75d167249768d3b15728389b25c65e97f6ad92610b26b7d65fe8e2db83c41e4d

Analysis

max time kernel
209s
max time network
196s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

farlab_setup.exe
Size

1.7MB
MD5

a7703240793e447ec11f535e808d2096
SHA1

913af985f540dab68be0cdf999f6d7cb52d5be96
SHA256

6a17ebf5da6aa3a1f4813e5f46fdd5d19d026bcfac91f232359f98e43df3c38f
SHA512

57bdcdfcfa11f6b5bf4149be0fee0444fcf67ccececf1009b166b17b7dce30da1a472f1890736186f4ef76e02ed23cc0dd2a41dc9bff94218a059832d4b5c69e
SSDEEP

49152:C9CKxz5eM8JvooqXrFzYA8hVU2AGm63yjpGIcLJjmyGpf8:MCm5eMOooqhomhjrcLS8

Score

10^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 5 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_32-2 = "V2.0\|Action=Block\|Dir=Out\|App=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe\|Svc=clr_optimization_v4.0.30319_32\|Name=Block traffic for clr_optimization_v4.0.30319_32\|"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_64-1 = "V2.0\|Action=Block\|Dir=In\|App=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe\|Svc=clr_optimization_v4.0.30319_64\|Name=Block traffic for clr_optimization_v4.0.30319_64\|"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_64-2 = "V2.0\|Action=Block\|Dir=Out\|App=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe\|Svc=clr_optimization_v4.0.30319_64\|Name=Block traffic for clr_optimization_v4.0.30319_64\|"	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_32-1 = "V2.0\|Action=Block\|Dir=In\|App=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe\|Svc=clr_optimization_v4.0.30319_32\|Name=Block traffic for clr_optimization_v4.0.30319_32\|"	msiexec.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 10 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\ = ".NET Framework"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\ComponentID = ".NETFramework"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\ = ".NET Framework"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\Version = "4,0,30319,0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\Locale	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\ComponentID = ".NETFramework"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\Locale	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\Version = "4,0,30319,0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}	msiexec.exe

Manipulates Digital Signatures 1 TTPs 24 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubCheckCert"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "CORPolicyEE"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubLoadMessage"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsecimpl.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsecimpl.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubInitialize"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "WintrustCertificateTrust"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "CORPolicyEE"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubLoadSignature"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubLoadSignature"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubCheckCert"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubInitialize"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubLoadMessage"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "WintrustCertificateTrust"	msiexec.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 55 IoCs

pid	Process
1736	farlab_setup.tmp
2504	farlab_setup.tmp
664	FarLabUninstaller.exe
1092	NDP472-KB4054531-Web.exe
1856	Setup.exe
2840	SetupUtility.exe
1892	ServiceModelReg.exe
1280	ServiceModelReg.exe
2420	regtlibv12.exe
2248	regtlibv12.exe
2472	regtlibv12.exe
2416	regtlibv12.exe
864	regtlibv12.exe
1728	regtlibv12.exe
2556	regtlibv12.exe
1736	regtlibv12.exe
2512	regtlibv12.exe
2756	regtlibv12.exe
2084	regtlibv12.exe
2652	regtlibv12.exe
1472	regtlibv12.exe
2844	regtlibv12.exe
628	aspnet_regiis.exe
2572	aspnet_regiis.exe
740	ngen.exe
408	mscorsvw.exe
1544	ngen.exe
2136	mscorsvw.exe
1044	mscorsvw.exe
1044	ngen.exe
2672	mscorsvw.exe
904	ngen.exe
2448	mscorsvw.exe
1040	mscorsvw.exe
756	mscorsvw.exe
628	mscorsvw.exe
1744	mscorsvw.exe
2104	mscorsvw.exe
2556	mscorsvw.exe
280	mscorsvw.exe
2508	mscorsvw.exe
2228	mscorsvw.exe
2652	mscorsvw.exe
2992	mscorsvw.exe
2152	mscorsvw.exe
1008	mscorsvw.exe
2940	mscorsvw.exe
1224	mscorsvw.exe
2796	mscorsvw.exe
1952	mscorsvw.exe
1948	mscorsvw.exe
768	mscorsvw.exe
1652	mscorsvw.exe
2588	mscorsvw.exe
1548	mscorsvw.exe

Loads dropped DLL 64 IoCs

pid	Process
2552	farlab_setup.exe
1736	farlab_setup.tmp
1736	farlab_setup.tmp
1736	farlab_setup.tmp
1692	farlab_setup.exe
2504	farlab_setup.tmp
2504	farlab_setup.tmp
2504	farlab_setup.tmp
2504	farlab_setup.tmp
2504	farlab_setup.tmp
1092	NDP472-KB4054531-Web.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
2664	MsiExec.exe
2676	MsiExec.exe
2664	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2664	MsiExec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc00A.dat	aspnet_regiis.exe
File created	C:\Windows\SysWOW64\msvcp120_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp120_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfh00A.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\SysWOW64\aspnet_counters.dll	msiexec.exe
File created	C:\Windows\system32\msvcr100_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfc007.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfc009.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfc00A.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfc010.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfh010.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	aspnet_regiis.exe
File opened for modification	C:\Windows\system32\msvcr120_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp110_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfh011.dat	aspnet_regiis.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	aspnet_regiis.exe
File opened for modification	C:\Windows\SysWOW64\en-US\dfshim.dll.mui	msiexec.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\7073EBB8E2F3C70E0FA1F650B7DEA970.mof	mofcomp.exe
File created	C:\Windows\system32\perfh010.dat	aspnet_regiis.exe
File created	C:\Windows\SysWOW64\aspnet_counters.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp120_clr0400.dll	Setup.exe
File created	C:\Windows\system32\perfh009.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\7073EBB8E2F3C70E0FA1F650B7DEA970.mof	mofcomp.exe
File created	C:\Windows\system32\perfh00C.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfc011.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\SysWOW64\msvcr100_clr0400.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcr120_clr0400.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcr110_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\msvcp110_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\E6195BA9E153534E5472835E2F29A5B0.mof	mofcomp.exe
File created	C:\Windows\system32\perfc00C.dat	aspnet_regiis.exe
File created	C:\Windows\system32\PerfStringBackup.TMP	aspnet_regiis.exe
File opened for modification	C:\Windows\system32\msvcr100_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	aspnet_regiis.exe
File created	C:\Windows\system32\perfh009.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfh00C.dat	aspnet_regiis.exe
File created	C:\Windows\SysWOW64\en-US\dfshim.dll.mui	msiexec.exe
File created	C:\Windows\SysWOW64\msvcr100_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfh00A.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\system32\aspnet_counters.dll	msiexec.exe
File created	C:\Windows\system32\aspnet_counters.dll	msiexec.exe
File created	C:\Windows\system32\msvcr110_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\6F8564A71977AE6B940705DCC4847A8D.mof	mofcomp.exe
File created	C:\Windows\system32\perfh007.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfc009.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\system32\msvcr110_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\en-US\dfshim.dll.mui	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcr120_clr0400.dll	Setup.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\D361F8B496FD6DAF7BEEF497E09C0DC1.mof	mofcomp.exe
File opened for modification	C:\Windows\SysWOW64\msvcp110_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\msvcr120_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfc010.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfh011.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfh007.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\SysWOW64\msvcr110_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\en-US\dfshim.dll.mui	msiexec.exe
File created	C:\Windows\system32\msvcp120_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfc007.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\SysWOW64\msvcr120_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfc00C.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\SysWOW64\msvcp120_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\716FDC254E211F547A560E1A71D0E6CA.mof	mofcomp.exe
File created	C:\Windows\system32\perfc011.dat	aspnet_regiis.exe
File created	C:\Windows\SysWOW64\msvcp110_clr0400.dll	msiexec.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml	msiexec.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	farlab_setup.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-7RD4C.tmp	farlab_setup.tmp
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml	msiexec.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml	msiexec.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	farlab_setup.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe	farlab_setup.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe	farlab_setup.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-R8GVT.tmp	farlab_setup.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-GMK5P.tmp	farlab_setup.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-LJV3J.tmp	farlab_setup.tmp

