sectoprat | e43b79bf105ec37a7cfff9ad84ea28a0320f1aeba4b47fa5ad119672f9b52acb

Analysis

max time kernel
90s
max time network
86s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ISetup8.exe
Size

451KB
MD5

762256f7246e75a7537109d5371af60b
SHA1

953a670596dc2ded2aa93b6a1e6e3332aadfd7af
SHA256

e43b79bf105ec37a7cfff9ad84ea28a0320f1aeba4b47fa5ad119672f9b52acb
SHA512

aeb4937d560d212046404788cbfe85fafb412736c6e487409c6cbca9827c4a127865f060acb6982f07b78411ceec8052d29f8bb893efe7c357640bd594c55b48
SSDEEP

6144:+0HYlMeYOX8mE94DowCxV0jZVqmnvi1UVX1Zbt2S0gjaUH:+04lMXmQ4LCxWjZji1U/rhaUH

Score

10^/10

sectoprat stealc zgrat zloader botnet discovery evasion persistence rat spyware stealer trojan

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1328-251-0x0000000000BC0000-0x00000000044B8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1328-274-0x000000001EDF0000-0x000000001EF00000-memory.dmp	family_zgrat_v1
behavioral1/memory/1328-278-0x0000000005C30000-0x0000000005C54000-memory.dmp	family_zgrat_v1
behavioral1/memory/1628-1529-0x000000001C1B0000-0x000000001C2C0000-memory.dmp	family_zgrat_v1
C:\Program Files\iolo technologies\System Mechanic\SMCommon.dll	family_zgrat_v1
behavioral1/memory/1628-1774-0x000000001C2C0000-0x000000001C2E4000-memory.dmp	family_zgrat_v1
C:\Program Files\iolo technologies\System Mechanic\EntitlementDefinitions.dll	family_zgrat_v1

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1664-894-0x0000000000180000-0x0000000000246000-memory.dmp	family_sectoprat

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

Processes:

SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

description	ioc	process
File created	C:\Windows\system32\drivers\pgfilter.sys	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Windows\system32\drivers\pgfilter.sys	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2840 netsh.exe

pid	process
2840	netsh.exe

Executes dropped EXE 12 IoCs

Processes:

u26o.0.exerun.exeu26o.3.exenfregdrv.exeincinerator.exeiolo.exeioloTrayApp.exeLBGovernor.exeioloTrayApp.exeLBGovernor.exeactivebridge.exeactivebridge.exe

pid	process
1504	u26o.0.exe
2040	run.exe
540	u26o.3.exe
2948	nfregdrv.exe
1872	incinerator.exe
1628	iolo.exe
2340	ioloTrayApp.exe
1148	LBGovernor.exe
1088	ioloTrayApp.exe
2480	LBGovernor.exe
1336	activebridge.exe
1832	activebridge.exe

Loads dropped DLL 42 IoCs

Processes:

ISetup8.exerun.exeu26o.0.execmd.exenfregdrv.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exeincinerator.exeiolo.exetaskmgr.exeioloTrayApp.exeactivebridge.exeactivebridge.exe

pid	process
2832	ISetup8.exe
2832	ISetup8.exe
2832	ISetup8.exe
2832	ISetup8.exe
2832	ISetup8.exe
2832	ISetup8.exe
2832	ISetup8.exe
2832	ISetup8.exe
2832	ISetup8.exe
2040	run.exe
1504	u26o.0.exe
1504	u26o.0.exe
2832	ISetup8.exe
2832	ISetup8.exe
2832	ISetup8.exe
2832	ISetup8.exe
3020	cmd.exe
2948	nfregdrv.exe
1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1872	incinerator.exe
1628	iolo.exe
1628	iolo.exe
1628	iolo.exe
1628	iolo.exe
1628	iolo.exe
1092
1092
3016	taskmgr.exe
3016	taskmgr.exe
2340	ioloTrayApp.exe
2340	ioloTrayApp.exe
2340	ioloTrayApp.exe
1628	iolo.exe
1628	iolo.exe
3016	taskmgr.exe
3016	taskmgr.exe
1336	activebridge.exe
1336	activebridge.exe
1336	activebridge.exe
1832	activebridge.exe
1832	activebridge.exe
1832	activebridge.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

incinerator.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}\LocalServer32	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}\LocalServer32\ = "C:\\Program Files\\iolo technologies\\System Mechanic\\incinerator.exe"	incinerator.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 2 IoCs

Processes:

run.execmd.exe

description pid process target process

PID 2040 set thread context of 3020 2040 run.exe cmd.exe
PID 3020 set thread context of 1664 3020 cmd.exe MSBuild.exe

description	pid	process	target process
PID 2040 set thread context of 3020	2040	run.exe	cmd.exe
PID 3020 set thread context of 1664	3020	cmd.exe	MSBuild.exe

Drops file in Program Files directory 64 IoCs

Processes:

SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

description	ioc	process
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.AI.ServerTelemetryChannel.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\ioloTrayApp.exe.config	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Diagnostics.FastSerialization.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Practices.Prism.MefExtensions.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.IdentityModel.Abstractions.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\System.Memory.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\InstallDriver.bat	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\driver\wfp\windows10\std\i386\pgfilter.sys	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\install_wfp_driver_windows10.bat	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.mshtml.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\MessageRpc.Net.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Win32.TaskScheduler.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\System.Windows.Interactivity.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\it\ACResources.resources.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\LBGovernor.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\release\win32\nfapi.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\release\win32\nfregdrv.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Incinerator.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Practices.Prism.Interactivity.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\SDKModels.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\ko\ACResources.resources.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\PDFsFilter.inf	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\driver\wfp\windows7\std\i386\pgfilter.sys	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\System.Diagnostics.DiagnosticSource.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\de\ACResources.resources.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\driver\tdi\wpp\amd64\netfilter2.sys	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\mpns.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\EndpointProtectionClient.Net.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WWSDK.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\SystemShield.ico	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\DeviceId.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\System.Net.Http.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\pt-br\ACResources.resources.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\driver\wfp\windows10\wpp\i386\pgfilter.sys	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\MacAddressVendorLookup.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\DotNetZip.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\install_wfp_driver_windows7_x64.bat	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Diagnostics.Tracing.TraceEvent.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\ACResources.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Practices.EnterpriseLibrary.Common.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Web.WebView2.WinForms.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\release\win32\libeay32.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\nfapi.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Newtonsoft.Json.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\ioloIcon.ico	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\UIResources.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\portscan.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\EndpointProtectionInterfaces.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WSC.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\NLog.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\ToolKit.Interop.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\driver\wfp\windows7\wpp\i386\pgfilter.sys	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\libssl-1_1-x64.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\driver\tdi\wpp\i386\netfilter2.sys	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\release\win32\ssleay32.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Practices.Prism.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\netscan.dll.config	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\log4net.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Identity.Client.NativeInterop.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\SystemShield.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\GvrMgr.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\UninstallDriver.bat	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\driver\wfp\windows10\std\amd64\pgfilter.sys	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\driver\wfp\windows8\wpp\amd64\pgfilter.sys	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

u26o.3.exeiolo.exeioloTrayApp.exeactivebridge.exeincinerator.exeactivebridge.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u26o.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iolo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ioloTrayApp.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ioloTrayApp.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	activebridge.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u26o.3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	incinerator.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iolo.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	activebridge.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	activebridge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u26o.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	incinerator.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iolo.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ioloTrayApp.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	incinerator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	activebridge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	activebridge.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	activebridge.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u26o.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u26o.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u26o.0.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiolo.exeioloTrayApp.exeactivebridge.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\iolo.exe = "11001"	iolo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	ioloTrayApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000b2fd338dd97d8a013a24849b16c6a474626b17232dd5f55d21bf5f43cb5bd80c000000000e8000000002000020000000063d8ec71333a0025d8a063e3e20590ffb026639a3882669f2b1ff705fb35dd29000000082bc2f01654ef688b28aefdfe714be7e6e1909fc4ba10dfcf5e61bced41412479e7622837056bc57d4f3953cbabd1c2bbdbaaaba8976f7ddec80b80c06bae45e18e17c1afe83354183f02f9195665ac4f0c2a26cbdb286d2711492b62520a0bb1f4ca4b6b909f7937716ee92c7bfed5bd4ff912e64900cf28bb960179c5dfa6e46bbf71d41186f4c764441061a773d03400000001f1c443e41d2f094f594f1fc7d5a4e829635264babaeeb58988b21a0464653f92813b1efaf91da6d0cd790ba324cb91394c9cd3d3bf77d21609322c2db34f87f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\activebridge.exe = "11001"	activebridge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F4A20121-05B5-11EF-9AB8-560090747152} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000bd75e5c38da973326ad2898fe75cfd43f85d14d963a15566bfdbd153a28d4f19000000000e80000000020000200000008be8d156cee97e6630a50278ec54a682ca6f63d7786b0ed7331a391b66e962672000000030b2a60c40e9dd6c5b77c1f58189dd3d0585cfaab6120dae7c316d68962c946f40000000411a703582c5fd2ef70f3780fd843039cf24aa200f35ae743035808cdd0ea92bb36b35984a11ffc2b17961419ae0ed66c9ab53e31002200422b9bbaba96c589b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	iolo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\activebridge.exe = "11001"	activebridge.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iolo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iolo.exe = "11001"	iolo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9028efc9c299da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	iolo.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	activebridge.exe

