54551f4b39f9045379c4ff93e0a8f81f2c3900b5157eeab6b41ff3f13e743372

Analysis

max time kernel
1193s
max time network
1170s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
25-07-2024 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.exe
Size

993KB
MD5

e4996114d73b1bb24b7e67b034e24822
SHA1

d52043af823c2a6f7cb27dfd278638e4abd652b5
SHA256

54551f4b39f9045379c4ff93e0a8f81f2c3900b5157eeab6b41ff3f13e743372
SHA512

a5f67e60415450c11bc04744a45309abb0bbed4d733e3705b772d3d7d2424d2bf4f1976a4ef1b22e5a2df169f82fa2846e38fb2abd78508c3d2491201d264b7e
SSDEEP

12288:rSxG0wgUF888888888888W88888888888BAOeFC0bYgVa/ebO+08WLfvsvXBIJ3R:exGlPeFC0kq9IvsvXB+3HI1Vsr3Vd

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

Processes:

FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmpFreemakeVideoConverterFull.exeFreemakeVideoConverterFull.tmpFileAssociationTool.exeFreemakeVideoConverter.exeFreemakeVC.exe

pid	process
3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp
2248	FreemakeVideoConverterFull.exe
1112	FreemakeVideoConverterFull.tmp
1844	FileAssociationTool.exe
4584	FreemakeVideoConverter.exe
4312	FreemakeVC.exe

Loads dropped DLL 64 IoCs

Processes:

FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmpFreemakeVideoConverterFull.tmpregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp
3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp
3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp
1112	FreemakeVideoConverterFull.tmp
1112	FreemakeVideoConverterFull.tmp
1112	FreemakeVideoConverterFull.tmp
4596	regsvr32.exe
4596	regsvr32.exe
4596	regsvr32.exe
4596	regsvr32.exe
4596	regsvr32.exe
4596	regsvr32.exe
4596	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
4080	regsvr32.exe
4080	regsvr32.exe
4080	regsvr32.exe
4080	regsvr32.exe
4080	regsvr32.exe
4080	regsvr32.exe
4080	regsvr32.exe
4080	regsvr32.exe
4080	regsvr32.exe
4080	regsvr32.exe
4080	regsvr32.exe
4080	regsvr32.exe
4080	regsvr32.exe
4080	regsvr32.exe
4080	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
3484	regsvr32.exe
2592	regsvr32.exe
2592	regsvr32.exe
2592	regsvr32.exe
2592	regsvr32.exe
2592	regsvr32.exe
2592	regsvr32.exe
2592	regsvr32.exe
2592	regsvr32.exe
3980	regsvr32.exe
3980	regsvr32.exe
3980	regsvr32.exe
3980	regsvr32.exe
3980	regsvr32.exe
3980	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates processes with tasklist 1 TTPs 6 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

1104 tasklist.exe
2848 tasklist.exe
2180 tasklist.exe
1376 tasklist.exe
4732 tasklist.exe
4208 tasklist.exe

pid	process
1104	tasklist.exe
2848	tasklist.exe
2180	tasklist.exe
1376	tasklist.exe
4732	tasklist.exe
4208	tasklist.exe

Drops file in Program Files directory 64 IoCs

Processes:

FreemakeVideoConverterFull.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Freemake\COM\1.1\bass.dll	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\COM\1.1\MilkdropPresets\is-CPSHV.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter\Languages\de-DE\is-QKC2V.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Uploader\is-SN05U.tmp	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Downloader\Microsoft.Threading.Tasks.Extensions.dll	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Downloader\Microsoft.Threading.Tasks.Extensions.Desktop.dll	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Downloader\System.Net.Http.dll	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Uploader\NewApiYouTubeUpload.dll	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter\Languages\zh-TW\Monetization.resources.dll	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Downloader\is-QLS12.tmp	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\YoutubeContentLinksExtractor\System.Runtime.dll	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\COM\1.1\is-L3GU6.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\COM\1.1\MilkdropPresets\is-6GPCI.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter\Images\DVDMenu\is-9VJ3F.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter\Images\DVDMenu\is-12UFN.tmp	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Downloader\System.Threading.Tasks.dll	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter\Languages\zh-TW\FreemakeVideoConverter.resources.dll	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\is-HIEJ1.tmp	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\FreemakeConverterCommon.dll	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\Newtonsoft.Json.dll	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter\Languages\el-GR\FreemakeVideoConverter.resources.dll	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Downloader\is-AV35G.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\Resources\ImagesBranding\is-ASTSI.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter\Images\DVDMenu\is-P5SRQ.tmp	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\FMDownloader.GlobalSettings.dll	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FileAssociationTool\is-U1B8I.tmp	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\MediaInfo.DotNetWrapper.dll	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\System.Net.Http.dll	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\COM\1.1\ffmpeg.exe	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Downloader\is-3BB05.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\is-42Q3F.tmp	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Downloader\Jint.dll	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Downloader\FMDownloader.TrackDownloaderLib.dll	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\SplitTesting.dll	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Downloader\is-B8HRM.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\is-3EJB1.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\FreemakeCommon\Resources\is-L5TDL.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter\Images\DVDMenu\is-GGETQ.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\is-SU12H.tmp	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\COM\1.1\MilkdropPresets\FMVisualization.dll	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\System.Net.Http.Primitives.dll	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\Newtonsoft.Json.dll	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter\Images\DVDMenu\is-L3JP7.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter\ForFlash\is-MFNCK.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\COM\1.1\MilkdropPresets\is-1SIEQ.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\is-LBU07.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\Uninstall\is-IPPFQ.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\is-0O365.tmp	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter\Languages\pt-BR\Monetization.resources.dll	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter\ForFlash\is-CR9FO.tmp	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Downloader\FMDownloader.Interface.dll	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\System.Runtime.dll	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\is-SRG9M.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter\Images\DVDMenu\is-HFI8K.tmp	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Downloader\Freemake.CustomControls.dll	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\is-8LEK5.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter\Images\Visualization\is-GDVG1.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\COM\1.1\is-SH0O9.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\COM\1.1\is-OUV54.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Downloader\is-FN621.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Downloader\is-P1CCP.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\Resources\ImagesBranding\is-ELK7G.tmp	FreemakeVideoConverterFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter\ForFlash\is-UNH4B.tmp	FreemakeVideoConverterFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\COM\1.1\avfilter-3.dll	FreemakeVideoConverterFull.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.exetasklist.execmd.exefindstr.execmd.exeFreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmpcmd.exenetsh.exefindstr.execmd.exeregsvr32.execmd.exefindstr.exeregsvr32.exeFreemakeVideoConverterFull.execmd.exetasklist.exetasklist.exeregsvr32.exeregsvr32.exeFreemakeVideoConverterFull.tmptasklist.exefindstr.exefindstr.exeFreemakeVC.execmd.exefindstr.exetasklist.exeregsvr32.exeregsvr32.exeFreemakeVideoConverter.exenetsh.exetasklist.exeregsvr32.exenetsh.exenetsh.exeFileAssociationTool.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreemakeVideoConverterFull.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreemakeVideoConverterFull.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreemakeVC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreemakeVideoConverter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileAssociationTool.exe

