3b7a59af4ae63146127cb813f39e5310fedb82b3d0d7b6f8ffe0211c441ab536

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe
Size

16.5MB
MD5

55295fb4033a25836c27c2e9c674f58f
SHA1

c79a09c4185a8bd90857249b4245ae039a1a51bd
SHA256

3b7a59af4ae63146127cb813f39e5310fedb82b3d0d7b6f8ffe0211c441ab536
SHA512

3dec041ca014b736720aff9e8a9a15558867c5024affb7c685d87f74ac10d076fd0319ff70534f6cd637df83427aac2946262444e7ea7ee751e27e5f0d35ad5f
SSDEEP

393216:lVXlIwOBYpWjU2It74yrSJe/JSTSx1KOcy/iIJqPOZsE8I:ztxojYz2J2MQB3qPOZsnI

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe

Executes dropped EXE 15 IoCs

pid	Process
924	setup.exe
1012	Setup.exe
2168	Setup.exe
5104	InstHelp.exe
5012	InstHelp.exe
7136	installanchorservice.exe
6572	THXSPKEQ_CLV_PCAPP_US_1_00_05.exe
7896	setup.exe
8120	setup.exe
6216	InstHelp.exe
6176	InstHelp.exe
6104	InstHelp.exe
3004	InstHelp.exe
4980	setup.exe
7736	setup.exe

Loads dropped DLL 64 IoCs

pid	Process
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
7136	installanchorservice.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
2168	Setup.exe
8120	setup.exe
8120	setup.exe
8120	setup.exe
8120	setup.exe
8120	setup.exe
8120	setup.exe
8120	setup.exe
8120	setup.exe
8120	setup.exe
8120	setup.exe
8120	setup.exe
8120	setup.exe
8120	setup.exe
8120	setup.exe
8120	setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdReg = "C:\\Windows\\UpdReg.EXE"	Setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKeD009.tmp	Setup.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\CMNSd467.rra	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\en-US\CTActMgr.rsc.mui	Setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ispB961.tmp\iGdi.dll	Setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\IsProBE.tlb	Setup.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\Bitmaps\bill2d64.rra	Setup.exe
File created	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\zh-TW\CTAc4f92.rra	Setup.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\setup.ibt	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\nl-NL\CTActMgr.rsc.mui	Setup.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{B5722CBD-37F8-4643-8496-12E4F2EA925A}\_setup.dll	setup.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\_setup.dll	Setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\IsProBE.tlb	Setup.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\Install.log	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\HookWndU.dll	Setup.exe
File created	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\CTAc4ec7.rra	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\zh-CN\CTActMgr.rsc.mui	Setup.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\data7327.rra	Setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ispB92F.tmp\temp.000	Setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctoD03A.tmp	Setup.exe
File created	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\CTAc4e69.rra	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\DevHlpr.dll	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\pt-BR\CTActMgr.rsc.mui	Setup.exe
File created	C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\data4f92.rra	Setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\fnp_registrations.xml	installanchorservice.exe
File created	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\de-DE\CTAc4f25.rra	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\es-ES\CTActMgr.rsc.mui	Setup.exe
File created	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\it-IT\CTAc4f25.rra	Setup.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\Bitmaps\THX_72e9.rra	Setup.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\data1.hdr	Setup.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\setu7356.rra	Setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\iKernel.rgs	Setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe	installanchorservice.exe
File created	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\fr-FR\CTAc4f25.rra	Setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotD029.tmp	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\setup.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\ko-KR\CTActMgr.rsc.mui	Setup.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\Bitmaps\bill4d6f.rra	Setup.exe
File created	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\CTSW4ec7.rra	Setup.exe
File created	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\en-US\CTAc4f25.rra	Setup.exe
File created	C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\data4fd1.rra	Setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKeD009.tmp	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\CTActMgr.exe	Setup.exe
File created	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\pt-BR\CTAc4f92.rra	Setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ispB961.tmp\temp.000	Setup.exe
File created	C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\setu502e.rra	Setup.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\data1.cab	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\setup.inx	Setup.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\setup.inx	Setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotD029.tmp	Setup.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\CTCABEX.DLL	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\zh-TW\CTActMgr.rsc.mui	Setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscD05A.tmp	Setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iusD06B.tmp	Setup.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{B075DEC8-6521-4A82-B70A-4729B159F067}\CTCA63f5.rra	setup.exe
File created	C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\setu503e.rra	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\Disk.id	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\CTSWS.bff	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\ja-JP\CTActMgr.rsc.mui	Setup.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\setup.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\it-IT\CTActMgr.rsc.mui	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\data2.cab	Setup.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\layout.bin	Setup.exe
File opened for modification	C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\setup.log	setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\iKernel.rgs	Setup.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	setup.exe
File opened for modification	C:\Windows\	Setup.exe
File created	C:\Windows\Updr4e4a.rra	Setup.exe
File opened for modification	C:\Windows\Updreg.EXE	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installanchorservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	THXSPKEQ_CLV_PCAPP_US_1_00_05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Checks SCSI registry key(s) 3 TTPs 13 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d4141155d34ac580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d4141150000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d414115000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d414115000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d41411500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Setup.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib\Version = "1.0"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5469EE67-1493-402F-8E2C-99936C9E4983}\TypeLib\Version = "1.0"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D5B971-D521-4113-82D6-869817B452DE}\ = "IMSIMsgHandler"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\ = "ISetupMedia"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\TypeLib\Version = "1.0"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\ = "ISetupProgress"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\TypeLib	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ = "ISetupMainWindow2"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E26CAD5-1B59-4D1D-9063-2D91314C9E45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21D98482-146C-4EBF-AF1E-B04395110005}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\TypeLib	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECBE1E54-3649-4287-9888-D9FB133CAE0D}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\ProxyStubClsid32	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5469EE67-1493-402F-8E2C-99936C9E4983}\TypeLib\Version = "1.0"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\TypeLib	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9AEE3F7A-A79F-4B41-BC48-E7946FFEAB35}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\ = "ISetupFileErrorInfo"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib\Version = "1.0"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00A0DBE3-B12E-4DC3-8C27-4197CA4DF76B}	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17773851-7FF4-44C1-B084-1E1EDB2BFD4D}	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\TypeLib	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3CD7A86-04E4-4B47-88E8-3EE03A3DEE56}\ProxyStubClsid32	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2A3A842-FBA3-49D4-8806-7734716364A2}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\ = "ISetupSDMessage"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B12A5014-0AA8-451A-B621-F717998B0B53}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\ = "ISetupTransferEvents"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupOpType"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A74C06E4-12DF-4060-9AA7-83CFAA66D604}\TypeLib\Version = "1.0"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib\Version = "1.0"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2A3A842-FBA3-49D4-8806-7734716364A2}\TypeLib	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C5C8B37-CCB7-11D5-ABEC-00B0D0238DF5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\ = "ISetupGUIObject"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0D1DB92-DE05-4926-A5DC-01F3F9857587}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E67BBC9-18CB-4B22-BACD-687CDF6387B6}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3CD7A86-04E4-4B47-88E8-3EE03A3DEE56}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0D1DB92-DE05-4926-A5DC-01F3F9857587}\ProxyStubClsid32	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\Professional\\RunTime\\Objectps.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\TypeLib	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39040274-3D36-11D3-88EE-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ProxyStubClsid32	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECBE1E54-3649-4287-9888-D9FB133CAE0D}\ProxyStubClsid32	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21D98482-146C-4EBF-AF1E-B04395110005}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\ProxyStubClsid32	Setup.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A	THXSPKEQ_CLV_PCAPP_US_1_00_05.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob = 0f00000001000000100000005f3d1aa6f471a760663eb7ef254281ef53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c0620000000100000020000000ab7036365c7154aa29c2c29f5d4191163b162a2225011357d56d07ffa7bc1f72090000000100000016000000301406082b0601050507030306082b060105050703011400000001000000140000005ff3246c8f9124af9b5f3eb0346af42d5ca85dcc1d0000000100000010000000d4803ac36c256817d4ec5936f29bc4e70b000000010000000e00000074006800610077007400650000006800000001000000080000000000876ace99d101030000000100000014000000627f8d7827656399d27d7f9044c9feb3f33efa9a20000000010000002b0300003082032730820290a003020102020101300d06092a864886f70d01010405003081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935395a3081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d236366a8bd7c25b9eda8141628f38ee490455d6d0ef1c1b951647ef1848353a52f42b6a068f3b2fea56e3af868d9e17f79eb46575024defcb09a22151d89bd067d0ba0d92061473d493cb972a009c5c4e0cbcfa1552fcf2446eda114a6e089f2f2de3f9aa3a8673b6465358c88905bd8311b8733faa078df4424de7409d1c370203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810026482c16c258fae816740caaaa5f543ff2d7c978605e5e6e37632277367eb217c434b9f50885fcc90138ff4dbef2164243e7bb5a46fbc1c6111ff14ab02846c9c3c4427dbcfaab596ed5b7518811e3a485196b824ca40c12ade9a4ae3ff1c349659a8cc5c83e25b79499bb92327107f0865eed5027a60da623f9bbcba6071442	THXSPKEQ_CLV_PCAPP_US_1_00_05.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob = 1900000001000000100000005dc45e2cd1845791bdde7600050af510030000000100000014000000627f8d7827656399d27d7f9044c9feb3f33efa9a6800000001000000080000000000876ace99d1010b000000010000000e00000074006800610077007400650000001d0000000100000010000000d4803ac36c256817d4ec5936f29bc4e71400000001000000140000005ff3246c8f9124af9b5f3eb0346af42d5ca85dcc090000000100000016000000301406082b0601050507030306082b06010505070301620000000100000020000000ab7036365c7154aa29c2c29f5d4191163b162a2225011357d56d07ffa7bc1f7253000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c00f00000001000000100000005f3d1aa6f471a760663eb7ef254281ef20000000010000002b0300003082032730820290a003020102020101300d06092a864886f70d01010405003081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935395a3081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d236366a8bd7c25b9eda8141628f38ee490455d6d0ef1c1b951647ef1848353a52f42b6a068f3b2fea56e3af868d9e17f79eb46575024defcb09a22151d89bd067d0ba0d92061473d493cb972a009c5c4e0cbcfa1552fcf2446eda114a6e089f2f2de3f9aa3a8673b6465358c88905bd8311b8733faa078df4424de7409d1c370203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810026482c16c258fae816740caaaa5f543ff2d7c978605e5e6e37632277367eb217c434b9f50885fcc90138ff4dbef2164243e7bb5a46fbc1c6111ff14ab02846c9c3c4427dbcfaab596ed5b7518811e3a485196b824ca40c12ade9a4ae3ff1c349659a8cc5c83e25b79499bb92327107f0865eed5027a60da623f9bbcba6071442	THXSPKEQ_CLV_PCAPP_US_1_00_05.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	5408	vssvc.exe
Token: SeRestorePrivilege	5408	vssvc.exe
Token: SeAuditPrivilege	5408	vssvc.exe
Token: SeBackupPrivilege	6188	srtasks.exe
Token: SeRestorePrivilege	6188	srtasks.exe
Token: SeSecurityPrivilege	6188	srtasks.exe
Token: SeTakeOwnershipPrivilege	6188	srtasks.exe
Token: SeBackupPrivilege	6188	srtasks.exe
Token: SeRestorePrivilege	6188	srtasks.exe
Token: SeSecurityPrivilege	6188	srtasks.exe
Token: SeTakeOwnershipPrivilege	6188	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4136	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 924	4136	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe	89
PID 4136 wrote to memory of 924	4136	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe	89
PID 4136 wrote to memory of 924	4136	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe	89
PID 924 wrote to memory of 1012	924	setup.exe	90
PID 924 wrote to memory of 1012	924	setup.exe	90
PID 924 wrote to memory of 1012	924	setup.exe	90
PID 1012 wrote to memory of 2168	1012	Setup.exe	91
PID 1012 wrote to memory of 2168	1012	Setup.exe	91
PID 1012 wrote to memory of 2168	1012	Setup.exe	91
PID 2168 wrote to memory of 5104	2168	Setup.exe	97
PID 2168 wrote to memory of 5104	2168	Setup.exe	97
PID 2168 wrote to memory of 5012	2168	Setup.exe	98
PID 2168 wrote to memory of 5012	2168	Setup.exe	98
PID 2168 wrote to memory of 7136	2168	Setup.exe	102
PID 2168 wrote to memory of 7136	2168	Setup.exe	102
PID 2168 wrote to memory of 7136	2168	Setup.exe	102
PID 2168 wrote to memory of 6572	2168	Setup.exe	112
PID 2168 wrote to memory of 6572	2168	Setup.exe	112
PID 2168 wrote to memory of 6572	2168	Setup.exe	112
PID 6572 wrote to memory of 7896	6572	THXSPKEQ_CLV_PCAPP_US_1_00_05.exe	113
PID 6572 wrote to memory of 7896	6572	THXSPKEQ_CLV_PCAPP_US_1_00_05.exe	113
PID 6572 wrote to memory of 7896	6572	THXSPKEQ_CLV_PCAPP_US_1_00_05.exe	113
PID 7896 wrote to memory of 8120	7896	setup.exe	114
PID 7896 wrote to memory of 8120	7896	setup.exe	114
PID 7896 wrote to memory of 8120	7896	setup.exe	114
PID 8120 wrote to memory of 6216	8120	setup.exe	115
PID 8120 wrote to memory of 6216	8120	setup.exe	115
PID 8120 wrote to memory of 6176	8120	setup.exe	116
PID 8120 wrote to memory of 6176	8120	setup.exe	116
PID 8120 wrote to memory of 6104	8120	setup.exe	117
PID 8120 wrote to memory of 6104	8120	setup.exe	117
PID 8120 wrote to memory of 3004	8120	setup.exe	118
PID 8120 wrote to memory of 3004	8120	setup.exe	118
PID 2168 wrote to memory of 4980	2168	Setup.exe	119
PID 2168 wrote to memory of 4980	2168	Setup.exe	119
PID 2168 wrote to memory of 4980	2168	Setup.exe	119
PID 4980 wrote to memory of 7736	4980	setup.exe	120
PID 4980 wrote to memory of 7736	4980	setup.exe	120
PID 4980 wrote to memory of 7736	4980	setup.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\Setup.exe
    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\Setup.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\Setup.exe
      -deleter
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\InstHelp.exe
        