Modifies registry class 43 IoCs

Processes:

incinerator.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4831C1C-E17D-4711-BDF2-0FD935DC2F39}\1.0\0	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{603D0C8E-469F-460A-BCBB-BBF6E90A7C15}\TypeLib	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{603D0C8E-469F-460A-BCBB-BBF6E90A7C15}\TypeLib\ = "{C4831C1C-E17D-4711-BDF2-0FD935DC2F39}"	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{603D0C8E-469F-460A-BCBB-BBF6E90A7C15}	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{603D0C8E-469F-460A-BCBB-BBF6E90A7C15}\ = "IIncinerator"	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{603D0C8E-469F-460A-BCBB-BBF6E90A7C15}\TypeLib	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}\LocalServer32	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}\ProgID	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}\TypeLib\ = "{C4831C1C-E17D-4711-BDF2-0FD935DC2F39}"	incinerator.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}\Elevation	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4831C1C-E17D-4711-BDF2-0FD935DC2F39}	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4831C1C-E17D-4711-BDF2-0FD935DC2F39}\1.0\FLAGS\ = "0"	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4831C1C-E17D-4711-BDF2-0FD935DC2F39}\1.0\0\win64\ = "C:\\Program Files\\iolo technologies\\System Mechanic\\incinerator.exe"	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{603D0C8E-469F-460A-BCBB-BBF6E90A7C15}\ProxyStubClsid32	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{603D0C8E-469F-460A-BCBB-BBF6E90A7C15}\ProxyStubClsid32	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{603D0C8E-469F-460A-BCBB-BBF6E90A7C15}	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{603D0C8E-469F-460A-BCBB-BBF6E90A7C15}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{603D0C8E-469F-460A-BCBB-BBF6E90A7C15}\TypeLib\ = "{C4831C1C-E17D-4711-BDF2-0FD935DC2F39}"	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}\ = "Incinerator"	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}\ProgID\ = "Incinerator.IncineratorImpl"	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4831C1C-E17D-4711-BDF2-0FD935DC2F39}\1.0	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{603D0C8E-469F-460A-BCBB-BBF6E90A7C15}\TypeLib\Version = "1.0"	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}\LocalServer32\ = "C:\\Program Files\\iolo technologies\\System Mechanic\\incinerator.exe"	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Incinerator.IncineratorImpl\Clsid	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Incinerator.IncineratorImpl\Clsid\ = "{E2ED38AC-BD32-4164-BB38-30573675E8D5}"	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}\Version\ = "1.0"	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}\TypeLib	incinerator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}\Elevation\Enabled = "1"	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{603D0C8E-469F-460A-BCBB-BBF6E90A7C15}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4831C1C-E17D-4711-BDF2-0FD935DC2F39}\1.0\ = "Incinerator"	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4831C1C-E17D-4711-BDF2-0FD935DC2F39}\1.0\HELPDIR	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{603D0C8E-469F-460A-BCBB-BBF6E90A7C15}\ = "IIncinerator"	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{603D0C8E-469F-460A-BCBB-BBF6E90A7C15}\TypeLib\Version = "1.0"	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Incinerator.IncineratorImpl	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4831C1C-E17D-4711-BDF2-0FD935DC2F39}\1.0\FLAGS	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}\Version	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}\Elevation\IconReference = "@C:\\Program Files\\iolo technologies\\System Mechanic\\incinerator.exe,-102"	incinerator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4831C1C-E17D-4711-BDF2-0FD935DC2F39}\1.0\0\win64	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4831C1C-E17D-4711-BDF2-0FD935DC2F39}\1.0\HELPDIR\ = "C:\\Program Files\\iolo technologies\\System Mechanic\\"	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Incinerator.IncineratorImpl\ = "Incinerator"	incinerator.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}	incinerator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2ED38AC-BD32-4164-BB38-30573675E8D5}\LocalizedString = "@C:\\Program Files\\iolo technologies\\System Mechanic\\incinerator.exe,-101"	incinerator.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

activebridge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	activebridge.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	activebridge.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	activebridge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

u26o.0.exerun.execmd.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exeMSBuild.exetaskmgr.exeiolo.exeioloTrayApp.exeioloTrayApp.exeactivebridge.exeactivebridge.exe

pid	process
1504	u26o.0.exe
2040	run.exe
2040	run.exe
1504	u26o.0.exe
3020	cmd.exe
3020	cmd.exe
1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1664	MSBuild.exe
1664	MSBuild.exe
1664	MSBuild.exe
1664	MSBuild.exe
1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
1628	iolo.exe
1628	iolo.exe
3016	taskmgr.exe
1628	iolo.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
2340	ioloTrayApp.exe
2340	ioloTrayApp.exe
3016	taskmgr.exe
2340	ioloTrayApp.exe
2340	ioloTrayApp.exe
3016	taskmgr.exe
2340	ioloTrayApp.exe
2340	ioloTrayApp.exe
3016	taskmgr.exe
1628	iolo.exe
3016	taskmgr.exe
1088	ioloTrayApp.exe
1088	ioloTrayApp.exe
2340	ioloTrayApp.exe
1336	activebridge.exe
1336	activebridge.exe
3016	taskmgr.exe
2340	ioloTrayApp.exe
2340	ioloTrayApp.exe
2340	ioloTrayApp.exe
2340	ioloTrayApp.exe
2340	ioloTrayApp.exe
2340	ioloTrayApp.exe
2340	ioloTrayApp.exe
3016	taskmgr.exe
3016	taskmgr.exe
2340	ioloTrayApp.exe
1832	activebridge.exe
1832	activebridge.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3016 taskmgr.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

480
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

run.execmd.exe

pid process

2040 run.exe
3020 cmd.exe
3020 cmd.exe

pid	process
3016	taskmgr.exe

pid	process
480

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exeMSBuild.exetaskmgr.exeiolo.exeioloTrayApp.exeLBGovernor.exe

description	pid	process
Token: SeDebugPrivilege	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	1664	MSBuild.exe
Token: SeBackupPrivilege	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeSecurityPrivilege	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeBackupPrivilege	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	3016	taskmgr.exe
Token: SeDebugPrivilege	1628	iolo.exe
Token: SeIncreaseQuotaPrivilege	1628	iolo.exe
Token: SeSecurityPrivilege	1628	iolo.exe
Token: SeTakeOwnershipPrivilege	1628	iolo.exe
Token: SeLoadDriverPrivilege	1628	iolo.exe
Token: SeSystemProfilePrivilege	1628	iolo.exe
Token: SeSystemtimePrivilege	1628	iolo.exe
Token: SeProfSingleProcessPrivilege	1628	iolo.exe
Token: SeIncBasePriorityPrivilege	1628	iolo.exe
Token: SeCreatePagefilePrivilege	1628	iolo.exe
Token: SeBackupPrivilege	1628	iolo.exe
Token: SeRestorePrivilege	1628	iolo.exe
Token: SeShutdownPrivilege	1628	iolo.exe
Token: SeDebugPrivilege	1628	iolo.exe
Token: SeSystemEnvironmentPrivilege	1628	iolo.exe
Token: SeRemoteShutdownPrivilege	1628	iolo.exe
Token: SeUndockPrivilege	1628	iolo.exe
Token: SeManageVolumePrivilege	1628	iolo.exe
Token: 33	1628	iolo.exe
Token: 34	1628	iolo.exe
Token: 35	1628	iolo.exe
Token: SeDebugPrivilege	2340	ioloTrayApp.exe
Token: SeAssignPrimaryTokenPrivilege	1148	LBGovernor.exe
Token: SeDebugPrivilege	1148	LBGovernor.exe
Token: SeChangeNotifyPrivilege	1148	LBGovernor.exe
Token: SeIncBasePriorityPrivilege	1148	LBGovernor.exe
Token: SeIncreaseQuotaPrivilege	1148	LBGovernor.exe
Token: SeProfSingleProcessPrivilege	1148	LBGovernor.exe
Token: SeCreateGlobalPrivilege	1148	LBGovernor.exe
Token: SeBackupPrivilege	1148	LBGovernor.exe
Token: SeRestorePrivilege	1148	LBGovernor.exe
Token: SeIncreaseQuotaPrivilege	2340	ioloTrayApp.exe
Token: SeSecurityPrivilege	2340	ioloTrayApp.exe
Token: SeTakeOwnershipPrivilege	2340	ioloTrayApp.exe
Token: SeLoadDriverPrivilege	2340	ioloTrayApp.exe
Token: SeSystemProfilePrivilege	2340	ioloTrayApp.exe
Token: SeSystemtimePrivilege	2340	ioloTrayApp.exe
Token: SeProfSingleProcessPrivilege	2340	ioloTrayApp.exe
Token: SeIncBasePriorityPrivilege	2340	ioloTrayApp.exe
Token: SeCreatePagefilePrivilege	2340	ioloTrayApp.exe
Token: SeBackupPrivilege	2340	ioloTrayApp.exe
Token: SeRestorePrivilege	2340	ioloTrayApp.exe
Token: SeShutdownPrivilege	2340	ioloTrayApp.exe
Token: SeDebugPrivilege	2340	ioloTrayApp.exe
Token: SeSystemEnvironmentPrivilege	2340	ioloTrayApp.exe
Token: SeRemoteShutdownPrivilege	2340	ioloTrayApp.exe
Token: SeUndockPrivilege	2340	ioloTrayApp.exe
Token: SeManageVolumePrivilege	2340	ioloTrayApp.exe
Token: 33	2340	ioloTrayApp.exe
Token: 34	2340	ioloTrayApp.exe
Token: 35	2340	ioloTrayApp.exe
Token: SeBackupPrivilege	2340	ioloTrayApp.exe
Token: SeBackupPrivilege	2340	ioloTrayApp.exe
Token: SeSecurityPrivilege	2340	ioloTrayApp.exe
Token: SeSecurityPrivilege	2340	ioloTrayApp.exe
Token: SeSecurityPrivilege	2340	ioloTrayApp.exe
Token: SeSecurityPrivilege	2340	ioloTrayApp.exe
Token: SeSecurityPrivilege	2340	ioloTrayApp.exe