Modifies registry class 64 IoCs

Processes:

FileAssociationTool.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpeg\Shell\Convert with Freemake\command\ = "\"C:\\Program Files (x86)\\Freemake\\Freemake Video Converter\\FreemakeVideoConverter.exe\" \"%1\" -ConvertWithCommand"	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04B24ADA-08DF-4E32-A0CF-FECCD79DD3F5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1898BF5-3C61-4CDE-A901-CAA80516CBF2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\FreemakeVideoConverter.cavs\DefaultIcon	FileAssociationTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.tod	FileAssociationTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FreemakeVideoConverter.cavs\DefaultIcon	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{644CC3C4-0600-45A2-8EE0-577D6149CA9F}\TypeLib\ = "{8F935BB6-1360-4F01-89BE-8D394CA9E36C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8f75e71d-6ce1-43e2-a8c2-2ef1a320955b}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FreemakeVideoConverter.3gp\Shell\Open\Icon = "C:\\Program Files (x86)\\Freemake\\Freemake Video Converter\\Uninstall\\logo.ico"	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B9901A-E176-409D-A104-0445AE7FF716}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mpg\shell\Convert with Freemake\command\ = "\"C:\\Program Files (x86)\\Freemake\\Freemake Video Converter\\FreemakeVideoConverter.exe\" \"%1\" -ConvertWithCommand"	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE969149-E37F-45C8-A2F6-9784026ED4FA}\ = "IFMColorRect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9620AAE3-7818-422F-B3B3-73699E27F0C3}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{433BB557-EA8C-4D91-BE56-2E7340DBAAB4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50ffaa60-daba-4875-8193-c404eb8ee4f8}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.m2t\shell\Convert with Freemake\command	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FreemakeVideoConverter.h261\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Freemake\\Freemake Video Converter\\FreemakeVideoConverter.exe\" \"%1\" -OpenWithCommand"	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaFormats.FormatCodecBase\CurVer\ = "FMMediaFormats.FormatCodecBase.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F932824-DAB4-437A-B658-34E7D7355A2E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\FreemakeVideoConverter.flt\Shell\Open	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AE9AFCE-7D22-45F6-97E9-3F551E1ACBC1}\TypeLib\ = "{89AE5069-13AA-4660-9F9F-C130596B8320}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.pva\shell\Convert with Freemake	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dc3e97dd-3607-4915-a2d0-0afbbd73c2d1}\TypeLib\ = "{e5cd553d-2b25-48e4-a1a8-e685f79a1a54}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22E65E8B-7B25-470B-84AF-60A058C4E9B7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FreemakeVideoConverter.vob	FileAssociationTool.exe
Key created	\REGISTRY\MACHINE\Software\Classes\FreemakeVideoConverter.wmv\Shell\Open	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F935BB6-1360-4F01-89BE-8D394CA9E36C}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92AA846D-DF87-4267-BB72-804D55ACF14F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FreemakeVideoConverter.rv	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7d331115-ab8c-4405-a1bb-75119ad96d84}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d73654b0-164d-4da6-b941-1d11c7597bd6}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27F29E96-6CD1-45A4-9BD4-C4F5BB4D8EB6}\ = "IFormatFile"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23A93418-2CF0-40F3-BFFE-560E8C1753D6}\ = "ITransformCustomerTextWatermark"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaSource.MediaSourceSyncReader\CLSID\ = "{28be759f-b95f-4ad5-8748-0550cf9f9a0b}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.nc\shell\Convert with Freemake\command	FileAssociationTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1898BF5-3C61-4CDE-A901-CAA80516CBF2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaSource.MediaSourceCache\ = "MediaSourceCache Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{baad6aa7-889d-4db4-8666-f71544310e82}\TypeLib\ = "{8f935bb6-1360-4f01-89be-8d394ca9e36c}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BB66678B-C7F5-4958-9150-780372B8395C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mkm	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3e4b14cc-b77a-40da-b6c5-a1361c0cacf1}\TypeLib\ = "{8f935bb6-1360-4f01-89be-8d394ca9e36c}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.film\shell\Convert with Freemake	FileAssociationTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f9658a1b-4e5a-4fc9-92c8-376b01e98e05}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FreemakeVideoConverter.mj2\Shell\Open	FileAssociationTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpeg\shell	FileAssociationTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FreemakeVideoConverter.ea\DefaultIcon	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.smk\ = "FreemakeVideoConverter.smk"	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f9658a1b-4e5a-4fc9-92c8-376b01e98e05}\InprocServer32\ = "C:\\Program Files (x86)\\Freemake\\COM\\1.1\\FMTransformBase.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mp\shell\Convert with Freemake\Icon = "C:\\Program Files (x86)\\Freemake\\Freemake Video Converter\\Uninstall\\logo.ico"	FileAssociationTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6d491edd-aa0c-4ad5-b0db-4084e0100d28}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13AF8BBE-0396-4817-A08F-8D0F25AF3288}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FreemakeVideoConverter.roq\DefaultIcon	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ivr\ = "FreemakeVideoConverter.ivr"	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMTransformBase.TransformAudioFade.1\ = "TransformAudioFade Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27cb0cb2-abc2-41a8-8a43-211163a92cd9}\TypeLib\ = "{e5cd553d-2b25-48e4-a1a8-e685f79a1a54}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.m4p\shell\Convert with Freemake\Icon = "C:\\Program Files (x86)\\Freemake\\Freemake Video Converter\\Uninstall\\logo.ico"	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1DB4D5B3-08CE-491C-87F7-380365818D80}\TypeLib\ = "{8F935BB6-1360-4F01-89BE-8D394CA9E36C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.gxf\shell\Convert with Freemake	FileAssociationTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaSource.MediaSourceStreams.1\CLSID\ = "{1c31318d-138b-4a67-bc66-941651c81bf8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2c69b6b7-7c30-47df-b341-f6e679442021}\ = "MediaSourceContainer Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDA777E5-1E97-4F90-8ABA-616F33095131}\TypeLib\ = "{780B9AFD-5231-496B-BD88-94DC8C9F4749}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECE1ADF4-FD0F-4B72-B848-8138F480BFB6}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.vfw\shell\Convert with Freemake\command\ = "\"C:\\Program Files (x86)\\Freemake\\Freemake Video Converter\\FreemakeVideoConverter.exe\" \"%1\" -ConvertWithCommand"	FileAssociationTool.exe
Key created	\REGISTRY\MACHINE\Software\Classes\FreemakeVideoConverter.swf\DefaultIcon	FileAssociationTool.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

FileAssociationTool.exeFreemakeVC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1	FileAssociationTool.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	FileAssociationTool.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	FileAssociationTool.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff1190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	FileAssociationTool.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 5c000000010000000400000000100000190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd10400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	FileAssociationTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	FreemakeVC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	FileAssociationTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	FileAssociationTool.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	FileAssociationTool.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	FreemakeVC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	FreemakeVC.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	35	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmpFreemakeVideoConverterFull.tmp

pid	process
3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp
3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp
3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp
3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp
1112	FreemakeVideoConverterFull.tmp
1112	FreemakeVideoConverterFull.tmp

