4a1bb8236a2304c24

SHA1
d7428bfa85726e6b13a49439f477042b5d66e2f0

SHA256
5fe299ba6685bf3f6c9d8604a01350c5c5e805c37210c454b29a01fdad441983

SHA512
63570e936c1ce1dbdcbf285ee1e82bb1239cff057e34653a067c0df6709b4ac7c96228165184ffcdafa2edb92dc50334e07914133691373725ce827b0fd48ad8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ae51c97a4293f2b5c0061a0b64b6acc

SHA1
a81b8b6bc31cb008d9e447a6b4a6a7d648834bcd

SHA256
e38c66ac447ac511e7b0276807a6fc5a0d8f6c538be9c595647acb2d05e90e62

SHA512
66c24ef1ad555f213834671131a3e758f5b2e264d3d2247c41a9fca82df98ea4865f84864e493b80f033659f7fbb624ea28f8a04929892b79d0a77d0daf691ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e102c004e2fc26be9195353e50636c6

SHA1
7c235fd69ff95168ebb9b4d14b0cfb7635cf0462

SHA256
19a9a5edfe346b2bbcf2da6542f32d0f1628df48fffc03e723fdd0b9c5ff592a

SHA512
a12395991b5b513f927299a70c64b37f7cb05658a3e11479c00a33f577c238ce14a18ff89fdbead259e1bb5783654d7ab0af7f2f0c33a8ea716983610031265d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
632ac99c60a8c7f1e99aff9810894f83

SHA1
dfd4b751190f39ffc0d3447e36a4513211117584

SHA256
952dd3f4ef0702d96553cea26f99be19833947d80b46da2df38716e4567e8e23

SHA512
fb0a0b95af697934e864742c0b59a5f6e8f8e201fb0ea863fe64ed11412522657fd0a95c5524b03a8ac4bafb7efb52693d71833c9f4a7712153e35e5b7e1cbd6

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.0.0\tracking.ini

Filesize
84B

MD5
3ad4bdb1add17c32b164b93910570f1f

SHA1
348e6e0a248f680c8203ebb4317be2e065f5279a

SHA256
7667ae4c6b990e1dbcfd11beafafb3a16872b84d26b5f7745824cf98edb012a8

SHA512
e6fcede63bb6f90f5ad9b89781ff016304ad7a60d679e4806abb8d8ddae75283abc96c1251b93a133771af3fbd65674482f6f34a63be4c54ac82c1b33ab69047

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.0.0\tracking.ini

Filesize
84B

MD5
1a370679286f2bb888cf6326f6349ec5

SHA1
c24228462a54f9493569042436315c15024cae5c

SHA256
6dc131e96530db9e1aa504dda0ff9669f4c73886993b1e08f4bdae7171f856be

SHA512
aa1e739c775d6e51df872cc5642d70578e27e919e79f9e275aa87724e63a9b2b4e492e96070440b98ed60665d26d8e4a19edf3fc2f330d528e3189aef5b930f2

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.0.0\{95362C8E-2696-4336-B8B2-3CD8BB9EEDB5}.session

Filesize
5KB

MD5
4ccd2ff7c718001b294a15ab8af94618

SHA1
66112dbe3b28692fed17e4fffec320c44c64e0a3

SHA256
a467a0f19ca3f0b2397faf27e6241efb53f52985a78c07e4949a8f8a6d6ce04a

SHA512
511ad8b363d3a7a185ec3f5973ccc4d42688109433da337dc84a27b2ed9836880842bc285ed0958b751d1bc09e9458fefe952efa57ebecee6293e32c7cd2a28b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W79VKSP8\plopp[1].php

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3769.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar378B.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi

Filesize
3.8MB

MD5
6024d8c2207fc4610416beaf8d360527

SHA1
793ab731b07bf86ecc3ba78e1b76dc2aa0b48f8a

SHA256
cb4cad56ea5391e44dc661513c4f021c5272db710cc1733251152d1cb0eb5829

SHA512
0bb9cd1ec8873137e654a94c21887b7d4c73a9e561563d52ddec18377552d1a33d256487362bb614ebb3d804047427977b3eb0070c92fc43d0dd656af13eeab4

