raccoon | be2d002254d6faabfe84901983be74f44ebde466f955effa74ea990aad6aa59b

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.exe
Size

11.0MB
MD5

635ef412c7ecb2f3ab712a916c7f8395
SHA1

e99388a956bfa877b7ce648ecf8f1d9116b62e99
SHA256

be2d002254d6faabfe84901983be74f44ebde466f955effa74ea990aad6aa59b
SHA512

165539c6d45d799093dd42a7362db26c80d80799b1ba8e8091bab2048e258b82ff81dddcdef60ac060a897cb4eaebe608dd34f0cdd4ce44b8dcb76c9faae62a6
SSDEEP

196608:5T7valuflJpZifDBtHjbHNbrkU5LNZTGywSnhrzsYxiXYqbY9ePC4aZ:9aluflrsPH5LfcMzszYqbY9em

Score

10^/10

raccoon e2b58b2c24d80fcfd249021c5a21ac97c09e40a1 adware discovery evasion persistence privilege_escalation stealer upx

Malware Config

Extracted

Family

raccoon

Version

1.7.3

Botnet

e2b58b2c24d80fcfd249021c5a21ac97c09e40a1

Attributes

url4cnc
https://telete.in/mohibrainos

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4748-532-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral2/memory/4748-533-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1

Drops file in Drivers directory 3 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\idmwfp.sys	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\SET148D.tmp	RUNDLL32.EXE
File created	C:\Windows\system32\DRIVERS\SET148D.tmp	RUNDLL32.EXE

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1948 netsh.exe

pid	process
1948	netsh.exe

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsn8109.tmp\Aero.dll	acprotect
behavioral2/memory/228-60-0x0000000074F60000-0x0000000074F69000-memory.dmp	acprotect
behavioral2/memory/228-77-0x0000000074F60000-0x0000000074F69000-memory.dmp	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Uninstall.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Uninstall.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 8 IoCs

Processes:

635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmpInternet.Download.Manager.v6.38.18.exeaFCDKiW1DOxXjGm.exeUninstall.exeIDMan.exeaFCDKiW1DOxXjGm.exeaFCDKiW1DOxXjGm.exeaFCDKiW1DOxXjGm.exe

pid	process
1772	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp
228	Internet.Download.Manager.v6.38.18.exe
816	aFCDKiW1DOxXjGm.exe
1516	Uninstall.exe
2480	IDMan.exe
4704	aFCDKiW1DOxXjGm.exe
2080	aFCDKiW1DOxXjGm.exe
4748	aFCDKiW1DOxXjGm.exe

Loads dropped DLL 20 IoCs

Processes:

Internet.Download.Manager.v6.38.18.exeregsvr32.exeregsvr32.exeIDMan.exe

pid	process
228	Internet.Download.Manager.v6.38.18.exe
228	Internet.Download.Manager.v6.38.18.exe
228	Internet.Download.Manager.v6.38.18.exe
228	Internet.Download.Manager.v6.38.18.exe
228	Internet.Download.Manager.v6.38.18.exe
228	Internet.Download.Manager.v6.38.18.exe
228	Internet.Download.Manager.v6.38.18.exe
228	Internet.Download.Manager.v6.38.18.exe
228	Internet.Download.Manager.v6.38.18.exe
2680	regsvr32.exe
1056	regsvr32.exe
228	Internet.Download.Manager.v6.38.18.exe
2480	IDMan.exe
2480	IDMan.exe
2480	IDMan.exe
2480	IDMan.exe
2480	IDMan.exe
3392
3392
228	Internet.Download.Manager.v6.38.18.exe

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

RUNDLL32.EXE

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" RUNDLL32.EXE
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

IDMan.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDMan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDMan.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

aFCDKiW1DOxXjGm.exe

description pid process target process

PID 816 set thread context of 4748 816 aFCDKiW1DOxXjGm.exe aFCDKiW1DOxXjGm.exe

description	pid	process	target process
PID 816 set thread context of 4748	816	aFCDKiW1DOxXjGm.exe	aFCDKiW1DOxXjGm.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsn8109.tmp\Aero.dll	upx
behavioral2/memory/228-60-0x0000000074F60000-0x0000000074F69000-memory.dmp	upx
behavioral2/memory/228-77-0x0000000074F60000-0x0000000074F69000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

Internet.Download.Manager.v6.38.18.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Download Manager\Languages\template_inst.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\PureFlat\PureFlat_Small_Hot.bmp	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Uninstall.exe	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_th.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_al.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_th.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_vn.txt	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\idman.chm	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_hi.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_sr.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_es.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_iw.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_cz.txt	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\PureFlat\PureFlat_Larg.bmp	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMan (YASCHIR).exe	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmmkb.dll	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmmzcc.xpi	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp64.sys	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_es.txt	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMOpExt.nex	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMShellExt.dll	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMVMPrs.dll	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\grabber_ru.chm	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_hu.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmtdi64.sys	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp.inf	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\tutor.chm	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\libssl.dll	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ru.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_uz.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_ua.txt	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmcchandler2.dll	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\libcrypto.dll	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_fr.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\PureFlat\PureFlat_Larg_Hot.bmp	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_vn.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_fr.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_chn.txt	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_my.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_hu.txt	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_chn.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_ptbr.txt	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\PureFlat\PureFlat_Small.bmp	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\defexclist.txt	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp32.sys	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ru.chm	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp.cat	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_tr.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_de.txt	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_it.txt	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_kr.txt	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmfc.dat	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmtdi32.sys	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Uninstall-ME.exe	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmfsa.dll	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_it.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ua.lng	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\downlWithIDM.dll	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmBroker.exe	Internet.Download.Manager.v6.38.18.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_am.lng	Internet.Download.Manager.v6.38.18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exereg.exereg.exetaskkill.exereg.exereg.exereg.exenet.exereg.exereg.exereg.exeaFCDKiW1DOxXjGm.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exetaskkill.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exenet.exereg.exereg.exeregsvr32.exewhoami.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aFCDKiW1DOxXjGm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whoami.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4872 taskkill.exe
4432 taskkill.exe
1948 taskkill.exe
4996 taskkill.exe
2428 taskkill.exe
908 taskkill.exe
3476 taskkill.exe

pid	process
4872	taskkill.exe
4432	taskkill.exe
1948	taskkill.exe
4996	taskkill.exe
2428	taskkill.exe
908	taskkill.exe
3476	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

IDMan.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Скачать с помощью IDM\ = "C:\\Program Files (x86)\\Internet Download Manager\\IEExt.htm"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Скачать с помощью IDM\contexts = "243"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Скачать все ссылки с помощью IDM\contexts = "243"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Скачать с помощью IDM	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Скачать все ссылки с помощью IDM	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Скачать все ссылки с помощью IDM\ = "C:\\Program Files (x86)\\Internet Download Manager\\IEGetAll.htm"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe

Modifies registry class 64 IoCs

Processes:

IDMan.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\ = "ICIDMLinkTransmitter2"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\ = "ICIDMLinkTransmitter"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\VersionIndependentProgID\ = "IDMIECC.IDMHelperLinksStorage"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\HELPDIR	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0\FLAGS	IDMan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}\NumMethods	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib\Version = "1.0"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\HELPDIR	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\TypeLib	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\VersionIndependentProgID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\CLSID\ = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ThreadingModel = "Apartment"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\CurVer\ = "DownlWithIDM.IDMDwnlMgr.1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\ProxyStubClsid32	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CLSID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj\CurVer\ = "IDMIECC.IDMIEHlprObj.1"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage\ = "IDMHelperLinksStorage Class"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\ProxyStubClsid32	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\TypeLib\ = "{ECF21EAB-3AA8-4355-82BE-F777990001DD}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC.dll"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\ProxyStubClsid32	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\idmfsa.dll"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\TypeLib\Version = "1.0"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Insertable	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\VersionIndependentProgID	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\idmfsa.dll"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\Programmable	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib\Version = "1.0"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor\CLSID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr.1\ = "IDMDwnlMgr Class"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\Programmable	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\TypeLib\ = "{37294E01-DB54-43AF-9D50-93FF7267DF5D}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage.1\CLSID\ = "{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\InProcServer32\ThreadingModel = "Both"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0\ = "IDMIECC 1.0 Type Library"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ProgID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC.dll"	IDMan.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmpaFCDKiW1DOxXjGm.exe

pid	process
1772	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp
1772	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp
816	aFCDKiW1DOxXjGm.exe
816	aFCDKiW1DOxXjGm.exe
816	aFCDKiW1DOxXjGm.exe
816	aFCDKiW1DOxXjGm.exe
816	aFCDKiW1DOxXjGm.exe
816	aFCDKiW1DOxXjGm.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid process

656
656
656
656
656
656

pid	process
656
656
656
656
656
656

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

whoami.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeIDMan.exeaFCDKiW1DOxXjGm.exe

description	pid	process
Token: SeDebugPrivilege	2424	whoami.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	4996	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	3476	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	4432	taskkill.exe
Token: SeRestorePrivilege	2480	IDMan.exe
Token: SeDebugPrivilege	816	aFCDKiW1DOxXjGm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp

pid process

1772 635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

IDMan.exe

pid process

2480 IDMan.exe
2480 IDMan.exe
2480 IDMan.exe

pid	process
2480	IDMan.exe
2480	IDMan.exe
2480	IDMan.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.exe635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmpInternet.Download.Manager.v6.38.18.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3704 wrote to memory of 1772	3704	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.exe	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp
PID 3704 wrote to memory of 1772	3704	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.exe	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp
PID 3704 wrote to memory of 1772	3704	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.exe	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp
PID 1772 wrote to memory of 228	1772	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp	Internet.Download.Manager.v6.38.18.exe
PID 1772 wrote to memory of 228	1772	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp	Internet.Download.Manager.v6.38.18.exe
PID 1772 wrote to memory of 228	1772	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp	Internet.Download.Manager.v6.38.18.exe
PID 1772 wrote to memory of 816	1772	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp	aFCDKiW1DOxXjGm.exe
PID 1772 wrote to memory of 816	1772	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp	aFCDKiW1DOxXjGm.exe
PID 1772 wrote to memory of 816	1772	635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp	aFCDKiW1DOxXjGm.exe
PID 228 wrote to memory of 1948	228	Internet.Download.Manager.v6.38.18.exe	netsh.exe
PID 228 wrote to memory of 1948	228	Internet.Download.Manager.v6.38.18.exe	netsh.exe
PID 228 wrote to memory of 1948	228	Internet.Download.Manager.v6.38.18.exe	netsh.exe
PID 228 wrote to memory of 4992	228	Internet.Download.Manager.v6.38.18.exe	route.exe
PID 228 wrote to memory of 4992	228	Internet.Download.Manager.v6.38.18.exe	route.exe
PID 228 wrote to memory of 4992	228	Internet.Download.Manager.v6.38.18.exe	route.exe
PID 228 wrote to memory of 1772	228	Internet.Download.Manager.v6.38.18.exe	cmd.exe
PID 228 wrote to memory of 1772	228	Internet.Download.Manager.v6.38.18.exe	cmd.exe
PID 228 wrote to memory of 1772	228	Internet.Download.Manager.v6.38.18.exe	cmd.exe
PID 1772 wrote to memory of 4788	1772	cmd.exe	cmd.exe
PID 1772 wrote to memory of 4788	1772	cmd.exe	cmd.exe
PID 1772 wrote to memory of 4788	1772	cmd.exe	cmd.exe
PID 4788 wrote to memory of 3636	4788	cmd.exe	cmd.exe
PID 4788 wrote to memory of 3636	4788	cmd.exe	cmd.exe
PID 4788 wrote to memory of 3636	4788	cmd.exe	cmd.exe
PID 3636 wrote to memory of 2424	3636	cmd.exe	whoami.exe
PID 3636 wrote to memory of 2424	3636	cmd.exe	whoami.exe
PID 3636 wrote to memory of 2424	3636	cmd.exe	whoami.exe
PID 4788 wrote to memory of 4136	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 4136	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 4136	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 1948	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 1948	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 1948	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 4996	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 4996	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 4996	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 2428	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 2428	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 2428	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 908	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 908	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 908	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 3476	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 3476	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 3476	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 4872	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 4872	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 4872	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 4432	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 4432	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 4432	4788	cmd.exe	taskkill.exe
PID 4788 wrote to memory of 1568	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 1568	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 1568	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 620	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 620	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 620	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 4396	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 4396	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 4396	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 1056	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 1056	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 1056	4788	cmd.exe	reg.exe
PID 4788 wrote to memory of 2480	4788	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Local\Temp\is-AQSES.tmp\635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AQSES.tmp\635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp" /SL5="$502D6,10662069,857088,C:\Users\Admin\AppData\Local\Temp\635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Program Files (x86)\PHvFAHQcrMumh_PHvFAHQcrMumhPHvFAHQcrMumh\Internet.Download.Manager.v6.38.18.exe
    "C:\Program Files (x86)\PHvFAHQcrMumh_PHvFAHQcrMumhPHvFAHQcrMumh\Internet.Download.Manager.v6.38.18.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\SysWOW64\netsh.exe
      netsh.exe advfirewall firewall delete rule name="all" remoteip=95.141.193.133
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1948
  - - C:\Windows\SysWOW64\route.exe
      route.exe delete 95.141.193.133
      4⤵
      PID:4992
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C START /WAIT /MIN CMD.EXE /C "C:\Users\Admin\AppData\Local\Temp\nsn8109.tmp\Cleanup.cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Windows\SysWOW64\cmd.exe
        