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardCreateRoles.ascx.resx	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.Http.dll	msiexec.exe
File created	C:\Windows\inf\SMSvcHost 4.0.0.0\0019\_SMSvcHostPerfCounters.ini	lodctr.exe
File opened for modification	C:\Windows\Installer\MSIDB99.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE822.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Diagnostics.TextWriterTraceListener.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageAllRoles.aspx.resx	msiexec.exe
File created	C:\Windows\inf\aspnet_state\0013\aspnet_state_perf.ini	aspnet_regiis.exe
File opened for modification	C:\Windows\Installer\MSIE4AF.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home2.aspx	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Messaging\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll	msiexec.exe
File created	C:\Windows\inf\ASP.NET\0001\aspnet_perf2.ini	aspnet_regiis.exe
File created	C:\Windows\inf\MSDTC Bridge 4.0.0.0\0014\_TransactionBridgePerfCounters.ini	lodctr.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceProcess.dll	msiexec.exe
File created	C:\Windows\inf\ASP.NET\0416\aspnet_perf2.ini	aspnet_regiis.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\_DataPerfCounters.ini	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpe.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WorkflowServiceHostPerformanceCounters.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Device.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Runtime.InteropServices.WindowsRuntime.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Runtime.InteropServices.RuntimeInformation.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe.config	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\Browsers\blackberry.browser	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Common.targets	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Resources.ResourceManager\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Resources.ResourceManager.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\Microsoft.VisualBasic.Activities.CompilerUI.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\_SMSvcHostPerfCounters.ini	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Claims\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.Claims.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AppContext\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.AppContext.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\Browsers\generic.browser	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Linq.Expressions.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACE5.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Serialization.Formatters.Soap.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.Entity.Design.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\NlsLexicons0009.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\Browsers\ucbrowser.browser	msiexec.exe
File created	C:\Windows\inf\aspnet_state\0010\aspnet_state_perf.ini	aspnet_regiis.exe
File created	C:\Windows\inf\MSDTC Bridge 4.0.0.0\000E\_TransactionBridgePerfCounters.ini	lodctr.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Internal.Tasks.Dataflow\v4.0_4.0.0.0__b77a5c561934e089\Microsoft.Internal.Tasks.Dataflow.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_perf.ini	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DebugAndTrace.aspx.resx	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll	msiexec.exe
File created	C:\Windows\inf\ASP.NET\0000\aspnet_perf2.ini	aspnet_regiis.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Xml.XPath.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xml.XmlSerializer.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.CSharp.targets	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7838.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe.config	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Security.Cryptography.Encoding.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallSqlState.sql	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.VisualBasic.Compatibility.Data.dll	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lodctr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lodctr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupUtility.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FarLabUninstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regtlibv12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NDP472-KB4054531-Web.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regtlibv12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	farlab_setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lodctr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regtlibv12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ServiceModelReg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regtlibv12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lodctr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lodctr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	farlab_setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regtlibv12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regtlibv12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mofcomp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lodctr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mofcomp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lodctr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regtlibv12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lodctr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	farlab_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	farlab_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mofcomp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\CLSID = "{20FD4E26-8E0F-4F73-A0E0-F27B8C57BE6F}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\CLSID = "{20FD4E26-8E0F-4F73-A0E0-F27B8C57BE6F}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppName = "dfsvc.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppName = "dfsvc.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\AppName = "dfsvc.exe"	msiexec.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E9963B7-B2BF-4685-9378-8FEBEA364EF8}\InprocServer32\4.0.0.0\Class = "Microsoft.Aspnet.Snapin.About"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A605AF61-CA33-3CAB-8DE5-4686EE45446D}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4E1E7F6-A035-41B3-9856-A3C3A1C4684F}\InprocServer32\Class = "System.ServiceModel.ServiceMoniker40.ServiceMoniker40"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEE4BFEC-6683-3E67-9167-3C0CBC68F40A}\2.4	regtlibv12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6B7F18AE-F5AC-368F-8DFD-AB5E2D229ED7}\4.0.0.0\Class = "System.Runtime.CompilerServices.MethodCodeType"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8351108F-34E3-3CC9-BF5A-C76C48060835}\4.0.0.0\Class = "System.Runtime.InteropServices.ArrayWithOffset"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CA5C1C2B-61F8-3FC4-B66B-17163A3066A5}\4.0.0.0\Class = "System.Void"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D93EACA8-8176-387B-9667-6D32B504047B}\4.0.0.0\Class = "System.Security.Policy.ApplicationVersionMatch"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{11472518-C3B8-3BF4-9705-2135E1709883}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6BD98650-5AE6-3F03-B6CF-1463BBD45E6D}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{215B68E5-0E78-4505-BE40-962EE3A0C379}\ = "IPimcManager2"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{82B28727-8F1B-3C0D-92A6-EBE9F1F4B8C4}\4.0.0.0\Class = "System.Globalization.LineOrientation"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A2C06560-E728-39D5-8230-7EB08001C79E}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0CFE1ABF-373D-3208-85C2-947434046704}\4.0.0.0\Class = "System.IO.SeekOrigin"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{299E2A7D-6551-3ED1-B4A0-A51CB56EEFE7}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{62AD7D6B-52CC-3ED4-A20D-1A32EF6BF1DA}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8D583B4D-52C8-3243-829E-999D660D3947}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{049C5C49-BAF0-429C-8B8F-2CC11F5AA422}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E9963B7-B2BF-4685-9378-8FEBEA364EF8}\ = "Microsoft.Aspnet.Snapin.About"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{67D8C1D1-8D1A-3AB2-B8BF-5CB8D43199F5}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7A8D353E-4BE8-308B-A3EB-5DEA56BB7798}\4.0.0.0\Class = "System.Security.AccessControl.AccessControlType"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8D583B4D-52C8-3243-829E-999D660D3947}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{94942670-4ACF-3572-92D1-0916CD777E00}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9ABE23BD-D5D5-30F6-B127-9B3AB98F7DBB}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7B042D-578A-4366-9A3D-154C0498458E}\InprocServer32\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7B042D-578A-4366-9A3D-154C0498458E}\InprocServer32\Class = "System.Management.Instrumentation.ManagedCommonProvider"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0AD279C7-05FB-3A46-9031-92E00C9F7C29}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{68DB6E95-F774-3AE3-B1DE-B0CC80F6E174}\4.0.0.