        C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\InstHelp.exe /mce
        5⤵
        Executes dropped EXE
        
        PID:5104
    - - C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\InstHelp.exe
        
        C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\InstHelp.exe /clear
        5⤵
        Executes dropped EXE
        
        PID:5012
    - - C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\installanchorservice.exe
        
        C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\installanchorservice.exe creative TAMB-CVS1D-1-LB
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:7136
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\SpkEQ\THXSPKEQ_CLV_PCAPP_US_1_00_05.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\SpkEQ\THXSPKEQ_CLV_PCAPP_US_1_00_05.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:6572
      - C:\Windows\temp\CRF000\setup.exe
        
        /s
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:7896
        
        C:\Windows\temp\CRF000\setup.exe
        
        -deleter /s
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8120
        
        C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\InstHelp.exe
        
        C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\InstHelp.exe /programfiles64
        8⤵
        Executes dropped EXE
        
        PID:6216
        
        C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\InstHelp.exe
        
        C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\InstHelp.exe /clear
        8⤵
        Executes dropped EXE
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\InstHelp.exe
        
        C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\InstHelp.exe /mce
        8⤵
        Executes dropped EXE
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\InstHelp.exe
        
        C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\InstHelp.exe /clear
        8⤵
        Executes dropped EXE
        
        PID:3004
    - - C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\setup.exe
        
        "C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\setup.exe" /L0x9 /backup_sc /s
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\setup.exe
        
        -deleter /L0x9 /backup_sc /s
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5408

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe

Filesize
5KB

MD5
f89558047e71f655a4ddb99e893213ed

SHA1
68a0cd5af1aa62c46e965e8e5c85c33de4d4678a

SHA256
4f9c15127e16eae3a7ddaed55817fb549ed31168f9861285c9349c468b260579

SHA512
6ca5e7ba0db836f88685868d0788119fd441f47972907727f4eb711955f63cc74e3e818b93069a1c2baa5c49e387978acbe8ecfbbbc1723a7f40f4c0e41dac45

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll

Filesize
68KB

MD5
66cf4f30f925485e00191c16d00038c4

SHA1
80b576f6e5eebd5577cde81cbd6394136b9f08e6

SHA256
9620bdd78c1cad92a2118eab21e4dfa0ec8e9b59673adb84f917331b78402ad0

SHA512
18072bdf7ab50132a08d620b5571c4c8ecb245124d91ebfda5cba1aac4fc41e020ae037cd7a49cfd119978b91c628428e85d2e7bf7ef362d319d9451e6c62cf3

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll

Filesize
184KB

MD5
298c79ac2f609736788cc7cacdeeef32

SHA1
1cce1dcc23a941e650edfeaa7de59327fa452ba2

SHA256
63671696aa87c0862e6381bc759116cd377c5331ab50ae6d05ba7cd29cf02580

SHA512
29fc496780a4fdac6a8c4af6b737973019e3087b5d3d8fe8625d4ce1de88e437eea0254d8900934846c6519ce0bffbcddfe1aa01cf5736b47dba58f06071fe23

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll

Filesize
712KB

MD5
1ea0c41b4f2f0e807700f9a72d99ac05

SHA1
65c693fd17be74d1c8dfeadd591f3c3408ae321c

SHA256
cb29c9091d22a94e1aa72a6f2a83e01013e5148d8dcfba8c90d2cdbd6d9b6e48

SHA512
3f4e80bd8d3808fb76acef835c70cc00503acf38f13d3cec54bbf9cf87343a4c1d148a146fa432ca884eaf3c327e199c17432c91f6d6424fb3c17890255feda3

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll

Filesize
260KB

MD5
84cfe010fd3403ad28835bb500a1a81b

SHA1
c57afea136a09266eae1af92bbd53d7c0b084ea0

SHA256
a1c284e21ca49ef189e98e7847826556e64185c5542bd50c75ee30b25ea3d08a

SHA512
fce50dea91d5e34b6ede4a6dfa4978648062b0eb6fc167f12925002521674d513e978552b46ff3e693ae819bf695367d2fda70d5ee8e6fc7f44d205893e31ccb

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll

Filesize
188KB

MD5
b54e00b79373514e838220436bd3f275

SHA1
9cea61a706a28439574d8f1aafe40cd040f5e156

SHA256
c25957200e1390b6a5facb4b1c52c55a8690bd3ca63dbb2f2cc770510e74448e

SHA512
8efba669069d41c16e059cdf9bc74944e858b40e07f82a8160a3522e95ad770ab620bee78e0b10a184f31744931aeb790f4dcd4b895617875537ebd29b40a848

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll

Filesize
304KB

MD5
369ecaca6c59265f47d234da8faab871

SHA1
162bf1cb2d201766e4f0fa52dbeddd603eca9a21

SHA256
ad010c642f2bb264c69c153dcde78daa0bbf4699155f22e16641bba82158e7b1

SHA512
3430ccc7c78633c860c29778a0b854d5acf52b65283e88f18cad51796ece59cee1b2b040ffebd50a6ea52d2ce88836a06c136b92d7efc97e75ce8989d7571392

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\IsPD07B.tmp

Filesize
101KB

MD5
fcd8f741b79248a1a25937cdc780ebc4

SHA1
f66ae868a445d4b802bfa369eff485f52b78782e

SHA256
0858229878facde89776f9e4ec61e45cf14eca0bb6be9123234a9dedd0119c1a

SHA512
c1854935c69b9c90ed8ffc8c8b9bdaf3dbbe5cafd835adf5732f19c1736b1b47e04842d3cf4cb0e813c39450c4c55f830145b196e8eb781465950b5c668aa3f0

