1bc7bcc829eed7cac232c93562c790f3da414200bb530f19bb7b2f738617be14

Analysis

max time kernel
1597s
max time network
1500s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
13-03-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

appsanywhere-setup-[21340a9268].exe
Size

1.3MB
MD5

6722faaf408ace33c4ef75fcd8c84059
SHA1

512c0d5b9cdff05d5f61dd341b88d01cd110d9cd
SHA256

1bc7bcc829eed7cac232c93562c790f3da414200bb530f19bb7b2f738617be14
SHA512

f62f72a8be19443c28ef9c4088c115470566dd267e34f1e9d7abe86d03cd7f0654872ef2c5b640bdb58b84f5644c25595916124c676f313d9c0d33f994f5d8f8
SSDEEP

24576:+txKp3bA6iEMppN4tc1Gu7KzudF46FzwbCyEHx:+t8p3JirrcAn5

Score

6^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
12	2196	msiexec.exe
13	2196	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Net.NetworkInformation.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\S2Startup.xml	msiexec.exe
File opened for modification	C:\Program Files\AppsAnywhere\AppsAnywhere\S2Updater.xml	MsiExec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\resources\icons\tray\AA-busy-trayicon.ico	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Reflection.Primitives.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Security.Cryptography.X509Certificates.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereUpdaterService.exe	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Runtime.InteropServices.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereLauncher.exe	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Security.Cryptography.Primitives.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereLauncher.exe.config	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Runtime.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.ComponentModel.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\InstallerTools.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\Ionic.Zip.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\Windows Icon.ico	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Runtime.Serialization.Primitives.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Text.Encoding.Extensions.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Collections.Concurrent.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhere.exe	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Dynamic.Runtime.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Diagnostics.Tools.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Reflection.Emit.ILGeneration.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.IO.Compression.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Windows.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Data.SQLite.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereUpdaterService.exe.config	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Runtime.Handles.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Linq.Parallel.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhere.exe.config	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Net.Requests.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereUpdaterService.InstallState	MsiExec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Diagnostics.Contracts.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereUpdater.exe.config	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Xml.XmlSerializer.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Diagnostics.Debug.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Linq.Queryable.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Xml.XDocument.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Diagnostics.Tracing.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.IO.Compression.FileSystem.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.ServiceModel.Duplex.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Security.Principal.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereLauncher.bat	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.ObjectModel.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Net.Primitives.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Threading.Tasks.Parallel.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.ComponentModel.TypeConverter.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.ServiceModel.Http.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.ServiceModel.NetTcp.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Globalization.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Linq.Expressions.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.ServiceModel.Security.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Threading.Timer.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Collections.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereUpdater.exe	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\Microsoft.TeamFoundation.Common.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Net.Http.WebRequest.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\AAServiceConfig.xml	AppsAnywhereUpdaterService.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\Microsoft.VisualStudio.Services.Common.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Security.Cryptography.Encoding.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Resources.ResourceManager.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Runtime.Serialization.Json.dll	msiexec.exe
File created	C:\Program Files\AppsAnywhere\AppsAnywhere\System.Runtime.Serialization.Xml.dll	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\~DF13C5B47F75F048DD.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\{D90F1DF5-62F5-4127-B1FD-F4DDF0194D6D}\_853F67D554F05449430E7E.exe	msiexec.exe
File created	C:\Windows\Installer\e57d788.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE66D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE67E.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d784.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF811E61883521BC85.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE021.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D90F1DF5-62F5-4127-B1FD-F4DDF0194D6D}	msiexec.exe
File created	C:\Windows\Installer\{D90F1DF5-62F5-4127-B1FD-F4DDF0194D6D}\_853F67D554F05449430E7E.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE206.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFD0F79AAC3CC13CF5.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d784.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDED7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDFA3.tmp	msiexec.exe
File created	C:\Windows\Fonts\System_Detect.ttf	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE534.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA76B0D2500B98C31.TMP	msiexec.exe

Executes dropped EXE 5 IoCs

pid	Process
4104	AppsAnywhereUpdaterService.exe
3880	AppsAnywhere.exe
4888	AppsAnywhereLauncher.exe
4476	AppsAnywhere.exe
232	AppsAnywhere.exe

