Malware Analysis Report

2024-09-22 16:36

Sample ID 240201-zxldhaebg7
Target КМSрiсо.exe
SHA256 838e46c53ecc12301e73abfe5d5aa2785ee2f9090a1106cedd75acc0a57dd32d
Tags
babadeda cryptbot crypter discovery evasion loader persistence spyware stealer themida trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

838e46c53ecc12301e73abfe5d5aa2785ee2f9090a1106cedd75acc0a57dd32d

Threat Level: Known bad

The file КМSрiсо.exe was found to be: Known bad. Note that the submitted name is not the ASCII string KMSpico.exe used by the installer it drops (C:\Program Files (x86)\folder1\KMSpico.exe, below): several of its letters are non-ASCII look-alike glyphs, so name-based searches for KMSpico.exe will miss this file. Pivot on the SHA256 instead.
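As an added example (not part of the sandbox report), the following check flags file names that impersonate an ASCII name with look-alike letters from another script. The submitted name is reconstructed here with Cyrillic code points; that reconstruction is an assumption about the glyphs shown above, and the confusables table covers only the common Cyrillic/Latin pairs.

```python
"""Flag file names that mix Unicode scripts to impersonate an ASCII name.

Added example; not code from the sandbox report.  SUBMITTED_NAME is an
assumption: the report's target name rebuilt as Cyrillic Ka, Em, er, es, o
around a Latin S and i.
"""
import unicodedata
from collections import Counter

SUBMITTED_NAME = "\u041a\u041cS\u0440i\u0441\u043e.exe"   # assumed reconstruction
EXPECTED_NAME = "KMSpico.exe"   # the ASCII name the dropped installer uses

# Small confusables table: Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}


def script_counts(name):
    """Count letters per Unicode script, taken from the first word of the
    character's Unicode name (e.g. 'CYRILLIC CAPITAL LETTER KA')."""
    counts = Counter()
    for ch in name:
        if ch.isalpha():
            counts[unicodedata.name(ch, "UNKNOWN").split(" ")[0]] += 1
    return dict(counts)


def skeleton(name):
    """Fold confusable Cyrillic letters onto their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def is_spoof(name, expected):
    """True when the name is not identical to `expected` but folds to it and
    mixes more than one script, i.e. a homoglyph impersonation."""
    return (name != expected
            and skeleton(name) == expected
            and len(script_counts(name)) > 1)


if __name__ == "__main__":
    print(script_counts(SUBMITTED_NAME), skeleton(SUBMITTED_NAME),
          is_spoof(SUBMITTED_NAME, EXPECTED_NAME))
```

A plain lower-case or mis-spelled name is not flagged; only names that become the expected string after folding and still carry a second script are reported.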

Malicious Activity Summary

babadeda cryptbot crypter discovery evasion loader persistence spyware stealer themida trojan upx

CryptBot

Babadeda Crypter

Babadeda

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Sets file execution options in registry

Creates new service(s)

Reads user/profile data of web browsers

Executes dropped EXE

UPX packed file

Drops startup file

Checks BIOS information in registry

Themida packer

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies Control Panel

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Modifies Internet Explorer Phishing Filter

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Creates scheduled task(s)

Checks processor information in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-01 21:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 21:05

Reported

2024-02-01 21:08

Platform

win10v2004-20231215-en

Max time kernel

81s

Max time network

83s

Command Line

"C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
The ACPI DSDT table named VBOX__ exists only on VirtualBox guests, so opening this key is a hypervisor check. Both Setup1.exe and the IntelRapid.exe it launches perform it, and the same two processes run the BIOS-string, UAC and ThreadHideFromDebugger checks listed further down.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\folder1\Setup1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe N/A

Creates new service(s)

persistence

Sets file execution options in registry

persistence

A Debugger value under Image File Execution Options makes Windows start the named "debugger" in place of the listed image, with the original command line appended (ATT&CK T1546.012). Here KMSELDI.exe and then AutoPico.exe each point SppExtComObj.exe, the Software Protection Platform's KMS client, at C:\Windows\SECOH-QAD.exe, which KMSELDI.exe drops together with SECOH-QAD.dll (see Drops file in Windows directory). The recorded sequence for each component is create key, set Debugger, delete key, so the hijack is transient and a post-infection registry dump may no longer show it; the dropped SECOH-QAD files remain.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe C:\Program Files\KMSpico\KMSELDI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe" C:\Program Files\KMSpico\KMSELDI.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe C:\Program Files\KMSpico\KMSELDI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe C:\Program Files\KMSpico\AutoPico.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe" C:\Program Files\KMSpico\AutoPico.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe C:\Program Files\KMSpico\AutoPico.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\folder1\Setup1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files (x86)\folder1\Setup1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk C:\Program Files (x86)\folder1\Setup1.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
18 matches; no description, indicator, process or target recorded (every column N/A)

UPX packed file

upx
Description Indicator Process Target
3 matches; no description, indicator, process or target recorded (every column N/A)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\folder1\Setup1.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe N/A
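The registry and file rows in the signature tables above (VirtualBox ACPI key, IFEO Debugger, BIOS strings, Startup-folder drop, EnableLUA) and the Phishing Filter row further down all share one flattened layout: description, indicator, process, target, separated only by spaces even though the paths contain spaces. The parser and rules below are an added example, not code from the report or the sandbox vendor; the sample rows are copied from this report, and the rule names and the DESCRIPTIONS vocabulary are my own.

```python
"""Parse flattened sandbox indicator rows and classify them.

Added example.  Each row has the form "<description> <indicator> <process>
<target>".  The description comes from a small fixed vocabulary and the
process is an absolute Windows path, so we anchor on the vocabulary at the
front and on the last " C:\\" at the back instead of splitting on spaces.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Description vocabulary seen in this report (assumed complete for these rows).
DESCRIPTIONS = (
    "File opened for modification",
    "File opened (read-only)",
    "Key value queried",
    "Set value (str)",
    "Set value (int)",
    "File created",
    "Key created",
    "Key deleted",
    "Key opened",
)

# Rows copied from the report (constructed sample input).
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\folder1\Setup1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe" C:\Program Files\KMSpico\KMSELDI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk C:\Program Files (x86)\folder1\Setup1.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Windows\SECOH-QAD.exe C:\Program Files\KMSpico\KMSELDI.exe N/A
""".strip().splitlines()

IFEO = re.compile(
    r'Image File Execution Options\\(?P<victim>[^\\]+)\\Debugger = "(?P<debugger>[^"]+)"')


@dataclass(frozen=True)
class Row:
    description: str
    indicator: str
    process: str
    target: str | None


def parse_row(line: str) -> Row:
    """Split one flattened row into its four columns."""
    line = line.strip()
    desc = next((d for d in DESCRIPTIONS if line.startswith(d + " ")), None)
    if desc is None:
        raise ValueError(f"unknown description: {line!r}")
    rest = line[len(desc) + 1:]
    target = None
    if rest.endswith(" N/A"):          # every row here has target N/A
        rest = rest[:-4]
    # The process path is the last " C:\" segment.  A registry *value* that
    # embeds a path (Debugger = "C:\\...") is quoted, not space-prefixed, so
    # it does not collide with this anchor.
    cut = rest.rfind(" C:\\")
    if cut < 0:
        raise ValueError(f"no process path in: {line!r}")
    return Row(desc, rest[:cut], rest[cut + 1:], target)


def classify(row: Row):
    """Return (rule, detail) for rows matching a detection rule, else None."""
    ind = row.indicator
    if row.description.startswith("Set value"):
        m = IFEO.search(ind)
        if m:   # Windows will launch the "debugger" instead of the victim image
            debugger = m["debugger"].replace("\\\\", "\\")
            return ("ifeo_debugger_hijack", f"{m['victim']} -> {debugger}")
        if ind.endswith("PhishingFilter\\EnabledV9 = \"0\""):
            return ("disable_ie_phishing_filter", ind)
    if "\\HARDWARE\\ACPI\\" in ind and "VBOX__" in ind:
        return ("anti_vm_virtualbox_acpi", ind)
    if ind.endswith("SystemBiosVersion") or ind.endswith("VideoBiosVersion"):
        return ("bios_fingerprint", ind.rsplit("\\", 1)[-1])
    if ind.endswith("Policies\\System\\EnableLUA"):
        return ("uac_status_check", "EnableLUA")
    if "\\Start Menu\\Programs\\Startup\\" in ind and row.description == "File created":
        return ("startup_folder_persistence", ind.rsplit("\\", 1)[-1])
    return None


def scan(lines):
    """Parse every row and return findings as (rule, process, detail)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        row = parse_row(line)
        hit = classify(row)
        if hit:
            findings.append((hit[0], row.process, hit[1]))
    return findings


if __name__ == "__main__":
    for rule, proc, detail in scan(SAMPLE_ROWS):
        print(f"{rule:30} {proc}\n{'':30} {detail}")
```

The last sample row (SECOH-QAD.exe being written to C:\Windows) parses cleanly but matches no rule, which is the point of keeping the parser and the rules separate: new rules can be added against the same Row objects without touching the column splitting.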

Enumerates connected drives

Description Indicator Process Target
File opened (read-only), one row per drive letter; the indicator is the NT path \??\<letter>: and the target is N/A for every row. 64 rows are listed (the report cuts the table off at 64 rows, so coverage per process is incomplete); C:, D: and F: do not appear for any process.
C:\Program Files (x86)\folder1\Setup.exe: A: B: E: G: H: I: J: K: L: N: O: P: Q: R: S: T: U: W: X: Y: Z: (21 rows)
C:\Windows\system32\msiexec.exe: A: B: E: G: H: I: J: K: L: M: N: O: Q: R: S: T: U: V: W: X: Y: (21 rows)
C:\Windows\SysWOW64\msiexec.exe: A: B: E: G: H: I: J: K: L: N: O: P: Q: R: S: T: U: V: W: X: Y: Z: (22 rows)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\Vestris.ResourceLib.dll C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Windows\system32\is-BFAHJ.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Windows\system32\is-OQ1QD.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\folder1\Setup1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
(64 rows shown; the report truncates the table at 64 rows. The is-XXXXX.tmp names and the is-E5CGL.tmp\KMSpico.tmp process are Inno Setup installer conventions: files are extracted under temporary names and renamed into place, so the final file names are not visible in this table.)
File created C:\Program Files\KMSpico\cert\kmscertW81\ProfessionalWMC\is-U1DK8.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\driver\is-2MGM6.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\scripts\is-8QB9S.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\sounds\is-JI2OG.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-UOLLK.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\ProPlus\is-NBJD0.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-R1BIA.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW81\CoreConnectedSingleLanguage\is-A8K7L.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Word\is-R167I.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2016\VisioPro\is-D9EA2.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\logs\is-52HUA.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-EMHNU.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\sounds\is-PG66A.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File opened for modification C:\Program Files\KMSpico\KMSELDI.exe C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\is-2322F.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-3A58Q.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Word\is-03ISM.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW81\EmbeddedIndustry\is-9GNNF.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\sounds\is-6FEUV.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-D5L8V.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-D6TNF.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW6\Business\is-BVUHV.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW8\is-RRS6F.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File opened for modification C:\Program Files (x86)\folder1 C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-1DNL6.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\OneNote\is-KF508.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Outlook\is-162OP.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2016\SkypeforBusiness\is-F0HTQ.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW10\Professional\is-A5NSS.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-QA828.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-S4VNV.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2016\is-30I67.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW8\Core\is-6AJSI.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\sounds\is-GNIMD.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2013\is-EPF2K.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW8\ProfessionalWMC\is-ESCF7.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2016\is-JP034.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2016\Standard\is-QR8JS.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-MO2EN.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW81\ServerDatacenter\is-H80QU.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\OneNote\is-EBC8U.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-4JB79.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2013\ProjectPro\is-A5EJ6.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Word\is-RS87K.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2013\Standard\is-BHR1K.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2016\Excel\is-V97GA.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW6\is-4KBSE.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-NU8L8.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\is-OTMME.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-EH38I.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-L3K6Q.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\ProPlus\is-EMH48.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Publisher\is-JF3TV.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2013\Lync\is-2NVI5.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\OneNote\is-4U5NO.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-UQ25L.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2013\Excel\is-6I65V.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Access\is-UEIF4.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Standard\is-RR56E.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW10\Core\is-CAD87.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-OU90O.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2016\ProjectPro\is-UFEKR.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2016\Standard\is-AN16K.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW8\CoreSingleLanguage\is-AJQF5.tmp C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e57a24b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA367.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA378.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA3A7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA696.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SECOH-QAD.dll C:\Program Files\KMSpico\KMSELDI.exe N/A
File created C:\Windows\SECOH-QAD.exe C:\Program Files\KMSpico\KMSELDI.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57a24b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA2F7.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA336.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA356.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{8DF27864-44E9-4A93-928A-75C0E8302965} C:\Windows\system32\msiexec.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\PaintDesktopVersion = "0" C:\Program Files\KMSpico\KMSELDI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\PaintDesktopVersion = "0" C:\Program Files\KMSpico\AutoPico.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
(S-1-5-20 is the NETWORK SERVICE hive, under which the Software Protection Platform service runs. The GUIDs are SPP application IDs, 0ff1ce15-… for Office and 55c92734-… for Windows, each followed by a SKU ID. SppExtComObj.exe, the binary targeted by the IFEO Debugger entry above, records 10.200.171.209 as the discovered KMS host; that is an RFC 1918 address, so confirm it belongs to the analysis network before treating it as an external indicator.)
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion C:\Windows\system32\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform C:\Windows\system32\SppExtComObj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress C:\Program Files\KMSpico\AutoPico.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64 C:\Windows\system32\SppExtComObj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress = "10.200.171.209" C:\Windows\system32\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft C:\Windows\system32\SppExtComObj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress = "10.200.171.209" C:\Windows\system32\SppExtComObj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress C:\Program Files\KMSpico\AutoPico.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03\DiscoveredKeyManagementServiceIpAddress = "10.200.171.209" C:\Windows\system32\SppExtComObj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress C:\Program Files\KMSpico\KMSELDI.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT C:\Windows\system32\SppExtComObj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress C:\Program Files\KMSpico\KMSELDI.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 C:\Windows\system32\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588 C:\Windows\system32\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE C:\Windows\system32\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f C:\Windows\system32\SppExtComObj.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe N/A
(AddClipboardFormatListener subscribes a window to WM_CLIPBOARDUPDATE, so IntelRapid.exe is notified on every clipboard change. Combined with the cryptocurrency wallet access listed in the summary, this is the access pattern of a clipboard-watching stealer.)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
C:\Program Files (x86)\folder1\Setup.exe then requested the 29 privileges below, in this order, in two complete passes plus a third pass that the table cuts off after SeMachineAccountPrivilege (the report stops at 64 rows). Asking for every privilege at once, including ones such as SeTcbPrivilege and SeCreateTokenPrivilege that an administrator token does not hold by default, is the blanket AdjustTokenPrivileges pattern: the rows record attempts, not grants, since the call reports ERROR_NOT_ALL_ASSIGNED for privileges absent from the token.
Token: SeCreateTokenPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeSystemtimePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeAuditPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeUndockPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeImpersonatePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5088 wrote to memory of 4900 N/A N/A C:\Program Files (x86)\folder1\Setup.exe
PID 5088 wrote to memory of 4900 N/A N/A C:\Program Files (x86)\folder1\Setup.exe
PID 5088 wrote to memory of 4900 N/A N/A C:\Program Files (x86)\folder1\Setup.exe
PID 5088 wrote to memory of 4256 N/A N/A C:\Program Files (x86)\folder1\KMSpico.exe
PID 5088 wrote to memory of 4256 N/A N/A C:\Program Files (x86)\folder1\KMSpico.exe
PID 5088 wrote to memory of 4256 N/A N/A C:\Program Files (x86)\folder1\KMSpico.exe
PID 5088 wrote to memory of 2304 N/A N/A C:\Program Files (x86)\folder1\Setup1.exe
PID 5088 wrote to memory of 2304 N/A N/A C:\Program Files (x86)\folder1\Setup1.exe
PID 4256 wrote to memory of 3444 N/A C:\Program Files (x86)\folder1\KMSpico.exe C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp
PID 4256 wrote to memory of 3444 N/A C:\Program Files (x86)\folder1\KMSpico.exe C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp
PID 4256 wrote to memory of 3444 N/A C:\Program Files (x86)\folder1\KMSpico.exe C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp
PID 2304 wrote to memory of 3380 N/A C:\Program Files (x86)\folder1\Setup1.exe C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
PID 2304 wrote to memory of 3380 N/A C:\Program Files (x86)\folder1\Setup1.exe C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
PID 2664 wrote to memory of 776 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2664 wrote to memory of 776 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2664 wrote to memory of 776 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4900 wrote to memory of 1736 N/A C:\Program Files (x86)\folder1\Setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 4900 wrote to memory of 1736 N/A C:\Program Files (x86)\folder1\Setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 4900 wrote to memory of 1736 N/A C:\Program Files (x86)\folder1\Setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2664 wrote to memory of 1996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2664 wrote to memory of 1996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2664 wrote to memory of 1996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2664 wrote to memory of 4784 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe
PID 2664 wrote to memory of 4784 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe
PID 2664 wrote to memory of 4784 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe
PID 3444 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp C:\Windows\system32\cmd.exe
PID 3444 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp C:\Windows\system32\cmd.exe
PID 3444 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp C:\Windows\system32\cmd.exe
PID 3444 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp C:\Windows\system32\cmd.exe
PID 3444 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp C:\Program Files\KMSpico\UninsHs.exe
PID 3444 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp C:\Program Files\KMSpico\UninsHs.exe
PID 3444 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp C:\Program Files\KMSpico\UninsHs.exe
PID 3444 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp C:\Program Files\KMSpico\KMSELDI.exe
PID 3444 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp C:\Program Files\KMSpico\KMSELDI.exe
PID 5048 wrote to memory of 4372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 5048 wrote to memory of 4372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4252 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DllHost.exe
PID 4252 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DllHost.exe
PID 2916 wrote to memory of 220 N/A C:\Windows\SECOH-QAD.exe C:\Windows\system32\SppExtComObj.exe
PID 2916 wrote to memory of 220 N/A C:\Windows\SECOH-QAD.exe C:\Windows\system32\SppExtComObj.exe
PID 2916 wrote to memory of 220 N/A C:\Windows\SECOH-QAD.exe C:\Windows\system32\SppExtComObj.exe
PID 220 wrote to memory of 3120 N/A C:\Windows\system32\SppExtComObj.exe C:\Windows\System32\SLUI.exe
PID 220 wrote to memory of 3120 N/A C:\Windows\system32\SppExtComObj.exe C:\Windows\System32\SLUI.exe
PID 3444 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp C:\Program Files\KMSpico\AutoPico.exe
PID 3444 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp C:\Program Files\KMSpico\AutoPico.exe
PID 220 wrote to memory of 3804 N/A C:\Windows\system32\SppExtComObj.exe C:\Windows\System32\SLUI.exe
PID 220 wrote to memory of 3804 N/A C:\Windows\system32\SppExtComObj.exe C:\Windows\System32\SLUI.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe

"C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe"

C:\Program Files (x86)\folder1\Setup.exe

"C:\Program Files (x86)\folder1\Setup.exe"

C:\Program Files (x86)\folder1\KMSpico.exe

"C:\Program Files (x86)\folder1\KMSpico.exe"

C:\Program Files (x86)\folder1\Setup1.exe

"C:\Program Files (x86)\folder1\Setup1.exe"

C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp

"C:\Users\Admin\AppData\Local\Temp\is-E5CGL.tmp\KMSpico.tmp" /SL5="$601F8,2952592,69120,C:\Program Files (x86)\folder1\KMSpico.exe"

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding BF468A9187BECFDA5465C0922A90D5EE C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\adv1.msi" AI_SETUPEXEPATH="C:\Program Files (x86)\folder1\Setup.exe" SETUPEXEDIR="C:\Program Files (x86)\folder1\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706580992 " AI_EUIMSI=""

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6B065ED3F9DD7AB3037C3E611ED344AC

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe

"C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe"

C:\Windows\system32\schtasks.exe

SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F

C:\Windows\system32\sc.exe

sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI"

C:\Program Files\KMSpico\KMSELDI.exe

"C:\Program Files\KMSpico\KMSELDI.exe" /silent /backup

C:\Program Files\KMSpico\UninsHs.exe

"C:\Program Files\KMSpico\UninsHs.exe" /r0=KMSpico,default,C:\Program Files (x86)\folder1\KMSpico.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Task.cmd""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Service.cmd""

C:\Windows\SECOH-QAD.exe

C:\Windows\SECOH-QAD.exe C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SLUI.exe

"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent

C:\Program Files\KMSpico\AutoPico.exe

"C:\Program Files\KMSpico\AutoPico.exe" /silent

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\SLUI.exe

"C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;Trigger=TimerEvent

C:\Program Files\KMSpico\KMSELDI.exe

"C:\Program Files\KMSpico\KMSELDI.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x450 0x314

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 2.pool.ntp.org udp
US 8.8.8.8:53 251.35.250.129.in-addr.arpa udp
US 8.8.8.8:53 3.pool.ntp.org udp
US 8.8.8.8:53 33.149.177.185.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 cempqe34.top udp
N/A 127.0.0.1:1688 tcp
N/A 127.0.0.1:1688 tcp
N/A 127.0.0.1:1688 tcp
N/A 127.0.0.1:1688 tcp
N/A 127.0.0.1:1688 tcp
N/A 127.0.0.1:1688 tcp
US 8.8.8.8:53 cempqe34.top udp

Files

MD5 f091ee9d3f5936d7e4c14a41ec46ef32
SHA1 2a31b846e43ff4f42dd80cfca1460288fd8fd40d
SHA256 524a658caac71621f156fb4c6dd1e49ec20f3a218f6576bb3f02a5550fba5a00
SHA512 e0dd4d9c8e9403aea95a38dc80f76c1c939cf4b060391fdba230f5ca8da8efd58fa6d9c9a59c9078a39816a2d403f6ac92288f6ada00f1f8a1efed611140fa47

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\ZetaLongPaths.dll

MD5 09374c4581177a8c866b866f108c8958
SHA1 05f861bd4d4c038e8181e83a46e6e93bc04ca5df
SHA256 8af34db2c25f4387b878b2311ef60e74c4f83774c779689393199ecdb039baa2
SHA512 2099c97a43c59592c3af3ccd45551a883ca9654fbb1a1b98e4241693b60ef982f688a55488f394476cedcacb850a18361002179d383ea3a93bb98b31a5c0371b

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\WindowsInput.pdb

MD5 50e869af7b21aecb7598627f9d90e3ff
SHA1 e1b081b0619d8a63070d2d0e78c0ce760c919e6e
SHA256 ab913e1b256c09628963e9bc1c20c8c20ef29b408289a4b2655293f3fd4e7127
SHA512 72ba511de08f0aa7abd3962d4e047adbe137d7048a251490b88a9ba97a6b96227b3f74a444a6c636331dadc5b32ccbf59d93b087045fdddcf80170fa52a0d7c1

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\gdf

MD5 74fbc03507baa65d4943486c352a5f61
SHA1 cfa27f879485678a9501993af21bde741bd6ecc5
SHA256 b204602067e80332422f8e4d4304120819b9eab6a6c41c507744449037eb8cbc
SHA512 d940b05c54b3929e5b10302084e49cab76b1cdc4c25bc67d284cd257ec5414f87df735d464057c9ba96acb7150dc840f3fc58a9856953952fe23b2f40d215805

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\xltoolkit.exe

MD5 2af3bd5c63e01d7ade7c8da784173468
SHA1 af882de05ffd8295949dd191b6c08735fd73c55b
SHA256 a5f3c56400032bbb48b76951059106bcd1fac4faa15830440caecf7b1a2ccc20
SHA512 8082c58613aed5d56a5dcb2f3b90dc987304f60029726ef382f4ac51eee0e8c4bea9e83c5b3c62658d51fde643cdad6a8788cd92e9965c82679c52c0e291887c

C:\Config.Msi\e57a24e.rbs

MD5 32393c6663fd4b05127b32b61919faed
SHA1 666d18e7cc7738d323eb175ebd2115e80e62b7a6
SHA256 37847e62a9ac455a98ad077dbe2017ee768b2413129f558acf7a0f00a65194db
SHA512 73784f1a0497b2dd95a5f5aeb85c1ee5cbb71d9bdebf3b688d26a0de0d30e9cd679fb25258b1691259f993f54e6d7d0e9c18a0031205d42c3036ffe052b13c21

memory/4784-487-0x0000000000400000-0x0000000000928000-memory.dmp

memory/3444-491-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/4256-490-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3380-492-0x00007FF6A6BE0000-0x00007FF6A749D000-memory.dmp

C:\Windows\System32\Vestris.ResourceLib.dll

MD5 3d733144477cadcf77009ef614413630
SHA1 0a530a2524084f1d2a85b419f033e1892174ab31
SHA256 392d73617fd0a55218261572ece2f50301e0cfa29b5ed24c3f692130aa406af3
SHA512 be6b524d67d69385a02874a2d96d4270335846bece7b528308e136428fd67af66a4216d90da4f288aeefd00a0ba5d5f3b5493824fcb352b919ab25e7ef50b81c

C:\Program Files\KMSpico\UninsHs.exe

MD5 245824502aefe21b01e42f61955aa7f4
SHA1 a58682a8aae6302f1c934709c5aa1f6c86b2be99
SHA256 0a265b4bb8acceafaffb001632fa7e4c3f8ac39a71eda37f253e15bc1b8db90d
SHA512 204b39e31f22ba99cf09c5c8458fc94ea21b47aacc4abd305f71ba20a35d36bfc0ff53b95180542911c9c6f259db897dee76090d953f7ee18a8079caefda7981

C:\Program Files\KMSpico\KMSELDI.exe

MD5 685bdb34a789f33dd4a8b44ae9447028
SHA1 1bdf1fc7ae275eb80d2313d619ef5257f8fcd080
SHA256 6e6261228d003910375563168798ddc0565772e563da5a181e856eccc6933273
SHA512 ffd805f2084ed33df8061f2abfaeb30a79e9a53e294a6c01aad5d03e3e39fbda230278ea3bfccce7262060ddc855850d4be44d16ecd28d2b16f0d07eb6c9816d

memory/3444-1271-0x0000000000640000-0x0000000000641000-memory.dmp

memory/3348-1270-0x0000000000E80000-0x0000000000F6A000-memory.dmp

memory/3348-1272-0x00007FFFAA250000-0x00007FFFAAD11000-memory.dmp

memory/3348-1274-0x0000000001790000-0x00000000017A0000-memory.dmp

memory/3348-1273-0x000000001C110000-0x000000001C650000-memory.dmp

memory/2096-1268-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2096-1267-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3348-1276-0x0000000001790000-0x00000000017A0000-memory.dmp

memory/3380-1275-0x00007FFFC9830000-0x00007FFFC9A25000-memory.dmp

C:\Program Files\KMSpico\logs\KMSELDI.log

MD5 dffa9afca6cc180b906247baa358ef1e
SHA1 a0be6aeb2376ed4453ced8bc20320fe2039dc9bd
SHA256 089589a8796d734ec0a74c72efd886f153511810b27cbaa14fa4abc76d38f9ae
SHA512 d46d39ff3ad243c26024e7f4b145d0aa425e5829a3b3858a4031c3e3a072891a0fa9ded83a53a3cc821dfc1fa629baae1d90aa47a9530b99930f10dd0e4293f7

memory/3348-1315-0x0000000001790000-0x00000000017A0000-memory.dmp

memory/3348-1295-0x0000000001790000-0x00000000017A0000-memory.dmp

C:\Program Files\KMSpico\logs\KMSELDI.log

MD5 7fa77dd49252d544dfc30bb122f166a4
SHA1 3b3c0cb974970535a042e4803653df1a729875a5
SHA256 6ecfc45d21e877e593a685c18896d6dc9d45cd0e9feac4b66c8e6cc6aea9d63c
SHA512 7858e28d2f3220c1960a89d3573b75c670f20d9682a39d8e0e0f9579059b584db49132079901c5ebc20cf603ab8aa45200472fab0b1d6ef3f7c29cbc29c716d3

memory/3444-1386-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/3348-1488-0x000000001EE80000-0x000000001EF80000-memory.dmp

memory/3348-1567-0x00007FFFAA250000-0x00007FFFAAD11000-memory.dmp

memory/3348-1569-0x000000001EE80000-0x000000001EF80000-memory.dmp

memory/2096-1563-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Program Files\KMSpico\AutoPico.exe

MD5 dc90e0f9302beec70326ca26aef6f13d
SHA1 76eb96abaacfbce36b87d82ea20a79696571b693
SHA256 79bdb1d005d0cb74f5d7cee01aa734c44581166179e243642b781a0947b4a9ed
SHA512 9326183978d4421ba27870d8c37f0a01dc920a6fd1358e8bba7a637c0ae21acbe2bed80ffcc192ccb8e9b49b23b4f495e5c957d28797f974c0a84c13b0d2398f

memory/4648-1640-0x0000000000FC0000-0x000000000107A000-memory.dmp

memory/3444-1639-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/3348-1636-0x00007FFFAA250000-0x00007FFFAAD11000-memory.dmp

memory/4648-1642-0x00007FFFAA250000-0x00007FFFAAD11000-memory.dmp

memory/4648-1643-0x000000001C130000-0x000000001C140000-memory.dmp

C:\Program Files\KMSpico\logs\AutoPico.log

MD5 5d7d6cd321e86e3af5ce092fa9ef1523
SHA1 b6fac7639f83a7fb425d13c810d74e59b869e553
SHA256 5ccc18558d93bdf4ac48da5b3f9c963c870211d855081ab150e276267001ad37
SHA512 117651763750f679c5e8eb862818a35e457531eaaf38b35136c1f3e713373b4b51f33108aa66acb8899bd34c4f5425ffb2e9e58fef9db9789bf107835242ffde

memory/4648-1706-0x00007FFFAA250000-0x00007FFFAAD11000-memory.dmp

memory/4256-1711-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3444-1710-0x0000000000400000-0x00000000004C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RLnwrSIFsMus\_Files\_Screen_Desktop.jpeg

MD5 38def73597194673f5efa2ea363b7bae
SHA1 884d9c576de426783166d68904d82efd4e09718a
SHA256 bf8eb08cf7320a50cf2afb5009fe05a2a242292cbd8deb852442f4c6a6a2ebc4
SHA512 097ba6d0d09faece90785226480719b1079787f16f024431a9ec9e67bce3e65a318d98fa0b796d2b946a0db22c64522dd1429491d8fd4d373dbf90cba952ac23

C:\Users\Admin\AppData\Local\Temp\RLnwrSIFsMus\_Files\_Information.txt

MD5 ab7ab5b5a4dbfbf1e1a7a9df965ff5eb
SHA1 1f3f24e9cf7a5e303b58867eaec8895f5e00eb48
SHA256 2d606cc3069a1d60cda02b5e1734b2888204a26dd3e1f41f38a2538595e5ab5a
SHA512 56e489664d45a4c9f8c2ad7952607612fbf28d74e0301a8d01e182bbcc8285d079caf4b66c497977ad75fa236d634ccedab19edb9a1c2db9481c6cec6454ea87

C:\Users\Admin\AppData\Local\Temp\RLnwrSIFsMus\_Files\_Information.txt

MD5 5b4b73cd6e2d2ba471a232a7ff635323
SHA1 b4ad749920f5941e942efb722bddca7f71f460d1
SHA256 daf1f1a849ea1402cd9f6d0dc18ceed84cf36a58cc9d7c798794eb8664e8f32d
SHA512 1419b1eb3da665f1fb66c429f6ab04cb83bcf1e831506717a03a0b3074718d54c062e27c27068ff4424673da2cabce19bce724df095976be495e6576d3e98703

memory/3312-1824-0x00007FFFAA250000-0x00007FFFAAD11000-memory.dmp

memory/3312-1825-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

memory/3312-1830-0x000000001FB80000-0x000000001FB90000-memory.dmp

memory/3312-1829-0x000000001FB80000-0x000000001FB90000-memory.dmp

memory/3312-1828-0x000000001FB80000-0x000000001FB90000-memory.dmp

memory/3312-1827-0x000000001FB80000-0x000000001FB90000-memory.dmp

memory/3380-1831-0x00007FF6A6BE0000-0x00007FF6A749D000-memory.dmp

memory/3312-1832-0x000000001FB80000-0x000000001FB90000-memory.dmp

memory/3312-1833-0x000000001FB80000-0x000000001FB90000-memory.dmp

memory/3312-1834-0x000000001FB80000-0x000000001FB90000-memory.dmp

memory/3312-1835-0x000000001FB80000-0x000000001FB90000-memory.dmp

memory/3312-1837-0x000000001FB80000-0x000000001FB90000-memory.dmp

memory/3312-1840-0x000000001FB80000-0x000000001FB90000-memory.dmp
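The listing above is a flat "Files" dump from the sandbox: each dropped file is a path line followed by MD5/SHA1/SHA256/SHA512 lines, and process memory regions appear as bare `memory/<pid>-<dump id>-<start>-<end>-memory.dmp` names with no hashes. Note that the same path can appear more than once with different hashes (KMSELDI.log and _Information.txt above); that means the file was rewritten during the run, so a parser must keep both records rather than deduplicate on path. The following is an added example, not the sandbox's own tooling: it parses that layout into records, decodes the memory-dump names into PID and address range, and uses the SHA256 values as a sweep list over a directory tree. The record shapes, the `SAMPLE_LISTING` (a few entries copied from the report) and the function names are assumptions made for this example.

```python
"""Parse a flat sandbox 'Files' listing and sweep a directory for its SHA256 values.

Added example; the listing format below is inferred from the report and the
record types are assumptions, not the sandbox's schema.
"""
import hashlib
import os
import re
from dataclasses import dataclass, field

# Constructed sample: three entries copied from the report, including the
# KMSELDI.log path that appears twice with different hashes (file rewritten).
SAMPLE_LISTING = r"""
C:\Program Files\KMSpico\KMSELDI.exe

MD5 685bdb34a789f33dd4a8b44ae9447028
SHA1 1bdf1fc7ae275eb80d2313d619ef5257f8fcd080
SHA256 6e6261228d003910375563168798ddc0565772e563da5a181e856eccc6933273
SHA512 ffd805f2084ed33df8061f2abfaeb30a79e9a53e294a6c01aad5d03e3e39fbda230278ea3bfccce7262060ddc855850d4be44d16ecd28d2b16f0d07eb6c9816d

memory/3348-1270-0x0000000000E80000-0x0000000000F6A000-memory.dmp

C:\Program Files\KMSpico\logs\KMSELDI.log

MD5 dffa9afca6cc180b906247baa358ef1e
SHA1 a0be6aeb2376ed4453ced8bc20320fe2039dc9bd
SHA256 089589a8796d734ec0a74c72efd886f153511810b27cbaa14fa4abc76d38f9ae
SHA512 d46d39ff3ad243c26024e7f4b145d0aa425e5829a3b3858a4031c3e3a072891a0fa9ded83a53a3cc821dfc1fa629baae1d90aa47a9530b99930f10dd0e4293f7

C:\Program Files\KMSpico\logs\KMSELDI.log

MD5 7fa77dd49252d544dfc30bb122f166a4
SHA1 3b3c0cb974970535a042e4803653df1a729875a5
SHA256 6ecfc45d21e877e593a685c18896d6dc9d45cd0e9feac4b66c8e6cc6aea9d63c
SHA512 7858e28d2f3220c1960a89d3573b75c670f20d9682a39d8e0e0f9579059b584db49132079901c5ebc20cf603ab8aa45200472fab0b1d6ef3f7c29cbc29c716d3
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<dump_id>\d+)-(?P<start>0x[0-9A-Fa-f]+)"
    r"-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest


@dataclass
class MemoryDump:
    name: str
    pid: int
    dump_id: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (file records, memory dumps). Duplicate paths are kept as separate records."""
    files, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            dumps.append(MemoryDump(line, int(m["pid"]), int(m["dump_id"]),
                                    int(m["start"], 16), int(m["end"], 16)))
            current = None  # dumps carry no hash lines
            continue
        current = FileRecord(path=line)
        files.append(current)
    return files, dumps


def build_sha256_index(files):
    """Map SHA256 -> list of report paths that carried that digest."""
    index = {}
    for rec in files:
        digest = rec.hashes.get("SHA256")
        if digest:
            index.setdefault(digest, []).append(rec.path)
    return index


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, index: dict):
    """Hash every file under root; return (local path, digest, report paths) for hits."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_of(full)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if digest in index:
                hits.append((full, digest, index[digest]))
    return hits


if __name__ == "__main__":
    recs, mem = parse_listing(SAMPLE_LISTING)
    for r in recs:
        print(r.path, r.hashes["SHA256"])
    for d in mem:
        print(f"pid {d.pid} region {d.start:#x}-{d.end:#x} ({d.size} bytes)")
    print(sweep(os.getcwd(), build_sha256_index(recs)))
```

Feed the full listing from the report into `parse_listing` and point `sweep` at a mounted image or a suspect profile directory; matches on SHA256 are exact-content hits, so a recompiled or re-packed variant will not match and the dropped paths (the `Marc Gravell\ProtoFsg Tuner ...` directory, `C:\Program Files\KMSpico`) are the better pivot for those.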