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll

Filesize
32KB

MD5
f935e7f618e9fab282302c0951545417

SHA1
e04ea46a0445d78580839102164602a24e581464

SHA256
b2278ce559b4d4cdce30c6b44f3664d1a6d1a5f0d9e1d99b87ba14bdcf31f4c5

SHA512
4f0f11b35415ad8879bd182de17dfdc43045133bc11107254cffb8478508ec21a5400c707d66186e042bfef865ddd628d5526b0d32e4e08d7ef8ceabf9d49218

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\CTActMgr.dat

Filesize
8KB

MD5
aec115cc50d131508187bc59c48940f8

SHA1
668979ddc37f82a14b408f5cdf144dcd474f7f6d

SHA256
0d3aa8ef8393a59ab10b6b1bb3f9d5f2078b6afa9bed3a59328c6278ad57c619

SHA512
bfb459ccb19c8ac8f7c20d5d7f0172021a63e9649d9bf70e27b90647a0fecbabea7f0d254b9711e342f1717b7cd5d59a1195d1377ca3d2f5a7f2ecec9913c5b5

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\CTActMgr.exe

Filesize
1.4MB

MD5
400861388f4113ffd7843f1a9318640b

SHA1
c5852c3fc8fea22a039f3c3662f6d5d87e3fdcef

SHA256
c922d8964fb17af3cb58c46c44651eda9b6caa4b073159413d8685edb535da8a

SHA512
85015b486b91d0700ae34ab513892b28c318593a2354cd13435b357215d1922fc43f92d54b549462778afe3675b2d05375f88f59395b61cf6d64e3bf1100956e

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\CTActMgr.fnp

Filesize
3.6MB

MD5
71032afe2c8c18239d33d797d96b08b1

SHA1
0dc77a3bc81b791d8170cdc0e9cbe2c40630ce96

SHA256
abe62dfd0230e311575c81b6dcfe319e010520155c2727b05d4247283e7bc5fd

SHA512
7c574dcf1aa4b542e6b4c2d2bb7440591424491b4934e65349daf4c52d204c5058f7f04d297e9a50e8766eb7c5b8d06a0c915392db6938e478f0777c2f106fdf

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\CTActMgr.rsc

Filesize
50KB

MD5
efe01a58a1cd2c53d6fdc1ef17abe1bc

SHA1
bcb5fcc98f8ddd90c6a8e269ee93c5fa7457e264

SHA256
75b1587c43e15b9c3f85ed2f8cc995fb7a44245bc280b0b89b7a9b39d01eb4f3

SHA512
0ade1068d671031cdf42268c751b65a5b01894d737e3527418ddbcb437447af480895957ff260ed10e14cd812e8ad0f5dea17680b0fa017deb9b739d3c6a6117

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\CTLoadRs.dll

Filesize
231KB

MD5
544013c383833189a61c2f72b8814319

SHA1
c19955cc8a64428b56b7159297c92072d6ef9750

SHA256
d6598a18abbfb22e139d8ddb6d654fe6e15fe88aae121f395932685a91e58406

SHA512
e178f3594baef988de9e97b43c88603be355fb55d663c58c9bd27a704f9095c81bf6cd2d6a91fccc6dd3054411d5fc9a5011817b0fe35640558ac3f1b81baa7d

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\CTSWS.bff

Filesize
336KB

MD5
408ffa89d597a4df69d7d39cf09d7ae7

SHA1
db166d69984d0ff75ebd968475851557796ec2f2

SHA256
04591b5a329f787a529a855214c58df2e860f9f0c39773b88718c810f8e0407c

SHA512
e8e2f5651c2aff4b4f322c6e8668bccae757e4505ae1cf04e098b3bb95b68319a86f75d1bec215b77e42040dddd33f5a29c38371cc67b3f2688f0a01a6cf1480

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\DevHlpr.dll

Filesize
212KB

MD5
a8552fd17e377f3fba5bbc6c5cf4d6cc

SHA1
09d81bb89a7f204df837832f61bdf41a769ab341

SHA256
29e9abc5621d1c4dc505b6529c8b07c6214ca056026fc79e5eb4cd2d22cbb04a

SHA512
a5531701f2a8fba5be956be73856d134a6ee623f89fe3bbf7a519afa93dc4456c3d5221a43867eb0b381c2e1ec476a4bb60ede583f1affc7d2d410a876a62f00

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\HookWndU.dll

Filesize
460KB

MD5
9e6b38e9e0e3f9dd0398dbf58a5c813b

SHA1
0ac1fa4cc7d1e55914bfe83cce8edcd165d08a7d

SHA256
66e2ed00b468e5435b9e279ee39fedf8562ef80229cc215707fb064522341649

SHA512
6e6d5f744304867e8d1000309cf9695cc1c0dddfb139a5e8e0cde7f0f1629588feedccb72dd0560337e6cedcc1c629b4134644da98debd0980f4c01c58ae41a7

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\de-DE\CTActMgr.rsc.mui

Filesize
52KB

MD5
e392957357e4c879339569d3c917f8ee

SHA1
b339c971d3d380147f6639568f243fd8217fc9bc

SHA256
99fa0973e8883aca52896aba17bd23c065b2f3b36d2e4a70acc4487b2dba7a62

SHA512
6b59414f4a7c4814cf3d55451ec6ca4e76c9ed0feb34d9f2a2ed4b6963f8b6b3b0068dd02c229ba01570ecf53bd8195f5b623df3a5d3adb9ca3754ec72e8e794

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\en-US\CTActMgr.rsc.mui

Filesize
49KB

MD5
ec3ecab4ff36d7637ff5971909992385

SHA1
b8dfd7cff084a7e14c3aa1116040a12498ddd3e6

SHA256
db3cf55ac5c25edecfc0625a5819bff62c0ef644f594ecfa9fd123989c3ff2af

SHA512
ad95dd67a67a920ce97c607c1d97b87a8074ee8927c0c31c9b6d21f6d723616bbea7b375723dae10290d841021078adb7e401e0ccdd8819d9e7135c69b9df956

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\es-ES\CTActMgr.rsc.mui

Filesize
51KB

MD5
4453da3f9b2c825d66f8f021d0abdcdb

SHA1
f13d1b1661d12de2b2de15cac0fa6706f9a3ae42

SHA256
834ad6180213a08d718e37cc5a1680aa61e48309aa0fc65426ad29d091b4d482

SHA512
e288ef9154cb3e90db380569b5cf94649ce825af371d831e12e7fa3f1141b71acc76c9f11278f9bc0c0e0946f75c16862928d4026036e144542c8be3c6573358

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\fr-FR\CTActMgr.rsc.mui

Filesize
51KB

MD5
23e120f6fcdec2b6fb162b7e988a3112

SHA1
37b4262fa700083029012936b71e9485ce2b45bd

SHA256
51c9061ec1df8fc8f672f7ce4fe10c52015db1e71219cc15e8e19322e627d674

SHA512
1a007ce58a4359d9c7d0145b99b571b93232ded4b4102722b69b6be559fd654c684fb9de51f5b8dcc0720cb9419bfd4c5d8618a490fbc82131eccb2856d3c375

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\it-IT\CTActMgr.rsc.mui

Filesize
50KB

MD5
de1ebc799aa7d95cef509f4ce68cf9fe

SHA1
f8a4e22247179d9bf733a68971313735c517e6ac

SHA256
744f7e12110806cf555b3fabac2cbb335aecd740846a7da96fba887ddadc0db4

SHA512
251b1551046a98dc61eef03e6a6e7b874c1c622b7ff4454d31d4b13df393f60262ad36718bb3ebb268e9317b275f62c49e4991062588672e745d724350e4cba7

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\ja-JP\CTActMgr.rsc.mui

Filesize
49KB

MD5
7ef64c9ab3c45a9255eaffb5131c0615

SHA1
f22e999119c9426afbcf2e0899329535d0dca11c

SHA256
8696e802d1e511854180e574571119c42ea39d030c5dc7ddae0ff3b42f32c4f8

SHA512
2d9e7602fa999e65527a78e78e83f21c31dc8a417ae8f261687e7bdd603cb39d6f2689ecfdb0ea75c42c594b52f0352f892ce32d1e0cc4704de48e12c654746a

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\ko-KR\CTActMgr.rsc.mui

Filesize
49KB

MD5
60cb65d8dbbc845d20f95e113ba21c1c

SHA1
1eacb4db475e04b51d0d3edb5d40d53c3544585d

SHA256
84cb6da9023e7f1ec363d129fc26ac0b6cb884cae5df336e59211595c501018b

SHA512
c2f7120753e61296b141e1066e8388a55da6888481a49496246a638534d06c56bfb369626f5c4f5f32801216b229ac7908661015e7c10fda41304719a0bade62

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\nl-NL\CTActMgr.rsc.mui

Filesize
50KB

MD5
26bc589ee1fd32fa3c13c88968f40034

SHA1
93d3b6a2edc7ede62c4086d1c5bbe39a93ff44ae

SHA256
1da04b8d05ecd94e6c1494c3ed5363af5d0327cafd7e238ddde90c75abe7e0e1

SHA512
ae35f4bf627451584c2fdba28a0e0bf1e7b808290290e5a777badb06b50a75452181c94243adb63d39e7bad032ec5aae213b6bc22848b572b37c6995ec8668d3

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\pt-BR\CTActMgr.rsc.mui

Filesize
50KB

MD5
0192ffd894db852556742ce8c3821b91

SHA1
509f0a9694d09e44fc280c41f0007efd1337c11e

SHA256
c4c9ab1fc771abd40a57e2ab15b2a1d81ec5f35dc3891c2f22547420937a2260

SHA512
861150598723bb68501e8a4f436025c56855cc71908a4148efc4033d4528e185d41df6df4888fad2a7c60ea39beee5cff4ca2ba130d5bcadeade5370e4d1f36c