Loads dropped DLL 15 IoCs

pid	Process
2156	MsiExec.exe
2156	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4888	AppsAnywhereLauncher.exe
4888	AppsAnywhereLauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3588	schtasks.exe
1368	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1072EDCF-684E-4248-A3B0-F63B947B5F86}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1072EDCF-684E-4248-A3B0-F63B947B5F86}\AppPath = "C:\\Program Files\\AppsAnywhere\\AppsAnywhere\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1072EDCF-684E-4248-A3B0-F63B947B5F86}\AppName = "AppsAnywhereLauncher.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1072EDCF-684E-4248-A3B0-F63B947B5F86}\Policy = "3"	msiexec.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD1F09D5F2672141BDF4FDD0F91D4D6\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\software2hub\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Linq.Queryable.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Reflection.Emit.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Diagnostics.Tracing.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.ComponentModel.EventBasedAsync.dll\System.ComponentModel.EventBasedAsync,Version="4.0.10.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",Proces = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e0025002d00270037006b003d007900700059005800410046007000710078004d005e0049005e00270000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.ServiceModel.Primitives.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|AppsAnywhereLauncher.exe\AppsAnywhereLauncher,Version="2.0.2.0",Culture="neutral",ProcessorArchitecture="AMD64" = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e007b0062004b007500300050003d00270026002b006f002d00580076006d004100540064007a00370000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\software2hub\URL Protocol	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.IO.Compression.FileSystem.dll\System.IO.Compression.FileSystem,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B77A5C561934E089",ProcessorArchitec = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e007a007700470066005b006000460067004a002a005b00690060003400390046006f002b002d00590000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|AppsAnywhere.exe\AppsAnywhere,Version="2.0.2.0",Culture="neutral",ProcessorArchitecture="AMD64" = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e00670034005400340041006a0077003d00250041002d0070002600690042005e00770052006500360000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.ComponentModel.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Reflection.Emit.ILGeneration.dll	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\software2hub\DefaultIcon\(Default) = "\"C:\\Program Files\\AppsAnywhere\\AppsAnywhere\\AppsAnywhereLauncher.exe,1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\software2hub\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD1F09D5F2672141BDF4FDD0F91D4D6\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|InstallerTools.dll\InstallerTools,Version="2.0.2.0",Culture="neutral",ProcessorArchitecture="AMD64" = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e0078005a00350074003d006b004d0067007800470027005a005e00640067007300360032004800500000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\software2hub\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Dynamic.Runtime.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Diagnostics.Tools.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Reflection.Extensions.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Security.Cryptography.Encoding.dll\System.Security.Cryptography.Encoding,Version="4.0.1.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",Process = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e003400370072004200560050006300270070003800570024002500600069003f004b0026002800590000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Runtime.Serialization.Json.dll\System.Runtime.Serialization.Json,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchit = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e002d00650065004c0053004700290035004c0032002800460039006b0038003000310034004a00760000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Net.Http.dll\System.Net.Http,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e0041004c0041006e002a004f006b0058005f005200770049005f004d0057003f00320055004b00380000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD1F09D5F2672141BDF4FDD0F91D4D6\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\software2hub	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Collections.Concurrent.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Windows.dll\System.Windows,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e006600590048004900620078004a005a00720036007e00340027003d006500630078004b004b006d0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Diagnostics.Debug.dll\System.Diagnostics.Debug,Version="4.0.10.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e006c005f0037007700360072002d0029002a0070004b00270039005d0067002600360069005100400000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|Ionic.Zip.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Reflection.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Net.Primitives.dll\System.Net.Primitives,Version="4.0.10.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e00720063007a00390033004d00570052006100640025007b007a0069004a0069004300520071004a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Linq.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Linq.Parallel.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Net.WebHeaderCollection.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Runtime.InteropServices.dll	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD1F09D5F2672141BDF4FDD0F91D4D6\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD1F09D5F2672141BDF4FDD0F91D4D6\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD1F09D5F2672141BDF4FDD0F91D4D6\Clients = 3a0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.ServiceModel.Http.dll\System.ServiceModel.Http,Version="4.0.10.