Suspicious use of FindShellTrayWindow 58 IoCs

Processes:

u26o.3.exetaskmgr.exeiexplore.exeioloTrayApp.exe

pid	process
540	u26o.3.exe
540	u26o.3.exe
540	u26o.3.exe
540	u26o.3.exe
540	u26o.3.exe
540	u26o.3.exe
540	u26o.3.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
1264	iexplore.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
2340	ioloTrayApp.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe

Suspicious use of SendNotifyMessage 57 IoCs

Processes:

u26o.3.exetaskmgr.exeioloTrayApp.exe

pid	process
540	u26o.3.exe
540	u26o.3.exe
540	u26o.3.exe
540	u26o.3.exe
540	u26o.3.exe
540	u26o.3.exe
540	u26o.3.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
2340	ioloTrayApp.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

run.exeMSBuild.exeiexplore.exeIEXPLORE.EXEiolo.exeioloTrayApp.exeactivebridge.exe

pid	process
2040	run.exe
2040	run.exe
1664	MSBuild.exe
1264	iexplore.exe
1264	iexplore.exe
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
1628	iolo.exe
1628	iolo.exe
2340	ioloTrayApp.exe
2340	ioloTrayApp.exe
1832	activebridge.exe
1832	activebridge.exe
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ISetup8.exerun.exeu26o.3.execmd.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exeiexplore.exeiolo.exeioloTrayApp.exe

description	pid	process	target process
PID 2832 wrote to memory of 1504	2832	ISetup8.exe	u26o.0.exe
PID 2832 wrote to memory of 1504	2832	ISetup8.exe	u26o.0.exe
PID 2832 wrote to memory of 1504	2832	ISetup8.exe	u26o.0.exe
PID 2832 wrote to memory of 1504	2832	ISetup8.exe	u26o.0.exe
PID 2832 wrote to memory of 2040	2832	ISetup8.exe	run.exe
PID 2832 wrote to memory of 2040	2832	ISetup8.exe	run.exe
PID 2832 wrote to memory of 2040	2832	ISetup8.exe	run.exe
PID 2832 wrote to memory of 2040	2832	ISetup8.exe	run.exe
PID 2832 wrote to memory of 2040	2832	ISetup8.exe	run.exe
PID 2832 wrote to memory of 2040	2832	ISetup8.exe	run.exe
PID 2832 wrote to memory of 2040	2832	ISetup8.exe	run.exe
PID 2040 wrote to memory of 3020	2040	run.exe	cmd.exe
PID 2040 wrote to memory of 3020	2040	run.exe	cmd.exe
PID 2040 wrote to memory of 3020	2040	run.exe	cmd.exe
PID 2040 wrote to memory of 3020	2040	run.exe	cmd.exe
PID 2832 wrote to memory of 540	2832	ISetup8.exe	u26o.3.exe
PID 2832 wrote to memory of 540	2832	ISetup8.exe	u26o.3.exe
PID 2832 wrote to memory of 540	2832	ISetup8.exe	u26o.3.exe
PID 2832 wrote to memory of 540	2832	ISetup8.exe	u26o.3.exe
PID 2040 wrote to memory of 3020	2040	run.exe	cmd.exe
PID 540 wrote to memory of 1328	540	u26o.3.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 540 wrote to memory of 1328	540	u26o.3.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 540 wrote to memory of 1328	540	u26o.3.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 540 wrote to memory of 1328	540	u26o.3.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 3020 wrote to memory of 1664	3020	cmd.exe	MSBuild.exe
PID 3020 wrote to memory of 1664	3020	cmd.exe	MSBuild.exe
PID 3020 wrote to memory of 1664	3020	cmd.exe	MSBuild.exe
PID 3020 wrote to memory of 1664	3020	cmd.exe	MSBuild.exe
PID 3020 wrote to memory of 1664	3020	cmd.exe	MSBuild.exe
PID 3020 wrote to memory of 1664	3020	cmd.exe	MSBuild.exe
PID 1328 wrote to memory of 2948	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	nfregdrv.exe
PID 1328 wrote to memory of 2948	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	nfregdrv.exe
PID 1328 wrote to memory of 2948	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	nfregdrv.exe
PID 1328 wrote to memory of 2948	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	nfregdrv.exe
PID 1328 wrote to memory of 1872	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	incinerator.exe
PID 1328 wrote to memory of 1872	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	incinerator.exe
PID 1328 wrote to memory of 1872	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	incinerator.exe
PID 1328 wrote to memory of 2840	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	netsh.exe
PID 1328 wrote to memory of 2840	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	netsh.exe
PID 1328 wrote to memory of 2840	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	netsh.exe
PID 1328 wrote to memory of 1264	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	iexplore.exe
PID 1328 wrote to memory of 1264	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	iexplore.exe
PID 1328 wrote to memory of 1264	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	iexplore.exe
PID 1328 wrote to memory of 1628	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	iolo.exe
PID 1328 wrote to memory of 1628	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	iolo.exe
PID 1328 wrote to memory of 1628	1328	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	iolo.exe
PID 1264 wrote to memory of 2676	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 2676	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 2676	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 2676	1264	iexplore.exe	IEXPLORE.EXE
PID 1628 wrote to memory of 2340	1628	iolo.exe	ioloTrayApp.exe
PID 1628 wrote to memory of 2340	1628	iolo.exe	ioloTrayApp.exe
PID 1628 wrote to memory of 2340	1628	iolo.exe	ioloTrayApp.exe
PID 1628 wrote to memory of 1148	1628	iolo.exe	LBGovernor.exe
PID 1628 wrote to memory of 1148	1628	iolo.exe	LBGovernor.exe
PID 1628 wrote to memory of 1148	1628	iolo.exe	LBGovernor.exe
PID 1628 wrote to memory of 1088	1628	iolo.exe	ioloTrayApp.exe
PID 1628 wrote to memory of 1088	1628	iolo.exe	ioloTrayApp.exe
PID 1628 wrote to memory of 1088	1628	iolo.exe	ioloTrayApp.exe
PID 1628 wrote to memory of 2480	1628	iolo.exe	LBGovernor.exe
PID 1628 wrote to memory of 2480	1628	iolo.exe	LBGovernor.exe
PID 1628 wrote to memory of 2480	1628	iolo.exe	LBGovernor.exe
PID 2340 wrote to memory of 1336	2340	ioloTrayApp.exe	activebridge.exe
PID 2340 wrote to memory of 1336	2340	ioloTrayApp.exe	activebridge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ISetup8.exe
"C:\Users\Admin\AppData\Local\Temp\ISetup8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\u26o.0.exe
"C:\Users\Admin\AppData\Local\Temp\u26o.0.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1504

C:\Users\Admin\AppData\Local\Temp\u26o.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u26o.2\run.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Users\Admin\AppData\Local\Temp\u26o.3.exe
"C:\Users\Admin\AppData\Local\Temp\u26o.3.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
3⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\release\win32\nfregdrv.exe
"C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\release\win32\nfregdrv.exe" pgfilter
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948