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\zh-CN\CTActMgr.rsc.mui

Filesize
49KB

MD5
20ec10ab7f4f98011c78abd445b0d7eb

SHA1
71184ff255cff8cd7c43d17a788e1b74f056e643

SHA256
afac161b4dcccefc29d883648b75d731c5fff722db27c049474d7e735b437a70

SHA512
b125c3ad7f27fe022fe437848530d2b665311e837f1f5d11d0026662cdc51b581a81cb8fdbdec2ad52b5e264ec2029fdcdc88ff0b5d0615341251701efc8bbc1

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\ActMgr\zh-TW\CTActMgr.rsc.mui

Filesize
49KB

MD5
560a5aa0cd87378658deb88345e7a13f

SHA1
67e5a5cdb5cbb92fb85f2a5103fa59f5b68ae59e

SHA256
93f716a309ed7b4be68e20e94bf9c0c6e79998731bc867145e2662fad76bd5f8

SHA512
89ac7d1ed12357036a7ec44d539cb06bff2fb2f94900aa90e46339d08c2d9be12a3ecd2161b120b0e20dfb5e1a362d7b1317a71ff4860f49e95229aabcb7b340

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\data1.cab

Filesize
1.5MB

MD5
266699e18747d5c8cf15f6d5352b2a20

SHA1
4d2d39d53899c161724578e67676a2e65490407a

SHA256
a6634e62486a34563d4482838647837bae3c9a85472b56235e4a981a2704d234

SHA512
16d40e0222ac1363d1e175a78b37b850e07d99c765c3fc3fad742d76c04f0069a07f28e611e71b0593cb11728d3f96d69e518e024962ee20977b539c80e6256d

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\data1.hdr

Filesize
17KB

MD5
94f57f4698d0503abe7216e27758dd77

SHA1
aecc24b2c2d38404b2a86cc8aa0e4f72a9b0e6d5

SHA256
77ce5af747e7ce1c6eaa1f94220bf6a52c1bbdabb550739e6d2f29a2ed6269c2

SHA512
ff444cf9aa9722b09ab958eb1a1d3ff826219730bddd48725c93694ae4c343194bf1b312464fece3290eb5234b3da413364ee23e2a8e70b85a3f29d83a6eff22

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\data2.cab

Filesize
512B

MD5
5bbb73621f7d7b4abc527700db41d105

SHA1
e60372c165114701bf9c538a8d1c6411cebd2248

SHA256
85b4226cc830c7740e29104ea85741c621ae1234b29e4051bcaa55b7c6441bd6

SHA512
c7bcd060774a2b5e8d9679f60d7898199dd61833997181ae9bdf680e7a610f266e2431b74a7bfa7c1131f3f8d4fd540d369513c894cd720cf3aa2974c2db38d6

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\layout.bin

Filesize
455B

MD5
336d2595dd091b3da91f3d01bfde290f

SHA1
c30a6e95f21289aaa0d2a7dcb7b8fd15d0afaa9e

SHA256
4dc95db475a03bc6c57cf5d5c2b3f3ecb6a535b74671eef3bd8025b8122aa975

SHA512
8e60d6470154c3b0bf1c23488bfd69f3d6a99c098d2a4f106adc5a8501fa3741cfd6eefeda82d5dfd05e8b7868c18ad64e27a3bcd8b0642d9b3c4927b38f12a3

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\setup.ini

Filesize
599B

MD5
5f29f105cdb723f9b434864393159471

SHA1
8ff5d1cf77a47e096b1a06b41eb608fd3107ee88

SHA256
61c55a2103696df05f66d1d756f4fb6904807ecc60d40fbfa492bcddf6ca6f09

SHA512
356d49133c6be33c58f1afbc384d5f450fd482a1d66a62ccbec76599d82c0c6910fc6758eb031b9a92257d3e9a461f3a4824035102ea872cc74fc02652579003

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\setup.inx

Filesize
195KB

MD5
1887e9ac29adc836b66981a2d6093b95

SHA1
124838745a0202f24d8c26c8a2dc1810a774b42d

SHA256
810275c341dca1bbb45abd34fb1ee22d6cbcd5290b78c394a630569244df90cf

SHA512
f2c60952e6258c454b525aea002575792c31cc40125c3af444ed17025c4e61fcd790dde2f81457c3c332c2a4760c33b9fd214f4e3859859417348e30871db13f

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\setup.iss

Filesize
165B

MD5
963c0afffc87e6452aa420d9f9d7cf93

SHA1
8cba7d921422da5cf36dd10f902ecbf5a6ea4300

SHA256
6c8d7760db008576103e0ecc40b2c89ad97eb07c857aa033ea0e12e5a56f44b3

SHA512
c3f19d8875b43ef8b425e792159f2cf2d3ea8a03f0bb0c54712d52864f2836da75fc72f69ececa2df2fcc1a3e943be13408a7993f82994b66c906ab0f35d7615

Download Submit
C:\Program Files (x86)\Creative\THX TruStudio Pro\SCTool\setup.log

Filesize
86B

MD5
459db8708f93beac0f75e149e1d990f6

SHA1
5ba54d951aa2793fd2b02358fc297192f52cf416

SHA256
84a449cbbad3ff9711b85798310495f798aebf5b1860fb1a8e6b578673ce43f5

SHA512
626ea7435334b764923ef951760d450c7ca95093702495cc47d72e430602258c1786f55786a4419ba5126daf8bacf03ffd2da64955dafd4d01143939a81dd9fb

Download Submit
C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\Bitmaps\THX_PRO.ico

Filesize
293KB

MD5
4e3d527b6eb7996e19450d06c87a9998

SHA1
a4549875d948b1f685d02c3d67332687088e3701

SHA256
49f01d1b426e7c3571037c540de609464a23f70024ddff2e0ae3847bcc89174b

SHA512
e89d5b13e1c49248a38123a1182fa80babd380f69bfcb6caf8e26f998e262fbefe469e734ec7db84a4103b6811a63fa3e763a9ac2ef04cd19a1f19e2b87c4725

Download Submit
C:\Program Files (x86)\InstallShield Installation Information\{82F99DC9-389A-4528-940C-88248731A620}\Bitmaps\bill2d64.rra

Filesize
1.2MB

MD5
f674d043813f0e911ee7c57ef99fb6c4

SHA1
d96e74aca10e400c3c2ff8b1c4084952a15a62bf

SHA256
c81e71cec91059788b9b91b299c2541553b1397390f05c1705b90b86b0d13b18

SHA512
df73126a6d9a04d1329b0a5208c74e0716edf2edc418be01a4018c1ee29a18abbc0e26f8677e49c5ee7e1ff6a0c1811c22f25e6fef64634e502083175f9df038

Download Submit
C:\ProgramData\Creative\THX7615.rra

Filesize
132KB

MD5
b9e557977e5a848efea04832f39b1c3c

SHA1
e29a9242c26fcfc2eaea7d3edba90922a8623029

SHA256
e83dbf019ff19149072c9627e34be7030caf8b1a996480faea6fc62e99e2076a

SHA512
6287873c7413f60a9efb2485b7b2cb5910f98f4954018452aafb9bc8242875c46f4a8c77493f6adf1b17f83af3779a5bbd559dcff925fa7508f4703f7a590ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\CMNSUPT.CAB

Filesize
938KB

MD5
84c9fd3e2e5ca33cf6a992b72889d14f

SHA1
ce2c39e4334c7cc70035d88e4e296764957ce079

SHA256
577b2c53455729fa74d030cd8642a74cc7fca05092bc914df01fc522ee2462c3

SHA512
b1b67a360fced2ecf5e0d66b10ac773182866a17e759674a30360edf71916fa2f678342b65e29e45a2aaea158c97fc746d3ab28b72fb22c492c9ef37bfcc2c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\CTCABEX.DLL

Filesize
280KB

MD5
5a19e45818366b49cc93b5bc483265e8

SHA1
288ebe662a9f522a1e76fa2557e32eaddc494ea1

SHA256
98f09feacdc59f4c9b3b8be70ecc199e75ef995029b64d1aad0803faf013a5d9

SHA512
4bbd146091ff41da1036af11cdde00b437e0f4d42d465028d9c4cf9711aac902be54e60da9b9989e44e9c67efe740ac5157c9faceaf97a71fbfac2c644e240a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\SUPPORT.CAB

Filesize
2.8MB

MD5
4b44d97655c96ec9ad77e62407edc90e

SHA1
4773b00e925e68256b237cf343efd2180f5ad3e0

SHA256
e3e4d464341d711f8cc904aef1cc15c372ad592d988f8bc506d4fc95894cdd11

SHA512
5a7cd5db2d8b8e62ccb76052ae2856c66c5b72fbae1c327ed54e811309345eda3909526ae69f5e8200abe1c296f0f1c2404b9fb2b7484987eb7050b507594ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\_Setup1.dll

Filesize
44KB

MD5
a304f4186762946f1d5887c07d6b2c92

SHA1
ae63a0ff4e77c9f63e2c476fd868581caa00ee7d

SHA256
3728b02e9b0654b207da281762947ed222a1d4d934dbbf9180caaa018b6a627f

SHA512
63b57fd78d341e95fdb64c1ad4c8759173fbe6161d451afa553c06fff2e4df48692d318e6982af8323733285d91b16432bbe34d003adfd550d493949f245573c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\data1.cab

Filesize
1.2MB

MD5
c5057f387233c6eb2e6c11fa9c812614

SHA1
28c047dca8588513acf21f32b8d5fa81abcd57ee

SHA256
2bf65e973dd733cd6cd332149326c6ff891c9e3b05f2b26ff6e8e9dbab421663

SHA512
3bcd8a34370a75f137b350567934a712e5eadc4e8976867222ec5da6d4da974521f8a203cca83023a2588dc867f15a3c0d1683070e307e483dbea18a66c4445c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\data1.hdr