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e007300250032002700400059007a007400460033004e005400520068005f003500750030007e00760000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Globalization.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Reflection.Emit.Lightweight.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.IO.dll\System.IO,Version="4.0.10.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e005800260067004d00330068004900330058003000510036005f00750073004900450051007800320000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\software2hub\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Security.Cryptography.Algorithms.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Net.WebHeaderCollection.dll\System.Net.WebHeaderCollection,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e0036003600740046006a003800320063002e006f00400057004b0075006f006200760070005000480000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Management.Automation.dll\System.Management.Automation,Version="1.0.0.0",Culture="neutral",PublicKeyToken="31BF3856AD364E35",ProcessorArchitecture="MS = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e002a00460044006e006a00370071007d00320031005f0037002800550072007100580063003d00490000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Resources.ResourceManager.dll\System.Resources.ResourceManager,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitec = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e005000440073006b0040007700490070006a00500074006500410055005f00370057004f004c00410000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Runtime.InteropServices.dll\System.Runtime.InteropServices,Version="4.0.20.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitectur = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e002100690058004e0062007a00300047004400750075003000720065005800770040007a0073005f0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Net.Http.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Runtime.Serialization.Xml.dll\System.Runtime.Serialization.Xml,Version="4.0.10.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchite = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e00480046006e006a00330069007d007200500067002c0055005800260064007d00390059002e006c0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Security.Cryptography.X509Certificates.dll\System.Security.Cryptography.X509Certificates,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F1 = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e0068005d00410057004b003300590075002c007500630077006700380046006d0068004c007d00620000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|AppsAnywhereUpdater.exe\AppsAnywhereUpdater,Version="2.0.2.0",Culture="neutral",ProcessorArchitecture="AMD64" = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e003400380040006a005f0050002c006c007a0036004400560077002d0025002a002d0032006300470000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD1F09D5F2672141BDF4FDD0F91D4D6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Diagnostics.Contracts.dll\System.Diagnostics.Contracts,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MS = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e006c00520070006500600048005e0076004f004200600076004500300065006a005b004f007b00250000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Reflection.Primitives.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Security.Cryptography.Algorithms.dll\System.Security.Cryptography.Algorithms,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",Pro = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e006a0062004c004700540029004c00520060005e0053004b0052005b0079007700490025006a00650000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Security.Cryptography.Encoding.dll	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5FD1F09D5F2672141BDF4FDD0F91D4D6\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD1F09D5F2672141BDF4FDD0F91D4D6\PackageCode = "536DC2B24FE25E346A41E409C4F49F72"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\software2hub\DefaultIcon	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|Microsoft.VisualStudio.Services.Common.dll\Microsoft.VisualStudio.Services.Common,Version="12.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",Proc = 7a002d006e0069006e003d003100780078003800550062005d0044007000420077007d002d004b003e006100210038004f00430040005500740047002e00760047006200660036005b00280055005700510000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.ServiceModel.Http.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files\|AppsAnywhere\|AppsAnywhere\|System.Runtime.Numerics.dll	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\SystemCertificates\CA\Certificates\C2826E266D7405D34EF89762636AE4B36E86CB5E	appsanywhere-setup-[21340a9268].exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\SystemCertificates\CA\Certificates\C2826E266D7405D34EF89762636AE4B36E86CB5E\Blob = 030000000100000014000000c2826e266d7405d34ef89762636ae4b36e86cb5e1400000001000000140000006f1d3549106c32fa59a09ebc8ae81f95be717a0c04000000010000001000000080a7f9fb2258a37af1261f5ab2f5c94d0f0000000100000030000000025ff92cf084f70b1cf4714e6436dfe69e51efb0c546b66ba5318f161134fbb835bcccbaccc670dd75e444c4d13ee154190000000100000010000000a5ffac72fb9fe65812afe054e568b5b65c000000010000000400000000100000180000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e9060000308206e5308204cda003020102021100da43bd139bd258bb4dd61cacc4f3dbe0300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3230303231383030303030305a170d3333303530313233353935395a3044310b3009060355040613024e4c31193017060355040a13104745414e5420566572656e6967696e67311a3018060355040313114745414e54204f5620525341204341203430820222300d06092a864886f70d01010105000382020f003082020a0282020100a58862d5a1223ec83d64a44c030f50afc32d86cafa476d1549f15e87b4e0c2d2d08ba45244b3a1e28af810c1bfd6d87c9628efef19c13156644f2b0588f9933e22ce7efcfe4303b53708ef818f89aecedf4a8540fd34245f3731bb84e5dd61e2faa26628b255bbf24eb87b9dea63a92d69086e13834b33b100d276e0818fc7d8783970f2cbaff7e36784e943d70ad27c0337ae9931ba0dfbf9295c76e250854c65331d407e8fe8349522a0fd27f53b38026a3255f5e9e667ff38c9d878f303e9eaf6d67f51f43b745ddcb8693125674ea1532ca6526d078b731fe5f4338a65f0420bd8215b1b204ea5bd810eefdd3dda21f49a542f6b9f05713b456398374f14d6dda319e1d336307f8e67575410829470649f77c9679d869e1c8756ba023c2ab3ec2fe266739814a3a2fb55d262b077e0906d24e86a51143f841e26ae14773e5636634c2383983fa720ae7949e7469ad0364f949aab2903c62faf4a410cf5d96831be10ae554ef4cba65600fa2905ad7291bb2db692f100366b7b9707e7bde522e2c7763c7b363a58217471dbe4095119d7daac77ede648c585f3f2080cfb05c7e910db537576a390cfebb8573c74806c0fa9d28ae3028729936a2cc472a83521372c28cdc7c5957719d7bee436f2d29d68aebd9277e6ddb07bc6975fb0d3533c7f4495c8ec716671a5e6792228fc972ac21b5cf4bd25ad481b204a75321bfb0203010001a382018b30820187301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604146f1d3549106c32fa59a09ebc8ae81f95be717a0c300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b0601050507030230380603551d200431302f302d0604551d20003025302306082b06010505070201161768747470733a2f2f7365637469676f2e636f6d2f43505330500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010052d942dded318ffd4131f3e17508545de2e36f4c69f14136f24cd6139c43cc629b7c6827ad3d91970e602c8c7efdc355ada77fffe32ba53a69325c6ae7d02c5d8656df145ab2bbe48c67cd477bedff544097c888df594684883a75f217e4de1eb0b92b41e37c1e2c87287ea4866e3deba224555b67c73e428143ea1189f8790fb879e112ad606102a5da8afec746fa6c7702d87a40219eb946a62a19fc22484f63d34f17fe18733a72e52736a754cdfbeb42003c92dd7f0125f1da877f33e73c9e526aac6cf6f65ac9bde24e484317d1cfedb34d9686c7cc86461ae97ba35192e6bd1d44ab4f2be3cfc467897eb792f8c2dd0357c55a3dbb04045d44385a73fd84b61fa992c1c15a3496e762aa891c8be6dcf2c91e41661282d7455ad05dd093fb7c2005f814ea1782579098073fd892b756112eed8a24fcb15503a97995953b1b891362c8bb366e6116585525efa8d58882688397e89e012a3778cb2064c6fe65eb253d54cb29887286e7206adbc30455cff9a9150a34bc16088b59364e1561d03c7cf016c5f5888ff3875df05927e706c4e85c57609dbceea7d14e09a178f79c3dcef762bced6a975172c2951a43a96932093ff97e9401d12d9c64fdd52dc8df791bef9b39242a9ce0a954f69b50697613f384c85ae9229c20bb62ff589725bddea0f9903f89690b48c7299c56feb97e9006abc3ebe44dc6e97515a0798876	appsanywhere-setup-[21340a9268].exe
Key created	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	appsanywhere-setup-[21340a9268].exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	appsanywhere-setup-[21340a9268].exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
732	appsanywhere-setup-[21340a9268].exe
732	appsanywhere-setup-[21340a9268].exe
732	appsanywhere-setup-[21340a9268].exe
2196	msiexec.exe
2196	msiexec.exe
1976	MsiExec.exe
1976	MsiExec.exe
732	appsanywhere-setup-[21340a9268].exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4888	AppsAnywhereLauncher.exe
4888	AppsAnywhereLauncher.exe
4888	AppsAnywhereLauncher.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe
4104	AppsAnywhereUpdaterService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	732	appsanywhere-setup-[21340a9268].exe
Token: SeShutdownPrivilege	2904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2904	msiexec.exe
Token: SeSecurityPrivilege	2196	msiexec.exe
Token: SeCreateTokenPrivilege	2904	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2904	msiexec.exe
Token: SeLockMemoryPrivilege	2904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2904	msiexec.exe
Token: SeMachineAccountPrivilege	2904	msiexec.exe
Token: SeTcbPrivilege	2904	msiexec.exe
Token: SeSecurityPrivilege	2904	msiexec.exe
Token: SeTakeOwnershipPrivilege	2904	msiexec.exe
Token: SeLoadDriverPrivilege	2904	msiexec.exe
Token: SeSystemProfilePrivilege	2904	msiexec.exe
Token: SeSystemtimePrivilege	2904	msiexec.exe
Token: SeProfSingleProcessPrivilege	2904	msiexec.exe
Token: SeIncBasePriorityPrivilege	2904	msiexec.exe
Token: SeCreatePagefilePrivilege	2904	msiexec.exe
Token: SeCreatePermanentPrivilege	2904	msiexec.exe
Token: SeBackupPrivilege	2904	msiexec.exe
Token: SeRestorePrivilege	2904	msiexec.exe
Token: SeShutdownPrivilege	2904	msiexec.exe
Token: SeDebugPrivilege	2904	msiexec.exe
Token: SeAuditPrivilege	2904	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2904	msiexec.exe
Token: SeChangeNotifyPrivilege	2904	msiexec.exe
Token: SeRemoteShutdownPrivilege	2904	msiexec.exe
Token: SeUndockPrivilege	2904	msiexec.exe
Token: SeSyncAgentPrivilege	2904	msiexec.exe
Token: SeEnableDelegationPrivilege	2904	msiexec.exe
Token: SeManageVolumePrivilege	2904	msiexec.exe
Token: SeImpersonatePrivilege	2904	msiexec.exe
Token: SeCreateGlobalPrivilege	2904	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeDebugPrivilege	1976	MsiExec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3880	AppsAnywhere.exe
3880	AppsAnywhere.exe
4476	AppsAnywhere.exe
4476	AppsAnywhere.exe
4476	AppsAnywhere.exe
232	AppsAnywhere.exe
232	AppsAnywhere.exe
232	AppsAnywhere.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3880	AppsAnywhere.exe
3880	AppsAnywhere.exe
4476	AppsAnywhere.exe
4476	AppsAnywhere.exe
4476	AppsAnywhere.exe
232	AppsAnywhere.exe
232	AppsAnywhere.exe
232	AppsAnywhere.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4744	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 2904	732	appsanywhere-setup-[21340a9268].exe	79
PID 732 wrote to memory of 2904	732	appsanywhere-setup-[21340a9268].exe	79
PID 2196 wrote to memory of 2156	2196	msiexec.exe	83
PID 2196 wrote to memory of 2156	2196	msiexec.exe	83
PID 2196 wrote to memory of 2156	2196	msiexec.exe	83
PID 2196 wrote to memory of 1976	2196	msiexec.exe	84
PID 2196 wrote to memory of 1976	2196	msiexec.exe	84
PID 1976 wrote to memory of 3588	1976	MsiExec.exe	85
PID 1976 wrote to memory of 3588	1976	MsiExec.exe	85
PID 1976 wrote to memory of 1368	1976	MsiExec.exe	87
PID 1976 wrote to memory of 1368	1976	MsiExec.exe	87
PID 1976 wrote to memory of 4848	1976	MsiExec.exe	89
PID 1976 wrote to memory of 4848	1976	MsiExec.exe	89
PID 732 wrote to memory of 3880	732	appsanywhere-setup-[21340a9268].exe	92
PID 732 wrote to memory of 3880	732	appsanywhere-setup-[21340a9268].exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\appsanywhere-setup-[21340a9268].exe
"C:\Users\Admin\AppData\Local\Temp\appsanywhere-setup-[21340a9268].exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\apps-anywhere-installer-x64.msi" /qn /norestart
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhere.exe
  "C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhere.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3880