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{816C979C-D3D2-3101-B5CA-E4A5C5E966FA}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D89E7F8E-9F99-3EE9-8FCE-D97E64C8650E}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{D535A40B-83C0-36FC-82D1-7EF2DE252ECC}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C3E92FB0-4D2C-3FA7-8DCA-B4CF51DAB643}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{562E9B67-79AB-3033-9180-4BDBBB891853}\4.0.0.0\Class = "System.EnterpriseServices.TransactionOption"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{F75B6772-91E4-4D2F-9D44-61A447109C2B}\DllSurrogate	aspnet_regiis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{56ABB41C-4516-30F6-882E-57F234AB5028}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{9DC6AC40-EDFA-3E34-9AD1-B7A0A9E3A40A}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B125618B-1B4E-37C3-B31A-331D6021B52D}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{B3E5A7FF-AFC6-3F2B-8FFF-300C7C567693}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB2533523 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E9963B7-B2BF-4685-9378-8FEBEA364EF8}\InprocServer32\Assembly = "AspNetMMCExt, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{1E552DAE-602E-3CB5-9BFA-22AEB1FC38A5}\4.0.0.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{94942670-4ACF-3572-92D1-0916CD777E00}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{049C5C49-BAF0-429C-8B8F-2CC11F5AA422}\ = "IPimcSurrogate2"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{F62FF05F-99CE-30DB-8344-2B2C26F5765C}\4.0.0.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{0EF507FF-0B48-40AD-84DB-E4C7AB81B74A}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\F_CDF_core_amd64 = "NetFx_Full_amd64"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB2805221 = "Servicing_Key"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{56ABB41C-4516-30F6-882E-57F234AB5028}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{23D4A35B-C997-3401-8372-736025B17744}\4.0.0.0\Class = "System.Single"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4548A129-2855-35E8-A892-FF506C877AA8}\4.0.0.0\Class = "System.Security.Permissions.HostProtectionResource"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F0778630-AC34-3D71-9FAB-617F61243065}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{3E4D0EE1-9F86-3CF4-9E00-59873F6BDF86}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4E1E7F6-A035-41B3-9856-A3C3A1C4684F}\InprocServer32\RuntimeVersion = "v4.0.30319"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{45FB4600-E6E8-4928-B25E-50476FF79425}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0675DA92-4737-3250-A89C-802D9B630C1F}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{42A66664-072F-3A67-A189-7D440709A77E}\4.0.0.0\Class = "System.Configuration.Assemblies.AssemblyHash"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5A235286-93F1-3C18-A3AE-16D345A87A24}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{72B06367-DE53-3111-9C49-B816EFEE3148}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8830F669-E622-3DA0-BC37-4A02A151E142}\4.0.0.0\Class = "System.Security.Principal.WindowsAccountType"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EF507FF-0B48-40AD-84DB-E4C7AB81B74A}\NumMethods\ = "20"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{70446B90-F93B-3578-9B7B-95D05A12DA60}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{742BDC16-F04E-3E0E-8FF1-E3250940B5BF}\4.0.0.0\Class = "System.Security.Permissions.KeyContainerPermissionFlags"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{C335350A-892D-37F7-967C-99B3C4C4A301}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BA68FFCE-C94A-3A7B-ABB9-BE5259B66D1B}\4.0.0.0\Assembly = "System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2504	farlab_setup.tmp
2504	farlab_setup.tmp
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
2632	msiexec.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
2632	msiexec.exe
2632	msiexec.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe
1856	Setup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1856	Setup.exe
Token: SeIncreaseQuotaPrivilege	1856	Setup.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeSecurityPrivilege	2632	msiexec.exe
Token: SeCreateTokenPrivilege	1856	Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1856	Setup.exe
Token: SeLockMemoryPrivilege	1856	Setup.exe
Token: SeIncreaseQuotaPrivilege	1856	Setup.exe
Token: SeMachineAccountPrivilege	1856	Setup.exe
Token: SeTcbPrivilege	1856	Setup.exe
Token: SeSecurityPrivilege	1856	Setup.exe
Token: SeTakeOwnershipPrivilege	1856	Setup.exe
Token: SeLoadDriverPrivilege	1856	Setup.exe
Token: SeSystemProfilePrivilege	1856	Setup.exe
Token: SeSystemtimePrivilege	1856	Setup.exe
Token: SeProfSingleProcessPrivilege	1856	Setup.exe
Token: SeIncBasePriorityPrivilege	1856	Setup.exe
Token: SeCreatePagefilePrivilege	1856	Setup.exe
Token: SeCreatePermanentPrivilege	1856	Setup.exe
Token: SeBackupPrivilege	1856	Setup.exe
Token: SeRestorePrivilege	1856	Setup.exe
Token: SeShutdownPrivilege	1856	Setup.exe
Token: SeDebugPrivilege	1856	Setup.exe
Token: SeAuditPrivilege	1856	Setup.exe
Token: SeSystemEnvironmentPrivilege	1856	Setup.exe
Token: SeChangeNotifyPrivilege	1856	Setup.exe
Token: SeRemoteShutdownPrivilege	1856	Setup.exe
Token: SeUndockPrivilege	1856	Setup.exe
Token: SeSyncAgentPrivilege	1856	Setup.exe
Token: SeEnableDelegationPrivilege	1856	Setup.exe
Token: SeManageVolumePrivilege	1856	Setup.exe
Token: SeImpersonatePrivilege	1856	Setup.exe
Token: SeCreateGlobalPrivilege	1856	Setup.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2504	farlab_setup.tmp
2504	farlab_setup.tmp
2504	farlab_setup.tmp
2504	farlab_setup.tmp
2504	farlab_setup.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1736	2552	farlab_setup.exe	30
PID 2552 wrote to memory of 1736	2552	farlab_setup.exe	30
PID 2552 wrote to memory of 1736	2552	farlab_setup.exe	30
PID 2552 wrote to memory of 1736	2552	farlab_setup.exe	30
PID 2552 wrote to memory of 1736	2552	farlab_setup.exe	30
PID 2552 wrote to memory of 1736	2552	farlab_setup.exe	30
PID 2552 wrote to memory of 1736	2552	farlab_setup.exe	30
PID 1736 wrote to memory of 1692	1736	farlab_setup.tmp	31
PID 1736 wrote to memory of 1692	1736	farlab_setup.tmp	31
PID 1736 wrote to memory of 1692	1736	farlab_setup.tmp	31
PID 1736 wrote to memory of 1692	1736	farlab_setup.tmp	31
PID 1736 wrote to memory of 1692	1736	farlab_setup.tmp	31
PID 1736 wrote to memory of 1692	1736	farlab_setup.tmp	31
PID 1736 wrote to memory of 1692	1736	farlab_setup.tmp	31
PID 1692 wrote to memory of 2504	1692	farlab_setup.exe	32
PID 1692 wrote to memory of 2504	1692	farlab_setup.exe	32
PID 1692 wrote to memory of 2504	1692	farlab_setup.exe	32
PID 1692 wrote to memory of 2504	1692	farlab_setup.exe	32
PID 1692 wrote to memory of 2504	1692	farlab_setup.exe	32
PID 1692 wrote to memory of 2504	1692	farlab_setup.exe	32
PID 1692 wrote to memory of 2504	1692	farlab_setup.exe	32
PID 2504 wrote to memory of 664	2504	farlab_setup.tmp	36
PID 2504 wrote to memory of 664	2504	farlab_setup.tmp	36
PID 2504 wrote to memory of 664	2504	farlab_setup.tmp	36
PID 2504 wrote to memory of 664	2504	farlab_setup.tmp	36
PID 2504 wrote to memory of 664	2504	farlab_setup.tmp	36
PID 2504 wrote to memory of 664	2504	farlab_setup.tmp	36
PID 2504 wrote to memory of 664	2504	farlab_setup.tmp	36
PID 2504 wrote to memory of 1092	2504	farlab_setup.tmp	37
PID 2504 wrote to memory of 1092	2504	farlab_setup.tmp	37
PID 2504 wrote to memory of 1092	2504	farlab_setup.tmp	37
PID 2504 wrote to memory of 1092	2504	farlab_setup.tmp	37
PID 2504 wrote to memory of 1092	2504	farlab_setup.tmp	37
PID 2504 wrote to memory of 1092	2504	farlab_setup.tmp	37
PID 2504 wrote to memory of 1092	2504	farlab_setup.tmp	37
PID 1092 wrote to memory of 1856	1092	NDP472-KB4054531-Web.exe	38
PID 1092 wrote to memory of 1856	1092	NDP472-KB4054531-Web.exe	38
PID 1092 wrote to memory of 1856	1092	NDP472-KB4054531-Web.exe	38
PID 1092 wrote to memory of 1856	1092	NDP472-KB4054531-Web.exe	38
PID 1092 wrote to memory of 1856	1092	NDP472-KB4054531-Web.exe	38
PID 1092 wrote to memory of 1856	1092	NDP472-KB4054531-Web.exe	38
PID 1092 wrote to memory of 1856	1092	NDP472-KB4054531-Web.exe	38
PID 1856 wrote to memory of 2840	1856	Setup.exe	39
PID 1856 wrote to memory of 2840	1856	Setup.exe	39
PID 1856 wrote to memory of 2840	1856	Setup.exe	39
PID 1856 wrote to memory of 2840	1856	Setup.exe	39
PID 1856 wrote to memory of 2840	1856	Setup.exe	39
PID 1856 wrote to memory of 2840	1856	Setup.exe	39
PID 1856 wrote to memory of 2840	1856	Setup.exe	39
PID 2632 wrote to memory of 2664	2632	msiexec.exe	41
PID 2632 wrote to memory of 2664	2632	msiexec.exe	41
PID 2632 wrote to memory of 2664	2632	msiexec.exe	41
PID 2632 wrote to memory of 2664	2632	msiexec.exe	41
PID 2632 wrote to memory of 2664	2632	msiexec.exe	41
PID 2632 wrote to memory of 2676	2632	msiexec.exe	42
PID 2632 wrote to memory of 2676	2632	msiexec.exe	42
PID 2632 wrote to memory of 2676	2632	msiexec.exe	42
PID 2632 wrote to memory of 2676	2632	msiexec.exe	42
PID 2632 wrote to memory of 2676	2632	msiexec.exe	42
PID 2632 wrote to memory of 2676	2632	msiexec.exe	42
PID 2632 wrote to memory of 2676	2632	msiexec.exe	42
PID 2632 wrote to memory of 1144	2632	msiexec.exe	43
PID 2632 wrote to memory of 1144	2632	msiexec.exe	43
PID 2632 wrote to memory of 1144	2632	msiexec.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe
"C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\is-DE61Q.tmp\farlab_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DE61Q.tmp\farlab_setup.tmp" /SL5="$30144,1570064,56832,C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe" /SILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp" /SL5="$40152,1570064,56832,C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe" /SILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
        