C:\Program Files\iolo technologies\System Mechanic\incinerator.exe
"C:\Program Files\iolo technologies\System Mechanic\incinerator.exe" /regserver
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Checks SCSI registry key(s)
- Modifies registry class
PID:1872

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=ioloTrayApp dir=in action=allow program="C:\Program Files\iolo technologies\System Mechanic\ioloTrayApp.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2840

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.iolo.com/landing/thanks-for-installing-system-mechanic/?utm_source=sm&utm_medium=product&p=5488cb36-be62-4606-b07b-2ee938868bd1&pg=bf06aa46-be9b-4ecb-94f1-047d8c0a149f&b=00000000-0000-0000-0000-000000000000&e=11a12794-499e-4fa0-a281-a9a9aa8b2685&l=en&sn=&appver=24.3.0.57&inapp=0&utm_campaign=3
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1264

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Program Files\iolo technologies\System Mechanic\iolo.exe
"C:\Program Files\iolo technologies\System Mechanic\iolo.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628

C:\Program Files\iolo technologies\System Mechanic\ioloTrayApp.exe
"C:\Program Files\iolo technologies\System Mechanic\ioloTrayApp.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340

C:\Program Files\iolo technologies\System Mechanic\activebridge.exe
"C:\Program Files\iolo technologies\System Mechanic\activebridge.exe" -events_triggered 9003 -override24Hour true
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Program Files\iolo technologies\System Mechanic\activebridge.exe
"C:\Program Files\iolo technologies\System Mechanic\activebridge.exe" -events_triggered 9002 -override24Hour true
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Program Files\iolo technologies\System Mechanic\LBGovernor.exe
"C:\Program Files\iolo technologies\System Mechanic\LBGovernor.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Program Files\iolo technologies\System Mechanic\ioloTrayApp.exe
"C:\Program Files\iolo technologies\System Mechanic\ioloTrayApp.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1088

C:\Program Files\iolo technologies\System Mechanic\LBGovernor.exe
"C:\Program Files\iolo technologies\System Mechanic\LBGovernor.exe"
5⤵
- Executes dropped EXE
PID:2480

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\iolo technologies\System Mechanic\ACResources.dll
Filesize
609KB

MD5
6d925384da7c78f14a455adbf23e24e4

SHA1
72b46c0ccded6f735db7e59f8e386c4679ae1c03

SHA256
4f82615a6f8e0944dcc9c2314298b0e3f5dec95d3e79d0771242a3084e752f11

SHA512
7c9d3935c8ceb2444217b4cd209ca91cda005805608701dd46e3dd1dc6e5ea06a48bab39ac1dc29e9809c1c6f577e4e044efe6bc585abbab38b47eb5fbb02c26

Download Submit
C:\Program Files\iolo technologies\System Mechanic\DotNetZip.dll
Filesize
471KB

MD5
8a6d548743f990ca0334a7845f891711

SHA1
39f94a41bba5a203519f966f57376133bbeffbca

SHA256
4d25d26de33d44df54056bf847945f99f4b101906ad61a91a159ad237583d311

SHA512
0848453bb56a5e7429341beee493d970c4a9adaf00055e07d2aab724d8f2a73e9ba6fdccdc2d916fe4af2a1da43483c5a3b0ac242b922951f8b8b319cdab6e28

Download Submit
C:\Program Files\iolo technologies\System Mechanic\EndpointProtectionClient.Net.dll
Filesize
93KB

MD5
3298b14cc71ef9af86d9ea65f5f5aaab

SHA1
64fd6a4b8bb5679684495715d9f3e183977e8a18

SHA256
fdeb9c9b7b99ec87ea37b4daff254eac17854884a6af13eb1f2e4851caf7810e

SHA512
a172a8940172c4d2c3e7249fc43c47788df120e914a8c8510055857cd1ff09868c6b265c7905c86d33852f3e748cace49b8ed60239dbfa403a0a585e1becf860

Download Submit
C:\Program Files\iolo technologies\System Mechanic\EntitlementDefinitions.dll
Filesize
125KB

MD5
3604503fa63cef9b43b6a61350c7d59c

SHA1
db2bd97a252e7e5685e466af8d0733969a9dda1b

SHA256
aaad1961e2b872bd16f4941196f9d6373121b03ddc9124daf4281a3e56abecce

SHA512
047e4f14969ca6b98962ce24dc1f1087f8193f88f56f2b93bb6f297187c4d8a174bb01f477d787140ffb614c626873fc2d80ae5d6b9cade31445d27f639f8cc0

Download Submit
C:\Program Files\iolo technologies\System Mechanic\Microsoft.AI.ServerTelemetryChannel.dll
Filesize
119KB

MD5
9bfe59d2c751d1e7c995111e1571da0b

SHA1
331379c17cc69c0f3a4ff7e6969f0e2a3c55a6ee

SHA256
182ee364c9ff421c04c26ef537791e7d83d8f615c95d5b0374a8197836b6aeb3

SHA512
e94a5d1c750afbb32b453f131b897882d22e03c7364ff65a17fd090e71c30590758d4f6f43bdccd8f8ba146eb9a0f12a1dc8c530c0b94994054d2c2a9fe79bd7

Download Submit
C:\Program Files\iolo technologies\System Mechanic\Microsoft.ApplicationInsights.dll
Filesize
377KB

MD5
1ee57089b208e9f12317d509e9a18e07

SHA1
a7745e69b3d921b900a1e850ac10916a82d60105

SHA256
dd0951ad341e6ee453d0cc40ee4ff4969848885ea773d7a282a862abf7abf159

SHA512
557670a9e017dbe0f1382a9f528e9e53955ca2fe203f800420b671db401fc19dd951a288f7c0a187b33e486f0c589b719a64aceb8766a7a53f1d5b590ac3ef3c

Download Submit
C:\Program Files\iolo technologies\System Mechanic\Microsoft.Practices.Prism.dll
Filesize
147KB

MD5
2a532749f77d7ef8c54798b5c5d4105f

SHA1
2e73508b69d5fb8a8c60a19a4155703c18255afe

SHA256
f1043059a9a6630d152bb6a56effb3f1e295546ab4cf791487762571866b740f

SHA512
cc607232db9e354c6728a9d150a111fdac8ca6f5a0ad3bb644b72b3336f6c39836004eea06ddc7dcf7bc1b30cac72a3d7f83ab2d7217ad4cd409b6e8ba1f0518

Download Submit
C:\Program Files\iolo technologies\System Mechanic\Microsoft.Win32.TaskScheduler.dll
Filesize
234KB

MD5
69f5b8f16afa0e00862f442401aed9ee

SHA1
3ba5a721be48a244b4fbfa5a54eaf0c33625648c

SHA256
bb9f7254ec7d7107a4cdc2f0b63e9f6bdfe28767060ff91b939cc12746e56d29

SHA512
eec8b816eecb07234c409057d2fc5ca89a942949ca4c6ed8179447723393fd0c88cd773d4e9ecbb568073013c0275ccd66307b94111e016d90f6444a772fba8d

Download Submit
C:\Program Files\iolo technologies\System Mechanic\Newtonsoft.Json.dll
Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Program Files\iolo technologies\System Mechanic\SDKModels.dll
Filesize
605KB

MD5
227496d4625550cce706115cf906f36d

SHA1
8231e2ea0011b256a88b980346666188247af488

SHA256
91c497726b569492b98395caa57b477bbd2c65f4c42e1fe30c3af9ba5a2900a1

SHA512
94f56091f1fff4ec50df9966a27a3bdb236d84b5c5df36addaeff41dcf6e04c897e60abf059e84b3125f4da1db04e43c9f536235fc698f71fc6cda00fb19c9a9

Download Submit
C:\Program Files\iolo technologies\System Mechanic\SMCommon.dll
Filesize
1.1MB

MD5
e9f3052507adc6cf89efe53ece95f8f9

SHA1
d28f3e0e39ab7728b20fc2c0bd3273a405cffec7

SHA256
2e384b2dddba1d836035f1ee61cf7547ea98c1cb1b9e4e3521e39c20fc48493e

SHA512
395f69d55ec6354c097d9977034fcfc1a9a7a8290a1d820bc930d896704b09ee737b5e662bad4d9218f89fcc19e3eba4e3f23bb43e87306ec7d31838bf92c2c5

Download Submit
C:\Program Files\iolo technologies\System Mechanic\SMInfrastructure.dll
Filesize
8.3MB

MD5
215e72b2bf69344c1fc931569cb68229

SHA1
cf35c255d22ccd288c86aa484aed2ecc4745375d

SHA256
e2c94041c282d7cd515c2cdd3a16ff35a9a7c1579b580c6c49629e2a996e91b4

SHA512
12c041e87c77d85eb55ce5ef3ea0362eba8575bc50ae1b35e261234e93f5d3f33493f59e2f53d97c20089b29ce55c20c1ed147da4e64d0861bcc3b518c94d5af