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4744

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F13F4315472C0BC37E6E9E0BC16ECE2E
  2⤵
  - Loads dropped DLL
  PID:2156
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 77179F8A4EBF979107959531BC49D25E E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /tn "Software2 Updater Task" /xml "C:\Program Files\AppsAnywhere\AppsAnywhere\S2Updater.xml" /f
    3⤵
    - Creates scheduled task(s)
    PID:3588
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /tn "Software2 Request Client Startup Task" /xml "C:\Program Files\AppsAnywhere\AppsAnywhere\S2Startup.xml" /f
    3⤵
    - Creates scheduled task(s)
    PID:1368
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Delete /tn "Software2 Startup Task" /f
    3⤵
    PID:4848

C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereUpdaterService.exe
"C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereUpdaterService.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2460

C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereLauncher.exe
"C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereLauncher.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4888

C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhere.exe
"C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhere.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4476

C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhere.exe
"C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhere.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d787.rbs

Filesize
560KB

MD5
560141c47ef901a117766e5a53c67399

SHA1
f1fa8708749472f653b96a5c33817af1e15d446b

SHA256
821d92cb27a6b90e0f35ba82aec3e42681801dfb440416b18ed264d3b9867824

SHA512
94698aa9d93d5af52e99eb80997e8e5e7f391af74d28d13a54aa5401d54e0410fd2ef00015d9a418b64aabc756a024f41091d6b10a1b3f20031754fabab2a8c4

Download Submit
C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhere.exe

Filesize
2.9MB

MD5
61784521f9ffcf6113bd803db8547ae4

SHA1
67d2d521e2a210ec5615b000e04ed5cefd49399a

SHA256
492ca08abed176b799901e8c2f857505b4fa575ee0e02b7430e12fbaa07b44b5

SHA512
3f843bd9ae4b7fd6f7609bf3701ef623ba9d6980d226dcd0531c98a0dedfb861ffde04dff2eb5f441e382600f598c91cbeb41569d14a1751f8513945e4b2c98d

Download Submit
C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhere.exe.config

Filesize
352B

MD5
4a34920618b6d59a9fc3afb147073174

SHA1
3c09f5a3e25581185c63706d329e3d7ae90326cf

SHA256
8eaeb8dc1099679bd0acdac424b91cd515dc2a970719320ae7d269960e3e3b8e

SHA512
64a66a29c542c77d63d2da197086eb230c89ce4f50ead9292d3b35d34fcc9978fa119799ea43d89060b71710249d8072d8482df8497c48f7437aa229fe3ac5f3

Download Submit
C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereLauncher.exe

Filesize
565KB

MD5
6cf14b6a6c6cf88f1188457cfdfc3721

SHA1
9505789c579511d3cf108358b3737206b55f4f81

SHA256
9d68b80865d91abb16baf453ed90214c0022bb8c5ce694e946d205bb5d699122

SHA512
a037b6938c1ecc8f01a4db3fd44447933fcec7b0ecfe9198f625d3e3256aa20c67e178401f4737f4d54ff277aae077791a8a8fc7aadea417b9277040f68ccfd9

Download Submit
C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereLauncher.exe.config

Filesize
1KB

MD5
5f41640cd976524d7d01e0724e02d834

SHA1
dbffc3ffb26a1581cad8c0890aabafc53fd4ca1d

SHA256
ac8e1a8749986d68c4a827f8cb576cf4d918669e5f6127dcce0bcdd3e91d4544

SHA512
c506f73ec3ea0f069fc812286fbdf431a5a5a2a9439369318393a609b249b2a1a19319bb0dcdabd1d660880522746fb4cb366e4fc8396c1f12fbe66cdb43bb9b

Download Submit
C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereUpdaterService.exe

Filesize
87KB

MD5
d8cd9f8c6cc75fa199699b15b3b111ea

SHA1
556ab07c52463b508fa070685a91b6ee7f5d05a1

SHA256
b8b53fbce2faeaec57f5ba4905522353fdca90188edcffb2b89d5226daa1b93d

SHA512
d7782096d52005aa8cd0839a912ec74f8bac31da3b58cc2fb0beb32219fe95266c721f08d0eaecd9844a1e7b0a961a6aee75e687cb6148c7b09c0a864e49bddf

Download Submit
C:\Program Files\AppsAnywhere\AppsAnywhere\AppsAnywhereUpdaterService.exe.config

Filesize
220B

MD5
f11a96130447342d1b86850cabb6b465

SHA1
3ab2a984f09720e58842360458d99b17ca9cf260

SHA256
d6cdc3fdc23d33f94174c955271f70ae293c8b8a0f2e7092f15d56d566c505b0

SHA512
30f000947b19934c096552c1c19921a716068104e6ba09b774f4e72edb4b9fde544257b4d5bbf9e9d862911ec3265e0311ba028c052023190f4d6216b0e91801

Download Submit
C:\Program Files\AppsAnywhere\AppsAnywhere\InstallerTools.dll

Filesize
37KB

MD5
2492f81fd8b07bb332eaed8ad68260c1

SHA1
e8341fe656b9964d0495c4c55f11fe8d80ec0ab3

SHA256
ee6803d0270febe5aa83a6dcd4b340f01d9b081276c5e05e1663858293a09f3b

SHA512
244149cbd5e4afe52a2d977f07e5677668c56d762b2cb2ebf51e5572b52ea40d5791ea80cfbe1d25eac40ed7a73280616b079918c491e1dbea8ae833086f1223

Download Submit
C:\Program Files\AppsAnywhere\AppsAnywhere\S2Startup.xml

Filesize
2KB

MD5
bb0115108409fd96fb043bd3bdc453c9

SHA1
fd56c6e690bac9126157a4a1af955f8ffba601d0

SHA256
ea79823a4bb03757b24f6c3163b09045531ee798d62ca6ee08598a027f1a3de0

SHA512
4608871019a8f062a94582537444d064d57213bb04cedbf7ae4dbfb6c25d9c595865609382b9e44efcdd1f6bf370ccfa7faa2971e169cb1d91fc7350ce2b6e2b