        CMD.EXE /C "C:\Users\Admin\AppData\Local\Temp\nsn8109.tmp\Cleanup.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c whoami /user /fo list
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\whoami.exe
        
        whoami /user /fo list
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKU\S-1-5-19
        6⤵
        
        PID:4136
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "IDMan.exe" /F
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "IEMonitor.exe" /F
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "IDMGrHlp.exe" /F
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "idmBroker.exe" /F
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "IDMIntegrator64.exe" /F
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "IDMMsgHost.exe" /F
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "MediumILStart.exe" /F
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
        6⤵
        
        PID:1568
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:620
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        6⤵
        
        PID:4396
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        6⤵
        
        PID:2480
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
        6⤵
        
        PID:4008
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        6⤵
        
        PID:1848
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        6⤵
        
        PID:4508
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
        6⤵
        
        PID:4376
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        6⤵
        
        PID:4640
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        6⤵
        
        PID:3548
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        6⤵
        
        PID:2184
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        6⤵
        
        PID:1680
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
        6⤵
        
        PID:1276
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        6⤵
        
        PID:1188
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        6⤵
        
        PID:4108
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        6⤵
        
        PID:2156
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
        6⤵
        
        PID:1976
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        6⤵
        
        PID:8
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        6⤵
        
        PID:2944
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
        6⤵
        
        PID:536
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        6⤵
        
        PID:1160
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        6⤵
        
        PID:1068
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        6⤵
        
        PID:4860
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
        6⤵
        
        PID:2372
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        6⤵
        
        PID:2792
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
        6⤵
        
        PID:2036
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        6⤵
        
        PID:2144
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        6⤵
        
        PID:1388
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
        6⤵
        
        PID:4308
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        6⤵
        
        PID:1872
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
        6⤵
        
        PID:4720
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:508
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        6⤵
        
        PID:1612
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        6⤵
        
        PID:2708
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        6⤵
        
        PID:4520
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        6⤵
        
        PID:724
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
        6⤵
        
        PID:2220
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        6⤵
        
        PID:2216
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        6⤵
        
        PID:4548
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
        6⤵
        
        PID:3636
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        6⤵
        
        PID:4864
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
        6⤵
        
        PID:2004
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        6⤵
        
        PID:2464
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        6⤵
        
        PID:5020
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        6⤵
        
        PID:2428
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        6⤵
        
        PID:2756
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4316
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        6⤵
        
        PID:3856
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        6⤵
        
        PID:4892
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        6⤵
        
        PID:4064
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        6⤵
        
        PID:620
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        6⤵
        
        PID:4396
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
        6⤵
        
        PID:1056
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        6⤵
        
        PID:2480
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        6⤵
        
        PID:2516
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
        6⤵
        
        PID:4008
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        6⤵
        
        PID:1848
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        6⤵
        
        PID:4508
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        6⤵
        
        PID:4640
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
        6⤵
        
        PID:3760
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        6⤵
        
        PID:2184
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
        6⤵
        
        PID:2352
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        6⤵
        
        PID:3696
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
        6⤵
        
        PID:4792
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        6⤵
        
        PID:4188
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        6⤵
        
        PID:1492
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
        6⤵
        
        PID:3644
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:696
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        6⤵
        
        PID:2100
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4628
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        6⤵
        
        PID:2260
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        6⤵
        
        PID:1396
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
        6⤵
        
        PID:3460
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        6⤵
        
        PID:4392
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        6⤵
        
        PID:1044
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
        6⤵
        
        PID:3528
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        6⤵
        
        PID:4248
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        6⤵
        
        PID:2972
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
        6⤵
        
        PID:1320
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:624
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        6⤵
        
        PID:5068
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        6⤵
        
        PID:2736
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
        6⤵
        
        PID:2936
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        6⤵
        
        PID:4516
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        6⤵
        
        PID:4124
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3844
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
        6⤵
        
        PID:4076
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        6⤵
        
        PID:2388
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        6⤵
        
        PID:3020
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
        6⤵
        
        PID:1376
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        6⤵
        
        PID:3128
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
        6⤵
        
        PID:636
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        6⤵
        
        PID:2960
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        6⤵
        
        PID:3380
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        6⤵
        
        PID:4032
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        6⤵
        
        PID:2612
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
        6⤵
        
        PID:4320
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        6⤵
        
        PID:3028
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        6⤵
        
        PID:3860
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
        6⤵
        
        PID:3316
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        6⤵
        
        PID:2588
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        6⤵
        
        PID:908
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
        6⤵
        
        PID:336
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        6⤵
        
        PID:3476
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        6⤵
        
        PID:4968
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
        6⤵
        
        PID:4872
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        6⤵
        
        PID:5112
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
        6⤵
        
        PID:532
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        6⤵
        
        PID:2948
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:640
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
        6⤵
        
        PID:932
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        6⤵
        
        PID:3892
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        6⤵
        
        PID:4760
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
        6⤵
        
        PID:4708
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        6⤵
        
        PID:2104
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        6⤵
        
        PID:2456
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
        6⤵
        
        PID:2940
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        6⤵
        
        PID:4356
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
        6⤵
        
        PID:3376
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        6⤵
        
        PID:956
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
        6⤵
        
        PID:5060
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3884
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        6⤵
        
        PID:1328
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
        6⤵
        
        PID:2348
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1188
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        6⤵
        
        PID:1496
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        6⤵
        
        PID:1356
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        6⤵
        
        PID:208
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Internet Download Manager" /f
        6⤵
        
        PID:1976
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Internet Download Manager"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Internet Download Manager"
        6⤵
        
        PID:2056
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Wow6432Node\Internet Download Manager" /f
        6⤵
        
        PID:752
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Wow6432Node\Internet Download Manager"
        6⤵
        
        PID:1160
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Wow6432Node\Internet Download Manager"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Download Manager" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Download Manager"
        6⤵
        
        PID:2400
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Download Manager"
        6⤵
        
        PID:4860
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Wow6432Node\Download Manager" /f
        6⤵
        
        PID:2372
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Wow6432Node\Download Manager"
        6⤵
        
        PID:444
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Wow6432Node\Download Manager"
        6⤵
        
        PID:3344
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\DownloadManager" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\DownloadManager"
        6⤵
        
        PID:2144
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\DownloadManager"
        6⤵
        
        PID:2736
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Wow6432Node\DownloadManager" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Wow6432Node\DownloadManager"
        6⤵
        