Download Submit
C:\Windows\Installer\MSI1D90.tmp

Filesize
524KB

MD5
6ea65025106536eb75f026e46643b099

SHA1
d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

SHA256
dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

SHA512
062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

Download Submit
\Users\Admin\AppData\Local\DP\DPService.exe

Filesize
10.5MB

MD5
ddfb477871bbff45b66e5ffa20249e5d

SHA1
139af858e105c10753d9f0b74f26290bc9931623

SHA256
32288d7c4a12d6e8e3be7e0d8e09e32507fd37175ffa871c89b202ba19b16bd0

SHA512
13a71ae24749f1b6d44b461161f77cde05b16ed77c89ea3d220af1e24afc9ff739ca1b093e951d7cc8eea72441f45a3353a9306f5ed0dab2dd69089944264641

Download Submit
\Users\Admin\AppData\Local\Temp\INAFA7.tmp

Filesize
789KB

MD5
dd1f93eb81e6c99ba9be55b0c12e8bb4

SHA1
1d767983aaa4eb5c9e19409cf529969142033850

SHA256
f55b853958f07b15f0dae7a871c1ebe2ec117ef54ba3811d31cec4c8ae471d9b

SHA512
7968839ca3e7337b2e7774d92c4a3666e9b7d8d76000475b39c2bda6db3320fc9b2100322505997798af5631a007787fbd8d0d6fe0b51949c545c67e696aaf1a

Download Submit
\Users\Admin\AppData\Local\Temp\MaintenanceHelper.exe

Filesize
28KB

MD5
2f39d3e995c35e2ea9eabbd5963fa3ff

SHA1
4ee22f02bda76e606eb63e21d82a330a25e8466b

SHA256
dd858cdba29785ce9a8c96d7e0ddb81dd85e19d1f3dffcdb321125ff3d6b2497

SHA512
a19e40e2e9e019b55f839403db03d7aa27098a44db5b5ea579bdc83c56dcf10419f94ab2c03669203bf742895c997c1e9740dd7ac2ea8049177112e2b3a2511d

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2401270044517163020.dll

Filesize
4.9MB

MD5
1c3dc5b54299e6cb815646d550d1cb98

SHA1
a9c86892581a96986c762e1353a9fe6e50f67ae5

SHA256
80f1cbff20d69b17ed63dbab1a07e92e95df9d60afaaeb6b6ff6c3389efc6192

SHA512
0ebeddd3f8f975d6136d52f4858fed777c26c7df30c511fe2c1ef253b45288e8a48be201ab5044fec7bb9b092c58225f936bc48ea5201c33333d80c8dcfb9764

Download Submit
\Users\Admin\AppData\Local\Temp\is-LMP3B.tmp\setup_2.tmp

Filesize
3.1MB

MD5
0d719712d6af3886ee54f9bb1ab4d052

SHA1
eb954d80e14b1a32f3596adf707339d5f49a2cdb

SHA256
4737957a65dce16f7a7e3fecd591eb578ff919139b70bf653611e618ff0c2964

SHA512
39d1ddc8f02f2a8a830a5587323e35fbbd70fdcd3bf7331c81d5e52c002dc5a0dbd0f7dda78338dcc11645aaa7d1562975f5000d9f504fe88696ec5a3607715a

Download Submit
\Users\Admin\AppData\Local\Temp\is-N4K8T.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA315.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA315.tmp\inetc.dll

Filesize
22KB

MD5
cab75d596adf6bac4ba6a8374dd71de9

SHA1
fb90d4f13331d0c9275fa815937a4ff22ead6fa3

SHA256
89e24e4124b607f3f98e4df508c4ddd2701d8f7fcf1dc6e2aba11d56c97c0c5a

SHA512
510786599289c8793526969cfe0a96e049436d40809c1c351642b2c67d5fb2394cb20887010727a5da35c52a20c5557ad940967053b1b59ad91ca1307208c391

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA315.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA315.tmp\set.exe