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exeFreemakeVC.exe

description	pid	process
Token: SeDebugPrivilege	2848	tasklist.exe
Token: SeDebugPrivilege	2180	tasklist.exe
Token: SeDebugPrivilege	1376	tasklist.exe
Token: SeDebugPrivilege	4732	tasklist.exe
Token: SeDebugPrivilege	4208	tasklist.exe
Token: SeDebugPrivilege	1104	tasklist.exe
Token: SeDebugPrivilege	4312	FreemakeVC.exe
Token: SeDebugPrivilege	4312	FreemakeVC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmpFreemakeVideoConverterFull.tmpFreemakeVC.exe

pid process

3716 FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp
1112 FreemakeVideoConverterFull.tmp
4312 FreemakeVC.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MiniSearchHost.exeFileAssociationTool.exeFreemakeVideoConverter.exe

pid process

3764 MiniSearchHost.exe
1844 FileAssociationTool.exe
4584 FreemakeVideoConverter.exe
4584 FreemakeVideoConverter.exe

pid	process
3764	MiniSearchHost.exe
1844	FileAssociationTool.exe
4584	FreemakeVideoConverter.exe
4584	FreemakeVideoConverter.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.exeFreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmpFreemakeVideoConverterFull.exeFreemakeVideoConverterFull.tmpcmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1692 wrote to memory of 3716	1692	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.exe	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp
PID 1692 wrote to memory of 3716	1692	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.exe	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp
PID 1692 wrote to memory of 3716	1692	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.exe	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp
PID 3716 wrote to memory of 2908	3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp	cmd.exe
PID 3716 wrote to memory of 2908	3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp	cmd.exe
PID 3716 wrote to memory of 2908	3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp	cmd.exe
PID 3716 wrote to memory of 2248	3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp	FreemakeVideoConverterFull.exe
PID 3716 wrote to memory of 2248	3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp	FreemakeVideoConverterFull.exe
PID 3716 wrote to memory of 2248	3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp	FreemakeVideoConverterFull.exe
PID 3716 wrote to memory of 1536	3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp	netsh.exe
PID 3716 wrote to memory of 1536	3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp	netsh.exe
PID 3716 wrote to memory of 1536	3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp	netsh.exe
PID 2248 wrote to memory of 1112	2248	FreemakeVideoConverterFull.exe	FreemakeVideoConverterFull.tmp
PID 2248 wrote to memory of 1112	2248	FreemakeVideoConverterFull.exe	FreemakeVideoConverterFull.tmp
PID 2248 wrote to memory of 1112	2248	FreemakeVideoConverterFull.exe	FreemakeVideoConverterFull.tmp
PID 3716 wrote to memory of 3276	3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp	netsh.exe
PID 3716 wrote to memory of 3276	3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp	netsh.exe
PID 3716 wrote to memory of 3276	3716	FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp	netsh.exe
PID 1112 wrote to memory of 1380	1112	FreemakeVideoConverterFull.tmp	cmd.exe
PID 1112 wrote to memory of 1380	1112	FreemakeVideoConverterFull.tmp	cmd.exe
PID 1112 wrote to memory of 1380	1112	FreemakeVideoConverterFull.tmp	cmd.exe
PID 1380 wrote to memory of 2848	1380	cmd.exe	tasklist.exe
PID 1380 wrote to memory of 2848	1380	cmd.exe	tasklist.exe
PID 1380 wrote to memory of 2848	1380	cmd.exe	tasklist.exe
PID 1380 wrote to memory of 2828	1380	cmd.exe	findstr.exe
PID 1380 wrote to memory of 2828	1380	cmd.exe	findstr.exe
PID 1380 wrote to memory of 2828	1380	cmd.exe	findstr.exe
PID 1112 wrote to memory of 4388	1112	FreemakeVideoConverterFull.tmp	cmd.exe
PID 1112 wrote to memory of 4388	1112	FreemakeVideoConverterFull.tmp	cmd.exe
PID 1112 wrote to memory of 4388	1112	FreemakeVideoConverterFull.tmp	cmd.exe
PID 4388 wrote to memory of 2180	4388	cmd.exe	tasklist.exe
PID 4388 wrote to memory of 2180	4388	cmd.exe	tasklist.exe
PID 4388 wrote to memory of 2180	4388	cmd.exe	tasklist.exe
PID 4388 wrote to memory of 4180	4388	cmd.exe	findstr.exe
PID 4388 wrote to memory of 4180	4388	cmd.exe	findstr.exe
PID 4388 wrote to memory of 4180	4388	cmd.exe	findstr.exe
PID 1112 wrote to memory of 2476	1112	FreemakeVideoConverterFull.tmp	cmd.exe
PID 1112 wrote to memory of 2476	1112	FreemakeVideoConverterFull.tmp	cmd.exe
PID 1112 wrote to memory of 2476	1112	FreemakeVideoConverterFull.tmp	cmd.exe
PID 2476 wrote to memory of 1376	2476	cmd.exe	tasklist.exe
PID 2476 wrote to memory of 1376	2476	cmd.exe	tasklist.exe
PID 2476 wrote to memory of 1376	2476	cmd.exe	tasklist.exe
PID 2476 wrote to memory of 3980	2476	cmd.exe	findstr.exe
PID 2476 wrote to memory of 3980	2476	cmd.exe	findstr.exe
PID 2476 wrote to memory of 3980	2476	cmd.exe	findstr.exe
PID 1112 wrote to memory of 4684	1112	FreemakeVideoConverterFull.tmp	cmd.exe
PID 1112 wrote to memory of 4684	1112	FreemakeVideoConverterFull.tmp	cmd.exe
PID 1112 wrote to memory of 4684	1112	FreemakeVideoConverterFull.tmp	cmd.exe
PID 4684 wrote to memory of 4732	4684	cmd.exe	tasklist.exe
PID 4684 wrote to memory of 4732	4684	cmd.exe	tasklist.exe
PID 4684 wrote to memory of 4732	4684	cmd.exe	tasklist.exe
PID 4684 wrote to memory of 1452	4684	cmd.exe	findstr.exe
PID 4684 wrote to memory of 1452	4684	cmd.exe	findstr.exe
PID 4684 wrote to memory of 1452	4684	cmd.exe	findstr.exe
PID 1112 wrote to memory of 4884	1112	FreemakeVideoConverterFull.tmp	cmd.exe
PID 1112 wrote to memory of 4884	1112	FreemakeVideoConverterFull.tmp	cmd.exe
PID 1112 wrote to memory of 4884	1112	FreemakeVideoConverterFull.tmp	cmd.exe
PID 4884 wrote to memory of 4208	4884	cmd.exe	tasklist.exe
PID 4884 wrote to memory of 4208	4884	cmd.exe	tasklist.exe
PID 4884 wrote to memory of 4208	4884	cmd.exe	tasklist.exe
PID 4884 wrote to memory of 3368	4884	cmd.exe	findstr.exe
PID 4884 wrote to memory of 3368	4884	cmd.exe	findstr.exe
PID 4884 wrote to memory of 3368	4884	cmd.exe	findstr.exe
PID 1112 wrote to memory of 492	1112	FreemakeVideoConverterFull.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.exe
"C:\Users\Admin\AppData\Local\Temp\FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\is-8CDRV.tmp\FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8CDRV.tmp\FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp" /SL5="$5025E,492628,402432,C:\Users\Admin\AppData\Local\Temp\FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C "ver > "C:\Users\Admin\AppData\Local\Temp\is-B7NCV.tmp\~execwithresult.txt""
3⤵
- System Location Discovery: System Language Discovery
PID:2908

