Analysis Overview
SHA256
83d3a2141aba68df2861190d239f7b72ef342605c242489a7a0aa83526af0b1b
Threat Level: Likely malicious
The file rmeinstaller.exe was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Modifies file permissions
Enumerates connected drives
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
Drops file in Windows directory
Loads dropped DLL
Checks installed software on the system
Drops file in Program Files directory
Executes dropped EXE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 14:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 14:15
Reported
2024-06-20 14:20
Platform
win7-20240221-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Possible privilege escalation attempt
Modifies file permissions
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\madiface_usb.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FA4.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FB6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\TotalMixFX.chm | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\madiface_usb_asio.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FB5.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FC6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FA2.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FA3.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FA3.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\madiface_usb.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FC6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\TotalMixFX.exe | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FB5.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FB6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\madiface_usb_asio_64.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FD9.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FD9.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infstor.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\madiface_usb.inf_amd64_neutral_7763194d4a920f2e\madiface_usb.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FA4.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FD7.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\madiface_usb_64.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FD8.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421} | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FA2.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\madiface_usb.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\madifaceusb.exe | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\INFCACHE.0 | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FD7.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FD8.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\madiface_usb.inf_amd64_neutral_7763194d4a920f2e\madiface_usb.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~1\DIFX\4A7292F75FEBBD3C\dpinst64.exe | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\INF\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f762bd9.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f762bd1.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f762bd6.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2D69.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3B8F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\DPINST.LOG | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| File opened for modification | C:\Windows\INF\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f762bd1.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f762bd4.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f762bd9.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f762bd4.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f762bd6.msi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rmeinstaller.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d\52C64B7E | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication" | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0918C00-B056-4087-88DF-817F245868B2} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0918C00-B056-4087-88DF-817F245868B2} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32\ = "C:\\Windows\\system32\\madiface_usb_asio_64.dll" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32\ = "C:\\Windows\\SysWow64\\madiface_usb_asio.dll" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rmeinstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rmeinstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rmeinstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rmeinstaller.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\rmeinstaller.exe
"C:\Users\Admin\AppData\Local\Temp\rmeinstaller.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-file-l1-2-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-file-l1-2-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-file-l1-2-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-file-l2-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-file-l2-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-file-l2-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-localization-l1-2-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-localization-l1-2-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-localization-l1-2-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-processthreads-l1-1-1.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-processthreads-l1-1-1.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-processthreads-l1-1-1.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-synch-l1-2-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-synch-l1-2-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-synch-l1-2-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-timezone-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-timezone-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-timezone-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-conio-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-conio-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-conio-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-environment-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-environment-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-environment-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-filesystem-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-filesystem-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-filesystem-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-math-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-math-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-math-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-private-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-private-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-private-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-process-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-process-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-process-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-string-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-string-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-string-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-time-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-time-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-time-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-utility-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-utility-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-utility-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\concrt140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\concrt140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\concrt140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\msvcp140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\msvcp140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\msvcp140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\ucrtbase.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\ucrtbase.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\ucrtbase.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\vcamp140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vcamp140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vcamp140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\vccorlib140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vccorlib140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vccorlib140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\vcomp140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vcomp140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vcomp140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\vcruntime140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vcruntime140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vcruntime140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-console-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-console-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-console-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-datetime-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-datetime-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-datetime-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-debug-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-debug-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-debug-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-errorhandling-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-errorhandling-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-errorhandling-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-file-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-file-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-file-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-file-l1-2-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-file-l1-2-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-file-l1-2-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-file-l2-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-file-l2-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-file-l2-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-handle-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-handle-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-handle-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-heap-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-heap-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-heap-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-interlocked-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-interlocked-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-interlocked-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-libraryloader-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-libraryloader-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-libraryloader-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-localization-l1-2-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-localization-l1-2-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-localization-l1-2-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-memory-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-memory-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-memory-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-namedpipe-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-namedpipe-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-namedpipe-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-processenvironment-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-processenvironment-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-processenvironment-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-processthreads-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-processthreads-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-processthreads-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-processthreads-l1-1-1.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-processthreads-l1-1-1.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-processthreads-l1-1-1.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-profile-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-profile-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-profile-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-rtlsupport-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-rtlsupport-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-rtlsupport-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-string-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-string-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-string-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-synch-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-synch-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-synch-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-synch-l1-2-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-synch-l1-2-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-synch-l1-2-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-sysinfo-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-sysinfo-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-sysinfo-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-timezone-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-timezone-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-timezone-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-util-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-util-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-util-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-conio-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-conio-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-conio-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-convert-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-convert-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-convert-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-environment-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-environment-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-environment-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-filesystem-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-filesystem-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-filesystem-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-heap-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-heap-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-heap-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-locale-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-locale-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-locale-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-math-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-math-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-math-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-multibyte-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-multibyte-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-multibyte-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-private-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-private-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-private-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-process-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-process-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-process-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-runtime-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-runtime-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-runtime-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-stdio-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-stdio-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-stdio-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-string-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-string-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-string-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-time-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-time-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-time-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-utility-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-utility-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-utility-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\concrt140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\concrt140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\concrt140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\msvcp140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\msvcp140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\msvcp140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\ucrtbase.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\ucrtbase.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\ucrtbase.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\vcamp140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vcamp140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vcamp140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\vccorlib140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vccorlib140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vccorlib140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\vcomp140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vcomp140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vcomp140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\vcruntime140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vcruntime140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vcruntime140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "reg add "HKCR\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32" /ve /t REG_SZ /d "C:\Windows\system32\madiface_usb_asio_64.dll" /f /reg:64"
C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32" /ve /t REG_SZ /d "C:\Windows\system32\madiface_usb_asio_64.dll" /f /reg:64
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "reg add "HKCR\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32" /ve /t REG_SZ /d "C:\Windows\system32\madiface_usb_asio.dll" /f /reg:32"
C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32" /ve /t REG_SZ /d "C:\Windows\system32\madiface_usb_asio.dll" /f /reg:32
C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe
C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2bea9706-0008-17ad-21af-25066406615c}\madiface_usb.inf" "9" "64c0b64fb" "0000000000000494" "WinSta0\Default" "000000000000054C" "208" "c:\users\admin\appdata\local\temp\rme"
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{09424254-84cf-3d01-8284-b41c01e78567} Global\{3895c1a3-9e0e-42a2-7821-6635955f0614} C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\madiface_usb.inf C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\madiface_usb.cat
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C4" "00000000000005C8"
Network
Files
C:\Users\Admin\AppData\Local\Temp\MSI62b64.LOG
| MD5 | 61f7f711eb7bc9241ee25ed7a88df58a |
| SHA1 | ba4d1e08c3c0024dea053a1ee784d05b4bb53e31 |
| SHA256 | f1a9878c328e1766b1f551324f89961c8a1eed14aa4b58a46023caf0e4485617 |
| SHA512 | f16a95d652c15a2e8ec01a4a4cf54a579dae376b1e5702061c332cde2a1f716ebee1d327b373c71c2929e3b15dd33b56645c5873cfff5d08cbb060cdb92d55d3 |
C:\Users\Admin\AppData\Local\Temp\rme\vc_runtimeMinimum_x86.msi
| MD5 | 9296d67466d3e8c8d73adb4fcdd1608a |
| SHA1 | 666d56b4d0ecb2e874659734785a2084fdea73ba |
| SHA256 | bd71d622f9bd0f3fdefda68172a8c755bda611b175b94fc07d7f04be1dd6b15e |
| SHA512 | 26a32a4b4bffef0e12cab0460ba70454f446674c494036a2c18124ebdd6635d91af1101e7e9efe6dcc2fc94f2d44033c752d1700c0e6c4bcd78b6488ccacfbbb |
C:\Users\Admin\AppData\Local\Temp\rme\cab1.cab
| MD5 | 5cfc93ce6a0ab1e16277b124c75819fd |
| SHA1 | 561485b8d24c7d9658f25ac70c45eda22cdb9068 |
| SHA256 | d1577594a0ed06811d5b3ba09107eef8a7544aa348ad3410472a95968904e4c6 |
| SHA512 | c8c8b241c3f7858a929b466ee78755f1f1d2f6e2b993b0148e87c12e6b5f15fa38715ada3307caaf5b1fb70d5ef08429ee2eb437a3aef9e1a11783ee8c8a5329 |
C:\Config.Msi\f762bd5.rbs
| MD5 | 59b55b86acd9814bab75dc6d6a9e1b32 |
| SHA1 | 690d2d1c816973d412ffb2c9a40ccd079d169e61 |
| SHA256 | 47a1a5ea2f1842368073b0a2fcb0217b482f949b2b94374ec435942557613f73 |
| SHA512 | 4bac4fe7e8b40a34fc2e05c9c2d8c264559f94cf11759ff16f84bb0dc9707c2c2aca93db5173fb382acbf3c8c10a6902d0ef4eb04960728d96cf9ee3a70d2292 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-console-l1-1-0.dll
| MD5 | 46744df7776add8bf4d9531c889d83c6 |
| SHA1 | 0240933e1eaf57e8f21f44dc5e4115a20e3cb472 |
| SHA256 | 6b4b0bcd8044bcad603fb023cd91622ee3c442a378619b92289d47438134f05e |
| SHA512 | 560b5575db307eab3d1be39dad0307579e74e34ae1b36e9914607df5fdd98b5c80c21e4fcd3b9bfed8a813fe3ee72474c505fd80412297e70534cef1aaf8c3f1 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | 7b3ec6b824bce1d0b91342a60e707335 |
| SHA1 | ce4442c4c5587cb26e10e099cad71b61fbd056a0 |
| SHA256 | 2dbc4a6f30354026e8fdd93e53e489e9185f31143458b9dacf5489aa9af7c525 |
| SHA512 | 8f869aa69b97fbf722f6af4b3fddd7c958ad5ddaef968a112dcfe629a81d718983657ce0fb21c4b799cddca9d6234deb14a8ba384fabf3d80e0d032a607b93d8 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-debug-l1-1-0.dll
| MD5 | e4c94687941e1096b9fa827467be7da6 |
| SHA1 | 46daaac7eed8b9bd2387f145439f14de2f269604 |
| SHA256 | 212579c60d5d3cac0e0caa51711b734835f2bbb9555a6fc638b1aeb438e986bc |
| SHA512 | 8194ea5b7427b626e259ba46a0c78cfbec55a63739ff9adfff020b187aa3b4e5c04ab78c1a5cdb1efe1b925a3b749ea63716d8d3b7296acf2992f65ceae9d138 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | 8714649a19399098bc4d0ba1dfbd8d62 |
| SHA1 | 18af2210e4ea061ba0bc61d13f7912e4de583e1c |
| SHA256 | 4c69840da98178d360ea2cd9faf8e5f20abbf610e76f63789e6b62333f7087a6 |
| SHA512 | 6e259a81a8e360512d34832be42f1ad65fbe01e782f1f869636c302581dbcc5825c1b75e24f9ee4bc04a6d2e3809f4bfcda5d584923140774da0c724d55532a3 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-file-l1-1-0.dll
| MD5 | 35f2fca230ce07cae8f42643a62106f8 |
| SHA1 | 5a75d8d00834a293917501a907199e368da943d0 |
| SHA256 | 881545b5920cf0008a3b71d91fe8d6011b0633233955729d22e3ef3aaa246ef0 |
| SHA512 | 64b5be716261cef342c7cb88c6c743a0d7340a6042c1fc3146228b842e46a2df8b75b0181caa604ad0c3fda9daecc6c0fe983685d8b346b52d5d72d1874b91c4 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-file-l1-2-0.dll
| MD5 | 410b053a4d2fdeb399fa188acf9c717f |
| SHA1 | 1e2371c503afd676c5ff937e65aaab4f0f8ca7a5 |
| SHA256 | 34a6d2d937e7049986b2811cf277164cc2240a5cd888111fe062244a6a568a40 |
| SHA512 | 1b06573eace7d4287d21b0ff291cc7f8cb42eab36340b8f083de38d2aab6aa16327a5d77032a4893727ed74974e2b3fd01dfc5626423a28b3c87d0f56b36a13a |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-file-l2-1-0.dll
| MD5 | 0ef36a2a6a77ff8ec014f2911e59d483 |
| SHA1 | 7e91067193864a293d8f49a5650ff483fef7e5f9 |
| SHA256 | d2d45f0c46fa3bfaf6edcc0482188841bd469ef676270fff5a75bef9b5fa3477 |
| SHA512 | e47a65575bc490f354957e215b1195e12efb3ad5f9981b0ffbf6edfada8ac3742ccbecc4c903f1bcafdd98117e92e6ea30d7705cb945c721ee2055f623d6800b |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-handle-l1-1-0.dll
| MD5 | ac558e9c034db3e823933c0879c68dc2 |
| SHA1 | 21dcde4913b38f90548cb444c5dbea3c82084d92 |
| SHA256 | 9147c1793123698fbd69c62a0fe0bc3a16bcfa7ece3a9e177628d3f238f54fd0 |
| SHA512 | cf0fe2e1e525d44a50299901d578b257ca1c319a52c0f904a6f37fcdce2b5150bfd58783601186f201944cf99104d7327be90c16343b0a33079fd2d3cfe4a154 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-heap-l1-1-0.dll
| MD5 | 05717f52c27bf3f82e4aa9c22c363aae |
| SHA1 | 17bb0161ea661605ddb0f1c89dad7d6920deb081 |
| SHA256 | 41d79a4cb19988d0f4558dad4c504b7b1b005debc705596aef52c846b93433eb |
| SHA512 | a089c86e23f497472c45131e22abf0cf20fb270f40f5fd9da0dd28a18fbda595d46c1dd2c59505a5cf5158ff7f3e9219a5b0b95bdac6873de117df247da32c07 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | 1eb2c869a01d5fa3cecc2ef8cb4bf064 |
| SHA1 | c3384126ca7c535634d198ee71c9aaeffb4fdb53 |
| SHA256 | 757edd8092fb34163940b35ad43454edfdc24b8e9de67133a662d2e83f1182f4 |
| SHA512 | afdf285d91808fe608345b25221803f520262a6f39afef17e323bb1a6755a619f3cd1bb9251acd40defe4434d637b288efefa0f4fba8ce287bd03897dede678f |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | c8ca5eecb39694c51ff8df111e0974cd |
| SHA1 | 1278573ee9982d3500a17d0e651741a008e43d01 |
| SHA256 | a4d60ad8bc529e8dcdbc509a073138e0983d3aab7fa398cc49d7878088d82b38 |
| SHA512 | 06d22fcd83d72343d3513517f767981d7518c67319b5d6278898453a3b97202897a4ef1884bf4063cd9d905b5253a39baa175859279a8126ec1353065571faaf |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 2baa0dd1046fd679c239d3776bac53fe |
| SHA1 | 96e98d0808fe05c7ca71499253ec2b1bb53826dc |
| SHA256 | 3c0ff7a835b90e15bf138e90b13c7f1636d4ef6b5f8358b5333f537f3f9c955e |
| SHA512 | 99ffe1a222e8bd98c5bee0492d925c4a6eef8d753bf26a18242b9c544c1bb4a4894cc55abad6d79e3fa37c7b0fdc5fd41621d5ed41845c1507fbc5ffdca94e50 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-memory-l1-1-0.dll
| MD5 | 3c434c09f9c6a31c36db5b924cf13206 |
| SHA1 | 27b12d9490447d0b17e10247fb62390683757e3e |
| SHA256 | 599a3b72b33d7c90bba33c4596c27e920c53d8d10baceac5fce4b79cfd0fe638 |
| SHA512 | caff2edb1be208dcb2ca0d3d48fe46f108486d542247e2a1535c06dd73fc0b815752be6d5a5bcf2368015b772c99bd33402070697cf2c5aaded4bd5f998ad8ec |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | a77f07b883dbcce2fafbc1305dd37c77 |
| SHA1 | 000c364671ca7c238edb54f1390a869c66fb7c3b |
| SHA256 | 64c4dc9f63d7e14b2b753adb90c0f8d17d2715a7efdca6caa29b8cfb30ceb0da |
| SHA512 | 4867899bf883d2c650b378064e5e95695ab7575cf2379fd542493871bf54785dc2a6f2fa270d61a388a1630d706e57a9bc50a348a4654242c614069cd8976034 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | 5b7dac5c673a4a74395e803ea0fdc926 |
| SHA1 | c5f0fbad849ac937a5197bff88d771c691745da4 |
| SHA256 | f34f04f6b3bed4e9cf32f9cf1f73431b21be10b4713aac33459d06f8732e83a7 |
| SHA512 | 5cd6f35752decf9b8ea87120fadd9053f1834bc69f61799df80958d7914568d984ba1a754a3f6546f26473d850c161346119ab6dbb883b3ec88c8012a272cf33 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | 049afa6fbec2fc47e70f31e6dff2d78d |
| SHA1 | 573e34470a1353a5d5edb94ff80da4dc75934b87 |
| SHA256 | 31d5fd2495eaf7b9da87a971b4b93b8afadb6331bfa5f92f93dccca7821b953b |
| SHA512 | 9054453fa4ac9cad6b9543f91e9369da8ae6dae7d3f731e7cc282f5ad75a05014dfb5b7b4dbf44becd7ac42d0c65d2bb94f19975af1d45d45440c5c140b6063a |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 49b73436f79b754c3b457aa50dcf063b |
| SHA1 | f194e26af1800776b76fadc783447b2ae1529f86 |
| SHA256 | c32c1927fe6afd085b2a4811248f5e7c1d2f955978c6d2e8dbea2cc50f5ba7ca |
| SHA512 | 2659c24ce42f8e9d9164f71ced1ea16245f3f1dde2047911ac8b95301e31dc2a99811769d2260e7c0349a48d26c564055ac605e723c3427a3cc7545b992ad804 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-profile-l1-1-0.dll
| MD5 | 64e6464af2821139adb2673d04718d5d |
| SHA1 | 63ed0d18deaa903ecf3af79c0a1593a079746247 |
| SHA256 | e0e5bad131041f36acd02562bb23d16751fd5c6a70a0d96ae6a1c2a2c42d63c0 |
| SHA512 | 9de0fd290b7a94df1770e224e50aecc9110a9f871b91fc84047159696f62876cf6123030ae09648474bfe329bd5bda238ce69c01ba110b8bf9ce8a6affc4c7fb |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-rtlsupport-l1-1-0.dll
| MD5 | 4995311dbe3c5e926833597a7bd67333 |
| SHA1 | e33316ac06fb458c22b9df28c43f544ef19bbfd7 |
| SHA256 | 9c68ebfc908b4f8bbc1897085bc9d0074c023bfba1736f8b56952c0b7c8ccc31 |
| SHA512 | e35a310e15e401d81ef1b03992dd0535aed3aed4be5c9bb835677314b4006f90c08a8c7f70749e54be9a7586f461e3685cb9429e53a9839adda97e3e5d403010 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-string-l1-1-0.dll
| MD5 | 7caff0ff196f67f80840f63453d3a1e7 |
| SHA1 | 4edeeed434ec95d4c624ef5015f8b4da6dd4ac59 |
| SHA256 | 8dcadf58b6dc4e8523bd67835c27b3e9d59390d248c3a886b2ec9e26841bc709 |
| SHA512 | 36e239b513c07a04cc0f82056019162295fb8a5af015c881fc06458a06e9e83aa675b1ede4aaf43ea56a36b7a48372519fbb106154a890e617c08b3b25bd66a7 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-synch-l1-1-0.dll
| MD5 | 4f797363edd7311d10cdf215fc7d9971 |
| SHA1 | 43b81fade4b0507e153ceeffc9a621ce03252564 |
| SHA256 | e1b9035e22dedcc2694e4355f9e37ce39196c96e1e5477e694b852a0c4d768a1 |
| SHA512 | 17e564657f06b4dafe54a6901037d6fec6e682f446a620c96f656048dfbb335cb776afb6c55cdbf0eca004868a752b9ba725652d6e3df8879e72609f7cfa9685 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-synch-l1-2-0.dll
| MD5 | c41b08226256aed986578b9b64924c13 |
| SHA1 | a01da9e3a8d0bf5302c3e095c08634f6b5df3885 |
| SHA256 | dd2cb911080181a0deabe7bea0ed347c15d959856b17fadcecb6174acf6c9fb4 |
| SHA512 | 1d068a110ea9db58f596bc7caa7b7820b45e58743778265c9bf6e38d4b5c6cea2e5e3d839f713561a0d4f421bdc7bf8ce4c6f58e2c47327dddd6c587bc87f351 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-sysinfo-l1-1-0.dll
| MD5 | 564e81678c2283fa85fb3a5abf947c75 |
| SHA1 | 7ef6ad96bc84c2a0ba8682f3987b1156a599efd2 |
| SHA256 | a67035f841b47e215e100447d89294afe5183444d7fd2d6917b5139540083753 |
| SHA512 | b28dd987daacb657f635e7100af85fcf5f9b050c510296abebbcd7165cd5fbde49f5dee416e78bef26c119cbfcd61eb2e622ecd3be92045817e6544eb76ee042 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 5334d111e114ff8e2807b72d8ec530b9 |
| SHA1 | da2afd670094213ccb6909c8e1188ff1afb50812 |
| SHA256 | 139659d7673a6cba79e52f708c39a65c4112339080b8a6c5b7d7222495539eb0 |
| SHA512 | 45424166654f8d8298b51ca5098dd3aa19e6ca37bb77e1c895d2bcf71f779aec17dfd037bb9b4dc89d48031dcab536c250800ab4db220468f5577caa8959b439 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-core-util-l1-1-0.dll
| MD5 | 3a2261f41fa2bc305751707c89944d80 |
| SHA1 | eb8ad6c1243a44fd1a56079dcb8074359191f4c7 |
| SHA256 | fdd7b079e4c4c70480d939bafdda657cb3a297da4c38ea01a12ea52ad93692b7 |
| SHA512 | c9bac3d4661d9e59a4556a1b3e32cfb8c69aa07ee1cf0b5b3bf978223227af7a364ed5d29ee29cd3418700d07a728207f9c31259fe690f54deeb34ab0296439a |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | 912dbb8665c811fe23821ca1b1e728d1 |
| SHA1 | 3351d47c1a675db92f20781d56fcd17e93b384c8 |
| SHA256 | d767eb6c7cc445fbd965bb6b6a465e05a9c92062f14a4c5fb1808153342bdb4e |
| SHA512 | 8474ce7fd56ed777bcd6fd99abbe7d5814b04773eaaab987b796f68eb36ab5741034db75c050711b52b8d6e7c652307ab09003443fb8a55af2f8345ff6b9a016 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 1ce111f0e26b88a3bc46af537ac5fc4f |
| SHA1 | b50915a28ee93e0953a67a71b79bc0e62637810a |
| SHA256 | 091a9d7715f8be3a06b1677c3d2fbc1f38d7ae6cf6b4e3e20435fce02087cc4f |
| SHA512 | f55c784d794734d96b952e775c65f3da00cac44365a50d5acfa8ab343d9e6c529b07330276a5acb1bd00b945504d5e907d92baf2f651426b61021d64dce8a622 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | d9649d7e652cb2357b23c7da40763626 |
| SHA1 | e354550b7803b7895ac16800201fe9f2093c5629 |
| SHA256 | 25cbed8d0881d7e2968c9394c321ec9474d01b60bf378d0f40794a6bcf9c24f1 |
| SHA512 | 3b18a8497bac3e5fc2eb34cbd564fb5a47a573f4725f874da9112f05e3bc1f9963209443a7fa39090e5e0b0fde9efedcca1df2a5e53cc805b7c5f0478a720ccd |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | 446b5f593d0a99cc32bd5e755a00dad2 |
| SHA1 | a2888f93cc9066b8ea21d2094f3f18f98ceb1a0f |
| SHA256 | c69cfb5f511c4ad49b4e5ed53ed17f4f8c67f17825ec8d6a0fe516d590fcdcfa |
| SHA512 | 7f5bb6838b03425b73dfae996438515b42903cb0b4665e96c732b045439859dd6b4f414c77893d2f251ad8612ccb4b46d67e234be546ea56a0ee12908d747a55 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 5eb567958f683506c67be991c317c060 |
| SHA1 | df805b283e005506d807a89143439bb0083b0c0d |
| SHA256 | 1828b459b22778c62cfdd51d1b4d0ab74434accec14fcd4d067c88b9ef99ee6d |
| SHA512 | 85401538efc8c5b2f23bd731236757a28e0835f1994b2e17e5fe7e6726fce9422fe0beeb21a575d04987ed1e6356e3084211b077bd36cf444082b87568b4b1d2 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | fb496b1f206cf6f524a3c0b88b7f5ea8 |
| SHA1 | 9388046a230ad88ebe16a6093ba78eb0d60a47c5 |
| SHA256 | 8f37f4fa633a48a58dfc464d3f2657e9257e6341086dc64ebb0aa7eb3177bd55 |
| SHA512 | 7e5238362b6128cddd53664741675736e9363ece5572eedd143f1523d36c136493280eebd1ef68a49cc113ce1a415bf3f611df184d6ae0c6b96db1d564b29a15 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 7330b150cf52485916fdd229976f62b8 |
| SHA1 | eba6346cafb01b860f0960fc8a9324babc6f2bf4 |
| SHA256 | b170735bd5c01a7e5ac6ce59de70c6f3e4994deadb5fa9cef4a9a49f797efc00 |
| SHA512 | 011d27667edfc34b8418eead80b10815293404947f05af1cd5e6ad8d5d3b0f27ed9ff72033f4cb3ecd486abfd1e456d5dff2f196ec37cf3e22f904aaf3a22ac6 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-multibyte-l1-1-0.dll
| MD5 | 9ebabf8e441ee119f02799c524cc590e |
| SHA1 | 803d04c7cf4a20895bc8fbb4ca2e8b8d8975d35c |
| SHA256 | 13fd5f3aa593829b6cb37d6d5a03cf334776c25f5a8a38dd59ceea0d4ef130bd |
| SHA512 | d36cb80188d26aef92d7c85b96c3d07e28ca3b677673e29beabf2c432747f22c67d5fa955313cfac6e9e64effc86c9c3cce5c30bfca54cac5dd21b04afbc8d97 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-private-l1-1-0.dll
| MD5 | 6c64d892b4d22c711764c6123f5b6358 |
| SHA1 | cf9d6afcbabc7ce5cb4dbd2aba58011b7b220489 |
| SHA256 | 4cf48f5ca6c87fea6dbb9faa11cde8810742134bed9b0e262cfcf6d3319bfbd8 |
| SHA512 | a9a70367aca9828257768416e9a6b237c965cfc8f49df99016c79ae569255f7c89a99b9dc7d5f6eca962e7df30cf3504770b34bd3227386ebefaf26b244c4bbf |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-process-l1-1-0.dll
| MD5 | 4903f20f24b4bf172c7df518b593157f |
| SHA1 | 3ea92847b20f25e6d573ab1eaa687e2feaf479ef |
| SHA256 | e2d767b448a3c316fee79ba53b01a075bd6b692061ed970df1c741926834a129 |
| SHA512 | cf2eb798e84d850213d7a78e43d7ea411d957f482807148839b5baf9f2f3b22de6c3d402ab72e98a939bb7751f6408d461b6b7577bafbcc0c55665cd8617837e |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | f0306295c4bf51adef8cca4fdb437a47 |
| SHA1 | 9fdc73c592344fe4920dbec9a725540401182e11 |
| SHA256 | 328def74a556654fa2ba3b8cac140fafc888d90ffa7112311d85f208bbe8b793 |
| SHA512 | c57b6b3eb7b2cf8e5206d3a1aa8e433734c848f703cf3ac778d231e8fa0cb63f3501bd4c036d5c47598e37a23dadbaea3a5e7a9067eadd12882951e623ee5540 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | b580a9034e7175ddde3c127962421133 |
| SHA1 | 2b09778e0585d65042769a734be9593ccf39c2fa |
| SHA256 | e0f845985901126775af838fae6ef7022b58ae04bc49e697c03f875294017e4b |
| SHA512 | 5b3670b5f1bc993c5c22f02b76b7a4d57bdfbbe9a7d633e66896df8ae3a15506652c017a341e3497ea6a04b80e4588e4b7b01106ac1d78abf52b3a21daabce1f |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 58492f8a1456356f189c956fbfce5bb9 |
| SHA1 | 86df36b7926c7977eda986694f365e2efb1779ed |
| SHA256 | c32e1417f12ef1d31b742195211fbbe8d75daa7d445fed98e3c4f0352805a7da |
| SHA512 | 52354bb816773daf5a66d85af889533deff52a4f1028254ba7cfe773578c2c8d07fdcc69a9fe4d2cf3de88895ea9fb60f4419396808b77fc3f633a87ce881967 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 79a9d993f5bc3f5f9447c35adcb9b87d |
| SHA1 | 67990b8406f852946cac914d81a96eb815100dd6 |
| SHA256 | 126d0677f82ce42360bde0c9025b3d4abffe9ceac24bb04ab1dd0706cf4e20c4 |
| SHA512 | 654e5aa66aad0d531ffc7a34cc96006796b9b5d3ef5d289207f33ffc46a975ae7d1ee808abbcd4ceaf40f1596d7994f61fccb7285200012fc242f0df398eb70d |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | e460b157be8c119fbd24532960082e15 |
| SHA1 | 5b3d52547b4e356fdf57eb06d06a1f2c21769c79 |
| SHA256 | 5a618a0b967de5558cb673aba2518b1b38549f5c979c2e06e02c6e92c69a3d79 |
| SHA512 | 7a046b87d6691755bc25ca9a64989550befbe9285fad3b1a00dd27a3ec783a0426ef662c05eb3455a61347dea4fe6e1bd759386476280679c2353a4cf81e8115 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\concrt140.dll
| MD5 | d769cc7219e1515620aebba1c4df8f7b |
| SHA1 | 006a7bf65e9d26f06c7aed822d70326ff967d74b |
| SHA256 | 783feed3393d047f3feeeb733c5279b1c9cdb1b0bb2a2b6a4ba66826b45d9fb6 |
| SHA512 | 3e6f2114303c2612fcae3498f6fa70726d0df5e938384dee095db8a95115d10452b3cda62769dab9334b0799da8d7fb0f983df98f6e7273ae91391c01da7bf7a |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\msvcp140.dll
| MD5 | 2307ff4b14821a2bca90ef18511f2e0b |
| SHA1 | f12b3e69ad35fd76425628f45eb3ceb3c42ca39b |
| SHA256 | 463930767aaeb5603ebca7a068a17ca9482e64662a806942c4f48cbc6e1a8507 |
| SHA512 | c9c134be4af2d07afc47b2bd95449c2c464bf8f03c057287be8f75c712b2ff429b6f84a3ac46981d19629cdbcd7fff4f5371b54326ced4ba1785f35c2091f546 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\ucrtbase.dll
| MD5 | e3c9ea53694abfa282063f41a92713cd |
| SHA1 | c2bbb54680ef3e2dfc91fc9f5eaa702d2297f650 |
| SHA256 | b8e0d94a85e4826aa556e2e060fd99b8208ac5dd3055aff43cfde532265eb930 |
| SHA512 | 8228d0d3a6d872d42d34db7d6133f2bcf2848c0fe44f1c8e949f18892afa1f32d020be299d0a81869a73d24bcc1ceeb64e1d9e525ad6eebbecf5cd10d3609f13 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\vcamp140.dll
| MD5 | 6a632efc9695aae32a820d9d9def1a2b |
| SHA1 | 6a887f4e894eef80132c09abe4899e34c339805e |
| SHA256 | b2b552852c97f2a334e03e4fc1e1d429d94ea646a908bb4901a3e56aab6d42ab |
| SHA512 | 37982299078cee0b5251c4474ac1b609b4a972c38a0cac9eb13b31e6f41ebd83a735a252231f1d9e3b12c3edc2e47ae7e02892cea8a27f205f16aeb3227e31be |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\vccorlib140.dll
| MD5 | 79c80571941032aebea82a1a9dab9307 |
| SHA1 | e113bb8b3bd1d33e396ddb40059f6924e593b626 |
| SHA256 | 08b5754b15936cf467bcfc96e83255cbe77915ce0cc9d287af4e6117f54571e9 |
| SHA512 | 4e7128ceccd6e34c5e7c42594741a5d22c297252f7591a7a7eac5a9b0654f1fa23047daf4b71f99e9d0eceeb3dee594b2b531d77ccc025b7c26f959bd9d86ce2 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\vcomp140.dll
| MD5 | 6b2739f7a5238c8fb4442355dcfdbb0d |
| SHA1 | eff490909fbea9a3f6593fbf401f797730cea8eb |
| SHA256 | 41db8ab344bde359137d6a7d5be5dbf79c4bf2b52d8263c4fad3eac525606ab9 |
| SHA512 | f061a61ce4dbc499afbb8f18c2f2af5fd56286399253aa3e2ab86073e22148c56a044167acae81856b48cb03c4cfd060c8e1b74eb958083d182041a7c3e1ea89 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\vcruntime140.dll
| MD5 | d783e99fce7840747050ca0f8b79854d |
| SHA1 | 98c1539927ea6642effe71f45601a81317969d89 |
| SHA256 | 56e6c202747c00c99b812c236b47d065c475baa8bded1dec1d55c338eeaf85e8 |
| SHA512 | 8fa406574c3702ef413bfe4a1bb0a1b519c26cab0be254c5d4270aa7fa21748d029dc631cc5bcdbbf00a30146d106b02be72984809e6d126cf435f46fe7816de |
C:\Users\Admin\AppData\Local\Temp\MSI62b65.LOG
| MD5 | 212b8f6bedff26cf62408c053d1a4fe1 |
| SHA1 | 9c8aa8e62464fc63296cd11371021c136dee007f |
| SHA256 | 21576270eb93c566e536e66751bf59c812dad57996623df2f5bdbd2f3ae05ddf |
| SHA512 | 019205fccdc12532e6a83dae5ae63c5eb0de6a40aaafd32895c91bbed3c499ff928550d2197dad8272987e6228902804b9c3efe5442b5189e3072c7fc8dd94eb |
C:\Users\Admin\AppData\Local\Temp\rme\vc_runtimeMinimum_x64.msi
| MD5 | c9544e4d16735d584774349c68b5fb41 |
| SHA1 | d01f92ff1ece3a676eb63e95ab10dac425c6d85a |
| SHA256 | 31851932139554b56d9104462bc701cb83782ce1e1fc5657954ab1d26941127d |
| SHA512 | a78a0e804f32f8c7c273906c8dea88cdf03f871444e8fa9fa8a366943d13354ffaad034b0214f14718d959f8093bf43ccba66eca916b5fcf35431a145993ad1e |
C:\Users\Admin\AppData\Local\Temp\rme\cab1.cab
| MD5 | 7e2cf15a172f8e23931b4a87bff75169 |
| SHA1 | bcf2cfdffc780d1fe28c0ad5c4fbd49b845c2f9d |
| SHA256 | f837c31c2da2ebc1366b10507f15f7f66c5b416bd2ea602d76f044df1282c0b7 |
| SHA512 | ba001032b1934c5897241218ddc56f13575276c701f6d06544047d51838d2ff21cfc57738fe6fd0338b8127527b57777218c27d2763e1d3b42e633318853a33e |
C:\Config.Msi\f762bda.rbs
| MD5 | 8305b330e9fb37a62eb58be6026d2ca6 |
| SHA1 | 13bd16c86fceb96e59cea092faf1c60c2560b2d2 |
| SHA256 | 30cd49ef14bff9434de0fe4a49073d7d83c6030857274762a1941d7772e071e7 |
| SHA512 | 5d294a23e2b65c14d1070542a9271a7b4e89bbfcd58e98a869d44b35bd352914b915cd64206068228b5c0ca346fa639524ff41e05a0591a08eade9209c99040d |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-console-l1-1-0.dll
| MD5 | a7010d8fc8bc1aa1efba555b58648eab |
| SHA1 | 4bfdd524308e01a8d148d491f0af08727d1ffe77 |
| SHA256 | baeec36995ed8215e5ebc3a12b490e5628c001c6882e16d49a461306a2cb0d7e |
| SHA512 | 6f294eca3a9f9476098863c536639b2a57aa4296b100380fdd4403d09ff54caeb619276f9767e6692d892a50c41e1d998389a9d25ac954dec1763969c50fcd46 |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | fee2b177a6335870cf1fa26c890e3c1a |
| SHA1 | b133a9574e74585c24827c78738950072fa7cce8 |
| SHA256 | e3689fdde1cb83cdf99ac519286bed2f94bd4ba73d83514274a9aedfd51ef998 |
| SHA512 | ed374d9f712aefdbde66e925c6488e11d2139e0987c2df4811e5b3e8192bd941b75f1ed2a3c96f932fd54ec329f9b8c2a272739162641dc02d7970bab392029e |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-debug-l1-1-0.dll
| MD5 | e04c69bd2cda6ecd41b5f2f601a348a4 |
| SHA1 | 1b36c6f9c36de14f1d52b877fc49bb84d8218922 |
| SHA256 | 886ead3bb778979dd028451abecf81cfd8c58e910f8d03002dbffabcb55a89d8 |
| SHA512 | 96229807abd8598aabff46bb5d26fe33ebc44557777dec47c0ad41b266484be330c75532ceaa24c2c4e4efe112076045547fe699d5ed7c3e4ec0331d765b2dff |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | dfd5b066dd177e06cc04d8fb84b984a8 |
| SHA1 | 81b245f7983552a31151ef540795d675c806a0b9 |
| SHA256 | d1069b399dbd2d2c1c20eeb1b0382c22e5ce0863d9c351d166b4b58809f23e05 |
| SHA512 | 19993f0cd331b0e078e59d43b5cde6595207b5ddabc063c6ad47b159bd0c015defe66a4f9a942869427c1a546f13b3c15d05c673bef3d9d367845cf837a4d83a |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-file-l1-1-0.dll
| MD5 | 86a4c837ccbcc19065787b4eda417d11 |
| SHA1 | 7cd6564c30809acf113385e3ece4fd3bc19a08f3 |
| SHA256 | da97ae788b22848ce27bbaef85bbf9b2810dbf6d4c1f71a4d014553efa46130a |
| SHA512 | 456ee7b7d946abf7f72838e5372d7d85916f2eab3414791d56265c0b13e151c9ea13790287949577078f49d6cb6f32900ab4db5b0a9a4c11d85adb62a602ea00 |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-file-l1-2-0.dll
| MD5 | d423fa4e22cdf8b822c17b8192c17426 |
| SHA1 | 7d691d6b7bd4d5db6736fffb554f724b5e7f7b71 |
| SHA256 | e92d2051cfedfdd5f38a452c3e8229a46dd5740970d333084c94ca77c0a1ab5d |
| SHA512 | e50f68dda63e61d4eee98f1e6590b8ae58965bf3dfd1392ab0e1e3304d461ef4de389c63efcbbaf06ccae0386c48a9dff1dc997327b9cc5b1d61a88c61af1046 |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-file-l2-1-0.dll
| MD5 | 34819ee7eaf46ff8441b8d0051110589 |
| SHA1 | e7c0c533eeec5eaada3e152ca234ff0f07b2fffe |
| SHA256 | 8b9f9d61a8e3241bf44228ff4e7a57cfe994828e4a7a1ea1baf2759f5f35b704 |
| SHA512 | 1d4d648fa402c303e5811f0fb91c74d4ec2a28cdc2342a4a2a54819bc865b13f2a5d0015d26f8cc13a15bad587298544b5a7ff3587f4efbea4937e8716a30697 |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-handle-l1-1-0.dll
| MD5 | 885d03913343382e78803c9c70e9fb90 |
| SHA1 | f3b05bc5a9a1cfeedabea2253a0c2869ebc59bf5 |
| SHA256 | 6090fc5aaad65032651f75f870e824594babb1297de103488ee904398a2e9282 |
| SHA512 | 63e4cd7df0680ab5db45ddf2916708c0953ef9199888e8aa81a7459e314677c50ee333019a1537a67e941c09346cfb44aad3d7189e3ac56c27d833d809bcc0f4 |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-heap-l1-1-0.dll
| MD5 | aaad1911ec09a4438bee40fba9d6f9c0 |
| SHA1 | e6ffeb351f646832a4a26092e996df3e3efd51fa |
| SHA256 | bbad44b2cca0fe8747966470174e5bab4aa3f800e825aca7b4d444a1d43525da |
| SHA512 | 831ca8963a81a0b23083b3919b97736deedb28e1103531ccde7222a20595a465d8ca740222760b06763464f6780b4b09f4300fbaec24281bfe64d730e4feac3e |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | 905252512f0b06ced00ad3afb32d7d03 |
| SHA1 | ba81252c572291d2d3ec03f248adf92e31c87371 |
| SHA256 | 6fa1390dbc09b91230a21444df9f52b8af70f4889424f2aa6563479d826ec97f |
| SHA512 | 96fb1c461864d4b6acdd876fd06974af72ff48469bc7fe75ff8248bde7149f55d74d1430d3cfe8e002a01ea7b5b14db5496bed112fe505b62149c5e1eed7b7af |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | d0c82c72ae617713f5bd6641ca0f675b |
| SHA1 | 818029d894cba3fa30567aa94cb610430397a0c1 |
| SHA256 | 2ae11cb73c1d5d3aae0142af4d9c5a34a5eb1d1fa2690c39a3fa2d4b600ccbd1 |
| SHA512 | 7e19078d49399e4ad7e5e2e0324b6b59f9c9b4987682106f90c2cadf81c950eacca4586808e2dd561f34ce2f788432b6da2e75d2547ce599e6a8a375f53e2e3e |
C:\Users\Admin\AppData\Local\Temp\{2bea9706-0008-17ad-21af-25066406615c}\madiface_usb.cat
| MD5 | ab61da865bb34150dad1c80294d1f1b6 |
| SHA1 | 3f5718aa5a0930a4afad5c146b7e11ab2b13489f |
| SHA256 | 215446205a16d6bfad8b5fb0af62a8bf3fe432e2e3a9538c0a99800e09266d70 |
| SHA512 | f7385a3733a1ffc10cca7a83a30f745ae34df15e6d91aab9458583b304cfbb0038a21b9c3c93b812d575239d7b8ba98aa3e3194e2324682399e97d1c15f78238 |
C:\Users\Admin\AppData\Local\Temp\{2bea9706-0008-17ad-21af-25066406615c}\SET7FBC.tmp
| MD5 | f59677178b148a77e9976334e6543455 |
| SHA1 | 714e80c4eea3de8860f9b962dcf236fb0caced46 |
| SHA256 | 8b127236019a65a90d2e7780f0e182f43729ea350c839bf1c56e69dd35c7a448 |
| SHA512 | 87db541827979cd313252186bec2f08bf5aedad97e3d8ef53ed8cde959031bc1146e5d852f359cc5dcca2e8a623d10092f53262fdfe70d59e563a3cbc6aa6fea |
C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FA4.tmp
| MD5 | b69aefdeccdc3955ce4968e4a020d18c |
| SHA1 | 978179d46aaa691cd618cf23d967827aacb8fa3e |
| SHA256 | a498daaea6775e1284f8806a557fe3d20437d23d350815c2ced135b4235e630e |
| SHA512 | 1c2eb1184f6816100ec0aac64bc929dd968dc7385e67c4c6b8a96d39c5d63fc02dedd2f8747cb850e4520a2067b2e3e61108de837cd3aada3c42604146bfcce8 |
C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FB5.tmp
| MD5 | d12bbaf0c6abf7aa720c111ae18b4d6a |
| SHA1 | 667693d0223be13bb88704d03e88572583104690 |
| SHA256 | 28c98398110e0ee2f4b6d29602ae26f2664a2d95550bea0b392109bd75463b47 |
| SHA512 | ce506a7cf97528518e77a07e2a8d4ab5bcb59a274d24f2430d59da580e30ac363daf15ef9a68099369654a40e77e3f80c2d5b3a11cd6fd428d9250da88a023de |
C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FB6.tmp
| MD5 | 21474dd81c87feb7365e65430eccdb86 |
| SHA1 | c4ecf9884a70085da1fc2d727d2de2e9b50e8c2b |
| SHA256 | ae85eec1278519946eb6428dba5b9cb892699ce55dfc14f3a21b9be5580db881 |
| SHA512 | 09b9d6adfa19f91b08579e1970e8c183508ee74ef82f4249e7f0794e3dd70205601181cf4b8345976033e79c505b94bb48895845c97da47fbf346d97045fa347 |
C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FC6.tmp
| MD5 | 30c2c4fa7d2f367691d91de91d20784d |
| SHA1 | 058e5da746a1a4f5043374bc9b7cbc57a08d4d77 |
| SHA256 | e7605cbda4e4df283aa053a4ea7f9d51460f9543528f482db64f190ed31199f8 |
| SHA512 | cc3c4a44ad18346558c21e3a05820c033c623b7381001fda68e3a07f7cdcd1ce4fe912ad0fd0ee6b83b37d99420ef78221a36a58bfa10a68aeaa77f18ef476e3 |
C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FD7.tmp
| MD5 | 1f5340984881d055691f86f11b098803 |
| SHA1 | 081a86b17799faa8036db3e9acde14800b8a30ba |
| SHA256 | 5b01352dc4e4a009ee537dc91e30b2a1ecabe9d92335bb4016846996517124fe |
| SHA512 | ce0997a70126afc41ff378daa2a3d160a6ec857ffb90cf34d183a580b553e9b47fe3b4f67657a3cc4e4b7bc8a84d3442357f3cad2facbba03bd2755e84a86ac5 |
C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FD8.tmp
| MD5 | 3c873599bb1b3b81f6237181c4bd60bc |
| SHA1 | a3bf316fa68846a0984babc854bd614d9cdee08b |
| SHA256 | 27dcef64947e5d1fe80a39f48ea144dfc9aa028d348ffcea1a833e4cf489407f |
| SHA512 | 4495c7790631de615452ba27adc099519eacab32d7f30cbd5b18e95380451f7d5f74b743be759fe033b5be62c9e95f1d9ae689de733ee978282649e34c80aade |
C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FD9.tmp
| MD5 | d61ed0a83f846bfa6ccba10980ef1b46 |
| SHA1 | 85c4d139732d7939ca9fd6b0a5a786f1585707e1 |
| SHA256 | 7c2ee331aeffd9279a45735e25ee766b1681f967bcea63aa969499bad95a2fc2 |
| SHA512 | b90adb2b580ff8ff0917b9b124c5f281d3005dbe49eaccdd9c38bef20afdf65b4339ef258f4a82d3e803d06c7ef1b06cbfd1546db80b1ae432181763d76898e6 |
C:\Windows\Temp\Cab986B.tmp
| MD5 | d59a6b36c5a94916241a3ead50222b6f |
| SHA1 | e274e9486d318c383bc4b9812844ba56f0cff3c6 |
| SHA256 | a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53 |
| SHA512 | 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489 |
C:\Windows\Temp\Tar988D.tmp
| MD5 | b13f51572f55a2d31ed9f266d581e9ea |
| SHA1 | 7eef3111b878e159e520f34410ad87adecf0ca92 |
| SHA256 | 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15 |
| SHA512 | f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c |
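The listing above is the report's raw drop inventory: Visual C++ runtime DLLs and api-ms-win-* forwarder DLLs staged under the user's Temp folder, plus files that landed in privileged locations (C:\Windows\System32\DriverStore\Temp, C:\Windows\Temp, C:\Config.Msi). Turning it into IOC records by hand is error-prone, so the following script, which is an added example and not part of the original report or of the analysed software, parses the report's own layout (a path line followed by `| MD5 | ... |` style rows), checks that each digest has the hex length its algorithm requires, and splits the entries into Temp-staged files and files written elsewhere on the system volume. The sample input embeds three entries copied from the listing; the location buckets and their names are this example's own choice.

```python
"""Parse a sandbox report's dropped-file listing into IOC records (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: three entries copied verbatim from the listing above.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\vcruntime140.dll
| MD5 | d783e99fce7840747050ca0f8b79854d |
| SHA1 | 98c1539927ea6642effe71f45601a81317969d89 |
| SHA256 | 56e6c202747c00c99b812c236b47d065c475baa8bded1dec1d55c338eeaf85e8 |
| SHA512 | 8fa406574c3702ef413bfe4a1bb0a1b519c26cab0be254c5d4270aa7fa21748d029dc631cc5bcdbbf00a30146d106b02be72984809e6d126cf435f46fe7816de |
C:\Config.Msi\f762bda.rbs
| MD5 | 8305b330e9fb37a62eb58be6026d2ca6 |
| SHA1 | 13bd16c86fceb96e59cea092faf1c60c2560b2d2 |
| SHA256 | 30cd49ef14bff9434de0fe4a49073d7d83c6030857274762a1941d7772e071e7 |
| SHA512 | 5d294a23e2b65c14d1070542a9271a7b4e89bbfcd58e98a869d44b35bd352914b915cd64206068228b5c0ca346fa639524ff41e05a0591a08eade9209c99040d |
C:\Windows\System32\DriverStore\Temp\{6e5ec2e3-68fb-6e13-cf17-58796eaf8421}\SET8FA4.tmp
| MD5 | b69aefdeccdc3955ce4968e4a020d18c |
| SHA1 | 978179d46aaa691cd618cf23d967827aacb8fa3e |
| SHA256 | a498daaea6775e1284f8806a557fe3d20437d23d350815c2ced135b4235e630e |
| SHA512 | 1c2eb1184f6816100ec0aac64bc929dd968dc7385e67c4c6b8a96d39c5d63fc02dedd2f8747cb850e4520a2067b2e3e61108de837cd3aada3c42604146bfcce8 |
"""

# Expected hex-digit count per algorithm; a mismatch means a truncated or mangled row.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")


@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)

    def location(self) -> str:
        """Coarse bucket (this example's own naming): staging area vs. elevated locations."""
        p = self.path.lower()
        if "\\appdata\\local\\temp\\" in p:
            return "user-temp"
        if p.startswith("c:\\windows\\"):
            return "windows"
        return "other-system"

    def complete(self) -> bool:
        """True when all four digests were present for this path."""
        return set(self.hashes) == set(HASH_LENGTHS)


def parse_listing(text: str) -> List[DroppedFile]:
    """Walk the listing: a non-table line starts a record, table rows attach digests to it."""
    records: List[DroppedFile] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            if current is None:
                raise ValueError("hash row before any path line: " + line)
            algo, value = m.group(1), m.group(2).lower()
            if len(value) != HASH_LENGTHS[algo]:
                raise ValueError(f"{current.path}: {algo} has {len(value)} hex digits")
            current.hashes[algo] = value
        elif line.startswith("|"):
            raise ValueError("unrecognised table row: " + line)
        else:
            current = DroppedFile(path=line)
            records.append(current)
    return records


def privileged_drop_sha256(records: List[DroppedFile]) -> List[str]:
    """SHA-256 of every fully-hashed file written outside the user's Temp staging area."""
    return [r.hashes["SHA256"] for r in records
            if r.complete() and r.location() != "user-temp"]


def duplicate_contents(records: List[DroppedFile]) -> Dict[str, List[str]]:
    """Paths that share one SHA-256, i.e. the same bytes dropped under several names."""
    seen: Dict[str, List[str]] = {}
    for r in records:
        if "SHA256" in r.hashes:
            seen.setdefault(r.hashes["SHA256"], []).append(r.path)
    return {h: paths for h, paths in seen.items() if len(paths) > 1}


if __name__ == "__main__":
    for rec in parse_listing(SAMPLE_LISTING):
        print(rec.location().ljust(12), rec.hashes["SHA256"], rec.path)
```

Feed the whole listing through `parse_listing` and the SHA-256 values from `privileged_drop_sha256` are the ones worth pivoting on: files staged in Temp are only reachable by the installer itself, whereas anything written into DriverStore or C:\Config.Msi was placed there by an elevated component and survives the sandbox run. `duplicate_contents` is there because installers such as this one ship the same runtime DLL under several directories, and one hash then covers all copies.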
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 14:15
Reported
2024-06-20 14:20
Platform
win10v2004-20240611-en
Max time kernel
141s
Max time network
141s
Command Line
Signatures
Possible privilege escalation attempt
Modifies file permissions
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA097.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\madiface_usb_64.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\TotalMixFX.exe | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0EB.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\madiface_usb.inf_amd64_7763194d4a920f2e\TotalMixFX.exe | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA086.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\madiface_usb.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\madiface_usb.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0CA.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\TotalMixFX.chm | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\madiface_usb.inf_amd64_7763194d4a920f2e\madiface_usb.PNF | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA097.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0A8.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\madiface_usb_asio.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0CB.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\madifaceusb.exe | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA086.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA096.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6} | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0B8.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\madiface_usb.inf_amd64_7763194d4a920f2e\madiface_usb_asio.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\madiface_usb_asio_64.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0CA.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0EB.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\madiface_usb.inf_amd64_7763194d4a920f2e\madiface_usb.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\madiface_usb.inf_amd64_7763194d4a920f2e\madiface_usb_64.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\madiface_usb.inf_amd64_7763194d4a920f2e\TotalMixFX.chm | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\madiface_usb.inf_amd64_7763194d4a920f2e\madifaceusb.exe | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0A8.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0B8.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\madiface_usb.inf_amd64_7763194d4a920f2e\madiface_usb.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA096.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0B9.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0CB.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\madiface_usb.inf_amd64_7763194d4a920f2e\madiface_usb_asio_64.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\madiface_usb.inf_amd64_7763194d4a920f2e\madiface_usb.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\madiface_usb.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0B9.tmp | C:\Windows\system32\DrvInst.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~1\DIFX\4A7292F75FEBBD3C\dpinst64.exe | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\e573b73.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e573b77.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\Config.Msi\e573b7a.rbs | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\e573b73.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3C9B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\DPINST.LOG | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{37B55901-995A-3650-80B1-BBFD047E2911} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e573b77.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{FAAD7243-0141-3987-AA2F-E56B20F80E41} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5A75.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\Config.Msi\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\Config.Msi\e573b7a.rbs | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
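Most rows in this run are attributed to DrvInst.exe, msiexec.exe and svchost.exe, which are Windows components that driver and MSI installation invoke; the sample's own dropped executable is dpinst64.exe, run from the user's Temp folder. Separating the two is the first triage step, and the SCSI registry rows listed further down need the same treatment because the hypervisor vendor strings they contain (QEMU, Msft Virtual DVD-ROM) are read by DrvInst.exe and svchost.exe as well as by dpinst64.exe. The script below, an added example that is not part of the original report or of the analysed software, parses rows in the report's own `| Description | Indicator | Process | Target |` layout, counts activity per process, isolates rows whose acting process lives under a user profile, and lists registry indicators that carry a hypervisor device name. The six sample rows are copied from this run's tables; `VM_HINTS` and the user-profile heuristic are this example's own assumptions.

```python
"""Attribute sandbox behaviour rows to the process that produced them (added example)."""
from collections import Counter
from typing import List, NamedTuple, Tuple


class Event(NamedTuple):
    description: str
    indicator: str
    process: str
    target: str


# Constructed sample: six rows copied from the behavioral2 tables on this page.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\madiface_usb_64.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\PROGRA~1\DIFX\4A7292F75FEBBD3C\dpinst64.exe | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{37B55901-995A-3650-80B1-BBFD047E2911} | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
"""

HEADER = ("Description", "Indicator", "Process", "Target")
# Assumed vendor/product substrings for common hypervisors' emulated devices.
VM_HINTS = ("QEMU", "VBOX", "VMWARE", "VIRTUAL")


def parse_rows(text: str) -> List[Event]:
    """Parse pipe-delimited rows, skipping blank lines and repeated header rows."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            raise ValueError("expected 4 columns: " + line)
        if tuple(cells) == HEADER:
            continue
        events.append(Event(*cells))
    return events


def from_user_writable_path(process: str) -> bool:
    """Heuristic: the acting process image lives under a user profile."""
    return "\\users\\" in process.lower()


def by_process(events: List[Event]) -> Counter:
    """How many rows each process image produced."""
    return Counter(e.process for e in events)


def sample_activity(events: List[Event]) -> List[Event]:
    """Rows attributable to the sample itself rather than to Windows components."""
    return [e for e in events if from_user_writable_path(e.process)]


def vm_vendor_hits(events: List[Event]) -> List[Tuple[str, str]]:
    """(process, hint) pairs for registry indicators that name a hypervisor device."""
    hits: List[Tuple[str, str]] = []
    for e in events:
        if not e.indicator.startswith("\\REGISTRY\\"):
            continue
        upper = e.indicator.upper()
        for hint in VM_HINTS:
            if hint in upper:
                hits.append((e.process, hint))
    return hits


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    for proc, n in by_process(evs).most_common():
        print(f"{n:3d}  {proc}")
    for e in sample_activity(evs):
        print("sample:", e.description, e.indicator)
    for proc, hint in vm_vendor_hits(evs):
        print("vm hint:", hint, "queried by", proc)
```

Run over the full tables, `by_process` shows that the DriverStore, INF and Installer writes belong to DrvInst.exe and msiexec.exe, and `sample_activity` reduces dpinst64.exe's own footprint to the DIFX copy of itself, DPINST.LOG, setupapi.dev.log, CatRoot2\dberr.txt and the SCSI queries. Because `vm_vendor_hits` fires for DrvInst.exe and svchost.exe on the same keys, treat those hits as an environment fingerprint picked up during Plug and Play enumeration, not on their own as evidence of sandbox evasion.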
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0918C00-B056-4087-88DF-817F245868B2} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32\ = "C:\\Windows\\system32\\madiface_usb_asio_64.dll" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32\ = "C:\\Windows\\SysWow64\\madiface_usb_asio.dll" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0918C00-B056-4087-88DF-817F245868B2} | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rmeinstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rmeinstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rmeinstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rmeinstaller.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\rmeinstaller.exe
"C:\Users\Admin\AppData\Local\Temp\rmeinstaller.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-file-l1-2-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-file-l1-2-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-file-l1-2-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-file-l2-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-file-l2-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-file-l2-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-localization-l1-2-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-localization-l1-2-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-localization-l1-2-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-processthreads-l1-1-1.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-processthreads-l1-1-1.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-processthreads-l1-1-1.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-synch-l1-2-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-synch-l1-2-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-synch-l1-2-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-timezone-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-timezone-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-timezone-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-conio-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-conio-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-conio-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-environment-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-environment-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-environment-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-filesystem-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-filesystem-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-filesystem-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-math-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-math-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-math-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-private-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-private-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-private-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-process-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-process-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-process-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-string-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-string-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-string-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-time-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-time-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-time-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\api-ms-win-crt-utility-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-utility-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\api-ms-win-crt-utility-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\concrt140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\concrt140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\concrt140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\msvcp140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\msvcp140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\msvcp140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\ucrtbase.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\ucrtbase.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\ucrtbase.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\vcamp140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vcamp140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vcamp140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\vccorlib140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vccorlib140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vccorlib140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\vcomp140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vcomp140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vcomp140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\System32\vcruntime140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vcruntime140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\System32\vcruntime140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-console-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-console-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-console-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-datetime-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-datetime-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-datetime-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-debug-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-debug-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-debug-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-errorhandling-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-errorhandling-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-errorhandling-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-file-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-file-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-file-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-file-l1-2-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-file-l1-2-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-file-l1-2-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-file-l2-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-file-l2-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-file-l2-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-handle-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-handle-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-handle-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-heap-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-heap-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-heap-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-interlocked-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-interlocked-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-interlocked-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-libraryloader-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-libraryloader-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-libraryloader-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-localization-l1-2-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-localization-l1-2-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-localization-l1-2-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-memory-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-memory-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-memory-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-namedpipe-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-namedpipe-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-namedpipe-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-processenvironment-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-processenvironment-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-processenvironment-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-processthreads-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-processthreads-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-processthreads-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-processthreads-l1-1-1.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-processthreads-l1-1-1.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-processthreads-l1-1-1.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-profile-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-profile-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-profile-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-rtlsupport-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-rtlsupport-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-rtlsupport-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-string-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-string-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-string-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-synch-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-synch-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-synch-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-synch-l1-2-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-synch-l1-2-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-synch-l1-2-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-sysinfo-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-sysinfo-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-sysinfo-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-timezone-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-timezone-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-timezone-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-core-util-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-util-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-core-util-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-conio-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-conio-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-conio-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-convert-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-convert-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-convert-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-environment-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-environment-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-environment-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-filesystem-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-filesystem-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-filesystem-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-heap-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-heap-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-heap-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-locale-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-locale-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-locale-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-math-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-math-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-math-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-multibyte-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-multibyte-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-multibyte-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-private-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-private-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-private-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-process-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-process-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-process-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-runtime-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-runtime-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-runtime-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-stdio-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-stdio-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-stdio-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-string-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-string-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-string-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-time-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-time-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-time-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\api-ms-win-crt-utility-l1-1-0.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-utility-l1-1-0.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\api-ms-win-crt-utility-l1-1-0.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\concrt140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\concrt140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\concrt140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\msvcp140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\msvcp140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\msvcp140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\ucrtbase.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\ucrtbase.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\ucrtbase.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\vcamp140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vcamp140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vcamp140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\vccorlib140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vccorlib140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vccorlib140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\vcomp140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vcomp140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vcomp140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\takeown.exe
takeown.exe /F C:\Windows\Sysnative\vcruntime140.dll
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vcruntime140.dll /grant Users:(GR,GE)
C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\Windows\Sysnative\vcruntime140.dll /grant "NT SERVICE\TrustedInstaller:(F)"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "reg add "HKCR\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32" /ve /t REG_SZ /d "C:\Windows\system32\madiface_usb_asio_64.dll" /f /reg:64"
C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32" /ve /t REG_SZ /d "C:\Windows\system32\madiface_usb_asio_64.dll" /f /reg:64
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "reg add "HKCR\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32" /ve /t REG_SZ /d "C:\Windows\system32\madiface_usb_asio.dll" /f /reg:32"
C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{F0918C00-B056-4087-88DF-817F245868B2}\InProcServer32" /ve /t REG_SZ /d "C:\Windows\system32\madiface_usb_asio.dll" /f /reg:32
C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe
C:\Users\Admin\AppData\Local\Temp\rme\dpinst64.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6a5fc3d7-3a38-454e-947d-a6357157a592}\madiface_usb.inf" "9" "466508f07" "0000000000000158" "WinSta0\Default" "00000000000000E8" "208" "c:\users\admin\appdata\local\temp\rme"
Network
Files
| SHA512 | cf2eb798e84d850213d7a78e43d7ea411d957f482807148839b5baf9f2f3b22de6c3d402ab72e98a939bb7751f6408d461b6b7577bafbcc0c55665cd8617837e |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | f0306295c4bf51adef8cca4fdb437a47 |
| SHA1 | 9fdc73c592344fe4920dbec9a725540401182e11 |
| SHA256 | 328def74a556654fa2ba3b8cac140fafc888d90ffa7112311d85f208bbe8b793 |
| SHA512 | c57b6b3eb7b2cf8e5206d3a1aa8e433734c848f703cf3ac778d231e8fa0cb63f3501bd4c036d5c47598e37a23dadbaea3a5e7a9067eadd12882951e623ee5540 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | b580a9034e7175ddde3c127962421133 |
| SHA1 | 2b09778e0585d65042769a734be9593ccf39c2fa |
| SHA256 | e0f845985901126775af838fae6ef7022b58ae04bc49e697c03f875294017e4b |
| SHA512 | 5b3670b5f1bc993c5c22f02b76b7a4d57bdfbbe9a7d633e66896df8ae3a15506652c017a341e3497ea6a04b80e4588e4b7b01106ac1d78abf52b3a21daabce1f |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 58492f8a1456356f189c956fbfce5bb9 |
| SHA1 | 86df36b7926c7977eda986694f365e2efb1779ed |
| SHA256 | c32e1417f12ef1d31b742195211fbbe8d75daa7d445fed98e3c4f0352805a7da |
| SHA512 | 52354bb816773daf5a66d85af889533deff52a4f1028254ba7cfe773578c2c8d07fdcc69a9fe4d2cf3de88895ea9fb60f4419396808b77fc3f633a87ce881967 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 79a9d993f5bc3f5f9447c35adcb9b87d |
| SHA1 | 67990b8406f852946cac914d81a96eb815100dd6 |
| SHA256 | 126d0677f82ce42360bde0c9025b3d4abffe9ceac24bb04ab1dd0706cf4e20c4 |
| SHA512 | 654e5aa66aad0d531ffc7a34cc96006796b9b5d3ef5d289207f33ffc46a975ae7d1ee808abbcd4ceaf40f1596d7994f61fccb7285200012fc242f0df398eb70d |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | e460b157be8c119fbd24532960082e15 |
| SHA1 | 5b3d52547b4e356fdf57eb06d06a1f2c21769c79 |
| SHA256 | 5a618a0b967de5558cb673aba2518b1b38549f5c979c2e06e02c6e92c69a3d79 |
| SHA512 | 7a046b87d6691755bc25ca9a64989550befbe9285fad3b1a00dd27a3ec783a0426ef662c05eb3455a61347dea4fe6e1bd759386476280679c2353a4cf81e8115 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\concrt140.dll
| MD5 | d769cc7219e1515620aebba1c4df8f7b |
| SHA1 | 006a7bf65e9d26f06c7aed822d70326ff967d74b |
| SHA256 | 783feed3393d047f3feeeb733c5279b1c9cdb1b0bb2a2b6a4ba66826b45d9fb6 |
| SHA512 | 3e6f2114303c2612fcae3498f6fa70726d0df5e938384dee095db8a95115d10452b3cda62769dab9334b0799da8d7fb0f983df98f6e7273ae91391c01da7bf7a |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\msvcp140.dll
| MD5 | 2307ff4b14821a2bca90ef18511f2e0b |
| SHA1 | f12b3e69ad35fd76425628f45eb3ceb3c42ca39b |
| SHA256 | 463930767aaeb5603ebca7a068a17ca9482e64662a806942c4f48cbc6e1a8507 |
| SHA512 | c9c134be4af2d07afc47b2bd95449c2c464bf8f03c057287be8f75c712b2ff429b6f84a3ac46981d19629cdbcd7fff4f5371b54326ced4ba1785f35c2091f546 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\ucrtbase.dll
| MD5 | e3c9ea53694abfa282063f41a92713cd |
| SHA1 | c2bbb54680ef3e2dfc91fc9f5eaa702d2297f650 |
| SHA256 | b8e0d94a85e4826aa556e2e060fd99b8208ac5dd3055aff43cfde532265eb930 |
| SHA512 | 8228d0d3a6d872d42d34db7d6133f2bcf2848c0fe44f1c8e949f18892afa1f32d020be299d0a81869a73d24bcc1ceeb64e1d9e525ad6eebbecf5cd10d3609f13 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\vcamp140.dll
| MD5 | 6a632efc9695aae32a820d9d9def1a2b |
| SHA1 | 6a887f4e894eef80132c09abe4899e34c339805e |
| SHA256 | b2b552852c97f2a334e03e4fc1e1d429d94ea646a908bb4901a3e56aab6d42ab |
| SHA512 | 37982299078cee0b5251c4474ac1b609b4a972c38a0cac9eb13b31e6f41ebd83a735a252231f1d9e3b12c3edc2e47ae7e02892cea8a27f205f16aeb3227e31be |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\vccorlib140.dll
| MD5 | 79c80571941032aebea82a1a9dab9307 |
| SHA1 | e113bb8b3bd1d33e396ddb40059f6924e593b626 |
| SHA256 | 08b5754b15936cf467bcfc96e83255cbe77915ce0cc9d287af4e6117f54571e9 |
| SHA512 | 4e7128ceccd6e34c5e7c42594741a5d22c297252f7591a7a7eac5a9b0654f1fa23047daf4b71f99e9d0eceeb3dee594b2b531d77ccc025b7c26f959bd9d86ce2 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\vcomp140.dll
| MD5 | 6b2739f7a5238c8fb4442355dcfdbb0d |
| SHA1 | eff490909fbea9a3f6593fbf401f797730cea8eb |
| SHA256 | 41db8ab344bde359137d6a7d5be5dbf79c4bf2b52d8263c4fad3eac525606ab9 |
| SHA512 | f061a61ce4dbc499afbb8f18c2f2af5fd56286399253aa3e2ab86073e22148c56a044167acae81856b48cb03c4cfd060c8e1b74eb958083d182041a7c3e1ea89 |
C:\Users\Admin\AppData\Local\Temp\rme\x86\System\vcruntime140.dll
| MD5 | d783e99fce7840747050ca0f8b79854d |
| SHA1 | 98c1539927ea6642effe71f45601a81317969d89 |
| SHA256 | 56e6c202747c00c99b812c236b47d065c475baa8bded1dec1d55c338eeaf85e8 |
| SHA512 | 8fa406574c3702ef413bfe4a1bb0a1b519c26cab0be254c5d4270aa7fa21748d029dc631cc5bcdbbf00a30146d106b02be72984809e6d126cf435f46fe7816de |
C:\Users\Admin\AppData\Local\Temp\MSI73aa8.LOG
| MD5 | 42c6566ca2d9b5428f670be594a5b51a |
| SHA1 | b6988c2d5f5c77cbec2b2a428cf82fbb9f2926a2 |
| SHA256 | f575cd2611b3336784bea7a4716831ea9fda64cf527a900d7734ba69c21ab56e |
| SHA512 | 10b4bd8744d6932221bbb53b97a47f58688ee9568837ae878b4bfba0dd411c51e1cb8c699367cea6990bbfcd0dcb794963ebdaef45c109801a44cc12bd2503c1 |
C:\Users\Admin\AppData\Local\Temp\rme\vc_runtimeMinimum_x64.msi
| MD5 | c9544e4d16735d584774349c68b5fb41 |
| SHA1 | d01f92ff1ece3a676eb63e95ab10dac425c6d85a |
| SHA256 | 31851932139554b56d9104462bc701cb83782ce1e1fc5657954ab1d26941127d |
| SHA512 | a78a0e804f32f8c7c273906c8dea88cdf03f871444e8fa9fa8a366943d13354ffaad034b0214f14718d959f8093bf43ccba66eca916b5fcf35431a145993ad1e |
C:\Users\Admin\AppData\Local\Temp\rme\cab1.cab
| MD5 | 7e2cf15a172f8e23931b4a87bff75169 |
| SHA1 | bcf2cfdffc780d1fe28c0ad5c4fbd49b845c2f9d |
| SHA256 | f837c31c2da2ebc1366b10507f15f7f66c5b416bd2ea602d76f044df1282c0b7 |
| SHA512 | ba001032b1934c5897241218ddc56f13575276c701f6d06544047d51838d2ff21cfc57738fe6fd0338b8127527b57777218c27d2763e1d3b42e633318853a33e |
C:\Windows\Installer\Config.Msi\e573b7a.rbs
| MD5 | cc3b3339f4e82b51a20727c0ed21191a |
| SHA1 | 7b5a3d69d9da05918602711489e356275b17de71 |
| SHA256 | c48fcd1b516674a509e57e1fc37753386dc44613660237d56ff1d2827fb8a5d5 |
| SHA512 | 460f54dc2bd08ca07110945f5ff83a80a344ccbd1adb07c59ebeeb7c601285de46f308090f2138cb27e47719e2d47301aeb4998d81b976bbfdb804837a215f39 |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-console-l1-1-0.dll
| MD5 | a7010d8fc8bc1aa1efba555b58648eab |
| SHA1 | 4bfdd524308e01a8d148d491f0af08727d1ffe77 |
| SHA256 | baeec36995ed8215e5ebc3a12b490e5628c001c6882e16d49a461306a2cb0d7e |
| SHA512 | 6f294eca3a9f9476098863c536639b2a57aa4296b100380fdd4403d09ff54caeb619276f9767e6692d892a50c41e1d998389a9d25ac954dec1763969c50fcd46 |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | fee2b177a6335870cf1fa26c890e3c1a |
| SHA1 | b133a9574e74585c24827c78738950072fa7cce8 |
| SHA256 | e3689fdde1cb83cdf99ac519286bed2f94bd4ba73d83514274a9aedfd51ef998 |
| SHA512 | ed374d9f712aefdbde66e925c6488e11d2139e0987c2df4811e5b3e8192bd941b75f1ed2a3c96f932fd54ec329f9b8c2a272739162641dc02d7970bab392029e |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-debug-l1-1-0.dll
| MD5 | e04c69bd2cda6ecd41b5f2f601a348a4 |
| SHA1 | 1b36c6f9c36de14f1d52b877fc49bb84d8218922 |
| SHA256 | 886ead3bb778979dd028451abecf81cfd8c58e910f8d03002dbffabcb55a89d8 |
| SHA512 | 96229807abd8598aabff46bb5d26fe33ebc44557777dec47c0ad41b266484be330c75532ceaa24c2c4e4efe112076045547fe699d5ed7c3e4ec0331d765b2dff |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | dfd5b066dd177e06cc04d8fb84b984a8 |
| SHA1 | 81b245f7983552a31151ef540795d675c806a0b9 |
| SHA256 | d1069b399dbd2d2c1c20eeb1b0382c22e5ce0863d9c351d166b4b58809f23e05 |
| SHA512 | 19993f0cd331b0e078e59d43b5cde6595207b5ddabc063c6ad47b159bd0c015defe66a4f9a942869427c1a546f13b3c15d05c673bef3d9d367845cf837a4d83a |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-file-l1-1-0.dll
| MD5 | 86a4c837ccbcc19065787b4eda417d11 |
| SHA1 | 7cd6564c30809acf113385e3ece4fd3bc19a08f3 |
| SHA256 | da97ae788b22848ce27bbaef85bbf9b2810dbf6d4c1f71a4d014553efa46130a |
| SHA512 | 456ee7b7d946abf7f72838e5372d7d85916f2eab3414791d56265c0b13e151c9ea13790287949577078f49d6cb6f32900ab4db5b0a9a4c11d85adb62a602ea00 |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-file-l1-2-0.dll
| MD5 | d423fa4e22cdf8b822c17b8192c17426 |
| SHA1 | 7d691d6b7bd4d5db6736fffb554f724b5e7f7b71 |
| SHA256 | e92d2051cfedfdd5f38a452c3e8229a46dd5740970d333084c94ca77c0a1ab5d |
| SHA512 | e50f68dda63e61d4eee98f1e6590b8ae58965bf3dfd1392ab0e1e3304d461ef4de389c63efcbbaf06ccae0386c48a9dff1dc997327b9cc5b1d61a88c61af1046 |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-file-l2-1-0.dll
| MD5 | 34819ee7eaf46ff8441b8d0051110589 |
| SHA1 | e7c0c533eeec5eaada3e152ca234ff0f07b2fffe |
| SHA256 | 8b9f9d61a8e3241bf44228ff4e7a57cfe994828e4a7a1ea1baf2759f5f35b704 |
| SHA512 | 1d4d648fa402c303e5811f0fb91c74d4ec2a28cdc2342a4a2a54819bc865b13f2a5d0015d26f8cc13a15bad587298544b5a7ff3587f4efbea4937e8716a30697 |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-handle-l1-1-0.dll
| MD5 | 885d03913343382e78803c9c70e9fb90 |
| SHA1 | f3b05bc5a9a1cfeedabea2253a0c2869ebc59bf5 |
| SHA256 | 6090fc5aaad65032651f75f870e824594babb1297de103488ee904398a2e9282 |
| SHA512 | 63e4cd7df0680ab5db45ddf2916708c0953ef9199888e8aa81a7459e314677c50ee333019a1537a67e941c09346cfb44aad3d7189e3ac56c27d833d809bcc0f4 |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-heap-l1-1-0.dll
| MD5 | aaad1911ec09a4438bee40fba9d6f9c0 |
| SHA1 | e6ffeb351f646832a4a26092e996df3e3efd51fa |
| SHA256 | bbad44b2cca0fe8747966470174e5bab4aa3f800e825aca7b4d444a1d43525da |
| SHA512 | 831ca8963a81a0b23083b3919b97736deedb28e1103531ccde7222a20595a465d8ca740222760b06763464f6780b4b09f4300fbaec24281bfe64d730e4feac3e |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | 905252512f0b06ced00ad3afb32d7d03 |
| SHA1 | ba81252c572291d2d3ec03f248adf92e31c87371 |
| SHA256 | 6fa1390dbc09b91230a21444df9f52b8af70f4889424f2aa6563479d826ec97f |
| SHA512 | 96fb1c461864d4b6acdd876fd06974af72ff48469bc7fe75ff8248bde7149f55d74d1430d3cfe8e002a01ea7b5b14db5496bed112fe505b62149c5e1eed7b7af |
C:\Users\Admin\AppData\Local\Temp\rme\x64\System64\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | d0c82c72ae617713f5bd6641ca0f675b |
| SHA1 | 818029d894cba3fa30567aa94cb610430397a0c1 |
| SHA256 | 2ae11cb73c1d5d3aae0142af4d9c5a34a5eb1d1fa2690c39a3fa2d4b600ccbd1 |
| SHA512 | 7e19078d49399e4ad7e5e2e0324b6b59f9c9b4987682106f90c2cadf81c950eacca4586808e2dd561f34ce2f788432b6da2e75d2547ce599e6a8a375f53e2e3e |
C:\Users\Admin\AppData\Local\Temp\{6a5fc3d7-3a38-454e-947d-a6357157a592}\SET926D.tmp
| MD5 | f59677178b148a77e9976334e6543455 |
| SHA1 | 714e80c4eea3de8860f9b962dcf236fb0caced46 |
| SHA256 | 8b127236019a65a90d2e7780f0e182f43729ea350c839bf1c56e69dd35c7a448 |
| SHA512 | 87db541827979cd313252186bec2f08bf5aedad97e3d8ef53ed8cde959031bc1146e5d852f359cc5dcca2e8a623d10092f53262fdfe70d59e563a3cbc6aa6fea |
C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA086.tmp
| MD5 | 8750dec55d90896870be4e30bf2c757f |
| SHA1 | 63b4c936cf01ac1061f509e196ccfad5bd9db9aa |
| SHA256 | 764d01bc4d15ea2313e4100995e85171a047987c10724121bf6e7575d413e594 |
| SHA512 | 89857c488b02a4ee6348777e728afafa7d42fb60851fa5f2a809591ae62ac3f22d069c175ce44cdb3c90116342f226f6f6c5e93719fdd10ab4167579d56c5dea |
C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA097.tmp
| MD5 | b69aefdeccdc3955ce4968e4a020d18c |
| SHA1 | 978179d46aaa691cd618cf23d967827aacb8fa3e |
| SHA256 | a498daaea6775e1284f8806a557fe3d20437d23d350815c2ced135b4235e630e |
| SHA512 | 1c2eb1184f6816100ec0aac64bc929dd968dc7385e67c4c6b8a96d39c5d63fc02dedd2f8747cb850e4520a2067b2e3e61108de837cd3aada3c42604146bfcce8 |
C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0A8.tmp
| MD5 | d12bbaf0c6abf7aa720c111ae18b4d6a |
| SHA1 | 667693d0223be13bb88704d03e88572583104690 |
| SHA256 | 28c98398110e0ee2f4b6d29602ae26f2664a2d95550bea0b392109bd75463b47 |
| SHA512 | ce506a7cf97528518e77a07e2a8d4ab5bcb59a274d24f2430d59da580e30ac363daf15ef9a68099369654a40e77e3f80c2d5b3a11cd6fd428d9250da88a023de |
C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0B8.tmp
| MD5 | 21474dd81c87feb7365e65430eccdb86 |
| SHA1 | c4ecf9884a70085da1fc2d727d2de2e9b50e8c2b |
| SHA256 | ae85eec1278519946eb6428dba5b9cb892699ce55dfc14f3a21b9be5580db881 |
| SHA512 | 09b9d6adfa19f91b08579e1970e8c183508ee74ef82f4249e7f0794e3dd70205601181cf4b8345976033e79c505b94bb48895845c97da47fbf346d97045fa347 |
C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0B9.tmp
| MD5 | 30c2c4fa7d2f367691d91de91d20784d |
| SHA1 | 058e5da746a1a4f5043374bc9b7cbc57a08d4d77 |
| SHA256 | e7605cbda4e4df283aa053a4ea7f9d51460f9543528f482db64f190ed31199f8 |
| SHA512 | cc3c4a44ad18346558c21e3a05820c033c623b7381001fda68e3a07f7cdcd1ce4fe912ad0fd0ee6b83b37d99420ef78221a36a58bfa10a68aeaa77f18ef476e3 |
C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0CA.tmp
| MD5 | 1f5340984881d055691f86f11b098803 |
| SHA1 | 081a86b17799faa8036db3e9acde14800b8a30ba |
| SHA256 | 5b01352dc4e4a009ee537dc91e30b2a1ecabe9d92335bb4016846996517124fe |
| SHA512 | ce0997a70126afc41ff378daa2a3d160a6ec857ffb90cf34d183a580b553e9b47fe3b4f67657a3cc4e4b7bc8a84d3442357f3cad2facbba03bd2755e84a86ac5 |
C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0CB.tmp
| MD5 | 3c873599bb1b3b81f6237181c4bd60bc |
| SHA1 | a3bf316fa68846a0984babc854bd614d9cdee08b |
| SHA256 | 27dcef64947e5d1fe80a39f48ea144dfc9aa028d348ffcea1a833e4cf489407f |
| SHA512 | 4495c7790631de615452ba27adc099519eacab32d7f30cbd5b18e95380451f7d5f74b743be759fe033b5be62c9e95f1d9ae689de733ee978282649e34c80aade |
C:\Windows\System32\DriverStore\Temp\{a99b5ce9-6b64-ea4e-91ec-63b679e1cee6}\SETA0EB.tmp
| MD5 | d61ed0a83f846bfa6ccba10980ef1b46 |
| SHA1 | 85c4d139732d7939ca9fd6b0a5a786f1585707e1 |
| SHA256 | 7c2ee331aeffd9279a45735e25ee766b1681f967bcea63aa969499bad95a2fc2 |
| SHA512 | b90adb2b580ff8ff0917b9b124c5f281d3005dbe49eaccdd9c38bef20afdf65b4339ef258f4a82d3e803d06c7ef1b06cbfd1546db80b1ae432181763d76898e6 |