        PID:4516
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Wow6432Node\DownloadManager"
        6⤵
        
        PID:4124
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Download Manager" /f
        6⤵
        
        PID:4720
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Download Manager"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Download Manager"
        6⤵
        
        PID:2484
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Wow6432Node\Download Manager" /f
        6⤵
        
        PID:4076
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Wow6432Node\Download Manager"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Wow6432Node\Download Manager"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Wow6432Node\DownloadManager" /f
        6⤵
        
        PID:1376
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Wow6432Node\DownloadManager"
        6⤵
        
        PID:4140
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Wow6432Node\DownloadManager"
        6⤵
        
        PID:3128
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Download Manager" /f
        6⤵
        
        PID:636
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Download Manager"
        6⤵
        
        PID:4012
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Download Manager"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Wow6432Node\Download Manager" /f
        6⤵
        
        PID:4136
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Wow6432Node\Download Manager"
        6⤵
        
        PID:4404
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Wow6432Node\Download Manager"
        6⤵
        
        PID:4548
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\DownloadManager" /f
        6⤵
        
        PID:2004
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\DownloadManager"
        6⤵
        
        PID:3804
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\DownloadManager"
        6⤵
        
        PID:2464
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Wow6432Node\DownloadManager" /f
        6⤵
        
        PID:4832
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Wow6432Node\DownloadManager"
        6⤵
        
        PID:3624
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Wow6432Node\DownloadManager"
        6⤵
        
        PID:2756
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM" /ve /f
        6⤵
        
        PID:4316
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM" /v "MData" /f
        6⤵
        
        PID:3856
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM" /v "Model" /f
        6⤵
        
        PID:4868
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM" /v "Therad" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU" /ve /f
        6⤵
        
        PID:4612
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU" /v "MData" /f
        6⤵
        
        PID:4064
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU" /v "Model" /f
        6⤵
        
        PID:2680
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU" /v "Therad" /f
        6⤵
        
        PID:2932
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "FName" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "LName" /f
        6⤵
        
        PID:2132
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "Email" /f
        6⤵
        
        PID:1832
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "Serial" /f
        6⤵
        
        PID:804
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "CheckUpdtVM" /f
        6⤵
        
        PID:4100
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "tvfrdt" /f
        6⤵
        
        PID:1848
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "LstCheck" /f
        6⤵
        
        PID:4904
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "scansk" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:988
  - - C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
      "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1516
    - - C:\Windows\system32\RUNDLL32.EXE
        
        "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
        5⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:876
      - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        
        PID:3772
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:208
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        
        PID:752
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        
        PID:1320
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        
        PID:4600
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        
        PID:3964
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        
        PID:3380
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        
        PID:1948
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        
        PID:2428
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        
        PID:4748
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        
        PID:2712
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        
        PID:1168
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2680
      - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        6⤵
        Loads dropped DLL
        
        PID:1056
  - - C:\Program Files (x86)\Internet Download Manager\IDMan.exe
      "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /rtr
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2480
- - C:\PHvFAHQcrMumhPHvFAHQcrMumhPHvFAHQcrMumh\aFCDKiW1DOxXjGm.exe
    "C:\PHvFAHQcrMumhPHvFAHQcrMumhPHvFAHQcrMumh\aFCDKiW1DOxXjGm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:816
  - - C:\PHvFAHQcrMumhPHvFAHQcrMumhPHvFAHQcrMumh\aFCDKiW1DOxXjGm.exe
      "C:\PHvFAHQcrMumhPHvFAHQcrMumhPHvFAHQcrMumh\aFCDKiW1DOxXjGm.exe"
      4⤵
      Executes dropped EXE
      PID:4704
  - - C:\PHvFAHQcrMumhPHvFAHQcrMumhPHvFAHQcrMumh\aFCDKiW1DOxXjGm.exe
      "C:\PHvFAHQcrMumhPHvFAHQcrMumhPHvFAHQcrMumh\aFCDKiW1DOxXjGm.exe"
      4⤵
      Executes dropped EXE
      PID:2080
  - - C:\PHvFAHQcrMumhPHvFAHQcrMumhPHvFAHQcrMumh\aFCDKiW1DOxXjGm.exe
      "C:\PHvFAHQcrMumhPHvFAHQcrMumhPHvFAHQcrMumh\aFCDKiW1DOxXjGm.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PHvFAHQcrMumhPHvFAHQcrMumhPHvFAHQcrMumh\aFCDKiW1DOxXjGm.exe

Filesize
1.0MB

MD5
be224ecbd3eb94bc9074b4b796957d89

SHA1
40cd0bcd10a8f5dd4715d076e08cc3877e99774a

SHA256
b5060e115212bc9ca8ce02bd52f532fc69e4cee25acb4436be5ec3f95ad82d50

SHA512
6e9bc3db862e0d1fa4d8192ff7ee2303186e837912b82e6ade0271383553bf953c0bbddc7c88857d25b7273d63802b4244b335c537f85e2285ec38f59804fb5a

Download Submit
C:\PROGRA~2\INTERN~2\idmwfp64.sys

Filesize
223KB

MD5
2aa81ab974c62144c8678f2cb3b6b7f4

SHA1
717e6ce7b216aa27f9c51942319400399f2e902c

SHA256
d48f8f9db8e128e72b1c6faafc3e6b3af49d4a7e295e057479bc6ff12359e0a2

SHA512
4fd394bb68f4da1a10cc002a1f96c74f81bf61502f10eb6d8187e3e983c025be06b59b950f508d320e39c396981ab1d7244a1dc6837183dc610cb3da4efb2b54

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMEdgeExt.crx

Filesize
82KB

MD5
1b3277d0ae6956e13f21c419093a9066

SHA1
a10a7bf78b9f4edaa756907740962626a251f6c1

SHA256
c9b70b69def8f1b3ae3db665bb6706514cee4d2778b198d352d11ea66d394822

SHA512
f805bc175a95d222d2bca0d0f9955abaf0decb5d6d0ad83120e857423070bb0cbf7e3a0d95d149e956af96cb5996b7fa4010263d2362493599ca31b61365c5c8

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMGetAll.dll

Filesize
73KB

MD5
d04845fab1c667c04458d0a981f3898e

SHA1
f30267bb7037a11669605c614fb92734be998677

SHA256
33a8a6b9413d60a38237bafc4c331dfebf0bf64f8057abc335b4a6a6b95c9381

SHA512
ccd166dbe9aaba3795963af7d63b1a561de90153c2eaefb12f3e9f9ddebd9b1f7861ee76f45b4ef19d41ca514f3796e98b3c3660596730be8d8eb9e1048ef59e