Download Submit
C:\Program Files\AppsAnywhere\AppsAnywhere\S2Updater.xml

Filesize
3KB

MD5
cb5ee13a5b1cf57fa8995c4d20cd6ca2

SHA1
b714f1e4fc4f3cd0b581700baab3eaf7f72f37ef

SHA256
827de651731e1a8639921eb8d7508d0d7842aa355cf7057ba0d6df4638f4b543

SHA512
b6c45941d1c56294b0750c10cafcba1a11968b402e934ad46bab3df784a99f1958127e91853926bb48320bf44fd524d1e4e80fae5eb639ad4bbec0cfd4b9ca2a

Download Submit
C:\Program Files\AppsAnywhere\AppsAnywhere\SQLite.Interop.dll

Filesize
1.6MB

MD5
7de130ce491d63ecb3920687a84df54a

SHA1
9784983d96036605f4f2b043191cf89be192666d

SHA256
1d534617b38323027a64579a581258a55c3986f5b4b15297126c8a4cef5aa105

SHA512
990b77c346b15357b6c1cdc5c3913c21c1b2fae17678c38e180c9ce1ae6f14d3a7357daf24828966cf94fefd8fdac61ea7a1ccd928724dee37d2ac1721345344

Download Submit
C:\Program Files\AppsAnywhere\AppsAnywhere\System.Data.SQLite.dll

Filesize
348KB

MD5
83dfd2fe35efb2154bcdd3b475f378f2

SHA1
43eaf586250bf5c8b32eb832cf3479a8dbf7cca2

SHA256
7a4dde948b573b5a92cb1f63a2201006e61ea24107d9668a36efa378e8d48f08

SHA512
0fa675541530a02285d4144df0f85a838a415466f7ea08251297e062a1fa33c475fd29539fa83a62600f4df124dc80f786b4bed2b7aecccc07d9dc09c517b90b

Download Submit
C:\Program Files\AppsAnywhere\AppsAnywhere\resources\icons\tray\AA-busy-trayicon.ico

Filesize
5KB

MD5
5959a353eac041f7c1956c30361c7c38

SHA1
d21d3a522ab87f321530c336ffd6836ff53d1420

SHA256
30b7e84e3fef313aa13799870b928b0bae0545c45601abdc7dc19c396e1a277f

SHA512
8c4380546fca0021ccfff2ac2c080aaa7b888f28bf99a7d1b0f78473f3a0872060e5a0ce219cf55b2be2a7a6acb03dcf04939ca052f4b3d2093a6ec1b802ee61

Download Submit
C:\Program Files\AppsAnywhere\AppsAnywhere\resources\icons\tray\AA-idle-trayicon.ico

Filesize
5KB

MD5
c668e1d6afea7312b9891a0f64e1de6a

SHA1
f2d4375659d75c9abbf3576f2b111dbb6e313008

SHA256
8b51882280187c27161da26592131e79861c31c0e4f17b8b8abcc3b1d15dde9e

SHA512
f000a4bea455954b86f7cc98431df4712a81b30822b8592b8c85c979e012dcd2db0e6794a7ddfa62501f2ab7abaeae451be77c4a6d8b9220abb64884a4b786e6

Download Submit
C:\ProgramData\Software2\s2_database.db

Filesize
16KB

MD5
355129308788a3a3e714009b7a0ae8e4

SHA1
05b8a3d378429ccb59bd40b74e84373989399644

SHA256
ad2991d1f5b879bbabc897f9b00960ec192b97967f3afd5150d9dd85693a7ffc

SHA512
cf3b9c09751a92a99acbe55d406bc8964444953b3ed2a206757215ccdf481deb0efe828fda6adbc651dc234c14288657c6d96c7fb4784a640092fa9a1f61ca49

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b1f935cbd0a4e7baeb4cfa73725bb226

SHA1
e5a5f4e788f95ccf950f745d01b8956dd14cb66c

SHA256
d7f24ca6d10c289d45cce23f5a19cebc0ea2b9c6b867f6b4b23c4effb08180a9

SHA512
8891f8904cf16da4ea8ccfc8bb993b6c0ad3beb7c146765d22e82388d2c4f4f01d84c2979b05b6c4bf11e1e93430454cc83dda012010ebf3369d94153327592d

Download Submit
C:\Users\Admin\AppData\Local\Software2\AppsAnywhere\2.0\Configuration\Languages\English.xml

Filesize
8KB

MD5
156abc60b346083ad1a64035bbc41992

SHA1
4f6443500480cc45ac76eb2e9e697b82f5696547

SHA256
4447780efdf49ffb2f06b140fe7e9d97491c5754ff3ac299c25b5eada2ed6e61

SHA512
ae137e0757ddbb7e2403212614824141235c4d624532aef6ebf0f6a741f15c244114cf088e135a9c11aae5cdd46a29fdcf0057e2a9a3d901ddb859dae65200b6

Download Submit
C:\Users\Admin\AppData\Local\Software2\AppsAnywhere\2.0\Configuration\S2HubConfig.xml

Filesize
818B

MD5
275beafd9269126d3238f5574c03c67b

SHA1
6fcc89b39a3c519e0dcb4e168a9c9029ae706879

SHA256
b2a3cff9919702ce041f971be86f5a39e702a80c2ab9583771d5a067ab412c01

SHA512
442fc377128c0f45553f585bdb32c0be568eb534a3598b16f6619983179a896687feacd3ce0e117a8e70fc169c1f7f6882141e9cedd6676b5eb06ae57bbef440

Download Submit
C:\Users\Admin\AppData\Local\Software2\AppsAnywhere\Log\S2HubTracelog.log

