Malware Analysis Report

2025-04-03 10:42

Sample ID 241109-3cvcfsvbkd
Target StrideSetup.exe
SHA256 cef0c590bbf88c948495f8b3d0681732056a2b44f3c0169f488b265fed9ae29f
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

cef0c590bbf88c948495f8b3d0681732056a2b44f3c0169f488b265fed9ae29f

Threat Level: Shows suspicious behavior

The file StrideSetup.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Loads dropped DLL

Enumerates connected drives

System Location Discovery: System Language Discovery

System Time Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 23:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 23:22

Reported

2024-11-09 23:23

Platform

win11-20241007-en

Max time kernel

14s

Max time network

7s

Command Line

"C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A

System Time Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000089ac4f3df1c89d300000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000089ac4f3d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090089ac4f3d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d89ac4f3d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000089ac4f3d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5EEED86FA37C675230642F55C84DDBF67CD33C80 C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5EEED86FA37C675230642F55C84DDBF67CD33C80\Blob = 040000000100000010000000a733edbf1b5de119c491c94aeaf76dc70f000000010000003000000082ef60cde833832df196a3351df5b2b90029e31f679cec503aeea7ca8893db9d81d4e576a9f216dd0baec61cb02a14600b00000001000000380000004400690067006900430065007200740020004300530020005200530041003400300039003600200052006f006f00740020004700350000006200000001000000200000007353b6d6c2d6da4247773f3f07d075decb5134212bead0928ef1f4611526094153000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000680193b1d24a40426994462c1c5a88a925b4474f1d0000000100000010000000cfa020613a558555d3c1ea201f6276da0300000001000000140000005eeed86fa37c675230642f55c84ddbf67cd33c8019000000010000001000000016aee18d205d4e54b5aee9b3c1466a21200000000100000068050000308205643082034ca003020102021006cee131be6d55c807f7c0c7fb44e620300d06092a864886f70d01010c0500304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f74204735301e170d3231303131353030303030305a170d3436303131343233353935395a304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f7420473530820222300d06092a864886f70d01010105000382020f003082020a0282020100b6337380d8620370142c111c395e7cae7c83861dfe262f4c24ad8bea835fa9bc3d5bfc0b984c024730ece2feece8345b665ebf3bd72ca625ff8c59b3dfeada7c29d9465072081d6ed11b0add1fcd9989fa0f0f73c4e19c1d7532cd6f97da2a6a95b26cc909d0ea0b7b7d17064999efd6dee0c853d4aec677f186bb231cb8c0df59f78e7dd1ef82e6268b5a38b5ff75d5b2d94f09f3378850da11a48a1414d15304007df36a4418fe507032071ca89a0e3a1dc50a1f6e0b2669b73ca257702c86fa4c6e95a95843b9ac12d6ff3fedd743176b4cce9ec490abfffa10509aa39057d6e78c10ae9f161acf351d7fd776ed8a9c35a728b8a75d21fc3037ddde08194f15c6e7a6da90478ef794534c8e5302befd99e5ea86d0af0302d39baa93f1ab288e2001ff4cfbccb72940f587a41213051f436ed751509f38b420ed1709128fccb919af9fcdbe6911d3af55106d1786799652c6b2009de5af38b035f4886b8f0e043d7ceeafcdd36a104ac6cd86ca223da14a5cfb0eff88df5c62a7c0b91ed9ac6c7e3837fe779325c2858a4fb537065a068114f1ce949d9991ea325ace673d6e0466ad0c4f2da32ef79ef5789df70afd7e8fe3428a5596bcf19f372dfc9e5f95fe8c181bfc8efd4b90afd703681263ace293a7a2cb04e54f64ce03fac6149fd98be8ccd4628c6be4002c199f1a06c6318154fb53249aaf5599ba9d75aeb8c2dd0203010001a3423040301d0603551d0e04160414680193b1d24a40426994462c1c5a88a925b4474f300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c0500038202010092fceeb802791702517d21c54967a7a4f1a82438eb0c68ea5a426b9cf473c1694a2db33705504298929e06792c2e0699f6efdf2ba0cdb3920183b5a0cb27b53c231a9849a2ec2d99a55