Filesize
7.0MB

MD5
eafdb1127064031e522f560dc58b7092

SHA1
91bd0ee3829b4637c660e67a7a67413f07fc3338

SHA256
84ab674c7e7298c1227f38d835c5369157ff6b9c34f1784ddb678edc1cdc2243

SHA512
6bcd6495953a062c4ac81e6ec1a67a74e7e1210a0c4183cb750bc9be5c473c7e3996f5ac9e548fa13c3c44f874941ba020a80bb0a85133e5b34f758372c9ed56

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3083.tmp\setup_0.exe

Filesize
3.2MB

MD5
a19a434f27c254cebb18208a6315032a

SHA1
015cfdc828c0f8dc40eb7cf70ab4f44845543d44

SHA256
296d2631f19c10a9dccbbb957aed958b7dbed4b4b411b73b13ab6f66d5d22f6e

SHA512
4ffdf2a78b05ee5d20e245bd8941b6e133cdc9e3fa8b0cc08e5663de7682a5fb64e2a653a9cc1bd5cac70a7c71a883f7d4d0a538cff3116890085046dbcfdc2b

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3083.tmp\setup_2.exe

Filesize
6.9MB

MD5
1bde4b674f3e45559ff359381e197f81

SHA1
9d2bc8567fc6bfbd15464daf4cba4c3addedd84d

SHA256
ced1aaaf3b853d319a353d7538c7e88c2ae91349b3f05ffad3f39c3954e6673d

SHA512
8dc369bb0d4a2f31273507bd867ca3f1e669fe12ac77c19dee62f272289c1aa71cc0b9567b56176103d0e33bb9ae1fa383d65499da73bc7c748e82944149ecdd

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3083.tmp\setup_4.exe

Filesize
67KB

MD5
5e4a373d57593278e2d4c25e56240c39

SHA1
e626bface70ec78f0d928d3ae0a403fb2b9d3456

SHA256
f72e9e6a36f55eb9dab2be7006194979fd8ecf9322d2a920f5a528e7799ccdb0

SHA512
8d0fe0ed3ee747cbf6b5768964f43eced592fd1af588ccaa9b16a2c3f6c2bb498f5692f73853fc6dcb1f1e665f71f8821de0cebb0d25bf3ccdd3f2e0f92308b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3083.tmp\setup_5.exe

Filesize
4.5MB

MD5
fa24733f5a6a6f44d0e65d7d98b84aa6

SHA1
51a62beab55096e17f2e17f042f7bd7dedabf1ae

SHA256
da1b144b5f908cb7e811489dfe660e06aa6df9c9158c6972ec9c79c48afacb7e

SHA512
1953201d8cd448aa7d23c3e57665546ace835f97c8cc8d0f323573cef03a6f317f86c7c3841268ece1760b911c67845d7e6aa198a44f720dca02a5a8bcb8e21e

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll

Filesize
206KB

MD5
8a3f1a0da39530dcb8962dd0fadb187f

SHA1
d5294f6be549ec1f779da78d903683bab2835d1a

SHA256
c6988e36b1e1d6ffc89d9fa77ad35f132f5aa89e680d0155e0b6aee1c524c99f

SHA512
1e0d5be3ee164fb16de629a975f3c3da61659b99a0fc766850ffeeddb2d32b7ee0d3b85c77f01d34d9fe2933bd7bd11c6dba7b35d30faed7ce09485fd706d49d

Download Submit
memory/1052-432-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download
memory/1088-351-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1088-311-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1088-349-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2236-422-0x0000000000E70000-0x0000000000E84000-memory.dmp

Filesize
80KB

Download
memory/2584-347-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2680-144-0x00000000044E0000-0x0000000004A4D000-memory.dmp

Filesize
5.4MB

Download
memory/2680-350-0x00000000044E0000-0x0000000004A4D000-memory.dmp

Filesize
5.4MB

Download
memory/3020-157-0x0000000000A10000-0x0000000000F7D000-memory.dmp

Filesize
5.4MB

Download
memory/3020-150-0x0000000000A10000-0x0000000000F7D000-memory.dmp

Filesize
5.4MB

Download
memory/3020-149-0x0000000001560000-0x0000000001ACD000-memory.dmp

Filesize
5.4MB

Download
memory/3020-148-0x0000000001560000-0x0000000001ACD000-memory.dmp

Filesize
5.4MB

Download