C:\Users\Admin\AppData\Local\Temp\FreemakeVideoConverterFull.exe
"C:\Users\Admin\AppData\Local\Temp\FreemakeVideoConverterFull.exe" /LANG=en /dotnet=0 /skip_welcome locale=GB /DIR="C:\Program Files (x86)\Freemake" /autoinstall
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\is-HT8HU.tmp\FreemakeVideoConverterFull.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HT8HU.tmp\FreemakeVideoConverterFull.tmp" /SL5="$6003E,80952626,402432,C:\Users\Admin\AppData\Local\Temp\FreemakeVideoConverterFull.exe" /LANG=en /dotnet=0 /skip_welcome locale=GB /DIR="C:\Program Files (x86)\Freemake" /autoinstall
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C tasklist | findstr "FreemakeVD.exe"
5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\SysWOW64\findstr.exe
findstr "FreemakeVD.exe"
6⤵
- System Location Discovery: System Language Discovery
PID:2828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C tasklist | findstr "FreemakeVC.exe"
5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\SysWOW64\findstr.exe
findstr "FreemakeVC.exe"
6⤵
- System Location Discovery: System Language Discovery
PID:4180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C tasklist | findstr "FreemakeAC.exe"
5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\SysWOW64\findstr.exe
findstr "FreemakeAC.exe"
6⤵
- System Location Discovery: System Language Discovery
PID:3980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C tasklist | findstr "FreemakeMB.exe"
5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\SysWOW64\findstr.exe
findstr "FreemakeMB.exe"
6⤵
- System Location Discovery: System Language Discovery
PID:1452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C tasklist | findstr "FreemakeYB.exe"
5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\SysWOW64\findstr.exe
findstr "FreemakeYB.exe"
6⤵
- System Location Discovery: System Language Discovery
PID:3368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-VBNUB.tmp\CheckRunningInstance.cmd""
5⤵
- System Location Discovery: System Language Discovery
PID:492

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SysWOW64\findstr.exe
findstr "FreemakeAC | FreemakeVD | FreemakeMB | FreemakeVC | FreemakeYC | FreemakeYB"
6⤵
- System Location Discovery: System Language Discovery
PID:3424

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Freemake\COM\1.1\FMMediaFormats.dll"
5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4596

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Freemake\COM\1.1\FMTransformBase.dll"
5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3484

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Freemake\COM\1.1\FMMediaSource.dll"
5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4080

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Freemake\COM\1.1\FMVideoConverter.dll"
5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3484

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Freemake\COM\1.1\FMDVDMenu.dll"
5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2592

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Freemake\COM\1.1\FMMediaUtils.dll"
5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3980

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Freemake\COM\1.1\FMPlayerLib.dll"
5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2628

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" http add urlacl url=http://+:11425/ user=Admin
5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3532

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" http add urlacl url=http://+:11425/ user=\everyone
5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4388

C:\Program Files (x86)\Freemake\Freemake Video Converter\FileAssociationTool\FileAssociationTool.exe
"C:\Program Files (x86)\Freemake\Freemake Video Converter\FileAssociationTool\FileAssociationTool.exe" --installPath "C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter.exe" --isNeedToAssociate true
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter.exe
"C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter.exe" --AutoRunType=AfterInstall
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVC.exe
"C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVC.exe" --AutoRunType=AfterInstall
6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4312

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" http add urlacl url=http://+:11425/ user=Admin
3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1536

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" http add urlacl url=http://+:11425/ user=\everyone
3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3276

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Freemake\COM\1.1\FMMediaFormats.dll

Filesize
412KB

MD5
ce9c709a62ac85067989790bc39422e4

SHA1
485a1adfd5c027e91ed75b9a2673b10aba4f09dd

SHA256
21fb768dce87a2745af66a068061e360be2e7fd2fcd57fd1924a222130a50990

SHA512
ac88768279641724d8698ad156054e1f8e456e3d5e961c59efdcec2440cac19879ccfe9715af03c4cd2b479d5bd2ebdae41d406a273bee664f00841cd61030af

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\FMMediaSource.dll

Filesize
812KB

MD5
cf3447902fc5f86aa7dbf8bdbf967354

SHA1
50f7fb4634a17358f5b613f7467c49c317f1fc17

SHA256
5b0a4dc1c7d027c48940f60ef42b4085f46e9d0b741fe7fa855fd2826e244f5d

SHA512
d487c7d6f4143e5cc40bf96e2520ae6e9aa240a887f11a6b762af07f096c5fe088ef2f17f79c922c2a15bfbbff3ac00161526afd06f35c6f5037dca3419019f6

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\FMTransformBase.dll

Filesize
459KB

MD5
a481e9ed59045159e843b764604e3402

SHA1
79aa22668b39a4a928acda4dbad0b4f1d66553f0

SHA256
b6b21c0996383347b805d64394ca389ad2c29c0b1a72c99791f5e50d93287626

SHA512
143a6b66a0c36e2ff69a8616f4f4d8a319438b78f461467709743738a9bfbbff4ff0b2093e4e508ec63832353eb20648aa4cb1260125d81941b56ef8c3176f89

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\FMVideoConverter.dll

Filesize
2.4MB

MD5
36278d1e86865222141aa7892967b143

SHA1
e9cc171adc525886a258147e69c974247bb2ec09

SHA256
51c1e888d273d0ff2b1eb0c7120970b7439ef04bdc4e00636895231ac18315e0

SHA512
e41a55de774bc6891a53406b5431f7f6619c6c586b8b4b6700a982681de01ab472b2c4ba8743e174148453c80ebcda8dded028a8de73cbfc686ecf5d8f9d8a5b

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\avcodec-54.dll

Filesize
13.8MB

MD5
23a378f40b92364e51e7b12cfb0af6d5

SHA1
8224dd82e02a3bb83cb4ed84a6265c370471a850

SHA256
8742fd389e9983594a24d5599e4d8f418c5454f36d2fd8d9cbc07bee08d4ea54

SHA512
529ca2c531626174451cd8d103b442a66aadd87edd5d03af44eadad94b59d9aec0b60380fdbf4aa213544dba7d3b2afa6abd7201484e9072538fbc9fa8b65581