Download Submit
C:\Program Files\iolo technologies\System Mechanic\System.Diagnostics.DiagnosticSource.dll
Filesize
184KB

MD5
faef01b70b8e775a92d4b9e2383f2749

SHA1
a35b2fb5fb243319ac4c9b776dad416d76d3aeea

SHA256
c8a5ca93d8e40dafd48759226f70f90af8ccbc3a8df45d4e6fd5dc5626b05ab9

SHA512
c4b482e1249555f9dabbee97b030792617a250362aef175dfd9877a875808a9e91278ff6d3cfac04730a8e919095f01a4c27254a94191433704dbbd6d7a78ab8

Download Submit
C:\Program Files\iolo technologies\System Mechanic\System.Net.Http.dll
Filesize
193KB

MD5
e4b20eceadd0a1d030b407b02b913ebf

SHA1
bd1bfad57bbafe2b96fe72fd9fa791d5784290cb

SHA256
f48e85c97f8e473240db925d00ee871be9e2e7b684b313b911d5c2c14c47078a

SHA512
95b5819c9c27b123ff9c6a8a8703b6bd8857c006c67035d62c4ea58acda41266bc8a8c43847a010d28e4dd5195b04cf0d1dc409f0ce7d5bf59b36cd5d6845622

Download Submit
C:\Program Files\iolo technologies\System Mechanic\ToolKit.Interop.dll
Filesize
24KB

MD5
07bb9d8291df372f8fcb09fba6b6677a

SHA1
419ef1e3946318e40e4ddd51e517589b1c35282c

SHA256
caa770b60bb7c916722dff28625191264fa6fe34e758b8a89add20f919bf8efd

SHA512
0681e8d2065b37bfab7f8c1e65fff598c7e51eb066b33275dcdb48a81e0d346657b7dce069e0a2ec7cef5e272ebf69021dbef9199758342c08a707aba3682e07

Download Submit
C:\Program Files\iolo technologies\System Mechanic\ToolKit.dll
Filesize
9.7MB

MD5
75bedf466c5fd9e5982fee58d786fb2a

SHA1
8ba531159c1a943467c868a9ee1a2c9a49fc487b

SHA256
a8114261983ac5d6bd5f94f94949fdb78d47791d6ce0a15fd7d9301502c467f4

SHA512
1c918c2a60176cca07d2116ea0c63c86761450f23b098839a88a672cdcb2e003ab0fe5569186851348968abf37cfe7c6f1f6b48862fc219e121848c71325c54a

Download Submit
C:\Program Files\iolo technologies\System Mechanic\UIResources.dll
Filesize
6.5MB

MD5
de57cdf22c1868356f28ecc0dbdffa25

SHA1
50e448edc8360d99129ec5ac9f2a7c20feafd6eb

SHA256
0408e24b5a2fa97b3db42c66b9486b5562aa08b1ad26a19ec106ab87b7dc0147

SHA512
5426502a7c68b882c04e7c4f300b16217f01428a66fb8ab63536a6eca5ffb17366f16d0e8a27acc9928ad66538300ac11e50698fa7eb6694e7c2d96713a062a1

Download Submit
C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\release\win32\nfapi.dll
Filesize
164KB

MD5
ad6c6bd1a9f0436942468962f2c63aef

SHA1
879ccfe45e59a523980f5a2b73c0f6329ac67981

SHA256
9e8199987ac9a9601cd01af5c40ca30852b3c2d4e085fbb20415b44a254ad290

SHA512
6bdbdf5ed6753b1098dbaeaa6b666e28fcf263580d84e668946dd17801ef0676cc478170133b9436b3702f9c95cc9bd5ef9c0e56e54df6af5ac608f06e11d2bf

Download Submit
C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\release\win32\nfregdrv.exe
Filesize
48KB

MD5
92a6df47283b49b207045fa7a4502bc1

SHA1
718e9ff5f0fd9143de4f8fcf135d78165f991e9d

SHA256
d714695c9775bd7dbb1fa40882bbe03216acb3994b94514a68892454eada0358

SHA512
f2b08a4ae33e87a786fe25a2d902c8acb002faa4893a1f21d5608cbe070477af1b9c553c8960486a65089ad1e0be1491cb93cc60da9f3394c893525fa075d645

Download Submit
C:\Program Files\iolo technologies\System Mechanic\iolo.exe
Filesize
4.3MB

MD5
f80109a582e68b9748aec0de5d00a904

SHA1
fd3f14169c5d4e735ca904a39df530904afc8272

SHA256
0f8245266d778f3349eb12e63606c649424f586918e4ccc884b7917cf5ae4d86

SHA512
b9fb48d780676c79c5643bc832d65738dd9579a73ae9763bf56824d1eec2f2cb20c68e4d1b7696d8bb7a7bbb4a0deee6e5490cd1946d1f0cddb713ae3c750248

Download Submit
C:\Program Files\iolo technologies\System Mechanic\iolo.exe.config
Filesize
6KB

MD5
eb25751f1266178ab0542b4edb93eb92

SHA1
9f330bb64103929652a4a9ddc1ea8536bdaa44a7

SHA256
7c9f449599d7546d009e4650c77e177fb2e7dfdbe539fce842fd77a4534ee45c

SHA512
a93655790167bd5968ee45c16c882d4390eefebdc1ed264d88fc8372953e554a43c455f418d53b4cfeb110234d8781f0a21dcea485ecf4695cc5dffa4d364a48

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iolo\System Mechanic.lnk
Filesize
1KB

MD5
15204662b65196ddc289212fd75edb81

SHA1
0e7f33e5f585c31c3bddbbbb3be75f126364bd48

SHA256
863834615cce3515a3ec6397ed6827a67ef095b56c7ae7477d2ca8194e978d5c

SHA512
d39b73d363ececfdc31439b3517cf6cd91c66508a038c8723787c7d28a87158b937a790c6b34ca0bad2fdf913760a6ddaf024a7b89966fc431d29eb940310cd4

Download Submit
C:\ProgramData\iolo technologies\logs\bootstrap.log
Filesize
4KB

MD5
1076073048a7a391bafbfe4c6cdd770d

SHA1
37a2ce24b2ad8e7e73307adca08c7f7cafcf5851

SHA256
8a63eb374ea5325b061128cc757f360a2c88c0a07bc694566013fa0a6969915a

SHA512
f6037a191b2a92265d2c2e78a878055c3bfbf64e5e3c2d0687f0adff54c659545f50a625a6d70d66e019d4648cbccd901d3e1e072a05794555d174e0446f34f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1
Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
55620025de775077660eb317e42af772

SHA1
a796d64c62b513e598659dc2837bb83abb10f469

SHA256
f786fd34aa912e503fe876cce1441ed76bcad171b7fefd27f177cda52667d3d5

SHA512
0c19fab1a3166bd1fbee23d780ef553af5d0252bf8037b6e4f826a3313d72e8b5705e094f2db603645e4cd9ef4fe9b1a3bd6fe6bed4a4b73428f29657419e95c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
e03c3ba8539143b6cfce640bcf0451b8

SHA1
154ac628a3c6808bb1d5badf3d615028ab1f9c46

SHA256
adc1b2f25a7d17d5fa2c02925ca271b00fa7eb165be516dbaba9fd8533ca9245

SHA512
ed4b07a9508aee1664ccf416a6d08ffb16c93450324ff9c9683dd3319265b82af2e2186436f060b172aaf51376114630a20fbd1c14bce748d1db004cf317dcd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
04db4adf1cf5e8e6b0da3497b2be588c

SHA1
e82567d12113c0c4fb0aeb6d39cbad33cfb03090

SHA256
549e61ebff6f09caaef039bc5299dac26c14727c8a46c6e7651d2976f4bafac8

SHA512
edb841868e3e4469f2f8319d675a214229dc1a59a938568784eec1d9be0a6cfe0999a8b77db0d5cd6e948f352f1ecb421de8a0fe9afa173ac423d02f4debb377

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
053baacc43f493a67a743b8e7cc34d5c

SHA1
21d979038e53c7d6de04b06f2ba19699d7107737

SHA256
df91df493d864211a283b62bebc124547f7bf7872765707038d4e7e4d2982080

SHA512
e17eb364719ef4375cbc670e6119473f6cc391750f06e0987a99ab452edb6c5a454049d271e0d3faad2d3d8ec7ea8f8010d83a3ac1da4b127038059b9b70b63b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
b377651f680a0b60b9a90da421e9c21c

SHA1
a8319901ead4eb42bc3586ed1065c6ddfc8a8d9f

SHA256
79a456131b2a352cc48331e3f637ea674ea523191791c5e302ad1ac00d9d52b3

SHA512
8ca9e3598807d559f5fc2672ef30a1f90243a013982b7295265edbb9b08d6fd91120a8bb14568400c2c8c1ec5fa34bcd24c8259f8aec0fff6a9ac9b6c714a293

