Analysis
- max time kernel: 145s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02/03/2024, 23:19
Static task: static1

Behavioral tasks
- behavioral1: Sample Vega X Executor.exe, Resource win7-20240221-en
- behavioral2: Sample Vega X Executor.exe, Resource win10v2004-20240226-en
- behavioral3: Sample $PLUGINSDIR/INetC.dll, Resource win7-20240221-en
- behavioral4: Sample $PLUGINSDIR/INetC.dll, Resource win10v2004-20240226-en
- behavioral5: Sample $PLUGINSDIR/System.dll, Resource win7-20240221-en
- behavioral6: Sample $PLUGINSDIR/System.dll, Resource win10v2004-20240226-en
- behavioral7: Sample $PLUGINSDIR/nsDialogs.dll, Resource win7-20240221-en
- behavioral8: Sample $PLUGINSDIR/nsDialogs.dll, Resource win10v2004-20240226-en
- behavioral9: Sample $PLUGINSDIR/winrar-x64-623.exe, Resource win7-20240221-en
- behavioral10: Sample $PLUGINSDIR/winrar-x64-623.exe, Resource win10v2004-20240226-en
General
- Target: Vega X Executor.exe
- Size: 3.6MB
- MD5: a686d0021f0ba9da27dbe213b65ae4ab
- SHA1: 8ddab9c0f8e9f26e8acf35010d2db8cfd6d481b9
- SHA256: 3046b3cee8825417932df44387b9370dbc658fbe217f650c65689a062168e71b
- SHA512: bd8c268c87625df7a2514449aea804990e030e576e3edc5e8ab25d89da08421bb20aeda4e42e93b7af4c356d693932989ba983a9376ec7fe38e200cac214909e
- SSDEEP: 98304:DjT3zBOBfKMpHGqcfsLyQecNEqCNCjRqGy5XYBHOhN2qlxl:Dn3z/MpmJ0LdDLCAyiHOvR
Malware Config
Signatures
Downloads MZ/PE file

Executes dropped EXE (9 IoCs)
pid   Process
1048  rem.exe
1296  set_0.exe
2552  set_2.exe
2964  set_2.tmp
1688  _setup64.tmp
1564  DPService.exe
2020  set_4.exe
1416  MaintenanceHelper.exe
2944  set_5.exe
Loads dropped DLL 52 IoCs
resource  yara_rule
behavioral1/files/0x0007000000015f9e-141.dat  upx
behavioral1/memory/1048-145-0x0000000004930000-0x0000000004EF1000-memory.dmp  upx
behavioral1/memory/1296-146-0x0000000000350000-0x0000000000911000-memory.dmp  upx
behavioral1/memory/1296-154-0x0000000000350000-0x0000000000911000-memory.dmp  upx
behavioral1/memory/1296-165-0x0000000000350000-0x0000000000911000-memory.dmp  upx
Blocklisted process makes network request (4 IoCs)
flow  pid   Process
65    1736  msiexec.exe
68    1936  MsiExec.exe
69    1936  MsiExec.exe
70    1936  MsiExec.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (6 IoCs)
description                   ioc                                                                         Process
File opened for modification  C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url                  msiexec.exe
File opened for modification  C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url               msiexec.exe
File created                  C:\Program Files (x86)\PCMaintainer\Uninstaller.exe                         set_4.exe
File created                  C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe       msiexec.exe
File created                  C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk             msiexec.exe
File opened for modification  C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini       msiexec.exe
Drops file in Windows directory (25 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
284  schtasks.exe
Kills process with taskkill (1 IoCs)
pid   Process
2332  taskkill.exe
Modifies data under HKEY_USERS (3 IoCs)
description  ioc                                                                                  Process
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E          msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D                   msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E                   msiexec.exe
Modifies registry class (24 IoCs)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid   Process
2964  set_2.tmp
2964  set_2.tmp
1676  MsiExec.exe
1936  MsiExec.exe
1936  MsiExec.exe
1736  msiexec.exe
1736  msiexec.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
1048  rem.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
2964  set_2.tmp
2944  set_5.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe"
  PID: 1584
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe"
    PID: 1048
    Signatures: Executes dropped EXE; Loads dropped DLL; Modifies system certificate store; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_0.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_0.exe" --silent --allusers=0
      PID: 1296
      Signatures: Executes dropped EXE; Loads dropped DLL
    - C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_2.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=2964 /CLICKID=2778 /SOURCEID=2778
      PID: 2552
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\is-SCJJ1.tmp\set_2.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-SCJJ1.tmp\set_2.tmp" /SL5="$E0166,6358074,832512,C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_2.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=2964 /CLICKID=2778 /SOURCEID=2778
        PID: 2964
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\is-ASNVH.tmp\_isetup\_setup64.tmp
          Command line: helper 105 0x1FC
          PID: 1688
          Signatures: Executes dropped EXE
        - C:\Windows\system32\schtasks.exe
          Command line: "schtasks" /Query /TN "DPUpdateTask"
          PID: 2828
        - C:\Windows\system32\schtasks.exe
          Command line: "schtasks" /Create /TN "DPUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Local\DP\DPUpdate.exe"
          PID: 284
          Signatures: Creates scheduled task(s)
        - C:\Users\Admin\AppData\Local\DP\DPService.exe
          Command line: "C:\Users\Admin\AppData\Local\DP\DPService.exe" 2964:::clickId=2778:::srcId=2778
          PID: 1564
          Signatures: Executes dropped EXE; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_4.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_4.exe" 2778 s
      PID: 2020
      Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\MaintenanceHelper.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\MaintenanceHelper.exe" 2778 ng83 18 "http://www.pcmaintainer.com?c=18&s=cb94bb52-11a0-49f7-b506-4f4499ea7c4d&subid=2778"
        PID: 1416
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe" /qn CAMPAIGN="2778"
      PID: 2944
      Signatures: Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
      - C:\Windows\SysWOW64\msiexec.exe
        Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" /qn CAMPAIGN=2778 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1709162200 /qn CAMPAIGN=""2778"" " CAMPAIGN="2778"
        PID: 2560

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1736
  Signatures: Blocklisted process makes network request; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B1247103FC99C0492EA7DF8E31D73324 C
    PID: 1676
    Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 211C1842D9AA51F1E4DDB2CEB29112DC
    PID: 1936
    Signatures: Loads dropped DLL; Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
      PID: 2332
      Signatures: Kills process with taskkill
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding AD1FDEBB763BDE54D0D056D0DCEA57C9 M Global\MSI0000
    PID: 108
    Signatures: Loads dropped DLL
Downloads