943acd2b193d657d71cbc93d6c640e1b36f1955b713d7e54333a4b5abcbdac131640d74d62cedc38d6eebbbaf194761612dc0f405b96f78dc3af74240655391bd990d939254a6a937592b9bcb99c6bc3df70484f094331d0f825a39cb2e45c32819a3b29b98c8fc316b608ff6e98628bce03c7d745d16895b6924c7108bc44bbb364fd4593fc3b0a49199f82ed14a019df58812efbf5a116a594f596b5a67f38fb4130fc0d82f3d2872aa197f117d6a5b9f95e75fb7944ff13ea15aff2dcc9ddf27778f32731c670a76f3fa5cb1bfbc1dbd0c289bb2c717670b330fc3bd36dcfbba420babed84c362d68416a9b1076ba96eeec6cfe6b04429c2f0b361802a8b6fd2145c25875464f3a44cc1a1f8a76beafeea3afc79db0e8fdcc6f3c9d46cdee983a18e1d22ecc93ab2007bdc3ba7421a7fdc8ba9113d8ea7c0206f5d095d4344e68f66cca95b07f1ef9b7a0eb354e194fd0e2cc693d755fd719835b8094affc629282cf6522ddb14189227e2167e8ccad461be828791eb98373fbf5f5d773f34ac1b3843ab687299321e3a1a19a5a3384c23d7a3e7ccd52a9217900b5a4bbd16bdfb866ae28999ece4a05518c9a3081f13e0320872d0 C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5EEED86FA37C675230642F55C84DDBF67CD33C80\Blob = 5c00000001000000040000000010000019000000010000001000000016aee18d205d4e54b5aee9b3c1466a210300000001000000140000005eeed86fa37c675230642f55c84ddbf67cd33c801d0000000100000010000000cfa020613a558555d3c1ea201f6276da140000000100000014000000680193b1d24a40426994462c1c5a88a925b4474f090000000100000016000000301406082b0601050507030306082b0601050507030853000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007353b6d6c2d6da4247773f3f07d075decb5134212bead0928ef1f461152609410b00000001000000380000004400690067006900430065007200740020004300530020005200530041003400300039003600200052006f006f00740020004700350000000f000000010000003000000082ef60cde833832df196a3351df5b2b90029e31f679cec503aeea7ca8893db9d81d4e576a9f216dd0baec61cb02a1460040000000100000010000000a733edbf1b5de119c491c94aeaf76dc7200000000100000068050000308205643082034ca003020102021006cee131be6d55c807f7c0c7fb44e620300d06092a864886f70d01010c0500304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f74204735301e170d3231303131353030303030305a170d3436303131343233353935395a304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f7420473530820222300d06092a864886f70d01010105000382020f003082020a0282020100b6337380d8620370142c111c395e7cae7c83861dfe262f4c24ad8bea835fa9bc3d5bfc0b984c024730ece2feece8345b665ebf3bd72ca625ff8c59b3dfeada7c29d9465072081d6ed11b0add1fcd9989fa0f0f73c4e19c1d7532cd6f97da2a6a95b26cc909d0ea0b7b7d17064999efd6dee0c853d4aec677f186bb231cb8c0df59f78e7dd1ef82e6268b5a38b5ff75d5b2d94f09f3378850da11a48a1414d15304007df36a4418fe507032071ca89a0e3a1dc50a1f6e0b2669b73ca257702c86fa4c6e95a95843b9ac12d6ff3fedd743176b4cce9ec490abfffa10509aa39057d6e78c10ae9f161acf351d7fd776ed8a9c35a728b8a75d21fc3037ddde08194f15c6e7a6da90478ef794534c8e5302befd99e5ea86d0af0302d39baa93f1ab288e2001ff4cfbccb72940f587a41213051f436ed751509f38b420ed1709128fccb919af9fcdbe6911d3af55106d1786799652c6b2009de5af38b035f4886b8f0e043d7ceeafcdd36a104ac6cd86ca223da14a5cfb0eff88df5c62a7c0b91ed9ac6c7e3837fe779325c2858a4fb537065a068114f1ce949d9991ea325ace673d6e0466ad0c4f2da32ef79ef5789df70afd7e8fe3428a5596bcf19f372dfc9e5f95fe8c181bfc8efd4b90afd703681263ace293a7a2cb04e54f64ce03fac6149fd98be8ccd4628c6be4002c199f1a06c6318154fb53249aaf5599ba9d75aeb8c2dd0203010001a3423040301d0603551d0e04160414680193b1d24a40426994462c1c5a88a925b4474f300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c0500038202010092fceeb802791702517d21c54967a7a4f1a82438eb0c68ea5a426b9cf473c1694a2db33705504298929e06792c2e0699f6efdf2ba0cdb3920183b5a0cb27b53c231a9849a2ec2d99a55943acd2b193d657d71cbc93d6c640e1b36f1955b713d7e54333a4b5abcbdac131640d74d62cedc38d6eebbbaf194761612dc0f405b96f78dc3af74240655391bd990d939254a6a937592b9bcb99c6bc3df70484f094331d0f825a39cb2e45c32819a3b29b98c8fc316b608ff6e98628bce03c7d745d16895b6924c7108bc44bbb364fd4593fc