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
7b5b8a2b28449ab4c24b2aa2a3569adb

SHA1
2103217965d6f2dfec2733a499e120277776feae

SHA256
e5ea7983e00f08249ed0f13df300bdf45a1725c792adfbc8088c64b29af60e55

SHA512
0983fdc75d1c7a5e43722d7d234833a2551bfa37a84ab82c8f332211cfd3626e7e143a6d50ff73c393a2d7c1ec0c041d19d2eb5ffc2ffc6ae745f5b1d71993eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
a3e25a160bdbb25a9e7db07394fba4dc

SHA1
6abf891fede457a51ac0f4a1700bdc48797b9d36

SHA256
e495b7d2de5b5c683a558f9406653b9aa05162eea2fbb32266f119117ffb7821

SHA512
1775d24f9d8131dfcabff2887f3941d5d02c1161652cd4f4736bc3d8e5f34d1f31f5a347b4c32a8a540446204acc0d40236356b5a4c4c8636f23ae6bd388312c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
90027af3bace8ad70157193412ba40e9

SHA1
3dc9804248c3340cdfe322ab7247a18b42e8958d

SHA256
389c6b8f2398e25f1a5020e80dc5a169dff8d6e40f7783889ca86a88e1ec91d1

SHA512
53a93b892025af47dc8b901c250431b60153573fa3944faf0fe5dff05f7705f01edfe51303d4161b550ce81119ac7f5e7275213303f4ce7a955a07c79995c1d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
359ebe5453e06bb6396780627598e44f

SHA1
0640b8cf69ab0b6fe801aacfa31c0b3dfa302002

SHA256
7ca777263ca1ae72147fa21f3e8b0331772a7bb383413c4bddc358f4189b8bf8

SHA512
29dfcee472e3d0bc53f6d5085dfe15d8a1ebae172e07632d4ef7896fa4b7476da50d79cf32542b4d30ce0d026ef86e38278b6039fa1331440f1fa9587454060a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
d163604c895d18c40e768e7f8f16e267

SHA1
b729370f69cf7c35f8f9eedea6082b86a010232e

SHA256
fe0de27f6a152d1b24a57c455e6beacd484c67da9e88d525dfc9e176e506fd22

SHA512
fdd352ae454e2faf0351c3671d0c0be9722bb32ae8fe11657fbd212c5888d8160421598dd83b305b5c02cd3a0cff9ff3eda14b83726037ff1d60c453b5428019

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
3d17a214bdd55796f54623642643015e

SHA1
8f0602fbcc3a6a92c0cce3b002ef51a7d1e6edb6

SHA256
9d85f15cc39410b3a20e4553a6cb65687531979277714cf5c29065f4dbfa1093

SHA512
ef4db9b0946ac28ce6b48b9b84f8dc7d04b91637acab8fa091e9bf7b8e61b8f4d519f27cce5682a967a774319582a76d71cbd802bd67c4b493e53d3d6bcdd2ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
bd8fde961e52639e0f8a067a5e5727d0

SHA1
5ac29141df64b013f8bc64dc446269ba55c251c6

SHA256
3309641b25d42788934e78c2016183db66545be587f91fb23babd8a6b4b0ebb9

SHA512
40d23203a677f1a927c63298979d8cdc6e92707b4d3c42022aa4233eeda9a97a9dfeb512f150e0116b811b10aa350daa9ea203d8e2d70430eed462633c63ad71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
35fc15bbbe8369ede682a9df674263e9

SHA1
4d1f022bf7bc1232e78a571bb568c00f8271d58a

SHA256
9e07a98d8ada0af7afeafdc97f5987d0eb16983b28fcb11f7cb4714e19b36432

SHA512
6b32d5e22f702c9cb63ff4c4d6d111da44e0d9d2a36aaf0ea0b708eb497444a7ce6a92415d7aa885a1c31d6d67cee7f7af65d19ed9b314345524c867a072807f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
325d6665e0a739c484f223d6a7ab6388

SHA1
f54747ee14c89e5beaedf8369af995e1e8cdf077

SHA256
2a5eea6b92e0e31110eacaf0092b42a264bb893eb67c76ec04f98b2595229faf

SHA512
67baca7c5cf16870d9f479f21da811f43cb0cc7874b60ddce9697694f8c209cc143064244a72e8a0a7eebbd2b96b2bbc057a1f0d02aa2d86aec59cc8465c1e2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
076732095bf2b37a2a01337ad7e79e39

SHA1
482517d81bfcdd22cabb949901719bf38e793bd7

SHA256
dfbac870eb4913e22599bdc0c9a95a54774d0b49d868be17141c7dcf868b034e

SHA512
9d48b53b395a3e85e2c3104e2e747394f1e844bad7fe8342a8796790b463862c2b74f3cbb5cdfc40f48ab44184e252829a8fd80f9c9c4c4450757a96ef31c4cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
354a618eb2544fb70e50dfd41f95a79f

SHA1
0bbcf5de3a33edb62b8c10c9b205a6c85801850a

SHA256
46627b92abf13a2ead8535ed9f49482dda89deabc85b469904d714d897f61d37

SHA512
d677957748eb6f60ede632222ada922612e924b46ea839bee38500d5251e22ac6ec7831f2dbab04dd991863e0018837eed3f7c5ab5ee910c6db512a94e02209b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
be1888f124f2e15da3b79e04f14c5888

SHA1
df09885763f84e6e41c62afd92035710eb8cf8e7

SHA256
94ab7d0797c4af37be7db78ffa182fa9fcbcd7d385f5aa2e1a6608bf34657121

SHA512
8942de01c79870010825c2037fb3da4d2a5fa58226acc653baf4a7318637ff2966ae68f62225a81e92057a8c984612729dfb1e5a2eac850a7b7742080d3ad11d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
b27fc88ea3b27e8b36a7ea6d4fead49b

SHA1
d31b083273f2b2011700ab0ecb837345157d9bf3

SHA256
c09117c8a65459b053354714daef7bad925957f2b0ab7eee7e5e05212e040f96

SHA512
f679063269c7a9850f1a1c16f502294029bfc26c0de2d7a876baa6add53e6a048289f875c276d6726a778becce5ebaf33f00743ee3d6f05c3e6925271e781989

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
643a90ac3b07b0a6d5889ce5061f8f87

SHA1
f7d8259118b028fb469584cfaf0104eac990f782

SHA256
0f1b4c4f099da5bc74f5f1e1e6595b8d581760086930808be2e0823aefbbd169

SHA512
ce8a86359f498f4bb71da7b0f9c76569167eeadbcb52bbb565160e3347acfce891265ff0536fe5b3352e752847bcb94c09d2c05dd8483576fa38e4c4a1b7ab48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
1f0e02cc7694a44b768fc36c563316b5

SHA1
bc0372a83b5ea383893733bf5d51e9e36bef9f65

SHA256
a1ce553d6f83f7e593763d4d7f3ccc11ac7fe6b43b1c9e49bda86a651eb1ca4d

SHA512
b94c0c212014fb1e4cce5579dee616f4ec697f92dada37c4c20e5628cdc1a8647376a6ace41da2a5f8971af716bb34fe73d371b2be7cb7de8675081df95bb1cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
b19c3c1e7b4c75c350b3b64e77c7456d

SHA1
3a6333b04834525d628de56bfff61eae9e21d56b

SHA256
91011b8e8050fcabeee4a114661341524db0d19f35df3b4068d0cd89babd17be

SHA512
723e9caaf20eec8cc550d0bf72e91c118a62acce477cc8f202c78753017dc6db4aaafbd27adff8d33f0fc65fb1588a8a0228d3f39dd79b392cab90ca183f29cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
f1d2855c4d22793b33817fb7e1a7cbfe

SHA1
96a45b5778353ba6b89d1fc643d27d62086d63b3

SHA256
5616a40f9aef2ac06a3f9d899e5942774bf8dfe33c18a938a324dbf306d1dffb

SHA512
d611a148058eadb87ac4bbd540f28293c09f5d0165355d9e572d4f3e0f9b343f66792cb87101cf5be0d5ad8975ec8f3b1ed9cc605e7f7e652d16e1d9b16055d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1
Filesize
242B

MD5
3c77a61dd8d6ea76adc924098797c4e8

SHA1
e9fbe0d7e21e75db88560172549a383f285e8458

SHA256
1ed47caf4f8233304d75cc212d736307da2a530f496f35efdc962adc530b92e8

SHA512
b2660107ed64c13843e87a59acf906bc3c338c5a20d06c424a1c82fc56e97d4ebf744d4e5486a3a345ab5568965e411279ca2686d34ef396e87d4adc19cb238c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\252e99e709753c2ab04b66e213ab7d72cfdb494a7016e07d23bc17fe7cebab94\f7035d6e57324e53a84cb6b5e8088211.tmp
Filesize
1KB