        "C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:664
    - - C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
        
        "C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1092
      - C:\ac0ba72aca448f27fa5b322872\Setup.exe
        
        C:\ac0ba72aca448f27fa5b322872\\Setup.exe /q /norestart /x86 /x64 /web
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\ac0ba72aca448f27fa5b322872\SetupUtility.exe
        
        SetupUtility.exe /screboot
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies firewall policy service
- Boot or Logon Autostart Execution: Active Setup
- Manipulates Digital Signatures
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 247149ADD9C7DCAAE9A3A512F5A4C2C1
  2⤵
  - Loads dropped DLL
  PID:2664
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\netmemorycache.ini"
    3⤵
    PID:1752
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" -iru
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:628
  - - C:\Windows\system32\wbem\mofcomp.exe
      mofcomp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.mof
      4⤵
      Drops file in System32 directory
      PID:2180
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelPerformanceCounters.man"
    3⤵
    PID:2996
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WorkflowServiceHostPerformanceCounters.man"
    3⤵
    PID:1892
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_SMSvcHostPerfCounters.ini"
    3⤵
    - Drops file in Windows directory
    PID:1960
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_TransactionBridgePerfCounters.ini"
    3⤵
    PID:1252
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\PerfCounters.ini"
    3⤵
    PID:2240
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_Networkingperfcounters.ini
    3⤵
    PID:1520
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_DataOracleClientPerfCounters_shared12_neutral.ini
    3⤵
    PID:1892
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue
    3⤵
    - Executes dropped EXE
    PID:740
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems 1
    3⤵
    - Executes dropped EXE
    PID:1544
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 130 -InterruptEvent 0 -NGENProcess e8 -Pipe f4 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2136
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent e8 -InterruptEvent 0 -NGENProcess 190 -Pipe 138 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:1044
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F824A4296FD2271DD49196E150CFA791
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2676
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\netmemorycache.ini"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" -iru
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2572
  - - C:\Windows\SysWOW64\wbem\mofcomp.exe
      mofcomp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.mof
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2184
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelPerformanceCounters.man"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\WorkflowServiceHostPerformanceCounters.man"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2172
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\_SMSvcHostPerfCounters.ini"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2496
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\_TransactionBridgePerfCounters.ini"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2760
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\PerfCounters.ini"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1480
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\_Networkingperfcounters.ini
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2372
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\_DataOracleClientPerfCounters_shared12_neutral.ini
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1504
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe executeQueuedItems 1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:904
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 144 -InterruptEvent 0 -NGENProcess 104 -Pipe 110 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2448
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess 1a4 -Pipe 14c -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1040
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 0 -NGENProcess 10c -Pipe 1a4 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:756
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 0 -NGENProcess 104 -Pipe 10c -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:628
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 0 -NGENProcess 1ac -Pipe 104 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1744
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 0 -NGENProcess 1b0 -Pipe 1ac -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2104
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 0 -NGENProcess 1b4 -Pipe 1b0 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2556
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1b4 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:280
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 0 -NGENProcess 1bc -Pipe 1b8 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1bc -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2228
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1c4 -Pipe 1c0 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2652
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c8 -Pipe 1c4 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2992
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 0 -NGENProcess 1cc -Pipe 1c8 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2152
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1cc -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1008
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 0 -NGENProcess 1d4 -Pipe 1d0 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2940
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1d4 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1224
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 0 -NGENProcess 1dc -Pipe 1d8 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2796
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1dc -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1952
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1e4 -Pipe 1e0 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1948
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 0 -NGENProcess 1e8 -Pipe 1e4 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:768
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 0 -NGENProcess 1ec -Pipe 1e8 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1652
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 0 -NGENProcess 1f0 -Pipe 1ec -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2588
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 0 -NGENProcess 1f4 -Pipe 1f0 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1548
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 898166D522C1A15156209C5FDE43B76F M Global\MSI0000
  2⤵
  PID:1144
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe" -msi -ia -v
    3⤵
    - Executes dropped EXE
    PID:1892
  - - C:\Windows\system32\wevtutil.exe
      um C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.45.man
      4⤵
      PID:3048
  - - C:\Windows\system32\wevtutil.exe
      im C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.45.man
      4⤵
      PID:1516
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.JScript.tlb"
    3⤵
    - Executes dropped EXE
    PID:2420
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoree.tlb"
    3⤵
    - Executes dropped EXE
    PID:2472
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.tlb"
    3⤵
    - Executes dropped EXE
    PID:864
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Drawing.tlb"
    3⤵
    - Executes dropped EXE
    PID:2556
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.EnterpriseServices.tlb"
    3⤵
    - Executes dropped EXE
    PID:2512
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.tlb"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2084
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Windows.Forms.tlb"
    3⤵
    - Executes dropped EXE
    PID:1472
- - C:\Windows\system32\wbem\mofcomp.exe
    "C:\Windows\system32\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MOF\ServiceModel.mof"
    3⤵
    - Drops file in System32 directory
    PID:2812
- - C:\Windows\system32\wbem\mofcomp.exe
    "C:\Windows\system32\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MOF\ServiceModel35.mof"
    3⤵
    - Drops file in System32 directory
    PID:2700
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2947C24E77B1DB38514D8D99B03C5255 M Global\MSI0000
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" -msi -ia -v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.JScript.tlb"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2248
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.tlb"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2416
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.tlb"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1728
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.tlb"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.EnterpriseServices.tlb"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.tlb"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Windows.Forms.tlb"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\SysWOW64\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MOF\ServiceModel.mof"
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\SysWOW64\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MOF\ServiceModel35.mof"
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f774f8a.rbs

Filesize
4.4MB

MD5
32244b8e042341d711c096ab9ff8ba12

SHA1
8231db36fcb7649ce075a376e6ac2338ddda2aff

SHA256
cb63cbf00951d2d73088450aee32b0895f739b8c3bb9e174c20fc542f9548bc1

SHA512
cacea2a7d92196d1a1df5a7a5e10a3cf63d2b0a099b46c5c6e623f97419be348da16c356a93a9c407987cbe1a7369cc3bae056e00320ec04351b209157a91d66

Download Submit
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe

Filesize
295KB

MD5
2e376eb0b1d34d82196ca36e2af62c9a

SHA1
9900e6e87d35d98a46ef1e562af7fd0a3cc483fa

SHA256
7d68d482cbfcabb5aae94131903209271032693317c684d00df5731c8c8f123e

SHA512
a6a4704880cb8df80defd913f070c6e7086e7f8f765dc7c7346dc273eb4b412999462b7c40863bafd9337a5e91199b4a11bc89df97596cda6d2c1d3dea6a3b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFI40A9.tmp.html

Filesize
16KB

MD5
8a46ff31ea96965f3be636108705e9c9

SHA1
81a396aa705beb26b0cc7bcdbc2347c1267e5d5b

SHA256
fed146e20f86795af7d3103719c32f90dc400d48942eadede2c68d7537ac23a3

SHA512
f2c2df9280f4e0221c89cd44671b96b6d089b7e64735d2d2b9f2f061f9db6de198838df7afc635e02edc1b038da70aecb7f33404fd35047bba6d81069f22e8d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20241108_090933127-MSI_netfx_Full_x64.msi.txt

Filesize
1KB

MD5
ebff162857162ab370c6acf05e7e1223

SHA1
d443a895983ecf28c7b1a0006731c75463ccc6c3

SHA256
3c812ee9531fb7efe7d3b2fef72483e80532d3e4511dc8c30627aa928b6c3420

SHA512
2b88f0e2eb20524c194e945682e6ac70ac079eb6d7949003f9ff237d5f92fb2652ad40f6e63bcd03c300d98ecacab01627eb5d6fb5c405671528b95d0d58b3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGIB2EB.tmp

Filesize
10KB

MD5
dbef78447120e830587017c581f994f1

SHA1
ea5214b9503e9a3b5335053b9f2e85c1bd26f3ce

SHA256
a380116d80066949811b29c5b53c20488c1ca6b05a955c1698aff58fc18ebf94

SHA512
eda079a1c4e25d18099accf11860b7c78c9c303c855d87ddfd1750a41e47571db6acf929921a20be693a18d948799279c3f7be47574a2004810021271d735b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA5A.tmp

Filesize
105KB

MD5
64362991b01414cd34a25b6cf50c996c

SHA1
2a7095d44892cc44fd79cb3729e63226c3880ee0

SHA256
d7937cdcb9f99ea7fd30a0b21c11b82176ac416b724b5a876fdec2a6700e6997

SHA512
4e28168ee18cbdec6b5dda102f988450be25b12211e849afd864f008137397516b97270fef24d52632c1e5ee9075505b3854978553c85ea25f374767a828f87f

Download Submit
C:\Windows\Installer\MSI4F87.tmp

Filesize
291KB

MD5
75fb9a8745aca61b2e5331458977dfdc

SHA1
4bdc9382030781a0cedfdbea06bd6bf0ef3cf61f

SHA256
e3dee969908f521936fd327b83aec0f0d0930845546aa221f18cbebfd122327e

SHA512
8c56f906b2add736f28c2a6236aed2ecebd7978c9c19f6ee300737f3664df85e66a57c55a29ec7a9befb0575e843898e677d91fa9403ea6a7ee3d0cb8fb71b15

Download Submit
C:\Windows\Installer\MSI5275.tmp

Filesize
255KB

MD5
9593870e12c484ef7f943cb7752717dc

SHA1
e750d6776abfebc955af8b16689e414bc86ba988

SHA256
caf3f71c11b10bece30705b2aa32b975ef9f52f519490af6deebee668194ee89

SHA512
6fe4d73961df36a6af203a3eec7b3c3682c13065f5cdad8690c43c861cec11b5271e82efb4437869ba8bab2178d97410f5aaece5d7bceff05d386cce0a6e9af1

Download Submit
C:\Windows\Installer\MSI64E0.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe.config

Filesize
161B

MD5
9a740fb9a29d2cc61fa447e640109141

SHA1
5d438029e218977a64a2c30ddf824b4fd3523178

SHA256
9d6823fb2d5c4948c1e38b099ff2a238066950552659dd922d3df63c4a09c896

SHA512
b1b85bf43c1af94d4a782a15246f59f61a3af5a27b4f83fc39cf1ee75808efec8a31882b4a5d4953713397e7d534bc49fab28f81a96bf11c8a5ab73b9b3c6e53

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web_lowtrust.config

Filesize
5KB

MD5
07134c1e521d7eccde5fc1ae7d778067

SHA1
67793f4545f764789d9f36d497533a0da956ccec

SHA256
b386f2a75e99571822c15bc5b57daadae210ad8db3585cf9229f92a1e47e4811

SHA512
80969dcd112665f00ca24ea18b9e286b7da7acc06a9449f9cc5a35a6ec2e6cf349eb3c719ee1ffe76983b7c19b01ab6cfffc71ad768c3d31d16c91350f184cf6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web_minimaltrust.config