3b0a49199f82ed14a019df58812efbf5a116a594f596b5a67f38fb4130fc0d82f3d2872aa197f117d6a5b9f95e75fb7944ff13ea15aff2dcc9ddf27778f32731c670a76f3fa5cb1bfbc1dbd0c289bb2c717670b330fc3bd36dcfbba420babed84c362d68416a9b1076ba96eeec6cfe6b04429c2f0b361802a8b6fd2145c25875464f3a44cc1a1f8a76beafeea3afc79db0e8fdcc6f3c9d46cdee983a18e1d22ecc93ab2007bdc3ba7421a7fdc8ba9113d8ea7c0206f5d095d4344e68f66cca95b07f1ef9b7a0eb354e194fd0e2cc693d755fd719835b8094affc629282cf6522ddb14189227e2167e8ccad461be828791eb98373fbf5f5d773f34ac1b3843ab687299321e3a1a19a5a3384c23d7a3e7ccd52a9217900b5a4bbd16bdfb866ae28999ece4a05518c9a3081f13e0320872d0 C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5EEED86FA37C675230642F55C84DDBF67CD33C80 C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5EEED86FA37C675230642F55C84DDBF67CD33C80\Blob = 0f000000010000003000000082ef60cde833832df196a3351df5b2b90029e31f679cec503aeea7ca8893db9d81d4e576a9f216dd0baec61cb02a14600b00000001000000380000004400690067006900430065007200740020004300530020005200530041003400300039003600200052006f006f00740020004700350000006200000001000000200000007353b6d6c2d6da4247773f3f07d075decb5134212bead0928ef1f4611526094153000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000680193b1d24a40426994462c1c5a88a925b4474f1d0000000100000010000000cfa020613a558555d3c1ea201f6276da0300000001000000140000005eeed86fa37c675230642f55c84ddbf67cd33c80200000000100000068050000308205643082034ca003020102021006cee131be6d55c807f7c0c7fb44e620300d06092a864886f70d01010c0500304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f74204735301e170d3231303131353030303030305a170d3436303131343233353935395a304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f7420473530820222300d06092a864886f70d01010105000382020f003082020a0282020100b6337380d8620370142c111c395e7cae7c83861dfe262f4c24ad8bea835fa9bc3d5bfc0b984c024730ece2feece8345b665ebf3bd72ca625ff8c59b3dfeada7c29d9465072081d6ed11b0add1fcd9989fa0f0f73c4e19c1d7532cd6f97da2a6a95b26cc909d0ea0b7b7d17064999efd6dee0c853d4aec677f186bb231cb8c0df59f78e7dd1ef82e6268b5a38b5ff75d5b2d94f09f3378850da11a48a1414d15304007df36a4418fe507032071ca89a0e3a1dc50a1f6e0b2669b73ca257702c86fa4c6e95a95843b9ac12d6ff3fedd743176b4cce9ec490abfffa10509aa39057d6e78c10ae9f161acf351d7fd776ed8a9c35a728b8a75d21fc3037ddde08194f15c6e7a6da90478ef794534c8e5302befd99e5ea86d0af0302d39baa93f1ab288e2001ff4cfbccb72940f587a41213051f436ed751509f38b420ed1709128fccb919af9fcdbe6911d3af55106d1786799652c6b2009de5af38b035f4886b8f0e043d7ceeafcdd36a104ac6cd86ca223da14a5cfb0eff88df5c62a7c0b91ed9ac6c7e3837fe779325c2858a4fb537065a068114f1ce949d9991ea325ace673d6e0466ad0c4f2da32ef79ef5789df70afd7e8fe3428a5596bcf19f372dfc9e5f95fe8c181bfc8efd4b90afd703681263ace293a7a2cb04e54f64ce03fac6149fd98be8ccd4628c6be4002c199f1a06c6318154fb53249aaf5599ba9d75aeb8c2dd0203010001a3423040301d0603551d0e04160414680193b1d24a40426994462c1c5a88a925b4474f300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c0500038202010092fceeb802791702517d21c54967a7a4f1a82438eb0c68ea5a426b9cf473c1694a2db33705504298929e06792c2e0699f6efdf2ba0cdb3920183b5a0cb27b53c231a9849a2ec2d99a55943acd2b193d657d71cbc93d6c640e1b36f1955b713d7e54333a4b5abcbdac131640d74d62cedc38d6eebbbaf194761612dc0f405b96f78dc3af74240655391bd990d939254a6a937592b9bcb99c6bc3df70484f094331d0f825a39cb2e45c32819a3b29b98c8fc316b608ff6e98628bce03c7d745d16895b6924c7108bc44bbb364fd4593fc3b0a49199f82ed14a019df58812efbf5a116a594f596b5a67f38fb4130fc0d82f3d2872aa197f117d6a5b9f95e75fb7944ff13ea15aff2dcc9ddf27778f32731c670a76f3fa5cb1bfbc1dbd0c289bb2c717670b330fc3bd36dcfbba420babed84c362d68416a9b1076ba96eeec6cfe6b04429c2f0b361802a8b6fd2145c25875464f3a44cc1a1f8a76beafeea3afc79db0e8fdcc6f3c9d46cdee983a18e1d22ecc93ab2007bdc3ba7421a7fdc8ba9113d8ea7c0206f5d095d4344e68f66cca95b07f1ef9b7a0eb354e194fd0e2cc693d755fd719835b8094affc629282cf6522ddb14189227e2167e8ccad461be828791eb98373fbf5f5d773f34ac1b3843ab687299321e3a1a19a5a3384c23d7a3e7ccd52a9217900b5a4bbd16bdfb866ae28999ece4a05518c9a3081f13e0320872d0 