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\avformat-54.dll

Filesize
2.9MB

MD5
7396db8ff8a5977ecd76220d14f0ee04

SHA1
c815b965c7abe368e4f49394b2512eef60dc0ef0

SHA256
8bf698ee1d89f687bf32f4e1ac4908379479456effac70038f949c548efd18bc

SHA512
6442532a793e0b7fb1be1a022ce0d082487bc598085fcd8b10483bb90e5c0010789c580350bed35b69e2759d768138b489b270478b7f2a3b887826062e506a70

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\avresample-1.dll

Filesize
135KB

MD5
6d02a67f1a77371dcf16a3dd70ae3cb8

SHA1
5bdd8a649e35686362ef010420d85eff624d00a5

SHA256
9d23781f9b54a3f37e872ce23df6ac64a695dcadf794d388f9266861ef7f790e

SHA512
bb0c7ddc280d4d518a925e92706d5f567220a07181dedc4c1c3a6a745d567b7461590063304288395fdd61312d121d384568e89e94464ff4937137d9df7f1ea1

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\avutil-52.dll

Filesize
186KB

MD5
97809a2431bcc50fc718e2ced1e306e2

SHA1
a3fcac6a8034ccd9392063f57325051aa067ee85

SHA256
2f2ae85d42415914eed564acda3ffae7b1f3627e871913c0349d73526f3bbf55

SHA512
4ec6c69fabc49d30db9efff9ea72387f4915287b8b231f37d7cb8a062246dfb67c180cc6fbb586bfef95ef0615fe793d2f5167d0aca4cf9068522c3556f1479c

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\id3lib.dll

Filesize
560KB

MD5
a3228b7cb5d4d3ba572748a3da0017c7

SHA1
7abfc11a3e24e863c2751992a7c5e46f100d27d0

SHA256
3c16f05c4fb3a4fb6ac98ee70edcd5f6d790827b43641bdbdfec52aaca2291af

SHA512
d10a67ab65130933fe22a6bc52fc806ffb3e5eeea3dcdd5e0c589eb637a03ea38b4d141c482390caadb44f9290a7bd08b9079388ddb6777885c041df53c29c6d

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\libdvdcss-2.dll

Filesize
52KB

MD5
fc7623c00f213487967c9f8e47987a0c

SHA1
5753489380816556a47ea233836317eda31251b3

SHA256
5460970963359ddf76b4eaa9dce3710bd3a2d58a5fb168d305b789e646bf9241

SHA512
35475127dca833bda1f00e18ed0797952cc57c28b80f75fe5c54799ffec982cca549c0de3ccaaea38b92561e0298b367e662c492910b094e652e523516e374ba

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\libdvdnav.dll

Filesize
229KB

MD5
915547ec7701be659cc21452a1258b2b

SHA1
e0056e9ef53fa9714c0ddea1f069da07e502e85e

SHA256
6d63a4ed2c0226024b69bb27267488a43e5fd3ad5b2e342abfba3e55bc95884f

SHA512
617743e696090eb9eb42d38157bf216ee5e214e300c0db8b95a9614d372953f472bc7922676995b6bcd4247b8d506f0972af385b9e7e554a5dfff5e06cf081cb

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\msvcr100.dll

Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\swscale-2.dll

Filesize
326KB

MD5
d06d733f491a19bd76379565ffbf0556

SHA1
1125234bc8a4702b515bc0a12c9ca82e9583bd63

SHA256
05cd12a6f470b271cf47bd2637136e8720a00e67668df8d8499f406f0c52ea14

SHA512
e52ff24705db9fcc02571132e4d6debe329031c5c65a70de47e2f163e0c8f6e355d74abb9a24ad3cf888c8e7cf9f3df56df60dba4a87743f362624bf58a97f35

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\xvidcore.dll

Filesize
1.0MB

MD5
eaaa841ed3c3df66aba354852d2c7baa

SHA1
55e4707d4b66086da1595a93dcc02c6b62affb40

SHA256
8f3ffde67a530df8f5ecaca1ef2e3bf880a94e68b3a7f183f1313343418235ae

SHA512
ccc5ae4c8f4d5882c3140869c9d985f37945014a243aca72a5b7aeb2076686a89bf9b4f76f2d12c5513bc843451e56b3be7e40139166d69b96f435108851b6db

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\is-7H751.tmp

Filesize
186KB

MD5
3002e884c5c15a15b68eaef3c62ff254

SHA1
d7e053ac51f562b92fd4032ad769adea7255230c

SHA256
3e71eb02ae8d01cb8159cc5f9ff3ff1976aec5872298ed45310b58f18708eac0

SHA512
0789fb15f8e062ac2af6785a240b9b7d482b5f179fdb2e6b5ef9f841092c1a631b27f3db7738163f73cb609d8f5918fe2bb166731107061ece21c7a18a2a3989

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\is-8DIR8.tmp

Filesize
21KB

MD5
018841345cfbf45eda4cd1adb74fd68b

SHA1
f9928ef8b78f7cf2d3eb3ec68d28f36c89fff3da

SHA256
acf0e0555afed095cf12f719a3cd0e745435ced2575840a46a40ec61ed632265

SHA512
7dd159dc1d64e49a9106c2f04a46643c9aafb83fc017d4f98f63b63d6317fc4ab370fafb63bb512bfb6b4ec7ef2b2e6b362bb7f035a23dd1046d6dc2499ea5ff

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\is-8NHOP.tmp

Filesize
137KB

MD5
4121b366895116acaadca2adfb59ac21

SHA1
f790ecf47b9b9f80fc1572e3b96bc46eae99a244

SHA256
445fa3a7a40ecf0d24c1125d0a550537a0000187de23f7fd8d39f6a28e32320a

SHA512
bdc9757304de0771b3ac8aeac8630e5f67d76bb5ab3434cd37263a9bd1465ddea5933e7e1564cd752c5805c615a3f3df34b6caac10ae22fd01cc9dbb196c710f

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\is-8U8VE.tmp

Filesize
26KB

MD5
1925e1654510ee0914ff3360c6c94765

SHA1
a032c1456dc199189310ef4df533bceeb6c41a92

SHA256
6e599d81a2b8d803ca794c25111fea54c34356c4ed853b926c9ab42a4b0d6454

SHA512
1995a5f16aaa62d23d69022b613362b7cf952059cc9c4fbddfcbe0905b94b02599dd4b5a784344a2b541457ec255b8f38baccb7919f04f323d35b59b2e10d0d1

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\is-I07MN.tmp

Filesize
34KB

MD5
85f6f590b5c4b8c7253e9c403c9be607

SHA1
d5a9db942a50c8821bacd7f6030202c57ec4708b

SHA256
d20552fd5c8c8c9759608a84db1e216da738f5e9f46de9e8a3f39a0d6265cb8b

SHA512
9c78cb444e28618d44e9deb23571fc7bbce268882c2803e0ccc0e84b3e6eab89c6af2aac0d81ef0d2c9fd1e9611cb35334ef3304fb16c5ba0481f6a7273c3660

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\is-I9AVD.tmp

Filesize
367KB

MD5
313defd8ed9a742af1ff8a16fd508f3f

SHA1
ab14db48b983fd431eefb2ad98613ab2ce90cd8e

SHA256
e608a0c3236e6a833a994a3d251d85fb12648b76f834d0d9fd9786dcc613a368

SHA512
462125725a7954bda2032cb4f54324e892869ddd01f9355a13b32d394d70a6e2858a49aa27f8f7770dc9d6d77c4d2da8bde337a1c6cefd63643820914954056c