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll

Filesize
464KB

MD5
88f83ad79e64dcef42756a42d68799dc

SHA1
75ff8c043387529ea536e5f7da7d526ff066852a

SHA256
135f7df262609a992c197e1f6ba06285d14d755574f937f1aa67d177b5cf171b

SHA512
e366ef8db07191a6ab7099ddf88ad35ec2daba266a01ff498bf68f373cdd3984a7345ed957e0c1341f27fd4e0eddba3cbff43a23cb3c74979807376b438dcc7a

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll

Filesize
36KB

MD5
a3c44204992e307d121df09dd6a1577c

SHA1
9482d8ffda34904b1dfd0226b374d1db41ca093d

SHA256
48e5c5916f100880e68c9e667c4457eb0065c5c7ab40fb6d85028fd23d3e4838

SHA512
f700cf7accab0333bc412f68cdcfb25d68c693a27829bc38a655d52cb313552b59f9243fc51357e9dccd92863deecb529cc68adbc40387aad1437d625fd577f1

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMan.exe

Filesize
5.2MB

MD5
d11efd02c97d5654a95d9828ec226dd2

SHA1
47347caa91fc5f9ed17a40c5e9c5f198080615ab

SHA256
d99ee0d09972a36826ab55c7aeda4fd5df4255c02222462ada4ad649e59a22e2

SHA512
460c253c78df694f82c100734d64583661f49a49b82903240f02bcd79ff48fd165b0f2b4eb4f31773d704c8b09ad271bcae0842e6aee7aedcd17ce216f4cc2b2

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDManTypeInfo.tlb

Filesize
2KB

MD5
60adb0ad984d5c3a4289ced459913963

SHA1
f8508d53a8d9d46e7e437a9f9c04dbfaf4d69519

SHA256
d421d11ef7cf2b766ca6fbc8e837912b2100339c686d48ca56f650649f7b9343

SHA512
2ca09a3b971218fc7116871d854a44e1c1a7abb16afca73bcbfa1e92fda1b8cf82e9b93c3dbc7b4e0efb9e31874b8ac592f151b08428bf1281a8a8d977e3a3fb

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_am.lng

Filesize
179KB

MD5
04c2c4ae4447f4fcdfe9891b31815c31

SHA1
8933389fc3affea4b2be275c292dd8c20be73cd2

SHA256
59feb468b93278b65159ba506e930505d22e766a4795d44662c1e6ce0bbbcf00

SHA512
af5d4ac168ca53fba4ae1c4e0d822eebcedc97a3d6668fc5846f81930c34200518a62be190dfc895a44fdf659b125b14bb1e4466d3d088df5b7f25770f4f9303

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_ar.lng

Filesize
94KB

MD5
0c2f98f765fd27281e4d69ac23716795

SHA1
459ecf10e1c73b12710b03ae65b392ca9f482dcf

SHA256
bbda9ce80448dac499d97420ede04b6ed7ff6083dc651225ed64bc03d9cb69b5

SHA512
0bc57043d3d2fce59a5ad70a753d27718fecde0a8babc940a3733ee3e22fcb0db7076f81be06e096c43bf1c49e37480eaae579d368f5f5b8785ddf230bbd313e

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_chn2.lng

Filesize
76KB

MD5
4ffc9407b04179d6ab6631891643310b

SHA1
f2e531a2e7582776d1a7e3fca9ac5bed75cc7eef

SHA256
cadc2511f15db0cb65ae2bb50fac6864ce765d207e08ddafd773ffbd0e3534d1

SHA512
e8c0819e61ace77b3263e478cefc7be8fc2c9267be48430b6b9a43be139be6256ec465522310f24502d8f6ed0da3a2dee1ef02ccc0c8e0eeb67b856b136becb8

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_cht.lng

Filesize
75KB

MD5
748fe90f8037e5ec3c6526334c6acd04

SHA1
0d6955b1b56f9440c3fea798efa528b4e4ff285a

SHA256
5ac9c869d9b2093509e52b503aa36a845cf0ca1cc638533196a85139b9c8ae52

SHA512
13d9c081d705cb9d645105f2eed272fbb16a0d9286ffc19bf8dc13bbcd172ef361f9041df37c7090676a79ffa520e3f38ffeae1197cb811c160440830e89fbb8

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_cz.lng

Filesize
96KB

MD5
ad49287674f036ad7a272fff8e468b20

SHA1
d3e2e3ee5ea5bcef5b4fe0e6195004220850858f

SHA256
449f23660278b268ce198c7ca7c1988e5aac4aa18928c45282f4f75a89904b66

SHA512
17bb5ef1eee005951b75d6e4ad5f4063c8dd43cd4984b794f322a98703e7ae2c85d29b91dd1b2b88149fd9ac9371d4ab54f0115f88c1693cbf8ed4deba2f73d4

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_de.lng

Filesize
114KB

MD5
5285b3ec06677270a7e9765035b4a68b

SHA1
b8885992ec767aa75739bb2afd5cce7a7b2f2b1c

SHA256
f3166ff6c62c6f1e0a20fa6da9040bf2b7dfc368ebb924293e23e623ad710edb

SHA512
aa2a01887a0d6a0c8617ce9300b16c3f1da28ed6a9033e3c2b395c20f3fb5008b41bcba481d1864b94b838825224f252fcc5c3f31ea6da35d9aab62c55735243

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_es.lng

Filesize
116KB

MD5
e5223cc0f24b447e17f67012b4f1f026

SHA1
45e0c903b9186b11bc8cd1976425230393e63a8c

SHA256
da67c969d0ec5c9db04415ad27f98759dd580881b5e6d34839d4c6fb0b05ea96

SHA512
e3efab7ae4498aa55bad8483a78d5fe53af12392df90c3791e1ecc99aa71461faacd47a909babb97e54f7f7e5fda946bbccc552f25584997455c9571aa0a25b2

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_fa.lng

Filesize
108KB

MD5
88dba7e850c1a4e13e78322136a61c49

SHA1
e95de8aa4919b06ac6661bb4c973a95579303e27

SHA256
bdc81db3e7cab8d8022697065d5b1d328bc47423edef9530e3eb8db60c75a245

SHA512
391ccdbda3b36e93bf88a84eba614d8e09e0a5b17715f181ba0781e987b3cca093a21219d156051ef8e3eb300e1a091fba829ae909b5dd8e1d4ba25329dd5670

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_fr.lng

Filesize
126KB

MD5
68a6dada4a95e802a705f88e39690825

SHA1
98de2780fffe3a6a537a7e534f262bbc3947ff04

SHA256
b4d4bfff664c5c381f3d00c8dd94f5ff0c2bf23e919f1aa1e48000323cd23abb

SHA512
b8d328e3e3f3707713de7a3d688217fecf0126dd2ce21112ec3401d53528d5f3e664c825c64536760416cde41958d8966e1bbda979af7281fef98b0e7aec78f8