C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5EEED86FA37C675230642F55C84DDBF67CD33C80\Blob = 19000000010000001000000016aee18d205d4e54b5aee9b3c1466a210300000001000000140000005eeed86fa37c675230642f55c84ddbf67cd33c801d0000000100000010000000cfa020613a558555d3c1ea201f6276da140000000100000014000000680193b1d24a40426994462c1c5a88a925b4474f090000000100000016000000301406082b0601050507030306082b0601050507030853000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007353b6d6c2d6da4247773f3f07d075decb5134212bead0928ef1f461152609410b00000001000000380000004400690067006900430065007200740020004300530020005200530041003400300039003600200052006f006f00740020004700350000000f000000010000003000000082ef60cde833832df196a3351df5b2b90029e31f679cec503aeea7ca8893db9d81d4e576a9f216dd0baec61cb02a1460200000000100000068050000308205643082034ca003020102021006cee131be6d55c807f7c0c7fb44e620300d06092a864886f70d01010c0500304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f74204735301e170d3231303131353030303030305a170d3436303131343233353935395a304c310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e312430220603550403131b4469676943657274204353205253413430393620526f6f7420473530820222300d06092a864886f70d01010105000382020f003082020a0282020100b6337380d8620370142c111c395e7cae7c83861dfe262f4c24ad8bea835fa9bc3d5bfc0b984c024730ece2feece8345b665ebf3bd72ca625ff8c59b3dfeada7c29d9465072081d6ed11b0add1fcd9989fa0f0f73c4e19c1d7532cd6f97da2a6a95b26cc909d0ea0b7b7d17064999efd6dee0c853d4aec677f186bb231cb8c0df59f78e7dd1ef82e6268b5a38b5ff75d5b2d94f09f3378850da11a48a1414d15304007df36a4418fe507032071ca89a0e3a1dc50a1f6e0b2669b73ca257702c86fa4c6e95a95843b9ac12d6ff3fedd743176b4cce9ec490abfffa10509aa39057d6e78c10ae9f161acf351d7fd776ed8a9c35a728b8a75d21fc3037ddde08194f15c6e7a6da90478ef794534c8e5302befd99e5ea86d0af0302d39baa93f1ab288e2001ff4cfbccb72940f587a41213051f436ed751509f38b420ed1709128fccb919af9fcdbe6911d3af55106d1786799652c6b2009de5af38b035f4886b8f0e043d7ceeafcdd36a104ac6cd86ca223da14a5cfb0eff88df5c62a7c0b91ed9ac6c7e3837fe779325c2858a4fb537065a068114f1ce949d9991ea325ace673d6e0466ad0c4f2da32ef79ef5789df70afd7e8fe3428a5596bcf19f372dfc9e5f95fe8c181bfc8efd4b90afd703681263ace293a7a2cb04e54f64ce03fac6149fd98be8ccd4628c6be4002c199f1a06c6318154fb53249aaf5599ba9d75aeb8c2dd0203010001a3423040301d0603551d0e04160414680193b1d24a40426994462c1c5a88a925b4474f300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c0500038202010092fceeb802791702517d21c54967a7a4f1a82438eb0c68ea5a426b9cf473c1694a2db33705504298929e06792c2e0699f6efdf2ba0cdb3920183b5a0cb27b53c231a9849a2ec2d99a55943acd2b193d657d71cbc93d6c640e1b36f1955b713d7e54333a4b5abcbdac131640d74d62cedc38d6eebbbaf194761612dc0f405b96f78dc3af74240655391bd990d939254a6a937592b9bcb99c6bc3df70484f094331d0f825a39cb2e45c32819a3b29b98c8fc316b608ff6e98628bce03c7d745d16895b6924c7108bc44bbb364fd4593fc3b0a49199f82ed14a019df58812efbf5a116a594f596b5a67f38fb4130fc0d82f3d2872aa197f117d6a5b9f95e75fb7944ff13ea15aff2dcc9ddf27778f32731c670a76f3fa5cb1bfbc1dbd0c289bb2c717670b330fc3bd36dcfbba420babed84c362d68416a9b1076ba96eeec6cfe6b04429c2f0b361802a8b6fd2145c25875464f3a44cc1a1f8a76beafeea3afc79db0e8fdcc6f3c9d46cdee983a18e1d22ecc93ab2007bdc3ba7421a7fdc8ba9113d8ea7c0206f5d095d4344e68f66cca95b07f1ef9b7a0eb354e194fd0e2cc693d755fd719835b8094affc629282cf6522ddb14189227e2167e8ccad461be828791eb98373fbf5f5d773f34ac1b3843ab687299321e3a1a19a5a3384c23d7a3e7ccd52a9217900b5a4bbd16bdfb866ae28999ece4a05518c9a3081f13e0320872d0 C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe

"C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 63A8A337E7716C06E8E6E938E2F651CB C

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe

"C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe" /i "C:\Users\Admin\AppData\Roaming\Stride\Stride 5.0.6\install\0F45DFB\StrideSetup.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\Stride" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stride" SECONDSEQUENCE="1" CLIENTPROCESSID="5084" CHAINERUIPROCESSID="5084Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="Stride" AI_INSTALLPERUSER="0" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_FOUND_PREREQS=".NET Framework 4.7.2" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1730953953 " TARGETDIR="F:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\StrideSetup.exe" AI_INSTALL="1"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Stride\Stride 5.0.6\install\decoder.dll

MD5 8a3f1a0da39530dcb8962dd0fadb187f
SHA1 d5294f6be549ec1f779da78d903683bab2835d1a
SHA256 c6988e36b1e1d6ffc89d9fa77ad35f132f5aa89e680d0155e0b6aee1c524c99f
SHA512 1e0d5be3ee164fb16de629a975f3c3da61659b99a0fc766850ffeeddb2d32b7ee0d3b85c77f01d34d9fe2933bd7bd11c6dba7b35d30faed7ce09485fd706d49d

C:\Users\Admin\AppData\Roaming\Stride\Stride 5.0.6\install\0F45DFB\StrideSetup.msi

MD5 775c85ef44bf84630ad3c91a44fac042
SHA1 985d94cc355d0be896008c4982a0b4031783d847
SHA256 adff585419f2c8d4c6ef68eedbbd73b59baa4dc12ff142cbdb32479b6c160679
SHA512 9fdf17ea5c4173b09fb95e102c546a3308c952d7a62ee037fd4c6e65811fb1593b4cad0bf04595b5765d778be8d3b7286225874e2ebee6e7f73c96eb7d2e3dd8

C:\Users\Admin\AppData\Local\Temp\MSI9A1E.tmp

MD5 6ea65025106536eb75f026e46643b099
SHA1 d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99
SHA256 dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb
SHA512 062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

C:\Users\Admin\AppData\Local\Temp\MSI9ABB.tmp

MD5 91d4a8c2c296ef53dd8c01b9af69b735
SHA1 ad2e5311a0f2dbba988fbdb6fcf70034fda3920d
SHA256 a787e7a1ad12783fcbf3f853940590329e0ff0dddf17282324f2d95ed6408f23
SHA512 63c5506a55dea2b3bd1c99b79b5668f5afc0104564e92f07afb42f2f2b67eae9d0e0174cb36e6095a27a6c71496206042079b6e5a2b2ff787f3cb9ef20995e9e