Filesize
4KB

MD5
64dbcee736e12c39da44f7b5c4c2d694

SHA1
66951f9be79844285b9ce0a1ec705d8c16766d51

SHA256
0c1aa27ba67af39f019ce2387312fe0d74f3f23ae2fcc34290b799ba0374a292

SHA512
9f6ce82f6e841aefee297e16ac02327e2c497e886058d49ae4c559c2260c41bad25e3e6b2905d7374283a37cd4aaa3e9e1e76e87206b75a951217ea70c202d9b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\NlsData0009.dll

Filesize
18KB

MD5
6520eff266875135a85c5bc0ab33e8b3

SHA1
a568618f12ad80815dc7a99206e80f4e3db428dd

SHA256
d461aae84388cc9e1626ba068f2ff71274c5e8058bd95f3a958c477a8ec11968

SHA512
6a60c0031a8a0951bd4906efa09094781f510c9781a52aa8a0e87838b1e693abf9d8fe4b69319ab6d0b880a0d169cf5046d1c7f27ff8ad806db437a10dcbbd5c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe.config

Filesize
281B

MD5
c5b1320a8e2e2e36fba39626a3b75ed0

SHA1
3e978970892351939a9a8c1a10806ecb70833991

SHA256
f3e74bb1fa170c71933b3e329457f2db137f9cd32b08c29b63401c17e4a1ae52

SHA512
058afcb0e8edbd98f27cb4c39502c0cd73f2f96ee09fd259d190e276b29d4d95ccabaf15c9aef91048a547fadaaeef78f838853107f31164dfff2f16142c0920

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Filesize
108KB

MD5
51ba7cfa594cbf97358e5f5cfe574952

SHA1
c23b4417ffa891a6aa19abd3b57c87e0d024e24b

SHA256
735be09701444134d9f374c47231b01731ae76221647cbfec95fd8310648679f

SHA512
b7179096659ffeca172740088a34f003eb06747b25d8a363caec8421470f5830dd9c04d8d8551192ed1bd3ddc2066f9c8fd617c7e0d46ef59817b38cb7cec86b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe

Filesize
106KB

MD5
7b08042914fd8b4c68dcaf9ee456c365

SHA1
63d986b2c4dd4276c02812a782433f86cd47f2e4

SHA256
53940c8a89b8015edef7dbfd6e759205a576c22794da3d97d34df9f384019de0

SHA512
77f8f115b6340c81409fbad8a62978a3169c5278f60890eb1f4e00f8fcc74be7f84e590c786ea492fba5c780775d67aa85fe65649fb31f98a8ca49f04d0b27ab

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe.config

Filesize
182B

MD5
c002006ced9de9edddd0fbc440a33623

SHA1
7144330e908fd57d439ce9200a388bfe37fb716a

SHA256
2d4610ade011e530d817dd3ba4fc787e5dc0c2297cc520c30a643b8fb13f9093

SHA512
c2a5ee9cc44eafc4be7d2be7fa8f6b7e911ace2ebb656281ef8854eb9e93f567e224aaebd3238dc00c6a28bc92784d0317434ac9976d209b09286553bb891afe

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\NlsData0009.dll

Filesize
18KB

MD5
a025bee281432df00d7c92a23df29155

SHA1
56946dc01ca617bac76290a865f65723a80a82e6

SHA256
a256d30a99870b14a7a752f6f216f207d1c4453478908d6353a8511904bf2542

SHA512
b90821ad49e297438e16bc02aba95072c4d466ab86c355836e31950f6d7ed67dd8d76a66aa7cbd2c5393aa59ddc9d68dab090255f62b815b27b381d62b6a2a50

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log

Filesize
118KB

MD5
3196e5c43d84c65ae16caa96a28d3ace

SHA1
b644571a945e747b74e75a41a41fe9700839629a

SHA256
0ae95e0118622fe5e48a0138bc68da8ddac6e6e2745e7bfccceca7959c0cf6a5

SHA512
dcef4ef7ba4c9068989fb7e059ee7fae14afe16081af4ba112b152c423c128e18bf774fa994b4aa74a3bf876f6c89c79b297492ec50b2cefdcd43c50f6ae8180

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe

Filesize
96KB

MD5
7f039e051a21ca24011eb0cb883765fb

SHA1
d3f250bebb5be84f72474430639996968c930676

SHA256
6ccea8682511cfb02017de0d9b51650952a69f0a08324557b8ce1849a5dec6e0

SHA512
a2d6d4389e2fe2bc319b2c695071024362b60eeba6032359d7e3071585ac6a46c5a7287835359002bfe796021db05588d0a8898f0236bd68c3eba577ba848c49

Download Submit
C:\Windows\SysWOW64\PerfStringBackup.TMP

Filesize
4.5MB

MD5
4dd4bf665cc5001af9a6e61fa63c246a

SHA1
46a9a53e70524e50ff319f524473ea275dd70c7c

SHA256
49029962974e3645f98cdeb8d891816f4f9d7df55b809612dc6b11ec5322ae74

SHA512
3a9ddb8f9f3be272296363cbf1cdeb3bdb4259ab290809e1ddf0167b5c9aab35942099f33a71526172582d073b3023f22540f9cbebc37a7aff217b7a65e337ff

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
144KB

MD5
97e213becc9bd4a882202f881b3446ac

SHA1
d691c924b8000d2c19c2397cf1ed348d3c04cf1d

SHA256
c822ca0861645131634995205b99d91f03580ad3e59c50112d38226b32bec105

SHA512
dfb91dc9b62dcb1a5dd1b73fba9f2d1aabafa4e4a58baf7bc5588bdf8d07a2f3cda663c7c9546681c24cde3929bc82e75062b9bbc2e7b138f862a422e599ab4c

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
153KB

MD5
554b422d4e19d47a7cdd1395b07a1a03

SHA1
678a51c66cc4adc59b437a0e8cfc592054d1ea93

SHA256
684497c2b83ba247f50e8785c50dd4c162295eef3c61956f21e4dc2a62def042

SHA512
8c2bd0ec611f45a6b7dd421361c0fb43674699bd01432176d29780ea07d1856d4350d81c99de2ee99f27ac6ac5a8c00a88a11731ec318b3adce48413004846c6

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
145KB

MD5
3271517d9b71bca32ba174b678744f2f

SHA1
7995cf5b76b3288b11d8bd0a64ce092dcdb19563

SHA256
5bfffad334032545a30459a097c4730f41ff7fe088b5e05c5ed1c6a4e6cc2af2

SHA512
e1230ee65a675c86309fcc42ae96d601ee62b4bccd1f00c651ea44653c008b2209d3c3f93b766704a133a7f6867fdd79113aee0cf7af0085c90eb6864bc65e0c

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
142KB

MD5
699d4a8522d4cb2fe10a24f9602ed237

SHA1
6f702b7195432ae85e384eb86fbd0b00dc9be07c

SHA256
39edd8ca0a9274afae1817fde5129714d852a0324268588ab1b9eaff6dc03120

SHA512
ae7c2f4e86b2f0c3328b6bc11352e77024cda033f8930e4e7b53fc3b53a4140eabc4722fd060af8fedf643fbce75f046661a1e022ab6d733adcf505a4b61ed8b

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
118KB

MD5
8956ec662d09f1f1407894a9e2dde739

SHA1
cbe5a0fe0008452d48fa0b2610b53c71dcefb9a3

SHA256
2c9f1fe8465e38f68606a6275b83a92fdbc8b7350c4a03507ac3fd92f8f82923

SHA512
f95ec2098f5c902dda99df6943953730e52e0de7be241655d765f4f9e10c5c293f9530f9e9b348b9120737a4aef4b18559f9c6f191402b232c9af5fde01d35b3

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
679KB

MD5
130cd2976d842c4d7f6225bc569c6efd

SHA1
174599c7861004e19221e6b83989b398eeae9910

SHA256
7c3dc5e3e4a86b50b918671423596172ae1dca7a3ca7057401082e96d15af62e

SHA512
24daaabdd12987af0146cbd5cd2d05c9ae0a69771ec7408e2831cf416296cb916dec43c0d3a9d8da4060c3c0c5f489a801106d0305c391e207f30f9d7b1ac44f

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
646KB

MD5
5d82fc32d22b7840015aca29a677f702

SHA1
634c0604f4d16dc0576ded69e6b3ceab39589625

SHA256
c4ace92324a176396bae3463fd9502f6a0f1f375534bda07d7e9a2d38e48a2f5

SHA512
7fa97e141de08a628dfd75590fc0a953f878e7eb2864e262b404f6ec6bd2ad7bc6a9efec524a8e82375df4b0908e29cd7114d7be52d538693967405850b31e40

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
726KB

MD5
ee398a41ec986d60e91352b4de02750a

SHA1
f5f5709530ff35c4d0c1f1d18322eabc88e98907

SHA256
2066fe435db8ad979eaa095f728737c8e98fccc35c862c738b7fe98835741c51

SHA512
e30d2a8d360e9e1b3c1f80c01da39750deaf392229c014fc2e22059474f702a47996c59a5c3a42696d1ed43e7ff6e5f180779a65ee64be5f3362e2e894a355d0