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_ge.lng

Filesize
255KB

MD5
94b39957358b8ad6fd44cb4d58cd0232

SHA1
57b1c7168e3cae19569967039db053a49d9676d6

SHA256
e84e133ad8b0fc2585c044913e8ad4cb17d7ceed622de4a56bd92376d5a350cb

SHA512
2bcfda91f964f5abcc5ae9b0d171171d41f63748e856187b4ae1032967bc99d63ce1b837985c343aea1fee1d3f16d22eea8138cb65a2178db99e8196da2def0a

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_gr.lng

Filesize
107KB

MD5
0bad5ec5d39de002eb7c225e0d840f7f

SHA1
1c0874e9e8b218a7d70cde10cdfc8727113651a2

SHA256
db65ef51d8abda581c13994d13186e1efb3c16879e6475720c841d72d41ebe15

SHA512
9ca1616bb941ccc3265c132a4e2585892a7ce4202f499a97e71b8f2d51d1bce5b3d9c88900a71a03b9c59e4c27345bcb454706304cdfe357dbae130906daad4f

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_hu.lng

Filesize
98KB

MD5
47220123da512c99d58fcb0c4b9fba78

SHA1
799c6f3e665076a4964585700f34904baeb2afe8

SHA256
35469c7f7d4c6e877a0101091f39ab4dd5abe81b2f6ba200d2c12c3f51614ac3

SHA512
5bae79a8e8bfa6c26a5449f06a2aafa7e3fe808f3bfe82fb38626364f4d41b551782113b4994a777609741d1381740c39f1f93996bdca9f55c565e2208a0432b

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_id.lng

Filesize
93KB

MD5
4fc37880503b46a5d2dcbbc86123a488

SHA1
c21bb4df2e426d462613e8f8cf8b0059a242e952

SHA256
6acd5c9b492bdfb69939bf364ac989fecd91f033eb7484a3dcad4d7490eaf653

SHA512
680d04cef9d8eeeae4c3a269a323d15268c1a529cd78977912c60818b5025cd1346c559f1053b030fdf12f9139cfd181cee242888cdd8ac5e8b870270e8a6739

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_it.lng

Filesize
122KB

MD5
6182604aac88708e17080093fb6e839b

SHA1
2141fb5f5d9d14d5a2efbfef4034251113b58794

SHA256
cb7b8a7c43f28e654666e6ef33246498ad0ef6bc30259915a60a881082e6b56e

SHA512
82c03ab69a4b66fe5851361a8bb7e0053c6617b7b40f34ba4f120f66f36635abc5dd3832c58f8ff3df0dbd346449ffc9139d52823c71231c2eb362fdb10f0b62

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_iw.lng

Filesize
83KB

MD5
cf4cf41a7dfdbed842d53ef67afdac9b

SHA1
014ce165ba3d4b2ec9edd6e818ac370068293fcc

SHA256
55eee12afc157cb1b51fff074e55a3cf63630fb036ded1b51207f91af9ac0fd3

SHA512
8b4e53079735b924d65a428935da251f06c6e74f8b5b73205651641c1e8eb63f675b46d1f7a6a38e321cb7294876feeaecb1bbf0cf5d5d15968c82926ed06a2a

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_jp.lng

Filesize
76KB

MD5
eb10dc0005b3dd71baef3e74d1ff43fb

SHA1
9eb7a8f6282be5e1401fdb27818c15d5566fcc2b

SHA256
0288dec15ddcd53646975ba87d1af968f124dc4cbb39a7bd0582da17a8feb84e

SHA512
21f27a1cb71106298552a4d8bcfb792b7ae2ad07ebc8a1b0f4dceee035f570f72f6cefb309fd53d0b5ea9c86f55f663bd494ef2e462866c7033c2c22b99ebb76

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_kr.lng

Filesize
85KB

MD5
dfb270eb35b8dc8133eb11afa9f8dd49

SHA1
1a5621424779f6d4de55356fba0c5c32de456b0a

SHA256
fb027598d5ec83f29e5b72941713cfcfe265f1da77d84e9e38eda1e39888a87a

SHA512
b18cc394c1ce4554beec25126c807822f5e59edf109fa0d1d56dab2f02107cf72fc4cc697fa7420e020d1681524b3ff710f23d851a807fcaef9ec3f80afb222c

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_nl.lng

Filesize
87KB

MD5
abdd394a90aefc9b0d45d1a3c5a8a2ce

SHA1
69018f131edbacf4681fedcaa1cde2dca6ef28d7

SHA256
13d0656e4cf72225491361ef03fafd5ba77ff6ed6b3a84b63fd2a08d20d11e8a

SHA512
6f3103c69ea98bcedb126eabf4b9520350bf6f8b1d52da5765e7163fa91d4a9f0bd8f185f3a46f08254489f628f36c3d6b303130689537932a176c1404188c44

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_pl.lng

Filesize
118KB

MD5
e3624fc46f45c08f392625230b7a7207

SHA1
0937957f304824b2e4ec1641f535d6aceb71b4bc

SHA256
300991c0e17ce62a9a3cfb25199cb807cb1204d54cd9511da277b857903612d4

SHA512
8b24da8d692efaec267f3019cf7e379d9a47e5f42ade9870d7ac3366483b93ec932aa61f8fd776dafdcc8bc339edfae4efda1f7d392291b4d1f811b8416a504f

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_ptbr.lng

Filesize
115KB

MD5
e7264f58141de59a260f9d87f67ea7aa

SHA1
14a5053c38fc39977955f5e2cbf7ec984275376f

SHA256
ec6694b24461663fd74d01027f1ef612ca1626e92700254e431fb2defb7fdd62

SHA512
541d276fb4d6ab7084d9e464f55a917fb9adc9931ce0dde76301227040b6614d408917f0fffcfd9064434818a435edb9cd0c8c8207635583249c21d50106d937

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_ru.lng

Filesize
105KB

MD5
e96bf94dae5d91c97480471ec386e8b9

SHA1
a8be54ce16b0785aca0ae54fcf0f4aa153330722

SHA256
080bda3a06c09fb5a8e688b9a073d8dd8c2579e148df948a41b2542df71ec306

SHA512
650697e5091ee0b40ff937e0e3dfb9da2216dc67d2e27106f4722d5dfdb3a3d8108825edbd8151dc0508bfd4da2acd7fd461ed39c1ff7b2e1da66b962d3cdee9