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\sys_close_normal.png

MD5 8ba33e929eb0c016036968b6f137c5fa
SHA1 b563d786bddd6f1c30924da25b71891696346e15
SHA256 bbcac1632131b21d40c80ff9e14156d36366d2e7bb05eed584e9d448497152d5
SHA512 ba3a70757bd0db308e689a56e2f359c4356c5a7dd9e2831f4162ea04381d4bbdbef6335d97a2c55f588c7172e1c2ebf7a3bd481d30871f05e61eea17246a958e

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\sys_min_hot.png

MD5 1a883668b735248518bfc4eefd248113
SHA1 1112803a0558a1ad049d1cac6b8a9d626b582606
SHA256 bcbb601daa5a139419f3cd0f6084615574c41b837426ebff561b7846dfec038e
SHA512 d321878ed517544c815fd0236bdff6fcb6da5c5c3658338afba646f1d8f2e246c6c880d4f592ff574a18f9efdf160e5772bbf876fb207c8fd25c1f9dd9ddfd04

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\nextcancelbuttons

MD5 583580e2c651f5c230fb3235b7ca0e3b
SHA1 a9bd6aeef43a6f4c0c00d1ecd98a585d7eb0aaa3
SHA256 65172283ee04f2fa18d0e57b21471be2e68017d1f61816aaaa6be070b446346f
SHA512 6c61e6c06c883113a7a0efbd352120354c070f5c17d770b6b821c42cb9d9ca895992842b29b51bd3e569b0c95e93709dd7c1c2a26bcff0ad425079f5302670ce

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\StrideLogoNoTextWhite.png

MD5 7e811d909411ec74df1c8594bf4268cf
SHA1 2071ed7e66815264f4bd2b5b6ed79cf41da0c347
SHA256 c3008d3f99be01aab071b7127c83ccf20554dad94816733d19234a14e772bfd0
SHA512 110e8b30d69de4b83ce5e688da263a6d63efac10616e4be70e7b6c505f55aee2c7218ebd63408cb9090dd8074af76530686947050378ee32dabdc60f92d2c8ca

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\PreparePrereqDlgProgress.gif

MD5 f550f449baed1315c7965bd826c2510b
SHA1 772e6e82765dcfda319a68380981d77b83a3ab1b
SHA256 0ee7650c7faf97126ddbc7d21812e093af4f2317f3edcff16d2d6137d3c0544d
SHA512 7608140bc2d83f509a2afdaacd394d0aa5a6f7816e96c11f4218e815c3aaabf9fc95dd3b3a44b165334772ebdab7dfa585833850db09442743e56b8e505f6a09

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\backbutton

MD5 50e27244df2b1690728e8252088a253c
SHA1 b84ad02fd0ed3cb933ffbd123614a2495810442b
SHA256 71836c56ec4765d858dc756541123e44680f98da255faf1ece7b83d79809b1c3
SHA512 ba3d3535bfd2f17919e1a99e89fdb1c9a83507ff3c2846c62770e210a50aee1281445d510858d247cc9619861089aaf20f45b0b7c39f15c0ea039ac5498fa03e

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\backgroundprepare

MD5 a0efb0e7b9cee25b09e09a1a64e96ba6
SHA1 0c1e18f6f5e6e5e6953e9fb99ca60fdec35d6e39
SHA256 f044f542bc46464054084c63596877f06c6e2c215c0e954c4ace9787ced82787
SHA512 7e53f9f564aaa529b3b15035671957c2923ec98ddee93758ea7a4c8645ee9058962078771b853e3490290fde1f57030dff5092d40d69418776ffee89f79c8a7c

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\frame_bottom_mid.bmp

MD5 71fa2730c42ae45c8b373053cc504731
SHA1 ef523fc56f6566fbc41c7d51d29943e6be976d5e
SHA256 205209facdebf400319dbcb1020f0545d7564b9415c47497528593e344795afd
SHA512 ea4415619720cc1d9fb1bb89a14903bfd1471b89f9c4847df4839084aae573d49b4969d3799ad30ff25b71f6e31f8d9f30701e1240d3cd6a063819c04873f21f

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\frame_bottom_left.bmp

MD5 1fb3755fe9676fca35b8d3c6a8e80b45
SHA1 7c60375472c2757650afbe045c1c97059ca66884
SHA256 384ebd5800becadf3bd9014686e6cc09344f75ce426e966d788eb5473b28aa21
SHA512 dee9db50320a27de65581c20d9e6cf429921ebee9d4e1190c044cc6063d217ca89f5667dc0d93faf7dcc2d931fe4e85c025c6f71c1651cbd2d12a43f915932c3