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
727KB

MD5
23cfd66ced96456fda591b26414c0a36

SHA1
2fd65d408cc3101c40d3da9d3eea8d0a2ca20c1f

SHA256
aebb3abdd7e5733457987adff79bb8a7662e059368a628ec32b8943d708369a4

SHA512
0851402513350f10ba5f4255b2d7e1264ddbb8323fcf4e930cac2975d7e95a7368f0ee71b93413af29633064f4df0515202f6350e30392f2c269c9ef28e711e4

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
722KB

MD5
b91ee2d171f5682163225eb57aed83ed

SHA1
bacbe30271109cc84bf192a66c4ab4cc41ae3b3a

SHA256
91654b82dc82e4e7522ef46cadbd0b582881a369c9306d55856a5f748056bc24

SHA512
053b2c7e0a5648fcba226e07c6f435f4b2e09ceca7cf20328b27c4d0a2a06fe65c93f8ea1b92cfbd5f37866882d9482864df5e687b79c0816ef6790b721de772

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
406KB

MD5
cbd875112b1152281ce9f6c1e06ba86a

SHA1
c229b133d821389ba2aa619507d5bf874ee7c2b2

SHA256
c82712cbaf78493d5ec7590d62ae95e16b152697e57e4a0e5c71cfa7edfb8b94

SHA512
c2cc8ea55c8a6280455ce94fd37518945cbe1d6070fe62dfdf57df0ef8d8b3a7c6c719f2a8448d60b864e5be5df254941927b80f8960db3c4ecc72d3976bbd0f

Download Submit
C:\Windows\inf\.NET CLR Networking 4.0.0.0\0804\_Networkingperfcounters.ini

Filesize
162KB

MD5
1e6f1204fe6d523fd92be81efbe4e04a

SHA1
048bc3a594b3400646ccaf355e9aef3ea1807ccd

SHA256
b96641749344ef7a526a9beb091ee01f24b15be6e8cbb1910ab3950735d00664

SHA512
bd31a4f06e46972de1c52e3eba18e6445227de561917f114fa9689973279d5ac97d0fd6025de8c66d483bf71ce56f1b8406b04133e0a8d72ed5ae1f98328dc2c

Download Submit
C:\Windows\inf\ASP.NET\0001\aspnet_perf2.ini

Filesize
972KB

MD5
60d35695506c89e7b3a45173bdb84e20

SHA1
d2d980c004632a74b8ec97621df904573ea1e0d3

SHA256
9185acaab08190024106ed25782de038ad4e1df4f1e6cc0c30566c1657987922

SHA512
c3008a2bceb02ff3c72a54b25a724d76dc658632ef402b8a927a1f0f0168b4423d174b0fa53fcf0335acdb04723f5bc9d0fdcba40ca884b7b932b5505cca100b

Download Submit
C:\Windows\inf\ASP.NET_4.0.30319\0001\aspnet_perf.ini

Filesize
974KB

MD5
849b9d28dcb2c672a3bb5cf2154c0c48

SHA1
1cdec72079a700b833ff909150a3700bc699c7a2

SHA256
209367dc07168cf47d43e0e7a2482b40707292daf85ebfad1498a22ac4be9cae

SHA512
2fcd844cf8aad49fe3813e95951eacde786641fc0302fb0a09b89fe5ed62e598bca2f377269781e05bf89bf001ebf35a70e4324581938a09daa8da6fef70a15e

Download Submit
C:\Windows\inf\ASP.NET_4.0.30319\aspnet_perf.h

Filesize
7KB

MD5
8fe6d34e9ba1b68d13d3fa8f0be994e2

SHA1
40e9be0cd7fd665ce8e7170039b337cba21f0802

SHA256
2e1cb9b545075233c86c875c611029f8faf162c206fd0b024759def531c8309b

SHA512
954f7f13b2562398e5c96480d1335e992582e761e435ae76e3378b03b4092bae272801e2b97487517cd3930ae3d9ea1a47e01a8de92889ab1b6c53bcaebd02a5

Download Submit
C:\Windows\inf\MSDTC Bridge 4.0.0.0\0804\_TransactionBridgePerfCounters.ini

Filesize
132KB

MD5
9bbd7f42f8b83a37fdc5c9845f0f3bce

SHA1
844417b0337dd5859e0e14e9d4e9f470b9d15891

SHA256
fa9bc8de7d5fc1286ee3b377b7b64dfd45bf1ca64d351cf84219258d69d28b5f

SHA512
2ac7742a3e0d2032ef5895556443a55669e182679e80c962cadbc3e6f44b4f5c335c134bc2ba99588176af8f2b57d95b4be8720bd50eb8f9fda230acd895d8e5

Download Submit
C:\Windows\inf\SMSvcHost 4.0.0.0\0804\_SMSvcHostPerfCounters.ini

Filesize
130KB

MD5
77729c6bb134e72eca1af79065a7827d

SHA1
440432551e46e3578406640b80142145a6b0aee8

SHA256
a45b01d603ce04bb571a0d9e397402d7f5712b2d8c53a559d82ba51c82665226

SHA512
b3d3972bde1a957cf460396fb38e97a038b725d7546ef17369d3f89cca02394fca6b9db68a4d1bf50e5e682a83b881e340ef6eb888f20f2272e6e22a56971dc3

Download Submit
C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0804\PerfCounters.ini

Filesize
150KB

MD5
9373e6c17e6b07895743759b0285e5f1

SHA1
3158ddc28fc09d9ccd870b4ffa17d0846a1f8e5a

SHA256
30cba9ada8f072d597b1fb6209caf762c36aafbf5c724a2156b032ab3f5be3f8

SHA512
fd068acd0fad925bb8ed36953b20a20d7393459f238300b8760dd2627e35cdd033f6c218bcd3c9e16a892b5e1b8e795b12ec29c86a875aa617c5f88e9016c1ab

Download Submit
C:\Windows\inf\aspnet_state\0001\aspnet_state_perf.ini

Filesize
41KB

MD5
b5ebeb2f3699db3f59959362f2825e69

SHA1
f2182ecb27f2862225109a24255673c41ddbcee5

SHA256
d4e8445619208069dc343e9160eb394e3fb97529328d29b34c192a27ad683af9

SHA512
6f4a63194e8e218e1df584982a04de94fccb2309619d92c07fb107ff97b2bdc2dc301b2bdeb6016e5b1bf3afcdcdc276cc482eb51ffa027af5ef7c6bfef0aa71

Download Submit
C:\ac0ba72aca448f27fa5b322872\1025\LocalizedData.xml

Filesize
80KB

MD5
bd97655af30131b0d8387bab5f20e68d

SHA1
cb42103aea4de739573dacf49ebb527b00dc3e55

SHA256
bfca8cdb158986f6a333ece89daa3081a6a81f89ea868a697113a19121c14f7e

SHA512
c365faed844bb2d750acea77b308df2a9a8b94e2270ce2b75d17b4356262d0d65a4489bc55705a45c4b1bc28bd0cc2b2c1e167a43d3c7321f3e758f128ea7651

Download Submit
C:\ac0ba72aca448f27fa5b322872\1028\LocalizedData.xml

Filesize
69KB

MD5
5727d5160e0fb5d661eb4e6720430d1b

SHA1
b3b6ba3fda17ca68a20675ae06b3c56d576274b4

SHA256
0ad12bf18aa4fcc557ab9422ebef07ab0b8369395bcf695f0915ea99c689f99f

SHA512
7f0314a621137e4076f4ea22e82a6845912fae3b002ba4455952c683e6be89e5a3de4a7cd8f4df2a360247923ca472a53619a2d3635cdcfc1c66e03e7aac2a31

Download Submit
C:\ac0ba72aca448f27fa5b322872\1029\LocalizedData.xml

Filesize
85KB

MD5
eae0498ea94f2a7e7982ee773d10d3a5

SHA1
f0bc4a900f0eefd362760b77b7cc1829ac0bb93e

SHA256
309dac84e7aef6b4cca2cd7b1eeef8a30bd910373724ca56e8764fa3b420aa79

SHA512
978b97cb7c8274ed73063c1f9a9bce4d9c0fd9c186de67d2ce3b03d33dd88487b6f480eea481fe9c3687c3008a5403b85a16ba57072ac03baee1ffe1c14fb6e7

Download Submit
C:\ac0ba72aca448f27fa5b322872\1030\LocalizedData.xml

Filesize
83KB

MD5
c805fa6fd2e634ecd0083074194b3899

SHA1
079f0dc73703b987447cf3ddc1e4761047aeb605

SHA256
2b563a3837a23214d290f11b6acb6836ed065bc17c8965108b385ea3ac91922f

SHA512
ff5e3813a4769e6962c363dc64f251724df98be94b195c805cb8854717d3e633fa2c9ae160c55ee6e3872699e692a6ff8b58d2b8de36579f30edcf324c798e8f

Download Submit
C:\ac0ba72aca448f27fa5b322872\1031\LocalizedData.xml

Filesize
88KB

MD5
4ce791c97f9a6abae6de28487cbdf24c

SHA1
cb85c4b052eae862a55d0b8bf8f2c57e3412c0a0

SHA256
8e878d95152714e1b77c1c7cb8538501c732e06615bb614d3cd71d0b147beaa4

SHA512
4333de904e66d1ff795d8905a21b8c06830635de4bc25ecd3eb94aef7923937b67d5ff464b2e92249a3c5d61bf19ebae7868c9f5435544bd5c3e80fa925e7e4e