Filesize
17KB

MD5
db86c000785f8562bae66abd056efdb8

SHA1
6c7b7244235b8e95605dc67be753f533053d335d

SHA256
000897a1d86e5298abe30b4ea2f2633e4d2d248394fb4b7b1ecbd254026e4058

SHA512
f56b91e220b683aa0ea29746ae40404e47ddc317769667ae24be6edf169fe79908918008380279a79c80f52dae0c6a25261234a894b8801d8374fd04e0e5bee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\layout.bin

Filesize
492B

MD5
0324e7f16f119c7c826edf32dfdee5a2

SHA1
da5feb94f79434d13f1abdf803bb6e127a331c76

SHA256
0313de0bf19ce40fdf7a475e52463c4c33bdd5874104624ecfc99d34e2a962ce

SHA512
58444a5de66fd6f08e526137e8beb0277ff124fd7460ec37277b5a51908d115d5f1aa2ba083954dbaacef53233cd095e44d8fd3dd41e6c0937a0d91daff1bb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\setup.ibt

Filesize
425KB

MD5
0fcd29b249c145bab33f24c8341dd0a3

SHA1
375d97a6c23974da0f73db806533bc3205676ec0

SHA256
8af43e8f489b166177d6820783f55d32911baed67378e5542ee0a3e3c51ec4bc

SHA512
57c5c61be9c2105dcc6da9830b527cb0acd83f04faab418df603874a3b682cd33148b3092ad8eb0b9ca91aa011278a5576aac62aa4074ebb4759928892091e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\setup.inx

Filesize
586KB

MD5
36ce0e4f749ad73701e8186efce0eeeb

SHA1
672a0845b25cfd92a3fd2565fd371582a9f1b9f3

SHA256
3c55ffb3326c26a5a92e4f06354e4d381664324ca8af2ac1468675a7db9800b6

SHA512
af268246d474c67fb56f45f8cedb360469ec1590ae23a2082bb54b0283c332eed5ca201049b2af13baa37f810cef9d9915e888fcffb05a0322d6ba4b48dec2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CTShared\CTRedist\ASFTCV\setup.exe

Filesize
114KB

MD5
cafb55aa463c6df8802122838d50d2bb

SHA1
90054dfba153d69c426723121f2746d2aa18f912

SHA256
c500187ab0bafe03622c8fc4754915ed4cd36f643e691baf21c172c233660cc8

SHA512
e0d064db008543bf0d62ef93e60529393e7e7f1ff121f6e0cb7274a0ec981a3edeeb25cfb0a6564558aa8f6ed2750af39714cea3fd0bf3a5059f165b7a6813cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CTShared\CTRedist\ASFTCV\setup.skn

Filesize
40KB

MD5
80a74317e5617c5f88bb0116fef7f442

SHA1
e82cd59d105f1126948b190f2363baad95881e1d

SHA256
066b519ddcadb23dd5d030f92984b66ac77f38d44d9a3c7582fe00281abddcb7

SHA512
d9e7368ff85a8336d3919f9c61fd581047c3158700f63dc590f8707df58988427a0af7cdea864c5940f60a55613b6363517ecc4a0f4c65a63b246cd58137d3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disk.id

Filesize
39B

MD5
1062b2f6509d172c0746327bee8cfba1

SHA1
73959f1a2f3fc93047934a4112c39b91ce5e6a00

SHA256
d47e4400c97f05fd1556cc3a6e26789b1360e5acc74c70a75c08f1dff567ddc1

SHA512
773be36565f8074ff93be300dad6f292ca91a2f2ea363b6587d8b27ee08b344cc451f5efe3997b3a1bd96689055732a1ac6c05b054fa3ed42b623f65784c053f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\SCTool\engine32.cab

Filesize
448KB

MD5
de89c44f15d1bfbcca26778af838f720

SHA1
5765184ccb2a2eed633d62abf50507235bb920b0

SHA256
fe5dc5947f277b459cb55877439e74e9bb2fb891cb42b72abc42322a51e8423d

SHA512
8aa8d3c94ec73d89af71461f4188c308f1f7d88af4a37736ac7b8ab1691933a067fe6e11ca58c19e984002faeb3fafb2c3ec28edac198b59b2b0934580de95fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\setup.exe

Filesize
257KB

MD5
ed5d04e77a9eee553f9dcbc7609b32fe

SHA1
882e2336c79f3e8ae77e6664ad663d822b0e55c4

SHA256
421163097f31b0247c7f9ce6620898c868ff0a7c1a5d60e3bfcd21ddd2116282

SHA512
6ea52bf67eba8d9fa81529737c642dde598c3465fa7a8c5a05659f7e33299fe5e8a5ab6852695892aedb112b0318f86dd4c949601a66f3f7918ca3ec752b6c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\isp5E29.tmp\_Setup.dll

Filesize
144KB

MD5
17f3e712c1e60081570d7fbba3b970b5

SHA1
5ba3784a17a47496353b588acbc06904057793ca

SHA256
5dff0320dfcb792d5f006976f18e5c0099a4a9d4fb408277d90ef1909b491737

SHA512
d1a12eb5a41d621b5bf1a0a9b9faf07a9b36f5cfc6795db10f126e4566d2a5333eb62999f2e13cc1725fadc14f446b16d5fa3d4fe6568bfd28399e687b85a859

Download Submit
C:\Users\Admin\AppData\Local\Temp\isp7442.tmp\_Setup.dll

Filesize
372KB

MD5
605bc80c8645eeea68ac5c7423f7851d

SHA1
c1f070f38f34e67b0ccf2fa499821ce67fc41ecc

SHA256
cf52fef5b28bd7c6a4c4ce1c86e3b25921989cfeffca3d9aa4b28f2d9d37eb91

SHA512
44e56a59b1f4f518229635a6dedcbdd25dbf28c118529dc1c872964601f82f557af82cf16fcf1da9f4d10a306313dac3a4d7a6cb60f6bf352faeccff074a90cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ispB960.tmp\_Setup.dll

Filesize
360KB

MD5
32fa757c64fb62f07f3205016656a0a7

SHA1
78c7d2f00878e2efa591a6e3ac80edab8242473b

SHA256
ff6944c00f11ab10cc9bcbfe4f6f0cbab088b52448904282a695eea56787d82a

SHA512
d87aef916ce072f16b6ca5978a424f2dc648d880241651019e6f21377834fdbba8dd424b002db373888840b358e13122c87e3db51a7bde6cdb1509fe74ac647a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss5E09.tmp\setup.ini

Filesize
487B

MD5
df92315da961d029e3943dc81ecc8a4e

SHA1
565e8dc3b16ebb5497945d1142c8cb84c18845b5

SHA256
5a5399998ee5a02dc3fdc46753b313da6271aab0a835442b3dc077a4b6ed9264

SHA512
42488ff2ad4d60be92231464e0e9eb9128738acc088011ae4f1c82079019a2ae7b3afff3aa543ed0aec8d3a77479dd7a91f277b8a41750ff5bc52bcf83b1afe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\issB8F0.tmp\setup.ini

Filesize
683B

MD5
76a256045fd04f1a3b6d95ffeccabbd6

SHA1
a670168957ddeb4c53565552226c2ce590462e8c

SHA256
bb8450ed94eb4c4bbed9b9fe3e7bbc863d4c732f206e58abb7a2a03861b68e3c

SHA512
079021c6f198287c1b688741b8ddcbdf9b107cd96f100d77132d0eb726101431a1c7ff641035e8d69e1ef1a07f11f16d92eb817e6238a9a9f4e1cd67f60927f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\skinb97c.rra

Filesize
16KB

MD5
ad4695c916e1610ced05e6c9a34f45d2

SHA1
e0053ffa31732e131b4a3d81204d93b953443785

SHA256
d12f20294bfae4b572b71cbbb2f6d553b21982c90495fbf69833556b1790d949

SHA512
ff44b05c6bb53ae34431e6623a2c2e52d85984b33c7650269b35317822b860c9a38ba0a0f2154396b81811dabae9d2b3d32669ce87c7e87695e3633292a06eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\Audio\AudioDrv.ini

Filesize
688B

MD5
cd0eab689bb79790745353fdf79109f4

SHA1
4836d2d5b2c50b3a3a6af3500e6707c337a31518

SHA256
6b539a4c71d43f4a1cbeb31eca30e6ee4a20b3fa0f2cffbc0a1bef3bd3378fc8

SHA512
074d4736145d397dd4262fac401bfd20d377c3a7b16b065bfb3e8335cf32d0a7781298e2f2795f80a3885874185a83656b50d9c943d8dc49666cbfb73b69b3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\Audio\CTHwAccl.exe

Filesize
40KB

MD5
ff06251fd7078bdcd68f417dcae012f4

SHA1
6faba92a0d0aba7598593f78d53b142ae1a8fdf3

SHA256
e293f8d7f3a7ac6c1ca850235d211af24afc727e10ff7b23ce5a71055bb66b0a

SHA512
20e819fe17a600594851789d9b1b4df0867dc59058feff83440c6898474f0b27243a350b89ed83b1159a6f19a586d8cec643d4fbd0d30901befd57848239e1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\Audio\CTRWE.DLL

Filesize
40KB

MD5
040f00bea29d6ae631fd94b72b5d6cb4

SHA1
2ba92e2c843154094c6ecfd0dcc5a1e3b6b4ecc3

SHA256
d39c1f34abd98ac68b94f2c5678c7652192e953ae4f74115455b8bc7d1ebf6b0

SHA512
7a2a4ed5b7a4f7860214a858ac36a41e55c4b1e20d725c010722384381fb134c7b69e6289f67fbb974911efda55c77c841820801f9e3733a67c623de04f5d5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\Audio\CTRWEU.EXE