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\is-ILTNT.tmp

Filesize
20KB

MD5
d552de7d39179b914db7cc2dbdd005c2

SHA1
044329c6c335224ba05a4e398a5fcb204f13ac36

SHA256
24bd076d31dc9d363eb2adb8b27a7d45d9f975aeec565132d27901537e31f239

SHA512
b82cbd6c4b3d378fba1793858c556ea1fdaa405905686ce219f192d16041e79aa063145c6d469aa7c15aa945d3ef344618fa0996d6611282a8718dd0de77d64d

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\is-JJVUN.tmp

Filesize
2.0MB

MD5
66ca6655fdb4c256e5772bd620fc775a

SHA1
fae38455aca483010be3ab922534603da6dd39a9

SHA256
464cba755dff10abb52f8213c0b36588a3790ef365cbcacb8d9bfd0d92d1e786

SHA512
13a7c4e47e01b707065992016d9d431c7239c4c596425bd0459516d26935b71a268ae494725069e152a4270147c24f8fa195863c9b9cbf80243ed0d6d26a84da

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\is-MB29P.tmp

Filesize
560KB

MD5
8f81c9520104b730c25d90a9dd511148

SHA1
7cf46cb81c3b51965c1f78762840eb5797594778

SHA256
f1f01b3474b92d6e1c3d6adfae74ee0ea0eba6e9935565fe2317686d80a2e886

SHA512
b4a66389bf06a6611df47e81b818cc2fcd0a854324a2564a4438866953f148950f59cd4c07c9d40cc3a9043b5ce12b150c8a56cccdf98d5e3f0225edf8c516f3

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\is-QB9CR.tmp

Filesize
30KB

MD5
a56072ffc624339c31d7e205570788ac

SHA1
68947a16950d05eea8ad474f561d54fb6a5a3be6

SHA256
e3a81a23400db10f69acbbbe431bdb7be163723d6b47d9bf623e6adbe9ceed0c

SHA512
ff5fa57d85c2baca402eb856e2e3e763e50cbe4898a1656a233534ba0dc4c24825c31371fd37ea4b4eba2647122d5564bb19ee9e0bce9870c220e1ce72fc2843

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\is-RRRG7.tmp

Filesize
56KB

MD5
e33a3e4e2ee59a622f07815dafb139e2

SHA1
99a0940ca8ea8c202d6f241c7ed6050e5c5523d6

SHA256
d3102299820373869e1093469305e26e1903778667efce7130524a493657ccac

SHA512
483f07aaac30f353d6d81a653ac8d59166661491c019398e4037c7ad03ed1407f083040bb3e4df026e8b553be098320f7189e112af631f55f3d98cda8e1db92d

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\is-TQEPJ.tmp

Filesize
21KB

MD5
8e4e0ea396b5452bed54e6888cb07ca1

SHA1
1a7afcdd7f118b3ef8f1d9761fa71faeee16fd2c

SHA256
dfeab83e6a9555a6c18070c611d868e117fa2fef6f815da26e622feb2e610254

SHA512
e160570f598d5fdd637725a70595a7ddc247c20aed66c031ff9816142231c8ea58c69fef7f5eb8e10120e5e5ad68ececb1b584054832464046209c9e04cc1aae

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\is-VF7U7.tmp

Filesize
11KB

MD5
7dd26c3dcef3e5bd5a3822ca2e22a87d

SHA1
7edbe81d96ea24484b3cf0dc6539203d3b81cf12

SHA256
4c479afa2f7cde4ba9029a5a8934736c62cd7396c37ee4aae8c0ce9a74517d10

SHA512
cb474a71ce1bc36c0c62bfcf66ec94b2be48dad93d8060dcdf812b807177abf3d3b142157d599e26bcbb51e07d2996548b7b9a378bf8fd89f5c89e8df1ddc56c

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\ConverterCommon\is-VS8LA.tmp

Filesize
100KB

MD5
fc3bd6e569eca92b5c57aa67b9ccaf7e

SHA1
1ae7cd63a312146d467180ec2a092a109802bb77

SHA256
4a6da21b14f87a4b829ba8a1e6c0857df777b024d578319dda5b2686af8aa10e

SHA512
c1f4698cb4d689f810abc6a0c43040461fcfe80aadaeaa13543e52c20cad8c18a33340e1b071db54e3c97f5773768ec0daca4500f1f8ba19b12b9b86ed9ecb0b

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\is-5OBSE.tmp

Filesize
2KB

MD5
4b6e75d7e279366baa742e583ce67d92

SHA1
1ca1c479a9143e2fff78ec6606df187c7e60e53a

SHA256
d0f1a3b3c161971280ed90f3b8b77a1018bcc5f8302ebd4bfb01c3fa3d50a7a7

SHA512
6efac695278fc675d6d6f0edc20b020c9b7b409b6abafb021ed5761e2ee4b1f348b4a3677f97397cd4177271e5dd51212bac6666cbfed4213502651c5a4b7298

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\is-A9GEU.tmp

Filesize
145KB

MD5
766192bc12a0135ec8ff1dcc1a0d0334

SHA1
1e3f8ab6c8013691394f03d493d6aaca10bf9947

SHA256
4cce036c1c942bc7db60006e3db936cfc75dc15c6c4bf694645e3bc703f73798

SHA512
a119a429abcac8bc3083e0a11b209cbb56c0c57e8425f599b69e089380aeb9b1aab6353bbaef1a8e17415768e1c572707d87adc8a81de308c5e512c73662812e

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\is-K3Q8F.tmp

Filesize
8KB

MD5
fb7411ac51ffa57c52120f2d75bb65b9

SHA1
98f50feaccecf4bbc900e43dde5f89f90ba61e6b

SHA256
b0879da0c172420917fc8cf383a52dc72347ccfd197503327aff271507965750

SHA512
7eb5b464a85b30312582fe178b4abbe3422ed15839c95d341bc50fb73071529dfe2b66a52795ab45bf8463dd43408df1227e0adf052f1260df9a1ddd2ba3b2b8

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\is-N6GQU.tmp

Filesize
28KB

MD5
50a7c2624dcb5f7f5c9c945dd612e2bd

SHA1
ed259117b05922f51d1e4fd22bbda31ce3d96514

SHA256
389aa3028c6f7b7820090d884436befe90d93501a46478bea4e334456120d3f2

SHA512
82f7a1c5ddc42aedef4b8f9d2e702f198c04974733454b68a8fc21a369fb1fa7bc01f01fe38d945c34142c62095007d47174a45b56ac03d479f4a1d179f6dc62

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMCommon\is-UT727.tmp

Filesize
19KB

MD5
79fbda1967dd3e45b486bc0f21dc2b1a

SHA1
e13c8b48cb8dc51c959b9e952775cfc1ed1d0c19

SHA256
e36addabf1d933278b0ef394e090900e051c8762b2fada63ac203bea830919c2

SHA512
b9311f87b0b35d89d48eb0404e383dd94d423b03d29094c62f1baeeccae12591f2910817423f82aed3cd1b7c9ee187f145cd2935dee47ca7c76e0bfb25acf8e6

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Downloader\is-KNJ79.tmp

Filesize
432B

MD5
1f3aba959f7a154afb38dffb9068f028

SHA1
76d525771144cff4f89dc63ad5885d28752bade4

SHA256
85bc6b1493da8cba9ea57f9328a4066e8c5ace3b6fe8503244c5cd05f1ef000f

SHA512
77c38e7f3c2abac0e66321f8cd9d8046fa6df6699fb7e7417e7a9dc8765b0c6b0824e895617d6915e49293ffa115ae29ab318a18207aa9551dee871152c1cf41

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FMWeb\Uploader\is-GGFGN.tmp

Filesize
36KB

MD5
d01819bfe03222dfa9e35a36555b6b6c

SHA1
25f8069590b14724f28e6a04b8a42e4ef4a8562d

SHA256
5f29e16edff5379e93d5be9bee4cddf98132b84326027688511ac0f3157aaf94

SHA512
e63901f39315972e446768f2c14b4279cf1dd382f97ac90c444c4d858c2a486736a259c47245026b11e5c0846310e7da020bf2466ea91aa0a15d22cb67b37477

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FileAssociationTool\FileAssociationTool.exe

Filesize
34KB

MD5
67f5bff7426bda1fd810aaf62a912bf9

SHA1
7bedb374072b789864cf71c62aa67b74b1a3c4e6

SHA256
a16c5223c79ac1bb53e1d29a87e620e06d33b3652104b8fa82dee52a9590d09c

SHA512
44dac96eede32255d63906333201abc9fccf0b6e0a24eaa8688ed1ac9685586876f015e7f09873b757f256e4a5f2eb3e98e36138b00b57c9ba777ec542dc7e84

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FoxSDK\msvcp100.dll

Filesize
411KB

MD5
03e9314004f504a14a61c3d364b62f66

SHA1
0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

SHA256
a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

SHA512
2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

Download Submit
C:\Program Files (x86)\Freemake\Freemake Video Converter\FreemakeVideoConverter.exe

Filesize
2.2MB

MD5
05ac7c6e22037e35bbe1520faab914c8

SHA1
a604e2b596d4235765fcb9fe410075c2818af3fb

SHA256
bbe878868ba411b6092b26200dcd2e393b2b96a022908c97318a89a0c9cb1712

SHA512
706ae9724cb406b45743789ff1da6631ecde0f88474906bd6d705c6cd0aedd3e10a355a8a784413ce1df729473107cf7bfa202bd41bd6015b973e936e45e760a

Download Submit
C:\ProgramData\Freemake\FreemakeVideoConverter\4312.txt

Filesize
2KB

MD5
cbe7b37c2eb53bb51b8bab454ea30923

SHA1
83e244017f7252b3607f6bb9bd29c2d20e9ccf3d

SHA256
4eab8f152adc71b07210a1e2a55a9e7111013b4cd618c1e2580540573538fe57

SHA512
4c17754498409652fddf723f4ffe788cad606dfabc819f729ab4368acceffc204f050553a28a9268653512427c4f626244bac48cee0cfebd2931fd746830866c

Download Submit
C:\ProgramData\Freemake\FreemakeVideoConverter\SummaryLog.txt

Filesize
2KB

MD5
039e4f5cdf39d5d196347db9aad6be31

SHA1
9ac5b9da01e4339460d39f6c600eb822c9bf96c5

SHA256
891faac7e096e97e5b10cea4a7711fb50000c270e09b48b796ad8e11374898a5

SHA512
8e6dd8059175d7fb29e7f8d076c2eafcb7e977c3af1c1785f25e1ffc8a82c20329b877d8b07adecfbab841a3056785aa042ef754d0bd8fc7daeb0324f8ec87e2

Download Submit
C:\ProgramData\Freemake\FreemakeVideoConverter\SummaryLog.txt

Filesize
4KB

MD5
424861b9578bafde06c34783ce51514e

SHA1
7fbc5d7d1fc3a5f990a35b7017252681055fccd1

SHA256
ac48a6fda4bc2dff95c6edeeee5f8f1b80ed260d21630d13274c042ee9a17e9c

SHA512
134aeb36da3fef7c10b5204e8c481ef044f425391b31991e606c834b7c40bd4a5951f86c5654858dc7ccfe5bfbc0b0c3636dc0eb4d11a47d4a6d7a3db807855e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8CDRV.tmp\FreemakeVideoConverterSetup_ea99b193-ccbf-c53d-69c2-9e134b3380c1.tmp

Filesize
1.4MB

MD5
14f5c8abebd8e51360030d1ae3137669

SHA1
1c72106cc170fe5b2bd20b9e59584af989fff486

SHA256
c9ba417f020aef7547038326d6892d1b4967634c7bb7068ed6498e8256546d46

SHA512
d575db9a4aac597751ccc5a524a8f5972298786c5f17713fc4072f2a84c0a7cade8e442c3737fb9e8879d5cd403788a638fe59821eb390b5d85e50fd9886ba32

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B7NCV.tmp\freemake_dl.dll

Filesize
131KB

MD5
ffb657374aa7751c97ef07edb00ef0c4

SHA1
048fe8294f3e27c83102ca1c9f64d6de2f6c6cd0

SHA256
0d114513e65753f2e261e928b59a0cd0df84cd0669b2bf75706fd04de0b817d6

SHA512
eb70ddc8aab5304f911eb0fc1ea7b507b01d6870c38549ba79743f8c78d16f7e7d55868c483661005633298997f9641413cd26ebe0b1988b4695a87f653d1a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B7NCV.tmp\itdownload.dll

Filesize
77KB

MD5
b4efe1200f09cbf02f0d2ae326a84f3b

SHA1
83102a7f5465a14c78d04ca6d8703c68a5c599ce

SHA256
6bd9984dd28ce8cc13e8eb3b5ee9f6c8a6967e3b2288918665e2ae67fa1eb56b

SHA512
14c83df5ca8ce92efddb07bda1c6fff9cfbbfb1348ff6c2e6b523110bb1fd10023e09986bc7967824a5cf37789080d81f2a5deedc3df3925825f73e2a87b52a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B7NCV.tmp\~execwithresult.txt

Filesize
46B

MD5
19914a4b806e919316f5d919eb4d0460

SHA1
a8880227fc8165e9f65caf8f1833d9606662bf3e

SHA256
c7343316ff8852ffa2c4ebc5797f234f46b1c72176d7d20e8576dba35c09d0cd

SHA512
de53c6402c7032e69d8908b51446c8683cee98de04dfb5e6d3e3ccd557684775f7413121bf12bd14d9fbbb853d8e9c6205710f0605e47e598ca860a15d48a203

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VBNUB.tmp\CheckRunningInstance.cmd

Filesize
96B

MD5
92dbcc7a2f8c552b1f541bd1018b44c5

SHA1
f9956c2066adacbd7cfe80941dabf46a4cc27db7

SHA256
5e314bf3f0a6e062a60d1b009e02f3128132de0206a3d197da27651a3d13fc32

SHA512
d393eb9b228f2ee74172ef28464b5b89daf14abc88135335a5bf364fa7bd4640c3b95c62296c6db15561ee010386a33120cf288446a9ce63a3cee0b3b82b7991

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VBNUB.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1112-1192-0x00000000024D0000-0x00000000024E8000-memory.dmp

Filesize
96KB

Download
memory/1112-1191-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/1112-73-0x00000000024D0000-0x00000000024E8000-memory.dmp

Filesize
96KB

Download
memory/1112-83-0x00000000024D0000-0x00000000024E8000-memory.dmp

Filesize
96KB

Download
memory/1112-82-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/1692-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1692-68-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1692-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1692-26-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1844-3081-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/1844-3082-0x0000000002500000-0x0000000002514000-memory.dmp

Filesize
80KB

Download
memory/2248-81-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2248-3118-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2248-49-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2248-44-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2628-2811-0x0000000011000000-0x0000000011065000-memory.dmp

Filesize
404KB

Download
memory/3716-33-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/3716-39-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/3716-27-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/3716-28-0x0000000002C30000-0x0000000002C48000-memory.dmp

Filesize
96KB

Download
memory/3716-16-0x0000000002C30000-0x0000000002C48000-memory.dmp

Filesize
96KB

Download
memory/3716-48-0x0000000002C30000-0x0000000002C48000-memory.dmp

Filesize
96KB

Download
memory/3716-7-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/3716-47-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/3716-67-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/4080-2001-0x00000000626C0000-0x00000000626F5000-memory.dmp

Filesize
212KB

Download
memory/4312-3119-0x0000000007D30000-0x0000000008348000-memory.dmp

Filesize
6.1MB

Download
memory/4312-3154-0x0000000009860000-0x00000000098D6000-memory.dmp

Filesize
472KB

Download
memory/4312-3573-0x0000000011350000-0x000000001138C000-memory.dmp

Filesize
240KB

Download
memory/4312-3558-0x000000000D400000-0x000000000D40C000-memory.dmp

Filesize
48KB

Download
memory/4312-3553-0x000000000D360000-0x000000000D380000-memory.dmp

Filesize
128KB

Download
memory/4312-3546-0x0000000009C70000-0x0000000009C7E000-memory.dmp

Filesize
56KB

Download
memory/4312-3545-0x0000000009D10000-0x0000000009D48000-memory.dmp

Filesize
224KB

Download
memory/4312-3524-0x0000000009C30000-0x0000000009C3A000-memory.dmp

Filesize
40KB

Download
memory/4312-3519-0x0000000009CA0000-0x0000000009CCC000-memory.dmp

Filesize
176KB

Download
memory/4312-3508-0x0000000074870000-0x0000000074BC7000-memory.dmp

Filesize
3.3MB

Download
memory/4312-3502-0x000000000BF70000-0x000000000BF78000-memory.dmp

Filesize
32KB

Download
memory/4312-3501-0x000000000BFE0000-0x000000000C046000-memory.dmp

Filesize
408KB

Download
memory/4312-3484-0x0000000009970000-0x0000000009978000-memory.dmp

Filesize
32KB

Download
memory/4312-3479-0x0000000007B60000-0x0000000007B68000-memory.dmp

Filesize
32KB

Download
memory/4312-3468-0x00000000098E0000-0x0000000009930000-memory.dmp

Filesize
320KB

Download
memory/4312-3158-0x00000000097E0000-0x00000000097EA000-memory.dmp

Filesize
40KB

Download
memory/4312-3155-0x00000000094F0000-0x00000000094FA000-memory.dmp

Filesize
40KB

Download
memory/4312-3156-0x0000000009580000-0x0000000009596000-memory.dmp

Filesize
88KB

Download
memory/4312-3157-0x0000000009540000-0x0000000009548000-memory.dmp

Filesize
32KB

Download
memory/4312-3153-0x0000000009370000-0x000000000937C000-memory.dmp

Filesize
48KB

Download
memory/4312-3152-0x00000000095A0000-0x00000000097DE000-memory.dmp

Filesize
2.2MB

Download
memory/4312-3149-0x0000000008E90000-0x0000000008EB2000-memory.dmp

Filesize
136KB

Download
memory/4312-3148-0x0000000008ED0000-0x0000000008F60000-memory.dmp

Filesize
576KB

Download
memory/4312-3137-0x00000000077B0000-0x00000000077DA000-memory.dmp

Filesize
168KB

Download
memory/4312-3136-0x0000000007780000-0x00000000077A8000-memory.dmp

Filesize
160KB

Download
memory/4312-3135-0x00000000078E0000-0x0000000007A3E000-memory.dmp

Filesize
1.4MB

Download
memory/4312-3128-0x0000000007070000-0x0000000007084000-memory.dmp

Filesize
80KB

Download
memory/4312-3130-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/4312-3129-0x00000000070D0000-0x00000000070E8000-memory.dmp

Filesize
96KB

Download
memory/4312-3124-0x0000000006F60000-0x0000000006F6E000-memory.dmp

Filesize
56KB

Download
memory/4312-3125-0x0000000006F90000-0x0000000006F9E000-memory.dmp

Filesize
56KB

Download
memory/4312-3123-0x0000000007090000-0x00000000070C2000-memory.dmp

Filesize
200KB

Download
memory/4312-3122-0x0000000006F70000-0x0000000006F8A000-memory.dmp

Filesize
104KB

Download
memory/4312-3121-0x0000000006FB0000-0x0000000007042000-memory.dmp

Filesize
584KB

Download
memory/4312-3104-0x0000000000C00000-0x0000000001394000-memory.dmp

Filesize
7.6MB

Download
memory/4312-3106-0x0000000005E00000-0x0000000005E62000-memory.dmp

Filesize
392KB

Download
memory/4312-3107-0x0000000006410000-0x000000000658A000-memory.dmp

Filesize
1.5MB

Download
memory/4312-3108-0x00000000061D0000-0x00000000061E4000-memory.dmp

Filesize
80KB

Download
memory/4312-3109-0x00000000067A0000-0x00000000069A6000-memory.dmp

Filesize
2.0MB

Download
memory/4312-3110-0x0000000007160000-0x0000000007706000-memory.dmp

Filesize
5.6MB

Download
memory/4312-3120-0x0000000006BB0000-0x0000000006F07000-memory.dmp

Filesize
3.3MB

Download
memory/4596-1214-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/4596-1231-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1208-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/4596-1213-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/4596-1233-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1243-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1242-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1244-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1212-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/4596-1240-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1238-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1237-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1236-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1239-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1235-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1218-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1222-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1234-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1241-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1211-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/4596-1221-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1219-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1210-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/4596-1207-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/4596-1220-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1217-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1223-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1209-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/4596-1226-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1230-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1215-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/4596-1224-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1225-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1227-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1228-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1229-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1216-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4596-1232-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download