Download Submit
C:\ac0ba72aca448f27fa5b322872\1032\LocalizedData.xml

Filesize
90KB

MD5
b15beae6eebd44f084681316217c35fd

SHA1
ff93f038e65b85a68b4887f88eb792db1d6fc1ce

SHA256
c00d4950f2497d3de235b7d82a8bb737d17eb789551b2fbe8be822ac59d7db8b

SHA512
9af03bb58e5d6bf1a62c4fd1e86c4809b97b0f10929c6b7bdd5048afd29c8b21755ed73587dc4380dbd0a8302a9873bd0540553feff40a01fa8196a89c074b36

Download Submit
C:\ac0ba72aca448f27fa5b322872\1033\LocalizedData.xml

Filesize
83KB

MD5
f68f5e6d0ab12908f1d6451ea4b16d61

SHA1
f51ef1ccb08cfdab32c0ceacf5369c353eb036d5

SHA256
65471fdc2a95dd77759ad629bc57db6f4caf039d43d4e756053c30a7d5ff03c9

SHA512
7a64114083903522d319237063d05b619fdc3d4ce9945dd3124773b9f6a57b848007b77f55bcba5f29001c9f4d02ee68f35440c37e8326e96559bae485c0b4c3

Download Submit
C:\ac0ba72aca448f27fa5b322872\1035\LocalizedData.xml

Filesize
84KB

MD5
cdfc12ff066fef57a60e13a61e2fe9f7

SHA1
c412a703fbc4c436d6f40129dd793ff94188e0ab

SHA256
b9176ebcf72da0b18850a2d23eb90962c90e2c819b0aa2fb4d32b71ae387b82c

SHA512
0bea735854f1148ed044afae2f1da5dd0c8f5b9f3d758371b85656fd4bb98a77e6b495ec95797ec36b36f1029aa4f434c1a8ea1541ca738b8e634999b69ea9d0

Download Submit
C:\ac0ba72aca448f27fa5b322872\1036\LocalizedData.xml

Filesize
87KB

MD5
8122a6977d478cd6c93ac26998f38f91

SHA1
9a49baefafd4918ea5a538366d4091d2a867e4d9

SHA256
15454de5eb80f0b2bbec3e9855d1841b1ae7c95d38f838ba525cdc8b0270c7c7

SHA512
4ee048f39fb80f4e52dc80384c4566ab65d1aae3d52078d76d6fa63b1761625ba02bf5238532aaebf23c8b46c19448bbbdd9d885d22afe3b92b094a0bd6ea4b7

Download Submit
C:\ac0ba72aca448f27fa5b322872\1037\LocalizedData.xml

Filesize
78KB

MD5
52529d623cbe2229e179178037852000

SHA1
cdf681bcd3090d7ded20878a7e8759465f429c91

SHA256
2f0078da6c7d15c770d517030dc0d96d540a67a501cd54430637ffb77c23fb44

SHA512
6c4a05fb4e0f15ff297bd1371d0e33e020376b4f85b3bc4faedf92e9521deb2e47b55d1a4aacbc68b76ea6602a4f14d354a51098c8143cb2e5a6db77d97bab4e

Download Submit
C:\ac0ba72aca448f27fa5b322872\1038\LocalizedData.xml

Filesize
86KB

MD5
17e14f770796e2b7458f1fdb9511da1a

SHA1
c72c4ae5455e9851b6e5f2aabf1f3d78920258d8

SHA256
f73b516104eb7651bb66889799d771c44b8c6bfda501237f3325b6f2133c0af7

SHA512
dac5d1536ddf76d485b1512c4e1fc7d13e21ebd79f112f1cb53bd6d59395cfee9b6cc5afcb26f3bea0c7b190bdc6b19c49fedaadae89e92cf904c22b52fdb4fc

Download Submit
C:\ac0ba72aca448f27fa5b322872\1040\LocalizedData.xml

Filesize
85KB

MD5
2dd0b542600eddd67f44d35492e5d526

SHA1
8199817fd80d39d5536a6b21d7ee108c16792f81

SHA256
9fde0a246757fdcbd435abf67d10168b1875c9b1a85d51bb821cb7494e3f79d1

SHA512
d76a7fdecdd9ecd70601fec0765e97a1a42315edce8a483b7b22007e5b4de00ff84e09e1cb50a2127ce64b8de92ca38bb8f1acea707061d95c120c194a2cb187

Download Submit
C:\ac0ba72aca448f27fa5b322872\1041\LocalizedData.xml

Filesize
75KB

MD5
05ae74494480b60daa65cbd7d33e8ff3

SHA1
a54c87632654368909c2e9801f10a76ac864ca28

SHA256
a69cc0439bf7e72a59ac4c2b0f6d80cc8822165421a824bb234924de3e5d69e1

SHA512
16292e5ff02087380ff0b64b3c129af689a050d9562aba0ea9d71e692505d50ffefefd08eaca36f370b86a0f01309ea577336a89d5d5f7f9ea573098bb2f228c

Download Submit
C:\ac0ba72aca448f27fa5b322872\1042\LocalizedData.xml

Filesize
73KB

MD5
5659c33354875ffe975534d8b4c29675

SHA1
5cf25ba5da9d8c6fd6a6b7ba67bd02c663f48b21

SHA256
92d7923380007234dfed0329779621909bea28bc837c1975ac141ce872caae55

SHA512
38fafc1d3886d8cddff362d690c776280d6b586521c9f7991ff60d6403940820ae44d987f76ffea5f33899e12dcef07d6e12ec8b54245d5523f9a9f9f2adcb20

Download Submit
C:\ac0ba72aca448f27fa5b322872\1043\LocalizedData.xml

Filesize
85KB

MD5
9841af88c8432f1c28c390205fa25cdf

SHA1
7eff1df19b35080442254f0962e8337038b53024

SHA256
794c11a6abe5a9348cedf44a5421ef20e9de00e7cd34dc80e9d5a80538e45666

SHA512
3ddbfa7f7a3165144ffe6a772bb78d0659db60d71ac4d250ac3ff2a416396123ff9377c928012b5e84e7571ccbe52e132d6f3ad22fa5185878923c48995270ee

Download Submit
C:\ac0ba72aca448f27fa5b322872\1044\LocalizedData.xml

Filesize
84KB

MD5
be070a2a425774e4016376a7c5efc46e

SHA1
56ccfcca60b97ce227436f72bd56969d4b770557

SHA256
3a9354ac2acaf1671844a4d1c8f0e7c5c86ef183cb30dda4eef5bac02de6b2a7

SHA512
4c0045629f9a9a7d8a84b79303550a26fa8cad308b78656acfe579fc1c1f6dd5fd6d10c23fb87142406117357a1cb2ffe6364025233b70bf776ef0b696f31616

Download Submit
C:\ac0ba72aca448f27fa5b322872\1045\LocalizedData.xml

Filesize
87KB

MD5
603d2406053837c960df9a66e3af052d

SHA1
7afb11ea418cba19fa1b25d112c7acd110bfc638

SHA256
e2383afcb0c44bab237003b4a8c3dac2bdccada9f42c82ea2004aa04db901edd

SHA512
97d598473cbd9c3b66bbfc8c1f4ba47701bc66a9581262a75f6b4af5d469ff19b134ebd3d6108af3df1f9bee82f8f5f0ba864abb769dbb23677bc427a1247ea3

Download Submit
C:\ac0ba72aca448f27fa5b322872\1046\LocalizedData.xml

Filesize
84KB

MD5
af1f0f47f381c11a9c4296fcdca0ebbd

SHA1
838f581e6aa7596381d25784d8ca30a48c47eb9e

SHA256
00601e4ff88a8d6f0dcbf65fbbf14142cd86fdc7cb8f251893f70b597ef3a7eb

SHA512
8d326bdb639a797dc5e253936f7b39981f5bdeb112fd46a5d0596d6476ad17e790b43b1b2dce91bf33f27940cc32afa57e535c3f38e93cd30f27d4843a49d9eb

Download Submit
C:\ac0ba72aca448f27fa5b322872\1049\LocalizedData.xml

Filesize
86KB

MD5
d6f7e810eeaec18464d0ebf0e0589eb6

SHA1
962a25926f8196448821c4b21d5619d42cf3ae6d

SHA256
c43af2be229fa08f1d7f161ff9dd4dfd25a459a05ec8462c3b683ab7bd0cc4f8

SHA512
b78f9f98a9993478c2107eb738f1949d031f12ffbc78e7a4cfa67ff7dbefe5e456712eb6e23eebaaadb6a5645ff25600432e1c5e32f1e4493d090d9b8674bed3

Download Submit
C:\ac0ba72aca448f27fa5b322872\1053\LocalizedData.xml

Filesize
83KB

MD5
653ff0be9c7132b411bb95d7d6b90d78

SHA1
fd57ee34dd102fe6b8b709bf46829f7b1c0a7c42

SHA256
3c4c96b9ed7f536cbcc698760b7142db8411d6ba4ad784a29727bac2e7df7d9a

SHA512
77ed725595a50492d80ac2c593b25f30ec61a579348acef87e2f25484f2975abfeff946c04de6482be186864c3c9d42a673a3d4b679f19cbe34851d1c1496064