Filesize
12KB

MD5
93e417b8b4c4f01de2884fbfbe1684af

SHA1
0466dce6cd90e35da529eb15a940e1e4b2cc2cf8

SHA256
d13e2af7111114a977bca37547d827a03a98211b595f8844447701d9c742ee2c

SHA512
3bd24050c17ccbbcae65c41fbf1cab35f81fe6b0f5aeff7d85f1285b57f5b7da45983816f93ac76a979539e644e6fa73a436b1fe0afe9390c2ef7976c7d122cb

Download Submit
C:\Users\Admin\AppData\Local\Software2\AppsAnywhere\Log\S2HubTracelog.log

Filesize
14KB

MD5
8b3873a961f8de99661a7187f64ac0b6

SHA1
359dc3b7ec2208cb8fe65a61ce2b8a64a53cf483

SHA256
bedf5fcbcfc00ad3ef4e7eb51882de7edc69ca3e9b8be47d5792a87de3ae6834

SHA512
17edc0cf1b0309fee12c007732a8ed2a9389c6f1d1a4d2e96950cbaa69a69ba1034bdd53bb7a942cf9b6c2c03f7fdd49ef36841b04dfb3f9ba962ebfe6c7c48e

Download Submit
C:\Users\Admin\AppData\Local\Software2\AppsAnywhere\Log\S2HubTracelog.log

Filesize
14KB

MD5
eae94f2bc382e0854db4d36f1fa9744b

SHA1
db79ac5b6c7e653cd3f1fbe7164857166325a382

SHA256
c5cbf6cefd73f7d462f2ec2de8efb41e9f4897722385bb9f5eb03153679b1145

SHA512
e99186dea533b9928591639015d4c0e04dedb7109cee1a2cda7de17f19da78a08de80db2b5e1af2f182057b20b1ffd8260904e08fa9f29cffb466167f5db62b6

Download Submit
C:\Users\Admin\AppData\Local\Software2\AppsAnywhere\Log\S2HubTracelog.log

Filesize
18KB

MD5
52e88d5950464a7f55e6617810bc9cdd

SHA1
aa62e6aa68e75c0fd8822dc0f386b44980462d91

SHA256
4e55c59bfe7f76dc56e7e55ec5aa3b8b2013795e920d14f7f7d4da9dc6d3b0df

SHA512
2489a09afcd6561c815326c5124daf69ae8489da5b58bb05dae481ab3ff9a370a3c29f63ffffe9ab717eccccfbd5910e46cb934274a7ebc491ab17348c382ea8

Download Submit
C:\Users\Admin\AppData\Local\Software2\AppsAnywhere\Log\S2HubTracelog.log

Filesize
10KB

MD5
3e1eef80df878db6af96ee06a4a8a100

SHA1
fea06cbb0e4eb505a4c10e65329e6c5eb3d67512

SHA256
06c5e9813edb1157e7ec1640e7932cdbd87defa32d747227f0eb1a3f95a025a9

SHA512
44ff76da2e006e80b1bf4b1ea64d98779527c737744640859a5d88ddc1cfae07dcfe5e5327bf10b85ee246347592d4e97f9b5d35a84ca2fc6a0d8c845bd7428a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFGDFA2.tmp

Filesize
150B

MD5
eeb125122350edf6c0285be181c78c7a

SHA1
31088001dc87fa82581b0dbf3dd884276c2bce15

SHA256
944b17486a0e513f8e404e7f77ca842e0f36e7712b93cba8ec19f44e555117f9

SHA512
fec1fb1a5f9384bf2cc89d51c7228d00039477b88696fe65894ea1c2150ddf0055e24a2f970cfe85c5a780a103a1ace4b596b469be243ddc235ff01f0e72ec92

Download Submit
C:\Users\Admin\AppData\Local\Temp\apps-anywhere-installer-x64.msi

Filesize
8.3MB

MD5
e893e8170393a58dd59d764b72208487

SHA1
1467b6fa97d25029d63942d3f1bfc348ffe81cd6

SHA256
60aae5c3ad7fde5895c06996dbc3cde3db97169c1d23034eec5167028d07cb21

SHA512
3d45a18ddf2c872d8ada7f65d09989944055396d3d8e162a5d8f47ad60c0e4b58cd5ee46075c79024d868bdc67240b970ad311d922bcae30640bcf07e759bd43

Download Submit
C:\WINDOWS\FONTS\SYSTEM_DETECT.TTF

Filesize
17KB

MD5
a907d492bc431fafb197f23ed8ec496d

SHA1
2f5e5116b0549d6d4dd8f586a50d1d2af3cd1257

SHA256
6f0be34fe39e54e3ebb571082c4859a8d611db95eccda61d5f32fde9305e78c9

SHA512
1b5a1a1e696b26485282aa43cd36831cc668600c5c3333f2a8195bd5b2abd273876e8331f30519d672ddbee29621e0ea39d4a93eb4dcbcf3022569372c6dc368

Download Submit
C:\Windows\Installer\MSIDED7.tmp

Filesize
298KB

MD5
684f2d21637cb5835172edad55b6a8d9

SHA1
5eac3b8d0733aa11543248b769d7c30d2c53fcdb

SHA256
da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

SHA512
7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

Download Submit
C:\Windows\Installer\MSIE206.tmp

Filesize
127KB

MD5
fda0a2c4a34a45ce7733eec37b58f22c

SHA1
5650fc597103527696ea6e55dce6533c863e805a

SHA256
405f8e6a3b2b5bffaaf73621edfe246cad37c80639fcc36ea4a4ea714cccf68e

SHA512
33b1bb1340c409808389a7dd829c7869f6e0f0546eccf7d7b7db15ea0e82cf44a3b36fa5b2c2d1a0ebec75a9bd37ea18836cc4f64d6345b02123b8432bc4fc33