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_sk.lng

Filesize
115KB

MD5
bb98edcd629bc5135131e995dd8178df

SHA1
8f81d988b5e85f11e5712669ed9cebb5ee7c4fdf

SHA256
23e5ccb3eeef49f031f1f27ad9822aafaeb2a8058df9e78a12ec02497b9f7bf5

SHA512
2d32de272942420faed0e2412129fbaf0c2c839d6ec5f13743f891fb9fe0eb2b29741615e84f3030879841d7e1b9b38b9ae9692217ee6afcb9779c0beed2feb5

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_th.lng

Filesize
97KB

MD5
4458f1ab858c6038f23b4ccde737ece4

SHA1
55021b07cab37920aa05e302d5d06993dfae5090

SHA256
e5769b1f1a9f22a53e988452248c5276d5c29ead02c5c3ebeba9767737dd88af

SHA512
7c3f5643c9476d328b9d8af8e8b264860af579deef09cc52051037c9b8798fbf0531f333923ec6a94e3fab1c190dc9240c530bfb3cc4edfe218319e0a5e64a53

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_tr.lng

Filesize
111KB

MD5
ba2489084acc5694a9ae15126cc0d7a9

SHA1
59dce1b4c45ac2999ad8bcadc4b0cff90c4fd265

SHA256
dc431acc47760e8fb7172c578b3d9b0cbd59c2f8bbdb342da9ee053527b08e27

SHA512
d28a7493e9261d0093ddba9b62bbc1a82de6d617f740944812b0282a6f300646186ab74d78561bd2838852c7bce5e14c5430074f2817023a6800bcffb849dc7d

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_ua.lng

Filesize
94KB

MD5
13f879e8a8238c677f1bc5224cf2b00f

SHA1
58a8ff0fef00de094ef4711adb88a8ee5d3d21c2

SHA256
6383699f275c757134f53ac62302ef9324de0e8255e4371e25d32e78585d7266

SHA512
ff11fffa35453ef5b270580aaaf900a9abbf74f5aa38eef4f28d097f9dec0f405af82ff72d74d6bbb0bf25e1acde96f60f9dd756b3bfeb1cf3d1062985a86d6c

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_vn.lng

Filesize
107KB

MD5
c6ebbfa4dfb862e634a1ed8a8a63f075

SHA1
1322df337e2248923db109700333cf6c66993698

SHA256
1425f4ee30f57ed854248fba10621f4aef9b40cf109a31f46bf635e252010113

SHA512
861a6a66438bdb93d5fb2f905fd71c4e9ef90a09f9a052219fbfd54d542def22a7dc57077212d3cf23cbc8070fd4660ecd959eabf2e18359eaecbe3b77de40ea

Download Submit
C:\Program Files (x86)\Internet Download Manager\Toolbar\PureFlat.tbi

Filesize
171B

MD5
7383a950fd9cf4e544d6c0daa11f3dc6

SHA1
04b1f5372560a000aa87d3afd2d400e6fae5b9b2

SHA256
b4a3be388ba7abdbd86b9bbf6d775ac2505860d16f714c46e1b761b0ce706e1b

SHA512
b0b63c6a3e716c568a904b888b0516ae715d13b157b83f9973ae9758349c2df8232e7ca1aa2536e8010e81be333e55bf13f52f3922143d0ee77dc9a7ad16bc7b

Download Submit
C:\Program Files (x86)\Internet Download Manager\Uninstall-ME.exe

Filesize
108KB

MD5
3b86658ed32eb7884e5accd0b1027e0a

SHA1
4fe5a76c1d9bc1ab3e9cf092b7768b7ebfd03cc9

SHA256
cd166d6e94d68e05c0fcfaf65e5d875854d53d73913bbd671be068ace14536e5

SHA512
51ae14915a12f95fd5dc3bd73ae33c3f3461216199159aec4359c1b30b010e668ce23e408fc9dd7484b0d4dca18fb00f5b53661a2d9130dd781814be04d7eeb4

Download Submit
C:\Program Files (x86)\Internet Download Manager\Uninstall.exe

Filesize
160KB

MD5
0e70518c4f09c3a109ada7c1a027c6ac

SHA1
5e7b219ee08c74bb9a087885da70c07d3cafd715

SHA256
651b6203fb15445dd140b0d06c8799eb428765a762f2a1d90322c1e70224b224

SHA512
ad905787b2cb137052f6c09692b1ba3a77689ae88f3043b85b225256ccb07273ead82eedfcfc85218be7f3d7b95cac521bba6d0d9d320a8bc909a4c1e0401dfc

Download Submit
C:\Program Files (x86)\Internet Download Manager\downlWithIDM.dll

Filesize
197KB

MD5
b94d0711637b322b8aa1fb96250c86b6

SHA1
4f555862896014b856763f3d667bce14ce137c8b

SHA256
38ac192d707f3ec697dd5fe01a0c6fc424184793df729f427c0cf5dfab6705fe

SHA512
72cdb05b4f45e9053ae2d12334dae412e415aebd018568c522fa5fe0f94dd26c7fe7bb81ccd8d6c7b5b42c795b3207dffa6345b8db24ce17beb601829e37a369

Download Submit
C:\Program Files (x86)\Internet Download Manager\idmfc.dat

Filesize
3KB

MD5
385f6876166771d57c2fb1e38130862d

SHA1
68378a679f40b92e69e9400d89b5cb1598e51b05

SHA256
8b92d6d42aa302b5a50c2017474ff33552d31d59d7cf3256aceeac9eef6e96f8

SHA512
97bcb4150d0f87311d9042ccaf5009c8854f1cfe9003a475479fce6af2006f3eb72814a14ed6c4379ee76fcd0adb6dcf943ad726be9b383dfd0c6c91bf5f05bc

Download Submit
C:\Program Files (x86)\Internet Download Manager\idmfsa.dll

Filesize
94KB

MD5
235f64226fcd9926fb3a64a4bf6f4cc8

SHA1
8f7339ca7577ff80e3df5f231c3c2c69f20a412a

SHA256
6f0ed0a7a21e73811675e8a13d35c7daa6309214477296a07fe52a3d477578ad

SHA512
9c6be540cffb43211e464656c16cb0f6f88fb7224087b690ca910acbd433eaf5479508f088b6e6b5437dd260923e26dd928a861db6a3ce76607ad9e77628262d

Download Submit
C:\Program Files (x86)\Internet Download Manager\idmvs.dll

Filesize
38KB

MD5
71050a07bda7a02820b96f9e1961927b

SHA1
02061768f2b0c9619e84ac847b53a6b4e2e99cef

SHA256
4f961233461704deb3a46e7f334f8426a82e3c344c75553b29bb481a7fd9c2f4

SHA512
5184227eca7bd6a4c82ef8fab95036ce165cd8e86a9e2ed921f9edec9961978a488179260010d9f2f846ba1d90fac3ca6e1f93984182a781fafb94df7c0e780b