Download Submit
C:\ac0ba72aca448f27fa5b322872\1055\LocalizedData.xml

Filesize
83KB

MD5
bd0f034d3eff8d3a60f9acccadcfbf56

SHA1
c622870702e94cdf76979093440c22f9127e4b50

SHA256
d1896ac9b20686a00c7d0bf0f8dc8279b9a52f88025b8cc3b161100d224df7c9

SHA512
3d6e93c1498381a5e8bb34969cec3596a5006abc5f1ad1b3bfb3298e763b64f45538be05693c1c70787135ec3af2e813bed45dfd174dcbc0db3b711550737d65

Download Submit
C:\ac0ba72aca448f27fa5b322872\2052\LocalizedData.xml

Filesize
69KB

MD5
7497b47f7db96dff8e7c1198b7964006

SHA1
fc05395f849d386261b8bb7511893bbe6a4c5467

SHA256
f0b7e9242c27ea1652e9ea6d46b8617e189e31bf093e7e21e38e60d94cea16eb

SHA512
b24f97e32de52ac4cee276c0d4b4089cdcea90ac309f135c3b2273de15badffbed02044aa8f429e52376159e1def2c43c87405fa2a206b4ac55d74040e20951a

Download Submit
C:\ac0ba72aca448f27fa5b322872\2070\LocalizedData.xml

Filesize
86KB

MD5
382abfa1307279a35a6a70f7de7046e3

SHA1
fabfd301d954d04a1565d23c2f093b1c0ce574c1

SHA256
32a0606e178f5f77b7e13573a910b4fcb7587e9ff4823d3a95cc28dd73074ade

SHA512
b5ada4a1abe2689173f169b5d16b05da34158e55e9ae0b0b77f2de9e47469bbae77c958bbe62d756a8fbd610b995d9be8bd6606d1230371f0c7f2ea89f291046

Download Submit
C:\ac0ba72aca448f27fa5b322872\3082\LocalizedData.xml

Filesize
85KB

MD5
2bce3f6dd7abbe483ec92a688ef3b76e

SHA1
6a8adc8e3c481aa6e404239cd0ea419c0e98c262

SHA256
df8531355aa11a9a585b63a6fcc96c0c6c480e06a602d88a949bcac1ff7795bd

SHA512
0d03643ed072e5961f5ef5d1ebbd2cb0e730ea5e40c46892e7a83d11f47290f031564d3283fa24c587bf46df8f4e39abe92f38e6a42acded315b16c96d7e7e8d

Download Submit
C:\ac0ba72aca448f27fa5b322872\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
C:\ac0ba72aca448f27fa5b322872\ParameterInfo.xml

Filesize
2.6MB

MD5
3ac6a8f0fe4aa7fb0ffe21b548abacbb

SHA1
5e30d7d1057a9e8a8732ad67d672ca7a608657ef

SHA256
68d6fcfd5f2986206763e1b49b86997c94a51260e4f9c02b8037aa5cf3c03142

SHA512
e5bff3554f4dd149e7b1bc3f5eae5d234a7e22e69f3e0d210a67511cf85bb9ce4c3a787a91af89b9d5f2ec91be62719312921716baf29d1f81571b8b2a6e6834

Download Submit
C:\ac0ba72aca448f27fa5b322872\SetupEngine.dll

Filesize
868KB

MD5
4c0b492d3e96d742ba8922912976b3f8

SHA1
ee571ea60f3bb2feea2f7a5ff0d02cc7d7524b6e

SHA256
c40f60ab16752e404cae3943f169d8260ad83f380e0c2bd363ad165982608f3e

SHA512
99e44ffa8b50fbfa378310198582404a4f90b2450677b1f152baa55c6e213fbb5fbd31d0207a45876a57837e2a5d642bd613843e77f9f70b0d842d8bcdf0cfad

Download Submit
C:\ac0ba72aca448f27fa5b322872\SetupUtility.exe

Filesize
216KB

MD5
ad024bbc264ffdb9db0911391dad64c3

SHA1
137a6f1fbbc491a193dee0ddedc3db5cf8c2d9de

SHA256
a6e53349f95700a67bdb8f6ea960965bccdc96034344be7634defd638cb908ad

SHA512
d094af833077ea1e64fe1bf8d698a2cdccbd8f85982045fdca6e4e0d58bef9df90ca34eee9b8ac14f51b198b52c0aa7d9fd0296ee83a59ffc285169b2b440999

Download Submit
C:\ac0ba72aca448f27fa5b322872\UiInfo.xml

Filesize
63KB

MD5
c99059acb88a8b651d7ab25e4047a52d

SHA1
45114125699fa472d54bc4c45c881667c117e5d4

SHA256
b879f9bc5b79349fa7b0bdbe63167be399c5278454c96773885bd70fbfe7c81d

SHA512
b23a7051f94d72d5a1a0914107e5c2be46c0ddee7ca510167065b55e2d1cb25f81927467370700b1cc7449348d152e9562566de501f3ea5673a2072248572e3b

Download Submit
C:\ac0ba72aca448f27fa5b322872\sqmapi.dll

Filesize
221KB

MD5
6404765deb80c2d8986f60dce505915b

SHA1
e40e18837c7d3e5f379c4faef19733d81367e98f

SHA256
b236253e9ecb1e377643ae5f91c0a429b91c9b30cca1751a7bc4403ea6d94120

SHA512
a5ff302f38020b31525111206d2f5db2d6a9828c70ef0b485f660f122a30ce7028b5a160dd5f5fbcccb5b59698c8df7f2e15fdf19619c82f4dec8d901b7548ba

Download Submit
\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe

Filesize
1.4MB

MD5
c84209349f18afe5a41ce04e9ae8f487

SHA1
cedbbf404b166a5e72d035760bcb0fa508e4f4cb

SHA256
4e49c56e4cf9df2e837a8a3010f5a8b4deb096429d56e7fd9ff70ab394663678

SHA512
37006954e3afe07fb02d24894cc34794618b78c27a1b514818985b6cc1fa3e896ed99ba2e4aac3f6469d263819bd94ee70e7113946c51ba83c93b74826fc8fa8

Download Submit
\Users\Admin\AppData\Local\Temp\is-DE61Q.tmp\farlab_setup.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
\Users\Admin\AppData\Local\Temp\is-V1FE8.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-V1FE8.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
\ac0ba72aca448f27fa5b322872\Setup.exe

Filesize
86KB

MD5
40d87630ef1364a3dc4fd3387212c77d

SHA1
2ab844ca20815c51960ac5d1d75e93897c9f2df2

SHA256
a9d2cc918999858aa1e500a8fbc919b6397da6b44b666e3fc0edd38920748212

SHA512
d81f1e80186f3c9c78a45c235f30da9e6f5cd3ca1f6b153892a1c53decc350b7a5f4f9924f59ab83dc20c31acad783faeebbcb67c9419f74628da6459530c9d3

Download Submit
memory/664-2394-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/664-3075-0x000000006EAC0000-0x000000006EC09000-memory.dmp

Filesize
1.3MB

Download
memory/664-3879-0x000000006EAC0000-0x000000006EC09000-memory.dmp

Filesize
1.3MB

Download
memory/664-3876-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/664-3871-0x000000006EAC0000-0x000000006EC09000-memory.dmp

Filesize
1.3MB

Download
memory/664-3868-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/664-3860-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/664-3863-0x000000006EAC0000-0x000000006EC09000-memory.dmp

Filesize
1.3MB

Download
memory/664-302-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/664-3072-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/664-369-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/664-1317-0x0000000074660000-0x00000000746DD000-memory.dmp

Filesize
500KB

Download
memory/664-2395-0x0000000074B50000-0x0000000074C45000-memory.dmp

Filesize
980KB

Download
memory/664-104-0x0000000000080000-0x00000000000CC000-memory.dmp

Filesize
304KB

Download
memory/664-2393-0x0000000074660000-0x00000000746DD000-memory.dmp

Filesize
500KB

Download
memory/664-2397-0x000000006EAC0000-0x000000006EC09000-memory.dmp

Filesize
1.3MB

Download
memory/664-2399-0x000000006E9F0000-0x000000006EABA000-memory.dmp

Filesize
808KB

Download
memory/664-1336-0x0000000074730000-0x0000000074743000-memory.dmp

Filesize
76KB

Download
memory/664-1334-0x0000000073ED0000-0x0000000073F48000-memory.dmp

Filesize
480KB

Download
memory/664-1332-0x0000000074AD0000-0x0000000074B50000-memory.dmp

Filesize
512KB

Download
memory/664-1330-0x0000000074B50000-0x0000000074C45000-memory.dmp

Filesize
980KB

Download
memory/664-1320-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/1692-28-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1692-78-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1692-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1692-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1736-25-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1736-8-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2504-75-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2504-63-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2504-49-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2504-45-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2552-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2552-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2552-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2588-3763-0x0000000002A50000-0x0000000002B0A000-memory.dmp

Filesize
744KB

Download