Download Submit
C:\Windows\Installer\e57d788.msi

Filesize
1.4MB

MD5
03013d5768b9c62222d3c7dc31a6148a

SHA1
0d0f226eb60b276f5db1067927a94f566fef269b

SHA256
ec9ab9515d0292ceb7742293502bcb8b9d22f9a5700b0cb88faee79b4fc88424

SHA512
a1fb8e002a7ee7ec0715ecbb7c0b04a249658a6b9c114f0dba56f9206040970ccfaa69c189f57e793a121a1f09d1b1f092f0ad5e4db4353d4587f07c5c52ba87

Download Submit
memory/232-390-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/232-366-0x0000022C47180000-0x0000022C47190000-memory.dmp

Filesize
64KB

Download
memory/232-367-0x0000022C47180000-0x0000022C47190000-memory.dmp

Filesize
64KB

Download
memory/232-359-0x0000022C47180000-0x0000022C47190000-memory.dmp

Filesize
64KB

Download
memory/232-358-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/732-62-0x0000000021760000-0x000000002176A000-memory.dmp

Filesize
40KB

Download
memory/732-20-0x0000000002AC0000-0x0000000002AC8000-memory.dmp

Filesize
32KB

Download
memory/732-64-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/732-65-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/732-61-0x0000000021740000-0x000000002174A000-memory.dmp

Filesize
40KB

Download
memory/732-23-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/732-24-0x000000001D820000-0x000000001D82E000-memory.dmp

Filesize
56KB

Download
memory/732-21-0x000000001FE20000-0x000000001FE58000-memory.dmp

Filesize
224KB

Download
memory/732-0-0x0000000000670000-0x00000000007B8000-memory.dmp

Filesize
1.3MB

Download
memory/732-63-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/732-19-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/732-18-0x000000001FE70000-0x000000001FE92000-memory.dmp

Filesize
136KB

Download
memory/732-17-0x000000001FD20000-0x000000001FDB2000-memory.dmp

Filesize
584KB

Download
memory/732-14-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/732-312-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/732-66-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/732-12-0x0000000001050000-0x000000000105C000-memory.dmp

Filesize
48KB

Download
memory/732-13-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/732-2-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/732-1-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/1976-251-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/1976-207-0x00000216EAF40000-0x00000216EAF52000-memory.dmp

Filesize
72KB

Download
memory/1976-208-0x00000216EAFA0000-0x00000216EAFDC000-memory.dmp

Filesize
240KB

Download
memory/1976-197-0x00000216EA6B0000-0x00000216EA6B8000-memory.dmp

Filesize
32KB

Download
memory/1976-198-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/1976-199-0x00000216EA6C0000-0x00000216EA6D0000-memory.dmp

Filesize
64KB

Download
memory/1976-200-0x00000216EA6C0000-0x00000216EA6D0000-memory.dmp

Filesize
64KB

Download
memory/1976-217-0x00000216EAF80000-0x00000216EAF96000-memory.dmp

Filesize
88KB

Download
memory/3880-299-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/3880-301-0x000001FD4A5F0000-0x000001FD4A600000-memory.dmp

Filesize
64KB

Download
memory/3880-302-0x000001FD4A5F0000-0x000001FD4A600000-memory.dmp

Filesize
64KB

Download
memory/3880-270-0x000001FD4A5F0000-0x000001FD4A600000-memory.dmp

Filesize
64KB

Download
memory/3880-261-0x000001FD4A5F0000-0x000001FD4A600000-memory.dmp

Filesize
64KB

Download
memory/3880-258-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/3880-300-0x000001FD4A5F0000-0x000001FD4A600000-memory.dmp

Filesize
64KB

Download
memory/3880-275-0x000001FD4A5F0000-0x000001FD4A600000-memory.dmp

Filesize
64KB

Download
memory/4104-247-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/4104-298-0x000001F2F1CB0000-0x000001F2F1CC0000-memory.dmp

Filesize
64KB

Download
memory/4104-290-0x000001F2F1C40000-0x000001F2F1C7A000-memory.dmp

Filesize
232KB

Download
memory/4104-246-0x000001F2F1FA0000-0x000001F2F2280000-memory.dmp

Filesize
2.9MB

Download
memory/4104-286-0x000001F2F1E10000-0x000001F2F1E6E000-memory.dmp

Filesize
376KB

Download
memory/4104-291-0x000001F2F1C00000-0x000001F2F1C26000-memory.dmp

Filesize
152KB

Download
memory/4104-297-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/4104-249-0x000001F2F1CB0000-0x000001F2F1CC0000-memory.dmp

Filesize
64KB

Download
memory/4476-324-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/4476-325-0x0000025FCA400000-0x0000025FCA410000-memory.dmp

Filesize
64KB

Download
memory/4476-333-0x0000025FCA400000-0x0000025FCA410000-memory.dmp

Filesize
64KB

Download
memory/4476-356-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/4888-317-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/4888-316-0x0000029B30E00000-0x0000029B30E8C000-memory.dmp

Filesize
560KB

Download
memory/4888-320-0x0000029B4B650000-0x0000029B4B660000-memory.dmp

Filesize
64KB

Download
memory/4888-322-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download