Filesize
48KB

MD5
ad557eb6eeb5e820f82015d7978b3fb0

SHA1
937825c1efb063690d54f552f1febb4af6769279

SHA256
c377ea6c55ea65c4a39793ba8e16b9b9ff3d90f897c12f6c7734115f36d049b0

SHA512
2f109b0ae443a7e12e4a6a861946d51376a148e501f20ad67f26c5e3f790593fe2285e4b4ea3707c9c3031bbe835cffedec7e5e86e3e7b4b762d299976b8edec

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\Audio\RegEdit.dll

Filesize
52KB

MD5
5d631154a91f65b8a27add9d626f12f6

SHA1
b80c85bfe9638ba6e88aa17222c7e775a3c41519

SHA256
fbd668af48aedc63d2bb449afd72a49217a80a665f90678dab326c8d63f2c6a4

SHA512
908ee7b87e54cc222b664c6746e789a90f236968e20774d5cabac4404ab30c040840058a0a4dbfcd1d545a936948f60d3517bcb0d1fe27e71a27b732cc074432

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\Audio\Updreg.exe

Filesize
88KB

MD5
c419df63e0121d72411285780c2fc6cc

SHA1
1b9682064bc79c310c7b253d0cef2f4fa440a80d

SHA256
f47f854d327c589d174d3bb5b55d5c05f5aca73df52a6bef47596b9010190291

SHA512
03fb325f5cc90c755b07c239355d60872635a5a616937765da494edf5b51d42907be3d5a76b5b981dc9cb19ec92f3648645489b4235c2e662fe09ebfee0fc4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\COMPINFO.DB

Filesize
10KB

MD5
8a68f2b0cae3cdfc7c48ccb9759edd50

SHA1
e3008280853ce9658468de1d113423bcc8033238

SHA256
83648c6d3fd305b53a24b33e42689e0a984201518f42e680bf859dd383ad7a54

SHA512
fbe41df3882dc7390f69114d1d2cccd6b635b71f6a0bbc8ed183116e8949dd0a13943fab317563fd138ea075684602219eba5bfcd8abb25e06e2d5547c884435

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\CTComp.dat

Filesize
4KB

MD5
97a0d519d20b888458c88899b0b276ec

SHA1
f2da9844a556ea76dd814e53c781fed5fcd17015

SHA256
f2cebb021983e9d904893fd437953228b117db2ccb094bb6c0811b2c3c99635d

SHA512
7bfaa626e003f5f43c8b7c4a7d3fe55cebb82e6d4c8c032c3acaafe2d6b1ca2bf1700f9b93a41d63e87b77710a4d2eba3dee9f7bb5839c8f8ac33f95cd69d29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\CTDeInst.dll

Filesize
56KB

MD5
76893a9123cda779a800a05980f4939d

SHA1
d4ca5836c87970417f3b192dc00ba461f9bae630

SHA256
8d0f884d54d19f9b4a57700a2027ce5fb2363f44fa998b09930ad580f8ddf3c7

SHA512
eba40c239a6acdd206e57f770680b76ffb162d008865ae03a846e225c2d192364fa73a3d19fdf7a6244378c23ff74235f3b480bca86b5e4daa49235aaa3dd8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\CTShared.ini

Filesize
22B

MD5
e8b22e2a6c507afced4bab471b37f22d

SHA1
2456bf2a50a76c0fb1562008d40d8788e9fed15c

SHA256
0b674b16f4f0b540f8c53cdce33d23f3ba0a3d938f661a17b09a819c18dab26e

SHA512
e001bc15042a60ba72a6c7500d75409d1bce07f8fc5bb09b7d69e64dbc975cc7dbfb4a8c2f4e241fd3538b6d98eee6f0bb69c99d549c2c5e745cf6e0bb16c6cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\CTUIXtra.dll

Filesize
64KB

MD5
2dbf5862f25583c2ee8f4720d8101207

SHA1
f0fa4a43406311bb8b09b9f47147d4dd816a281e

SHA256
8c8a330d0935858848397c4ccac85f331b9661753c85b8fca8f17dfb201784c8

SHA512
8c9af6bd78ce15da0ce5cc9040a41732716ba71c88b4f357a35f4ef01ea0a9fbd222078e4198601293ff2dbf9522ff755025e575e21146acdda85697e42d9a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\CardScan.dll

Filesize
84KB

MD5
ef964962f6031b6a572aa202f2bd4269

SHA1
f5cbb534c9f604f4df1e542a264bfbe428a89522

SHA256
dc91a6f490290f983e84853591e830052a2315979ca427714f654839323e03ae

SHA512
21f3ff9d24687ac5754573959008c4399e82fb4287680d2bfe12dada0c471c0e015daefd70188e3ae52d06968897c31d08948c7b350039f62fbc4945798cda33

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\Common.dll

Filesize
128KB

MD5
7b66eca3d2efdf0500ca63b0a4f18ac1

SHA1
a6ce9529a3b2c85c9f13abf5974b176bb6d5c194

SHA256
013e947e5f0c653607d3bfb7a0df1ab68ae6a54b7edd943f816e34d1ca0d5312

SHA512
390fe0a2abe8c57f93f5823af89c64660107e46a1b0e9231f80d6da8af2d99ac8e991360be7fd4fa7ddb9ab7ebdc56a9d8949d9b4d2f9e4b801e17ee1e44b462

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\Common\FNP_Act_Installer.dll

Filesize
1.4MB

MD5
59ef0e75e8cff14befa264dec72f736a

SHA1
085cacf6faae1f8576dcfede6134da7c5b7c3af7

SHA256
39e0b9f2476109df6530c0aec945b8f705d268e52bf6d4a1415a41fcc066112f

SHA512
5b5b5d839895d893325d334b8c4702e81cd834ba4531a681f7667a3c68762175a4fd66fe8d27f5c29c69a139c54029c6e08cad34f2964169604f0c14ac9aeb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\Common\installanchorservice.exe

Filesize
108KB

MD5
f798486a8662d2b9447349afef6395d3

SHA1
e9d8eda8ff1dc412fb55ea24d9d0b47e1ba4d5ea

SHA256
1a371e03be34ae67f35dce216540a12bc2b53f272660f02d01037df2305faa09

SHA512
c39f077e76e149500ddcc19c58a038311f79a02f21f23bfaebfb1099e96bf31741f4ab656a61e85753c64705455188f49ae6a1b945ea7a05809ecb1b5fdce6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\Common\uninstallanchorservice.exe

Filesize
108KB

MD5
6141ce7ff8c86f389295683e872d5c0d

SHA1
961ce920cb6ec79c915429f19906c76e54bebb55

SHA256
34a4360c26dc2635bf6c9adb42316116794df77b55630074938374df88e40823

SHA512
c647f3e32f93faf9acd3ec6ce8773f573fe84375522916603841216a014ae9c541bc6cfb32670bf8dd477e06c4bdac1eb26c874e27e33b827a4d71e5a88fef6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\Creative_Installer.ico

Filesize
202KB

MD5
0f577ff887eb12a06dac60a48931c78c

SHA1
8927bcc1e7813468f8c490984486fd26a121deef

SHA256
41dfcb0920fc7cc0dcf9f675b6cc2ad351af8f496cf017329b48424d80ff2a58

SHA512
125ef16bbc5481f9644d7707f14cc8232ec7c42f3187f8242d0f6bd4ad8f33a6feb66d15885618ae5ace5153283737c5f891607e036b7a0c9f257c4c77d5b521

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\English\_IsUser.dll

Filesize
156KB

MD5
c56fd923a73ef830d5aae083b4f94ccd

SHA1
be85788409635203c92ddb3c73723622d0d59d95

SHA256
7013f2a76e5ef139bee4a6a4a64421477c5cd01c47016443413009c8e8a7f998

SHA512
1a5c81ec17c3ad15648d58f60a55551253680e15692499bf664779c1f833dd35aef3b0321ccd019d06928c19f742cf869f56ee1f63f86aacffb0b813212d7277

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\Error.ini

Filesize
1KB

MD5
9818bdb1cb7441f0a873fe2520b8bbe0

SHA1
241b7d1bca5905c89df05e9accbe28f8a70c5cea

SHA256
a9af741a77ee16676c99063f0a3429b67f65aa09dbab9d9ac7d6802aa638c71e

SHA512
350a4fee0569499be2d93f899ad6335bfaf57ae3f9b76dcce75a0b7545df35808cf171cf2311abc75ad4b3f152fbc4bc51c085205fac122b3c9206fda52121b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\IHL.dll

Filesize
88KB

MD5
bf409d2c1e3ddb81c81781f0e5ab6c61

SHA1
85f543c33367a5d5a009c2afdc1cfa85aa77026b

SHA256
95bb5fe0198810be95bfa31763d90b07a1f80356d4e9e90dfa5d5c709237f7e5

SHA512
946175d121092b0d9ad3e151485be40e2c17f628742849c71bb15f32621ad4cf6b0ae49e6cc76d5be951a4b9efaf307d3d15dcb4b55cd73ee4d97f0483dd5962

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\InstHelp.exe

Filesize
50KB

MD5
693d110d37331a42b5035e73c447e31d

SHA1
33fb7e2394470049c1d0a1aeea31d0e6a2e14ae7

SHA256
4932183c695afcbd5c755159d677946afdbf8d959299b54aed0d3b5e479be1f3

SHA512
f6b3675827dea4a4ab45f0cb8b4bba0c31374f0a76340a3cc065453760e6dd840e9081f41adcd793ae621e84785b9b162b9c8fbf1ebf58ebc2403012a8198eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\InstHlpr.dat

Filesize
8KB

MD5
0472366ef18e5c93f821f44e6bbb6b61

SHA1
d47c087a6b0543fe235ae623b713a70dd6816a86

SHA256
a02d23d8a148cdbf99e855cdb6b64b5ce3c6539ffb0ef328f24027713cc64c1d

SHA512
320163cf9083041e55a1ed78255fccf4faa4289c48ee02c7b31d0a6bb1cbbcdf07777e8cdc3a50261e8dcaf3a4f9eaf7e749289de4856c1dacdeb8d5ac5628a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\InstHlpr.dll