Download Submit
C:\Program Files (x86)\Internet Download Manager\idmwfp.inf

Filesize
2KB

MD5
166e36297b7ea7326c4c74061ba2e8ef

SHA1
85d55e3be7a505a8ce154e9693670fabe5c2f3a6

SHA256
65c1ddf7a040192e05f01d4e289a0c3ccf42a86e8bbc32b0185de5bb86c4fc4b

SHA512
333c538cd67cda1521668eb69f5cd7017cd5b26647d6aee49151a45881ed16960574407401303c8c5b602a12d9511a484ad3495c8cae6f201fbcc44bd5a12564

Download Submit
C:\Program Files (x86)\PHvFAHQcrMumh_PHvFAHQcrMumhPHvFAHQcrMumh\Internet.Download.Manager.v6.38.18.exe

Filesize
8.4MB

MD5
f17a3b85966b29da4a82f267463534f6

SHA1
cdb578bfebf8df4cd12299e91c2a276ec1fd1879

SHA256
10910b1560105b2e36f108960d7e1152749e687a5507bd66b392ab8b270d7bfa

SHA512
77ad08f596d1afd6c08fba31d5f2e869433c0d81b720f51695c83acb9e3ab5ee33ac3f50236e24daa7287add629562b710d0e77abbaf333ec71c13f2562328f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AQSES.tmp\635ef412c7ecb2f3ab712a916c7f8395_JaffaCakes118.tmp

Filesize
2.5MB

MD5
e7a5edf16b19f39747b94be7b38dbc5d

SHA1
f72b798e4a0d698e664b00dae3bf14f3d40ec5f2

SHA256
127d023850a9569272d2bb02d2967432ac0c79eae5fd87ce21cde2c72537b2e6

SHA512
cfe390ae0b800ab5dc326b6c25d01b00bfd8b0d6d6b61753c1f2be5abcc3e3c8708c928115993974ae7317010f39930235412e5a47b6dc2d5c8ed6066a44111f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8109.tmp\Aero.dll

Filesize
6KB

MD5
869c5949a10b32d3a31966cc5291301b

SHA1
329080c974d593ecdefd02afa38dd663a10331c4

SHA256
b19961de6ca07e08704d6372718542f70dbbb203e59bf9bbe3a58f6e069a625c

SHA512
3b9dde16e9ca803b1048243dbf29c717ac0472dffa764542c234318a960828834aa650b1dfb8bba66c4e7a9ce3aaf453829afc57dfb33dc8c311d203150d4fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8109.tmp\Cleanup.cmd

Filesize
10KB

MD5
83b35ccf8c895db938a399c0802fc04b

SHA1
f3dd65310b93d474c991f50231711957463a1540

SHA256
051a2e1c9188161b792787d643d635351e5a4e319af94b79e13056c340302915

SHA512
8caaa8b04b18a6898f172dc792fd09bf8423e6a5e3ab250dac043812eb0a0710ff2eb925112b00ca347c7c1587e81c449ec2e8f2fd322ca094b4f2d3dd78401d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8109.tmp\LangDLL.dll

Filesize
5KB

MD5
109b201717ab5ef9b5628a9f3efef36f

SHA1
98db1f0cc5f110438a02015b722778af84d50ea7

SHA256
20e642707ef82852bcf153254cb94b629b93ee89a8e8a03f838eef6cbb493319

SHA512
174e241863294c12d0705c9d2de92f177eb8f3d91125b183d8d4899c89b9a202a4c7a81e0a541029a4e52513eee98029196a4c3b8663b479e69116347e5de5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8109.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8109.tmp\inetc.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8109.tmp\newadvsplash.dll

Filesize
8KB

MD5
55a723e125afbc9b3a41d46f41749068

SHA1
01618b26fec6b8c6bdb866e6e4d0f7a0529fe97c

SHA256
0a70cc4b93d87ecd93e538cfbed7c9a4b8b5c6f1042c6069757bda0d1279ed06

SHA512
559157fa1b3eb6ae1f9c0f2c71ccc692a0a0affb1d6498a8b8db1436d236fd91891897ac620ed5a588beba2efa43ef064211a7fcadb5c3a3c5e2be1d23ef9d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8109.tmp\nsDialogs.dll

Filesize
9KB

MD5
ec9640b70e07141febbe2cd4cc42510f

SHA1
64a5e4b90e5fe62aa40e7ac9e16342ed066f0306

SHA256
c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188

SHA512
47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8109.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8109.tmp\repackme.gif

Filesize
6KB

MD5
23d3840adb8f4f1efc083a1f7e640191

SHA1
adf0c7daa49637767b2abe2f390d1da4780eea9c

SHA256
82a1454402156d74f4f23c992d5d772b665546208eff44790871b8dcb36d2304

SHA512
7743a17141581ffa8023097678bf2eaf6db7d337af45052d00caba74f21f13e7ffa95097b629c3a28a3366eda873afdce240344adfdf7c0ef662a0ba0fe6db25

Download Submit
memory/228-77-0x0000000074F60000-0x0000000074F69000-memory.dmp

Filesize
36KB

Download
memory/228-60-0x0000000074F60000-0x0000000074F69000-memory.dmp

Filesize
36KB

Download
memory/816-33-0x0000000005B60000-0x0000000005BB6000-memory.dmp

Filesize
344KB

Download
memory/816-37-0x0000000006DA0000-0x0000000006DAC000-memory.dmp

Filesize
48KB

Download
memory/816-32-0x00000000058F0000-0x00000000058FA000-memory.dmp

Filesize
40KB

Download
memory/816-19-0x00000000735CE000-0x00000000735CF000-memory.dmp

Filesize
4KB

Download
memory/816-31-0x0000000005920000-0x00000000059B2000-memory.dmp

Filesize
584KB

Download
memory/816-30-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/816-29-0x00000000057E0000-0x000000000587C000-memory.dmp

Filesize
624KB

Download
memory/816-531-0x000000000ABF0000-0x000000000ACBC000-memory.dmp

Filesize
816KB

Download
memory/816-28-0x0000000000D50000-0x0000000000E58000-memory.dmp

Filesize
1.0MB

Download
memory/816-530-0x0000000001600000-0x00000000016F6000-memory.dmp

Filesize
984KB

Download
memory/816-53-0x00000000735CE000-0x00000000735CF000-memory.dmp

Filesize
4KB

Download
memory/1516-426-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1516-434-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1772-6-0x0000000000400000-0x000000000069A000-memory.dmp

Filesize
2.6MB

Download
memory/1772-21-0x0000000000400000-0x000000000069A000-memory.dmp

Filesize
2.6MB

Download
memory/3704-0-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3704-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/3704-27-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4748-532-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4748-533-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download