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\frame_left_inactive.bmp

MD5 4b84f29fbce81aab5af97a311d0e51e2
SHA1 60723cf4b91c139661db5ecb0964deca1fc196ea
SHA256 c93be5a7c979c534274fc1a965d26c126efa5d58c14066b14937e5aba3b9eb55
SHA512 775eadccc44fddbd1e0d4231bc90d222f0a9749199e1963449ad20285ea92941a5685cdc12c0cd8c0ef0a21e10bdacaf139e5c69cd5e402cc110679323c23df1

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\frame_left.bmp

MD5 30384472ae83ff8a7336b987292d8349
SHA1 85d3e6cffe47f5a0a4e1a87ac9da729537783cd0
SHA256 f545ec56bc9b690a6b952471669a8316e18274d64e2ebc9e365fcf44363a125a
SHA512 7611f930a0a1089cc5004203ec128c916f0c2aedae3a6fcc2eaffa8cd004dcbf154714e401947921a06896ca77c77daec7f9bda82369aacd3bb666f8a0331963

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\frame_caption.bmp

MD5 8641f45594b8d413bf1da25ce59f1207
SHA1 afebb23f5a55d304d028ca9942526b3649cddb52
SHA256 0403ed31d75dcc182dd98f2b603da4c36b6325e9d159cac4371e1448244bb707
SHA512 86a5f959f8462f866466dc706d3ae627b1fb019b8a33ee7fe48e3b69f92bf33dc0f1417c0d5116552b25b488bcb5d9050a33773e6883ebe08410267d95b2353a

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\frame_top_mid.bmp

MD5 4e0ac65606b6aacd85e11c470ceb4e54
SHA1 3f321e3bbde641b7733b806b9ef262243fb8af3b
SHA256 1d59fe11b3f1951c104f279c1338fc307940268971d016ebe929a9998a5038ee
SHA512 7b28bcb4e76af3b863a7c3390b6cd3316c4631434e1d1e2df8d6e0eb9987a61a4f1a24de59567394e346d45e332403a0817ed0b0b64d7a624dbe48e30db9bb64

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\frame_top_left.bmp

MD5 1966f4308086a013b8837dddf88f67ad
SHA1 1b66c1b1ad519cad2a273e2e5b2cfd77b8e3a190
SHA256 17b5cd496d98db14e7c9757e38892883c7b378407e1f136889a9921abe040741
SHA512 ec50f92b77bca5117a9a262ba1951e37d6139b838099e1546ab2716c7bafb0fc542ce7f1993a19591c832384df01b722d87bb5a6a010091fc880de6e5cfa6c17

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\sys_close_hot.png

MD5 17242d201d004bb34449aab0428d2df1
SHA1 77a332c6a6c4bfc47a2120203cfeabb8a2268a6b
SHA256 15405855866fa2b7c60afbc8ba720aae8f2ba7fb60bfa641dc9d10361e56f033
SHA512 605a97e2614c664417d53263be21c67b1504a46ee61b92b0a84ac18a7baab05eb56b72d4cf27372ae6c157928080ba16e24081e95458eb122ba18f3722c2d21f

C:\Users\Admin\AppData\Local\Temp\MSI9C85.tmp

MD5 0d093a6db075db4d3af06337a6cfc3f3
SHA1 7a27265809c47f96f29a09a960badd4c83bdb167
SHA256 f4c42c1393b907430c89bc504b24a589438690496a38bf7b75358adbdb48f6b3
SHA512 1d857ebfcf2526dd142ab72320073ae582dcf26c2d2a0d4c67267bd038182145572ca9c015f06a895555b90d8558dacfa4df6d7a105f6072d356a71532ac87f9

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 96329c73cc49cd960e2485210d01c4d2
SHA1 a496b98ad2f2bbf26687b5b7794a26aa4470148e
SHA256 4c159cab6c9ef5ff39e6141b0ccb5b8c6251a3d637520609dfbdd852fa94d466
SHA512 e98736a879cad24c693d6c5939654b2fd25bf9d348f738668624214f22d541a9b781c967201ab2d43cbac9207946824a0299d482485f4b63c48d5d2a839e5baf

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\browsebutton

MD5 9554be0be090a59013222261971430ad
SHA1 9e307b13b4480d0e18cfb1c667f7cfe6c62cc97c
SHA256 f4302ee2090bc7d7a27c4bc970af6eb61c050f14f0876541a8d2f32bc41b9bab
SHA512 ac316f784994da4fed7deb43fe785258223aba5f43cc5532f3e7b874adc0bc6dbcd8e95e631703606dfaa2c40be2e2bb6fa5bc0a6217efe657e74531654ea71c

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\metrobuttonimage

MD5 17368ff7073a6c7c2949d9a8eb743729
SHA1 d770cd409cf1a95908d26a51be8c646cace83e4c
SHA256 16e6e7662f3a204061c18090a64a8679f10bc408be802abd2c7c0e9fe865cbb4
SHA512 cbc3a378335f131d0146e5fe40cea38a741a0754a26304daebfda6f82c394cf0e151654782c6c8c7bbf7c354fcb72a2c66a77a87df528c2a3fa87c88f204059d

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5084\ProgressImage.png

MD5 6bbc544a9fa50b6dc9cd6c31f841548e
SHA1 e63ffd2dd50865c41c564b00f75f11bd8c384b90
SHA256 728c6cc4230e5e5b6fdf152f4b9b11ac4d104fa57a39668edea8665527c3bcc2
SHA512 2cf43d3a3f2e88805824e4c322832af21c4c49d5309387aa731ddbea8cc280a6049cab4526e20b1c87c39c8781168c5ff80083c94becf0984b94593b89ab77f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8757A0F68C921927F887F6D56B2C1640_711B0FFDF677284507E7F65614F211FA

MD5 92f4fb5a70c8b2b439d5db4d67d53adc
SHA1 5bd81ff1e7220b21da71ee4bdec9a9b0bc98b474
SHA256 8264163fb914003ec1b10966f45862f5e792c6db1a1af69bbe51bdc7cf4cc7c6
SHA512 3081a426ab7f51b06f201696511ac4476b688d74459f5b9130d365db4c62fbc14088ebc23284eb50f8833ece9b1798f433b9e0a0492f17fde17af0a55b7f42dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1591D5F7B0682312DEC3539E38F11DA5_42A3F57312DF87F42A6DF55DF37AC1A6

MD5 224f4fea70af115c2226228f3c3214cd
SHA1 8be55d1d0f0d5cb569ff8be2721436aa8471cac7
SHA256 9056925e394c019c14821ad1d915620e699c2298d91a324a4ce47f2728de513d
SHA512 4acbebcc36418868df00e167997238bfa9031dd73c33ce5cff12b7d0f6563218ea54e137322292e7a10e859bd8acd63f48aaf050df7a9b1b69c1e803b61ff0ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1591D5F7B0682312DEC3539E38F11DA5_42A3F57312DF87F42A6DF55DF37AC1A6

MD5 0fa63832376f3e8721761c6a625a68c8
SHA1 29ed9d00ead67fc517b7ba119e8aa4b39ecf4855
SHA256 034ff1959f2833bfdf089758468e0d6b6260a35babd4fd800b52b3a32c1d8ac2
SHA512 7ea9debf0dc185057314066bd5bf6119a4c4aab14eb8ca0fc8360a454b5e01d0bf54d515a5f53260bb64f5a36d1aa862013897be2bbb255b240a118191d218d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8757A0F68C921927F887F6D56B2C1640_711B0FFDF677284507E7F65614F211FA

MD5 065fece3e1db15878a4b6d3a92fcc82f
SHA1 8bfcbdbe66e0f6bdb72d17dcb41b4aac1269e6d4
SHA256 b59534eae9bfdbcfe28ffb6de2f49500a57a27dde8e1fc99d0663678d26f0279
SHA512 4f97632cafc8d54ca7f09b87e310bd2146cadc4eb045eb1ec21eabc204ca4cbf448f00633b82cfa0b082e77ac089cd44de201271f8aff800e0b54b51b5203935

C:\Users\Admin\AppData\Local\Temp\shiB9CA.tmp

MD5 b40e4304f279119d9345be970babce41
SHA1 f76f5b30e7c333efcba1d4e19215ef1fd21d6943
SHA256 06285446d57089fe85b3b6127bbc92508773af458ad5cf20abf4570d41c0fee7
SHA512 ad7e6b30b3ba32d641737f499874f23ccda7c4539def0465d1723d579c79c5e3e981df8526d31f2eb79dc0fe572eb4b71a780eb63df11170d4b6a0786f588299