MD5
232c4e75c275ea407ddfa42d274e8b97

SHA1
2943fe3dc90beb3a86a7dc0404902c15879782f3

SHA256
0e95476e08986d5c2f8e2e190a8b0afa885cf466f2d00fc94e9b6ed242b235ac

SHA512
4d288d3b2e6697dedc3b2bfb9cde892faf8a44441900c3ec29319be3c4a9c592fb8dcee3d1fdb3b1246ed26a780554d481a1a48d1a851899a575b4ba5859397c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\9ef951303b25918b8ee62a4bc58552e0c98738a9fc6059c2173a5edb6f882909\4a20cba8d3074a12bdb48f6e86b3d91f.tmp
Filesize
1KB

MD5
a690f6ae1cd40a07fd04f7b32aaa41ea

SHA1
97ebf3f630acae3c6f00b53d9f0ad44af28e445e

SHA256
b861d1ac9ced5964effb7fd006666d4032f4c1e2350d68167ace15c182a138e0

SHA512
3402b7bba03d104304591b6e599f99d443f973395a902bd6a4c1a60cc0d1a0442a60335909c2e3089a76516ea0927c41cb4f0190cb3d2dc6f1ea9e1b6b5bd63c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\9ef951303b25918b8ee62a4bc58552e0c98738a9fc6059c2173a5edb6f882909\squkz5be.0eg
Filesize
1B

MD5
93b885adfe0da089cdf634904fd59f71

SHA1
5ba93c9db0cff93f52b521d7420e43f6eda2784f

SHA256
6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d

SHA512
b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC0D1.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC0F6.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\U26O1~1.ZIP
Filesize
3.7MB

MD5
78d3ca6355c93c72b494bb6a498bf639

SHA1
2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e

SHA256
a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001

SHA512
1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\b53efc4d
Filesize
1.4MB

MD5
6c7576d1950148df1e5aa972bf13f9fe

SHA1
512d1f30796051e951a763f0b9eb63cf9ba492d4

SHA256
06f1cf8dc45f9301ac6fddd436cc7d8dc12a9b05182346918682d6c67555a75f

SHA512
50c44767f852d864d7bebace9ce2a49ad55c1ea77839b5a60b6ad53f48984f8001a6c3aac67030f9e319e7d0c52694606e51d59fcd7f64405713e16b8b9d18da

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
2KB

MD5
29f148381007b2f1d5c19aad276e47f6

SHA1
546982b91458dd07a440d1a2a14473ddfe7cc183

SHA256
e99796f16e9e10b05f274c379926c6276b3484ee3bcfa6b7507eab5bc876676c

SHA512
6e5685fe0d4a6c721d01af8d0fe27bf660b2cb01ec4311be9d8814d539ab30fe76574ddb3bdadc807689f1df18d54710dd1a12b6b733a0403ade92085f176391

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
3KB

MD5
1d5a2e063b1a1107539720364632492e

SHA1
f1ef5b70aa2e2ec928d0fe61804cae8fdb7533f5

SHA256
934fcd10625ae5ef0fa9d818b384a0a953075487895f817e559f212b57d050a8

SHA512
ec8ac974d4d493c4ce4add1ccacef3437014adbb67aa4c403f39db056418b20f7d30653d5c40f8c8094bb0c51b95958b3c199b4dc40f9086317f87633f82d4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgvEE63.tmp
Filesize
2B

MD5
c4103f122d27677c9db144cae1394a66

SHA1
1489f923c4dca729178b3e3233458550d8dddf29

SHA256
96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

SHA512
5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9DA7.tmp
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\u26o.2\UIxMarketPlugin.dll
Filesize
1.6MB

MD5
d1ba9412e78bfc98074c5d724a1a87d6

SHA1
0572f98d78fb0b366b5a086c2a74cc68b771d368

SHA256
cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15

SHA512
8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u26o.2\bunch.dat
Filesize
1.3MB

MD5
1e8237d3028ab52821d69099e0954f97

SHA1
30a6ae353adda0c471c6ed5b7a2458b07185abf2

SHA256
9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742

SHA512
a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\u26o.2\relay.dll
Filesize
1.5MB

MD5
10d51becd0bbce0fab147ff9658c565e

SHA1
4689a18112ff876d3c066bc8c14a08fd6b7b7a4a

SHA256
7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed

SHA512
29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\u26o.2\run.exe
Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
C:\Users\Admin\AppData\Local\Temp\u26o.2\whale.dbf
Filesize
85KB

MD5
a723bf46048e0bfb15b8d77d7a648c3e

SHA1
8952d3c34e9341e4425571e10f22b782695bb915

SHA256
b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422

SHA512
ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

Download Submit
C:\Users\Admin\Desktop\System Mechanic.lnk
Filesize
1KB

MD5
a012d3f6762d0584b3bb03aea4ef3668

SHA1
74ac7fd438b1aae242cda9f5b153123f5275b84b

SHA256
39d408356dd9f7d15fff0e06e86bbd1c56aeed6cc535aa50596f6cd6efa77f8b

SHA512
110a6ac3e7a09b50580dc6e9a80554070be6e26b87a1482370e348c997fe6bbdf2e7b5f7fa670959341a325a05a2a8769bac0150c02bbb2d89268e04107d775f

Download Submit
C:\Windows\System32\drivers\pgfilter.sys
Filesize
76KB

MD5
570dd0b08099a433e647b61ebda329b2

SHA1
9cc5492b6ada7d23151a8ce4b0ab7f069a619fd4

SHA256
119601631ccb44c47472c7085b7d3dec6389bb0937032113e023b41de91abdeb

SHA512
60b36fb14baf37f1862d46db1b569e7e59da3dc106b3f650953589f2ac80885867b359723ca6f0618c7549fbaefe62c7b8dbb5e793190418f06d146b24bf6183

Download Submit
\Program Files\iolo technologies\System Mechanic\Incinerator.exe
Filesize
4.0MB

MD5
47540ca81b17e31406abe52ecfa1c264

SHA1
677743a6288b149be0d518e9a444f5eafb11d470

SHA256
c1458aac3b601bb1fe84cfe3ef590383526a3e19ef7c3b5b8f40cd7295353e22

SHA512
b3af9deced301502312b9efbe9902b56e6324b41a6dfcb887c45f6cbb55918fc93ba976a6f8ca04c513b8c1804111f7d45c564390a09651881c308449ac871fc

Download Submit
\Program Files\iolo technologies\System Mechanic\WWSDK.dll
Filesize
93KB

MD5
22365d63bbdf0d58797348fdba509ec7

SHA1
f3f3dae811810c81643c9d16455ca206f3560e2f

SHA256
70b0641e69ab1f265d429bba2ad288bb8c369804fa4e1d5ece1544865ae4ba75

SHA512
abe33a2b1d358d26f9d1ae6fb2837d845c68710b7c579cba41ccfbeca2cc6a8bffac077428522aa56afa5db8f1a4d9f1162c06bbdf298e34e71c7eb784c535ea

Download Submit
\Program Files\iolo technologies\System Mechanic\defrag.dll
Filesize
340KB

MD5
d78a395b6fbef1c998d037a9e2b68e8b

SHA1
e75951a69bfb8354c5f5c4d38f2d1e7ab2474061

SHA256
ef4317a2b232bb08ca294e2ba3a46b0c4ffaaff503d6393db5b2825cd01099a4

SHA512
831ced8091484f2f905df2d5c29920a43c991620e5f73bbbb57ec2117f4e55bb36e9bdc13905c2ffda3bb2cf105076b5b44dd1807680f7008fc8195697f0c6c8

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\u26o.0.exe
Filesize
302KB

MD5
fff0b72b805f8622530d454d3ffe4e40

SHA1
57900c51fdd51436d554e81c7febb9d202e1eb8b

SHA256
c032e2b1c04b5e2b9bc3ae439e75b993d1e3e03163ac6e589a50cec3745fec7e

SHA512
787eeb8e1184643711ab5a95adb297d9f35c49ad45b81cfe3e4c615067e7de0aea72bdcc452fe6bd9b4f9aebab63e4f5e03437f26dda24b39cddb834e4f65c42

Download Submit
\Users\Admin\AppData\Local\Temp\u26o.3.exe
Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
memory/540-226-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1328-278-0x0000000005C30000-0x0000000005C54000-memory.dmp

Filesize
144KB

Download
memory/1328-281-0x000000001E6F0000-0x000000001E7A2000-memory.dmp

Filesize
712KB

Download
memory/1328-274-0x000000001EDF0000-0x000000001EF00000-memory.dmp

Filesize
1.1MB

Download
memory/1328-251-0x0000000000BC0000-0x00000000044B8000-memory.dmp

Filesize
57.0MB

Download
memory/1328-302-0x0000000022C00000-0x00000000259EE000-memory.dmp

Filesize
45.9MB

Download
memory/1328-301-0x000000001EF30000-0x000000001EF38000-memory.dmp

Filesize
32KB

Download
memory/1328-300-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download
memory/1328-280-0x0000000005C60000-0x0000000005C8A000-memory.dmp