Filesize
216KB

MD5
1c643fb3d3d6b1a9754fc6041d627b84

SHA1
c03bce9f30a3a67f6f74e9608461bdac9d0d7a13

SHA256
a8ffd76b1c65d9532f7116ab84cce7d4065e6449c636671af26130db6c91d972

SHA512
5841908e88deac3a84473ede6a35ff02b75b1ef6b4ff70b3fe1818fc69d60c048d22f9c58d702ece4846d69c82af099b77c2dc02f9a750bae2372de70c934dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\InstHlpr.exe

Filesize
1.2MB

MD5
a8a8525902854cf937c29482c8f5c66e

SHA1
4ab44a00ebd188f3c7d617cba808182a91472c62

SHA256
cce522df799d6e8aae25bb06d89c6408f27e4b512b56124aab270a26fa5151dc

SHA512
8a01a9e5da15d01aaeb38bc34d638fe903ebc3df85133b00d8dc19b1ad0bffa70433bbf2c9e0c340e5924f66c3792d075bbdafccc6142a4300d1d3e5826ba7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\InstHlpr.fnp

Filesize
3.6MB

MD5
d27f867e32108d16ebced5f66bf05999

SHA1
9e8eaf24da22625a73760c72a71ec23146e89d97

SHA256
c63bc21f109433e9f7895c76b490b73eff29caea8c3423ee5f118ff836d7af7c

SHA512
c128e908df39116c3d976a5e370b3999c432389eab42d62d8767dd4647b45152d300ea1b10abf19885b8bfd4f14f34dfa439c08a2a9fd30d45ae9e483a0162a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\Pfmod968.rra

Filesize
6KB

MD5
3ddf69a759f5a9e6ad9de94a5455ea56

SHA1
3f27b7dbb47034cce90cdb3660e435838d882841

SHA256
ae9049c14d040bcc8151f087e47c3adab959954826526106aee309c1c07cbd01

SHA512
abaf548f1a6640b23601e294adf545f00919bc9d5a83b53215119cd2e6d46e0c2d632bc661d66f1924bba478f17fa1e2164ce18e5aac7b17666a7dceb3a6b5a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\RTFUtil.dll

Filesize
28KB

MD5
6c94c1a0c37e47181872e542a70e4074

SHA1
9422a7f91c7a56551bf6b2b9aba929fc68df31b0

SHA256
59b865998650d1c4f4fe625f1f014caae2a0d74a3f0afacdab5553b43026b889

SHA512
8b5fb5bcf718b66d7e6a892768650dd16cb00e4684852c4b686ff4c93b06dc40e0e6d32a24e561e94453b164d94e0ea61e55b07370190bd4b082c6ba022a1d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\RegEdit.dll

Filesize
44KB

MD5
29c060fabbbae7b6977aebc338425b6f

SHA1
2b069c68d20c494bdf1672127aec3d2ca0c739e5

SHA256
fec56ee5e5e0ab643b3123f860bcdf657186ea32f0263363c1f03a5b4b13e74d

SHA512
3f711810865af5f44df0f323410c7ed0de2fbbb1da168078f0a2a78abdc74fad750cd9ec17a8029a373887b172a75b2e3a147c206f6f8c091be72593232f0e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\Registry.rgi

Filesize
403B

MD5
9bc6ba2196fc52edcf1178246cae1bf1

SHA1
80b91344a4089cb76cefeb389a6a2ee3e06d27b6

SHA256
8c4c75afed662fb4f403bf3e6cbe24a6080fbf10e9cfdaff06f8a0a02dbfe029

SHA512
20367d0c114b393baa6324687dc88f4085797e8ce351ddc1c2579ba3f30ccaa1ca6f41ac3f11a8e117452fde24f975c8d7b2deff37e71e8fdc5135d322466d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\VERINFO.DLL

Filesize
28KB

MD5
4246bb96a71a5a95109e6175d445643d

SHA1
46e355e6424932692ae6ac2d05b3dc5c3b503032

SHA256
1f82831391eacf7dee16063e244ec3bb0ca2322c6052c6c744bad0e8efb66b6f

SHA512
829c4dde8e777e2d60b939583af592f7cf241b17fcc4d3ed217814a8668a71bf0f11c8486f52d0efe4b274d23c46a2c44db67cc6df17065c9db7257967cd3d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\WMIUtils.dll

Filesize
64KB

MD5
91b4bb9d6d5001aff265e85193484ab7

SHA1
80521d7ec4ae08c06a4bcab5f72df5c1428b98f9

SHA256
2797dcd307e0546f35af7d10d084cf77ed47504e519f360551a0d2391765b60e

SHA512
a6c8997dd9c88a71ffa8235860abde96fb089b736fbd67cbbb0ec7414f4b8bdbcb121d4f907b222cbe0ad9a3f42e43d4fca79bac586c9fd6425cefce6fef739f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\_IsRes.dll

Filesize
356KB

MD5
acb826195230ba7c391b447c94910cce

SHA1
818affc0c770fab09a2f34fab3b2847623efd102

SHA256
269f7f808409cbfce1a800221e28cf03f4743f5b3d98d5479ae4e8a6e3afb58b

SHA512
7ada14e3829bac14d2fb5622109d7c594dcf9bf89e1fffb46308b58524779bd96e48d9cb341265738fbd9a7ad11c0bde972bd3b7f97ba31f896f4c9f9337c45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\_IsUser.dll

Filesize
92KB

MD5
81878098d99e38e39c9cb237436960e8

SHA1
f7d7151ded6fc0690e4d460d9de5f047ccf18660

SHA256
dd8126f6a9650238a38b3b9610b182876eff68324aafd8f3a3a4a37c1281ce3f

SHA512
8a8d779071874d4b4530a0dbfc60af476258961b03288d63b679d9b46663325008efeda5976c28c5d39c7a3d42c577de423a291ed0ea7c993f5db78f220826a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\isrt.dll

Filesize
392KB

MD5
ea8a40913840238aed96eeb9dc19af1e

SHA1
8f94967525d852a5aaa1fb5ef8cdb20a98709877

SHA256
bea0a8f8454b94bd4cb2bf35a5363e538f816fdddd1d231358703d005faee17e

SHA512
94973dca8cb25abd65c83ba2a680b3fab4ea7401f2d2b28f95369f678fd15f134d7d1dcbc812f285d30ab8003765928ccbd11d3924d2363f4a6f25d5b3df969a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\pbar.bmp

Filesize
216B

MD5
9b2b98c357733955aa975121a3f01cf7

SHA1
4b7396d8af1f649a84a29f7dec05dbabcbddaa81

SHA256
4b96197f031ef0631ef090da06d14f7f62ab0ceb8d80cde5a990c8e2d48621d3

SHA512
72245c8c1823aab6e23c76e995123ce298e1b3f96f3d0b1532f6d978e948ce6f74f64c747a6637d9f5457a8599a671cffaa15dcce33204cb94649afe304d0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BDF9E43-A216-4916-A6E8-9DD4982892C2}\{82F99DC9-389A-4528-940C-88248731A620}\pbarbk.bmp

Filesize
214B

MD5
c54a9baed9b64eaf39fd614499e9d9b1

SHA1
34802d7188d1e236dffba5268625c3dd4b1eb329

SHA256
6c076d96c60bd05f4eb38aa129ca6cef77b86ff3daa20b0e2989f60884969fef

SHA512
48e673991543007f9cfa9a771f016a8a72fd0277b8f10247a36f6c69f0e14744ecc4b907652987c76d3526b209409389a647d3f36c68e7de2b7bd04bf7597f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\core630a.rra

Filesize
63KB

MD5
09d38ceca6a012f4ce5b54f03db9b21a

SHA1
01fcb72f22205e406ff9a48c5b98d7b7457d7d98

SHA256
f6d7bc8ca6550662166f34407968c7d3669613e50e98a4e40bec1589e74ff5d1

SHA512
8c73ca3af53a9baf1b9801f87a8ff759da9b40637a86567c6cc10ab491accb446b40c8966807bd06d52eb57384e2d6a4886510de338019cfd7ef966b45315ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\CToem.cfg

Filesize
262B

MD5
e28767349864c670717da17bbf79de76

SHA1
d686806497b75e3e7ae59f90b64b94f5e33bd28b

SHA256
11e2f00b6f4245cf45d8621f5881691d24adf5b1a68f2c7f7c141bf0f46c3c54

SHA512
418b59b71d58f62007fe9997cb1029c09feee41242025f8e7f3a674c63185d6a00d11771a51acaa38db13222ea8f9de01b5badd7c655f523b4a292eb5417ccce

Download Submit
C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\Registry.rgi

Filesize
34B

MD5
68312d7e82aeb04d6f09985e86b4091b

SHA1
f571fea16994b0313d3a5fa9f2a6d4ef56614e9b

SHA256
d0ac0a1c59b3fb172f92e6dcd45732ddedfe92674ff3ce161a197b28dad4b31c

SHA512
fa11d567ef99ccf16ea24983ad639b4fda2d5dc7eba23b964857abc9ecddbf3a558dbb64d828de4fea15647e3578b414d4277cf3d8e99205d4e45086872c0202

Download Submit
C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\SUPPORT.CAB

Filesize
24KB

MD5
85f1dee21036d4ff06d42ddbb5839abb

SHA1
0fe07875bcb1766b81ca81f332f2685c6aa3793c

SHA256
19b2fa2d3fafb42238d97602b215b30860295198b0829cc297fd6903f994a1a9

SHA512
1a90bcb71b4c19470ee407ce605ab1358aaaad2a070268e3375a278e4a19530e221c36c29a818325e9f4a2da2bb647f89692d21865346c3d32d5d7cfd57bcd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\Setup.bmp