Filesize
168KB

Download
memory/1328-296-0x000000001E310000-0x000000001E31C000-memory.dmp

Filesize
48KB

Download
memory/1328-275-0x0000000000550000-0x0000000000560000-memory.dmp

Filesize
64KB

Download
memory/1328-292-0x0000000005CA0000-0x0000000005CAA000-memory.dmp

Filesize
40KB

Download
memory/1328-1389-0x000000001DF40000-0x000000001DF80000-memory.dmp

Filesize
256KB

Download
memory/1328-293-0x000000001ED80000-0x000000001EDA2000-memory.dmp

Filesize
136KB

Download
memory/1328-290-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download
memory/1328-284-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/1328-276-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/1328-291-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download
memory/1328-277-0x00000000006D0000-0x00000000006E4000-memory.dmp

Filesize
80KB

Download
memory/1328-283-0x00000000004F0000-0x0000000000552000-memory.dmp

Filesize
392KB

Download
memory/1328-288-0x000000001FF10000-0x0000000020210000-memory.dmp

Filesize
3.0MB

Download
memory/1328-282-0x000000001E190000-0x000000001E20A000-memory.dmp

Filesize
488KB

Download
memory/1328-279-0x0000000005B20000-0x0000000005B2A000-memory.dmp

Filesize
40KB

Download
memory/1336-2425-0x000000006A300000-0x000000006AD4C000-memory.dmp

Filesize
10.3MB

Download
memory/1336-2411-0x0000000001300000-0x000000000167C000-memory.dmp

Filesize
3.5MB

Download
memory/1504-172-0x0000000000400000-0x0000000001A17000-memory.dmp

Filesize
22.1MB

Download
memory/1504-23-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1628-1525-0x0000000000200000-0x000000000065A000-memory.dmp

Filesize
4.4MB

Download
memory/1628-1527-0x000000001BB20000-0x000000001C1A6000-memory.dmp

Filesize
6.5MB

Download
memory/1628-2497-0x000000006A300000-0x000000006AD4C000-memory.dmp

Filesize
10.3MB

Download
memory/1628-1774-0x000000001C2C0000-0x000000001C2E4000-memory.dmp

Filesize
144KB

Download
memory/1628-2426-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/1628-2376-0x000000006A300000-0x000000006AD4C000-memory.dmp

Filesize
10.3MB

Download
memory/1628-1772-0x000000001D630000-0x000000001D6AA000-memory.dmp

Filesize
488KB

Download
memory/1628-1803-0x000000001CF70000-0x000000001CFA2000-memory.dmp

Filesize
200KB

Download
memory/1628-1529-0x000000001C1B0000-0x000000001C2C0000-memory.dmp

Filesize
1.1MB

Download
memory/1628-1533-0x000000001C680000-0x000000001CEC8000-memory.dmp

Filesize
8.3MB

Download
memory/1628-1915-0x000000001DB20000-0x000000001DB52000-memory.dmp

Filesize
200KB

Download
memory/1628-1559-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/1628-1913-0x000000001C550000-0x000000001C572000-memory.dmp

Filesize
136KB

Download
memory/1628-1531-0x000000001C3F0000-0x000000001C48C000-memory.dmp

Filesize
624KB

Download
memory/1628-1923-0x000000001DD00000-0x000000001DD40000-memory.dmp

Filesize
256KB

Download
memory/1628-1544-0x000000001CED0000-0x000000001CF6C000-memory.dmp

Filesize
624KB

Download
memory/1628-1537-0x000000001C490000-0x000000001C542000-memory.dmp

Filesize
712KB

Download
memory/1628-1924-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/1628-1925-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/1628-1930-0x000000001DE90000-0x000000001DEAA000-memory.dmp

Filesize
104KB

Download
memory/1628-1929-0x000000001DD40000-0x000000001DD4E000-memory.dmp

Filesize
56KB

Download
memory/1628-1928-0x000000001DBE0000-0x000000001DBF8000-memory.dmp

Filesize
96KB

Download
memory/1628-1539-0x0000000000AA0000-0x0000000000ACA000-memory.dmp

Filesize
168KB

Download
memory/1628-1932-0x000000001DF40000-0x000000001DF4E000-memory.dmp

Filesize
56KB

Download
memory/1628-1933-0x000000001F0F0000-0x000000001F140000-memory.dmp

Filesize
320KB

Download
memory/1628-1934-0x000000001DFA0000-0x000000001DFA8000-memory.dmp

Filesize
32KB

Download
memory/1628-1935-0x000000001E050000-0x000000001E05C000-memory.dmp

Filesize
48KB

Download
memory/1628-1936-0x00000000214F0000-0x0000000021686000-memory.dmp

Filesize
1.6MB

Download
memory/1628-1535-0x000000001AB70000-0x000000001ABD2000-memory.dmp

Filesize
392KB

Download
memory/1664-719-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1664-718-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1664-714-0x00000000722F0000-0x0000000073352000-memory.dmp

Filesize
16.4MB

Download
memory/1664-894-0x0000000000180000-0x0000000000246000-memory.dmp

Filesize
792KB

Download
memory/1832-2434-0x000000001ABC0000-0x000000001ABCA000-memory.dmp

Filesize
40KB

Download
memory/1832-3065-0x000000001ABC0000-0x000000001ABCA000-memory.dmp

Filesize
40KB

Download
memory/1832-2435-0x000000001ABC0000-0x000000001ABCA000-memory.dmp

Filesize
40KB

Download
memory/1832-3066-0x000000001ABC0000-0x000000001ABCA000-memory.dmp

Filesize
40KB

Download
memory/1832-2432-0x000000001B280000-0x000000001B288000-memory.dmp

Filesize
32KB

Download
memory/1832-3505-0x000000006A300000-0x000000006AD4C000-memory.dmp

Filesize
10.3MB

Download
memory/1832-3627-0x000000006A300000-0x000000006AD4C000-memory.dmp

Filesize
10.3MB

Download
memory/1832-2431-0x000000001BF30000-0x000000001BF56000-memory.dmp

Filesize
152KB

Download
memory/1872-1375-0x0000000000F80000-0x0000000001387000-memory.dmp

Filesize
4.0MB

Download
memory/1872-1376-0x000000006CA70000-0x000000006D4BC000-memory.dmp

Filesize
10.3MB

Download
memory/2040-212-0x0000000073C40000-0x0000000073DB4000-memory.dmp

Filesize
1.5MB

Download
memory/2040-158-0x00000000770C0000-0x0000000077269000-memory.dmp

Filesize
1.7MB

Download
memory/2040-152-0x0000000073C40000-0x0000000073DB4000-memory.dmp

Filesize
1.5MB

Download
memory/2340-2373-0x000000001AA00000-0x000000001AA0A000-memory.dmp

Filesize
40KB

Download
memory/2340-2775-0x000000001C610000-0x000000001C61A000-memory.dmp

Filesize
40KB

Download
memory/2340-2375-0x0000000022BD0000-0x0000000023376000-memory.dmp

Filesize
7.6MB

Download
memory/2340-2374-0x000000001AA00000-0x000000001AA0A000-memory.dmp

Filesize
40KB

Download
memory/2340-2490-0x000000006A300000-0x000000006AD4C000-memory.dmp

Filesize
10.3MB

Download
memory/2340-2190-0x00000000013C0000-0x000000000157A000-memory.dmp

Filesize
1.7MB

Download
memory/2340-2491-0x000000001AA00000-0x000000001AA0A000-memory.dmp

Filesize
40KB

Download
memory/2340-2492-0x000000001AA00000-0x000000001AA0A000-memory.dmp

Filesize
40KB

Download
memory/2832-2-0x0000000000310000-0x000000000037D000-memory.dmp

Filesize
436KB

Download
memory/2832-187-0x0000000000400000-0x0000000001A3C000-memory.dmp

Filesize
22.2MB

Download
memory/2832-188-0x0000000001B00000-0x0000000001C00000-memory.dmp

Filesize
1024KB

Download
memory/2832-1-0x0000000001B00000-0x0000000001C00000-memory.dmp

Filesize
1024KB

Download
memory/2832-3-0x0000000000400000-0x0000000001A3C000-memory.dmp

Filesize
22.2MB

Download
memory/3016-1393-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-2417-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-1769-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-2418-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-2493-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-2494-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-2495-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-2496-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-1770-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-2433-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-1392-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-2378-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-2377-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-1938-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-1939-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-1937-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-1940-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3020-499-0x0000000073C40000-0x0000000073DB4000-memory.dmp

Filesize
1.5MB

Download
memory/3020-227-0x00000000770C0000-0x0000000077269000-memory.dmp

Filesize
1.7MB

Download