Filesize
8KB

MD5
897f2611f648113f778170942a425cc4

SHA1
d82d92d1d5d14c8a763ba4606a8ff1963bbda1ee

SHA256
1b26be070768c71e00254444ae966d480cf597e7265eede45072df0833cd65dc

SHA512
b7f3cd1e87363c44b3338263b534cb2ca53c17f6dbb210e344e771e9646b3ab1989aff22f17f174e349029f13285c0b01832217ccdf66cee3d12133d3812fbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\Stri630a.rra

Filesize
175B

MD5
a3488153d833ab844f671728ec1ee908

SHA1
bfabbbee089845e295211f2cd005f5665805e766

SHA256
0d016f6086be8bc91e48b8d2f3a3d5a991de784df6f309a136a286ab8b21d477

SHA512
eef6e46400826076fc52b1f8b5741b73e1f6360d35ac582cdb13dcc2b9c78bbd9881674ee720020f6ed7104f4adf17192663e84fbc7b02741ec6d4d331f85857

Download Submit
C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\TSpEQCV.ini

Filesize
108B

MD5
e58ef5bee83bd93179fc33a2ecf74c83

SHA1
1ed26fff07af7cf7657978640ffe52b3011bad78

SHA256
88e1fba31d386ae1917dcf11c70bf22994a0fffff5fd88ce2582f05669679201

SHA512
f12915d20579c8f59b0e813b2a5900503b1071fd8ae7059268b4c42ea5698b0b6b2f1e95a75e3e88fab5125f74c4ef209994ffb7c30bc14cfeb3d7cd7843668a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\defa631a.rra

Filesize
1KB

MD5
0abafe3f69d053494405061de2629c82

SHA1
e414b6f1e9eb416b9895012d24110b844f9f56d1

SHA256
8075162db275eb52f5d691b15fc0d970cb007f5bece33ce5db509edf51c1f020

SHA512
63448f2bef338ea44f3bf9ef35e594ef94b4259f3b2595d77a836e872129b879cef912e23cf48421babf1208275e21da1fabfdc494958bcfcd391c78308eaa27

Download Submit
C:\Users\Admin\AppData\Local\Temp\{55053158-EF0D-403D-B95F-6F70AFF653C6}\{B075DEC8-6521-4A82-B70A-4729B159F067}\setup.inx

Filesize
279KB

MD5
e9a459d24e9242560e2944e4481a7e86

SHA1
59118da9cd6bb0799d2899c9d10e97ed62755b63

SHA256
05a5177f603c66fb17381655f84afb432080ed1c87e84dabfabeeca1add03ef6

SHA512
f6943a01e8907e78c45bb269c4816db34e371f97fd44fbbca90fb80eac433013d6a1452a683d44fecf1612590292c8e6482979b8e2317ddf709e85a433d3ac68

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7F61D6F0-97D3-4B29-9836-8CDA60746304}\{B5722CBD-37F8-4643-8496-12E4F2EA925A}\Common.dll

Filesize
92KB

MD5
82e6c243154140c4491daf65b88a837e

SHA1
95f859b855cf52ee3f5eea7d12a497b7d8d674fa

SHA256
838ec65e8fe9f01d1395968a85a625e9504d7c0f3de6c4b5c441f5352cda6378

SHA512
b94ffd4670d523c618ac0d0ac9de4fb2b7995075dc5fee939040f65db806ee2f24a48ec266a6bd11214cc887c003bb6a0657b9eef0399079679177788613cf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7F61D6F0-97D3-4B29-9836-8CDA60746304}\{B5722CBD-37F8-4643-8496-12E4F2EA925A}\_IsRes.dll

Filesize
292KB

MD5
3b1853234fb054d5028289be3d47bcbc

SHA1
468e7b2dd16f8b74fea7189b5406ac3aad6c763e

SHA256
a7ae6c7562b832282e0d5d3171f796bc404e32ecb0df316c462dd05b1fa48e6b

SHA512
c4af8c342ea27a2841199d2a7e37d60ef817bd9100a835e2c3aa49af1844f86eeb017a59b716b6e59f41452de5b2a1358520e250d261dd2a2d2ea0083c4e0f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7F61D6F0-97D3-4B29-9836-8CDA60746304}\{B5722CBD-37F8-4643-8496-12E4F2EA925A}\_IsUser.dll

Filesize
156KB

MD5
bdc9d78c7e9ef31f1ae128bd9d26d5f6

SHA1
86191a14a71c5c130fe2fc26e700ebc5077bf412

SHA256
54b6684d4424db0a46a8f756fee782a6aac358258eef6b40e16e91782acfcaa0

SHA512
e05781c1107077570f3dda68f5d53e5b643e593ad1e98ed7fbe46acded98354b682cbdc391d91d02dad3f38f0bc9b790ce63e792ab665f1e0a7685dfc4f6b8f0

Download Submit
C:\Windows\Temp\CRF000\License\English\License.txt

Filesize
25KB

MD5
9dce299551f7d5bd18770b61666d8f0a

SHA1
8d153afcd3f981bfd9615402cd5cc513b286ee58

SHA256
4d68e5565339500d78779db4e50e383e4ca7e5b61a500376a3d05d5ebe1f4e14

SHA512
3bf4c29110a897510f3e46ae8dd4723f2425c32141135cbb25210c9a4deb005a584690c409ae099421cf94374b39acef6ceca52ff635eb3ec1946d0e230be34f

Download Submit
C:\Windows\Temp\CRF000\creaf_ms.cab

Filesize
2.9MB

MD5
d463ab46795a76c1dd858a1b6552a20c

SHA1
e0aeb9c7bf8176307feb863868efc27b59a64fe0

SHA256
a25572779ce3a45e501f8f03c40e1a945edd7a7c9bf7303cb8087372f3285066

SHA512
32f1c35311b58efd2c2db97cb832f40e9f458c63b90abb2431c462301fe017bf469ee3908a5900ff88b3f1d2d9e6c8b959881921d406f432095b14e19b85550d

Download Submit
memory/2168-8234-0x0000000004340000-0x0000000004350000-memory.dmp

Filesize
64KB

Download
memory/2168-7843-0x0000000004CF0000-0x0000000004D01000-memory.dmp

Filesize
68KB

Download
memory/2168-7797-0x0000000004450000-0x0000000004519000-memory.dmp

Filesize
804KB

Download
memory/2168-8242-0x00000000043C0000-0x00000000043E2000-memory.dmp

Filesize
136KB

Download
memory/2168-8370-0x00000000043C0000-0x00000000043D1000-memory.dmp

Filesize
68KB

Download
memory/2168-12713-0x0000000004400000-0x0000000004422000-memory.dmp

Filesize
136KB

Download
memory/2168-293-0x0000000004BB0000-0x0000000004BE0000-memory.dmp

Filesize
192KB

Download
memory/2168-8421-0x0000000004430000-0x000000000443D000-memory.dmp

Filesize
52KB

Download
memory/2168-12681-0x0000000006550000-0x0000000006572000-memory.dmp

Filesize
136KB

Download
memory/2168-8212-0x00000000043A0000-0x00000000043C2000-memory.dmp

Filesize
136KB

Download
memory/2168-7912-0x00000000042E0000-0x000000000433B000-memory.dmp

Filesize
364KB

Download
memory/2168-7867-0x0000000005720000-0x0000000005750000-memory.dmp

Filesize
192KB

Download
memory/2168-7859-0x00000000050A0000-0x0000000005104000-memory.dmp

Filesize
400KB

Download
memory/2168-8286-0x00000000043C0000-0x00000000043D6000-memory.dmp

Filesize
88KB

Download
memory/2168-7850-0x0000000005030000-0x0000000005072000-memory.dmp

Filesize
264KB

Download
memory/2168-235-0x0000000004A40000-0x0000000004A8D000-memory.dmp

Filesize
308KB

Download
memory/7736-12834-0x00000000034C0000-0x0000000003524000-memory.dmp

Filesize
400KB

Download
memory/7736-12838-0x0000000003810000-0x0000000003840000-memory.dmp

Filesize
192KB

Download
memory/7736-12865-0x0000000003F00000-0x0000000003F0D000-memory.dmp

Filesize
52KB

Download
memory/7736-12860-0x0000000003F00000-0x0000000003F19000-memory.dmp

Filesize
100KB

Download
memory/7736-12738-0x0000000002720000-0x000000000276D000-memory.dmp

Filesize
308KB

Download
memory/7736-12781-0x00000000028D0000-0x0000000002900000-memory.dmp

Filesize
192KB

Download
memory/7736-12829-0x0000000003300000-0x0000000003342000-memory.dmp

Filesize
264KB

Download
memory/7736-12786-0x0000000002C30000-0x0000000002CF9000-memory.dmp

Filesize
804KB

Download
memory/7736-12828-0x00000000032E0000-0x00000000032F1000-memory.dmp

Filesize
68KB

Download
memory/8120-12439-0x0000000003AE0000-0x0000000003B10000-memory.dmp

Filesize
192KB

Download
memory/8120-12609-0x00000000040E0000-0x00000000040F0000-memory.dmp

Filesize
64KB

Download
memory/8120-12594-0x0000000005270000-0x0000000005292000-memory.dmp

Filesize
136KB

Download
memory/8120-12468-0x0000000005210000-0x000000000526B000-memory.dmp

Filesize
364KB

Download
memory/8120-12430-0x00000000033D0000-0x0000000003412000-memory.dmp

Filesize
264KB

Download
memory/8120-12435-0x00000000038A0000-0x0000000003904000-memory.dmp

Filesize
400KB

Download
memory/8120-12429-0x0000000002F20000-0x0000000002F31000-memory.dmp

Filesize
68KB

Download
memory/8120-12396-0x0000000002D50000-0x0000000002E19000-memory.dmp

Filesize
804KB

Download
memory/8120-8668-0x0000000002BA0000-0x0000000002BD0000-memory.dmp

Filesize
192KB

Download
memory/8120-8635-0x0000000002770000-0x00000000027BD000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads