floxif | 95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71

Analysis

max time kernel
38s
max time network
131s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Size

4.7MB
MD5

3889f2ac27d00aef4f83566995be690a
SHA1

0655a684de9d8bffa31be40066e3529c360d02d6
SHA256

95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71
SHA512

b7ce1e52b2021e84311f268ed1f88b839667b367cdf12d452ca4508476ff7c274995e4d429ba2bd9551057c2e770e122963ec25daa7ac7b0bf72ca9e085deb6e
SSDEEP

98304:J91Y8tDpaAm8nGA52QmbDnFHEF/ZcUE8ufqDsNbXXM49ejvAbp6arR:J9eWpaAxN4VEXcmufhNz9UjAboat

Score

10^/10

floxif backdoor discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0009000000012238-2.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000012238-2.dat	acprotect

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 4 IoCs

pid	Process
2188	sg.tmp
1744	SoftwareUpdatePro.exe
6140	GUAssistComSvc.exe
4664	GUAssistComSvc.exe

Loads dropped DLL 15 IoCs

pid	Process
2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe
600	Process not Found
4592	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2580-0-0x0000000000400000-0x0000000000575000-memory.dmp	upx
behavioral1/files/0x0009000000012238-2.dat	upx
behavioral1/memory/2580-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2580-2620-0x0000000000400000-0x0000000000575000-memory.dmp	upx
behavioral1/memory/2580-2627-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2580-2628-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2580-2732-0x0000000000400000-0x0000000000575000-memory.dmp	upx
behavioral1/memory/4592-2736-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4592-2735-0x0000000000400000-0x0000000000575000-memory.dmp	upx
behavioral1/memory/2580-2734-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4592-2759-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4592-2758-0x0000000000400000-0x0000000000575000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SoftwareUpdatePro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3484	PING.EXE
3964	PING.EXE
4104	PING.EXE
4064	PING.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	SoftwareUpdatePro.exe

Modifies registry class 49 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3DA5E31D-E553-4525-8AC5-EBD92B29A408}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~3475910477018507369\\x64"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\ProxyStubClsid32	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6544943-452E-404F-9B94-93E27E656D85}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\~3475910477018507369\\x64\\GUAssistComSvc.exe\""	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GUAssistComSvc.GUShellLink\ = "GUShellLink Class"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GUAssistComSvc.GUShellLink\CLSID	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6544943-452E-404F-9B94-93E27E656D85}	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3DA5E31D-E553-4525-8AC5-EBD92B29A408}	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3DA5E31D-E553-4525-8AC5-EBD92B29A408}\1.0\0	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\ = "IGUShellLink"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\TypeLib	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GUAssistComSvc.GUShellLink	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GUAssistComSvc.GUShellLink.1	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6544943-452E-404F-9B94-93E27E656D85}\ProgID	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3DA5E31D-E553-4525-8AC5-EBD92B29A408}\1.0\HELPDIR	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0BCB705C-0F64-405B-8CB3-CDF41B796E19}\ = "GUAssistComSvc"	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GUAssistComSvc.GUShellLink.1\CLSID\ = "{D6544943-452E-404F-9B94-93E27E656D85}"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GUAssistComSvc.GUShellLink\CurVer	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6544943-452E-404F-9B94-93E27E656D85}\VersionIndependentProgID\ = "GUAssistComSvc.GUShellLink"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6544943-452E-404F-9B94-93E27E656D85}\Programmable	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3DA5E31D-E553-4525-8AC5-EBD92B29A408}\1.0	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3DA5E31D-E553-4525-8AC5-EBD92B29A408}\1.0\FLAGS\ = "0"	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3DA5E31D-E553-4525-8AC5-EBD92B29A408}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~3475910477018507369\\x64\\GUAssistComSvc.exe"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0BCB705C-0F64-405B-8CB3-CDF41B796E19}	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\TypeLib\Version = "1.0"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6544943-452E-404F-9B94-93E27E656D85}\LocalServer32	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\TypeLib\ = "{3DA5E31D-E553-4525-8AC5-EBD92B29A408}"	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GUAssistComSvc.GUShellLink\CurVer\ = "GUAssistComSvc.GUShellLink.1"	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3DA5E31D-E553-4525-8AC5-EBD92B29A408}\1.0\ = "GUAssistComSvc 1.0 ÀàÐÍ¿â"	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\ProxyStubClsid32	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6544943-452E-404F-9B94-93E27E656D85}\ = "GUShellLink Class"	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GUAssistComSvc.GUShellLink.1\ = "GUShellLink Class"	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GUAssistComSvc.GUShellLink\CLSID\ = "{D6544943-452E-404F-9B94-93E27E656D85}"	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6544943-452E-404F-9B94-93E27E656D85}\ProgID\ = "GUAssistComSvc.GUShellLink.1"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6544943-452E-404F-9B94-93E27E656D85}\TypeLib	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6544943-452E-404F-9B94-93E27E656D85}\TypeLib\ = "{3DA5E31D-E553-4525-8AC5-EBD92B29A408}"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3DA5E31D-E553-4525-8AC5-EBD92B29A408}\1.0\0\win64	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GUAssistComSvc.EXE	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\TypeLib\Version = "1.0"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GUAssistComSvc.GUShellLink.1\CLSID	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6544943-452E-404F-9B94-93E27E656D85}\VersionIndependentProgID	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3DA5E31D-E553-4525-8AC5-EBD92B29A408}\1.0\FLAGS	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\ = "IGUShellLink"	GUAssistComSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\TypeLib	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\TypeLib\ = "{3DA5E31D-E553-4525-8AC5-EBD92B29A408}"	GUAssistComSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GUAssistComSvc.EXE\AppID = "{0BCB705C-0F64-405B-8CB3-CDF41B796E19}"	GUAssistComSvc.exe

Runs .reg file with regedit 3 IoCs

pid	Process
1216	regedit.exe
1536	regedit.exe
584	regedit.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
4104	PING.EXE
4064	PING.EXE
3484	PING.EXE
3964	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: SeBackupPrivilege	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: SeRestorePrivilege	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: 33	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: SeIncBasePriorityPrivilege	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: SeCreateGlobalPrivilege	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: 33	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: SeIncBasePriorityPrivilege	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: 33	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: SeIncBasePriorityPrivilege	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: SeRestorePrivilege	2188	sg.tmp
Token: 35	2188	sg.tmp
Token: SeSecurityPrivilege	2188	sg.tmp
Token: SeSecurityPrivilege	2188	sg.tmp
Token: 33	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: SeIncBasePriorityPrivilege	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: SeDebugPrivilege	1744	SoftwareUpdatePro.exe
Token: 33	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: SeIncBasePriorityPrivilege	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: SeDebugPrivilege	4592	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: SeBackupPrivilege	4592	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: SeRestorePrivilege	4592	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: 33	4592	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
Token: SeIncBasePriorityPrivilege	4592	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe
1744	SoftwareUpdatePro.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 1248	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	29
PID 2580 wrote to memory of 1248	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	29
PID 2580 wrote to memory of 1248	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	29
PID 2580 wrote to memory of 1248	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	29
PID 2580 wrote to memory of 2188	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	31
PID 2580 wrote to memory of 2188	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	31
PID 2580 wrote to memory of 2188	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	31
PID 2580 wrote to memory of 2188	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	31
PID 2580 wrote to memory of 2656	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	33
PID 2580 wrote to memory of 2656	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	33
PID 2580 wrote to memory of 2656	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	33
PID 2580 wrote to memory of 2656	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	33
PID 2656 wrote to memory of 1216	2656	WScript.exe	34
PID 2656 wrote to memory of 1216	2656	WScript.exe	34
PID 2656 wrote to memory of 1216	2656	WScript.exe	34
PID 2656 wrote to memory of 1536	2656	WScript.exe	35
PID 2656 wrote to memory of 1536	2656	WScript.exe	35
PID 2656 wrote to memory of 1536	2656	WScript.exe	35
PID 2656 wrote to memory of 584	2656	WScript.exe	36
PID 2656 wrote to memory of 584	2656	WScript.exe	36
PID 2656 wrote to memory of 584	2656	WScript.exe	36
PID 2656 wrote to memory of 1744	2656	WScript.exe	37
PID 2656 wrote to memory of 1744	2656	WScript.exe	37
PID 2656 wrote to memory of 1744	2656	WScript.exe	37
PID 2656 wrote to memory of 1744	2656	WScript.exe	37
PID 2656 wrote to memory of 1744	2656	WScript.exe	37
PID 2656 wrote to memory of 1744	2656	WScript.exe	37
PID 2656 wrote to memory of 1744	2656	WScript.exe	37
PID 1744 wrote to memory of 6140	1744	SoftwareUpdatePro.exe	39
PID 1744 wrote to memory of 6140	1744	SoftwareUpdatePro.exe	39
PID 1744 wrote to memory of 6140	1744	SoftwareUpdatePro.exe	39
PID 1744 wrote to memory of 6140	1744	SoftwareUpdatePro.exe	39
PID 2580 wrote to memory of 4592	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	42
PID 2580 wrote to memory of 4592	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	42
PID 2580 wrote to memory of 4592	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	42
PID 2580 wrote to memory of 4592	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	42
PID 2580 wrote to memory of 4592	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	42
PID 2580 wrote to memory of 4592	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	42
PID 2580 wrote to memory of 4592	2580	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	42
PID 4592 wrote to memory of 4464	4592	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	43
PID 4592 wrote to memory of 4464	4592	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	43
PID 4592 wrote to memory of 4464	4592	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	43
PID 4592 wrote to memory of 4464	4592	95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe	43
PID 4464 wrote to memory of 4104	4464	cmd.exe	45
PID 4464 wrote to memory of 4104	4464	cmd.exe	45
PID 4464 wrote to memory of 4104	4464	cmd.exe	45
PID 4464 wrote to memory of 4064	4464	cmd.exe	46
PID 4464 wrote to memory of 4064	4464	cmd.exe	46
PID 4464 wrote to memory of 4064	4464	cmd.exe	46
PID 4464 wrote to memory of 3484	4464	cmd.exe	47
PID 4464 wrote to memory of 3484	4464	cmd.exe	47
PID 4464 wrote to memory of 3484	4464	cmd.exe	47
PID 4464 wrote to memory of 3964	4464	cmd.exe	48
PID 4464 wrote to memory of 3964	4464	cmd.exe	48
PID 4464 wrote to memory of 3964	4464	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
"C:\Users\Admin\AppData\Local\Temp\95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:1248
- C:\Users\Admin\AppData\Local\Temp\~2863664993744837534~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~3475910477018507369"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\GSUP.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\regedit.exe
    "C:\Windows\regedit.exe" /s Name.reg
    3⤵
    - Runs .reg file with regedit
    PID:1216
- - C:\Windows\regedit.exe
    "C:\Windows\regedit.exe" /s License.reg
    3⤵
    - Runs .reg file with regedit
    PID:1536
- - C:\Windows\regedit.exe
    "C:\Windows\regedit.exe" /s GlaryUtilities5.reg
    3⤵
    - Runs .reg file with regedit
    PID:584
- - C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\SoftwareUpdatePro.exe
    "C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\SoftwareUpdatePro.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\x64\GUAssistComSvc.exe
      "C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\x64\GUAssistComSvc.exe" /Regserver
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:6140
- C:\Users\Admin\AppData\Local\Temp\95ed8543aaa61b0a6c004492140eb4df03d18c3a5512563493ae7cd06f0d4d71.exe
  PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~1082636916355805125.cmd"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\~1082636916355805125.cmd"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4104
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4064
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3484
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3964

C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\x64\GUAssistComSvc.exe
"C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\x64\GUAssistComSvc.exe" -Embedding
1⤵
- Executes dropped EXE
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\ga[2].js

Filesize
45KB

MD5
e9372f0ebbcf71f851e3d321ef2a8e5a

SHA1
2c7d19d1af7d97085c977d1b69dcb8b84483d87c

SHA256
1259ea99bd76596239bfd3102c679eb0a5052578dc526b0452f4d42f8bcdd45f

SHA512
c3a1c74ac968fc2fa366d9c25442162773db9af1289adfb165fc71e7750a7e62bd22f424f241730f3c2427afff8a540c214b3b97219a360a231d4875e6ddee6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\jquery.min[1].js

Filesize
91KB

MD5
ddb84c1587287b2df08966081ef063bf

SHA1
9eb9ac595e9b5544e2dc79fff7cd2d0b4b5ef71f

SHA256
88171413fc76dda23ab32baa17b11e4fff89141c633ece737852445f1ba6c1bd

SHA512
0640605a22f437f10521b2d96064e06e4b0a1b96d2e8fb709d6bd593781c72ff8a86d2bfe3090bc4244687e91e94a897c7b132e237d369b2e0dc01083c2ec434

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1082636916355805125.cmd

Filesize
373B

MD5
3f967a5a3136de09be732987b309145f

SHA1
49fc77f3577ed8fc43b9683600332f162eaaa243

SHA256
91ced7ef8e3fe5a82058e9a280defdf2f3ca0c9e5fe8227976e3b082df2ac002

SHA512
e9e8be3204130f0881b6aacae6f96c74b55457d449bc44a3a61693b76cc2f1e0a1839b84f8ebaccf67cdb0eff1a53275bec1e8396a4f17644904c118dd6c73b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\AppMetrics.dll

Filesize
103KB

MD5
c55003af05163fdfcd4abd7cc2f5b109

SHA1
d891ac9678c3b9dd8e65c15890a48b49ae08d647

SHA256
e1ba5c55f0dbd979e193f1f35ae1aebbd89cc57f98f2df7123ae1162209f5428

SHA512
1b3ce59de0e1d9ea625c1204af0dd9fdbd79b2deaf0a26655cf61e86f80e025ac35e6c929e8406587635095b9b4597b654dfdf59c9c3346f3e4de5204f5fac3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\CheckUpdate.dll

Filesize
795KB

MD5
eb8418379ae4e590d394b0eeb2559b8d

SHA1
5dbe28a50b30741bd8c08bbf8e0d17b2ee8bac59

SHA256
5d290d936e2bfecf046ff8c77e94ef02092863ec1ff7cd21545ad0755d25d827

SHA512
7747c464cbe820c0b82919ca73e51aa641a38b6f7e7978cfd78502a60af61fce438415d4df0a106a903e0fed9468ce0d984f5d3bb04dd8b8697bc9af03dbf65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\CrashReport.dll

Filesize
290KB

MD5
b67018b8bb66e2c26ee82ed4809db70e

SHA1
fb533ff79c7e8198e71d408df0c26b501532150d

SHA256
1ddfd4ed42d3ca28032a665e2f4a2a3cb8f8fbe230c0cb3e13fe411b621e762b

SHA512
0c9967bc8e7c30ba99c17c81d215b0b55dc035e86c6f0e6dcdd5c87b968721eed06bc1e0474285c7809d620d77a1b1884b6cff4493a64539b558d2aeb19fee47

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\CrashReport.exe

Filesize
943KB

MD5
86e1a1de635b6aeba96565b02a166c76

SHA1
b288057dff1fc64b7136a6883f03c3cf88b8fdf7

SHA256
1a5e73d8fa1461491bce47ab8e592c9729f8b946cadf92b93cbb75e2d2f7d74e

SHA512
b587911953398ff8ab460f124450ed90619604603dc1b1c9b89748f14105ae27cf4957154695515d368f183de5ca5722557c2df0193235965765c37c4e543422

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\CreateSort.ini

Filesize
22B

MD5
694d7f304b1ae12f75a93595c4990a2b

SHA1
caac0d36e2aad042d4fff6ad312880ca999544e7

SHA256
a1e33ca8b91de097166477c79df1bc26e64f73b9e6c2b679c29abaf31aec0968

SHA512
cd61c17b6f964ff5cadae569c4cb27d869cacbdb809d7bb649aa4f25c8631ea0f5c3410fabd75e05da2c7017b3e80c1a6b727c7b3f81568d1cef46fe0f7dcb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Error.ini

Filesize
67B

MD5
a0dd662b71ab2117f6a77735abb78b1e

SHA1
379a3dba466af2a0bb0f646c0f0b621db788e874

SHA256
e7f20b0db8afaac6e68a8b671e5f1776e237d04cd3086ea2d7b59d06c8dd3075

SHA512
f972048d9b530067a3fb49f365e852fcb6fa75f7009f3b38b54d172e913bb4db5ce4c9ae17baa52a782c9acbcf496cf47c1120d7432d99458f288ca8164ef667

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\GSUP.vbs

Filesize
245B

MD5
2d2fd4215b1321890756f6fb8da456f6

SHA1
6ba839ecb3028e7c2e2274375d24a4417fb52253

SHA256
0090c99436580294a1292193fcc8056d91529b28cada2a3f8ecf7dd1befcf341

SHA512
88bdaa2d57a9ceeba6397bbd2acaa0939678f2c276f45a6882782d44be304addc61495428a64f57fafcb56d2ec96d8a1310421529a6b39025f5fe887cd908594

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\GUAssistComSvc.exe

Filesize
119KB

MD5
2bc47e11d2bda5df759a28f5823cbdd4

SHA1
9c9a352685fead9f5dbf70200c8fd607e15f9030

SHA256
abd4296eeb8014abccd725d13572f6a3776bf29e2285e9330c1ee90c60bda2bb

SHA512
55cda739deb975c7ae8d0cd0990ef69c89b05370eb9a420df3e2c7b53f115917b62dfd837abc47b2ed8326bac6218f2cdfd15ef2117fe5ce4732a95571a4365c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\GlaryUtilities5.reg

Filesize
248B

MD5
d3af7a86a0994a9791c75e0f173f485d

SHA1
68d6d6d3fa77622a5b483958b8dbeb66640bd04b

SHA256
84294785b975fc324cfe441833d365c2ee5c3c9a455017a32efdcd689e975a52

SHA512
c0029eb57d2945b49446de1443093e4bb0c64f814deb72070e20cea9e011f4a36d482c6aa9008a88dd888bdb698d9c016e09f3aa8a28b376d780fe8a1f934b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Initialize_Standalone_Pro.exe

Filesize
78KB

MD5
fa26843121d6ae7f2534a99855be800c

SHA1
9dff91d34e41bebffa319c1c3c52f7fcb6929969

SHA256
3de5123d0d7f9b7194856dd99770b9d31f2cb69d7160d300100d36a42b9122ec

SHA512
ba90448bfbb6bbfd81369b1304d820bcb8b4513d5cc697cc4d599c8c286f1042281e78fa706487e3698df74cb3e4ac56ac4784be328ae0f011b1ab83d67e21b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Languages.dll

Filesize
93KB

MD5
2502da974c7630531b16e0a607fbd84b

SHA1
7d0d979144f6cc33671d368e12d434be4213f345

SHA256
402d79fb235493472c9b1bececcf9f020ebcc4697f3f60acd748d1fc83da7b10

SHA512
3db7e60d405888d72be501e590442a562213020cf0c2320db25aea2ac6ef6118cb885522c653114cb7b1de6e1719b12fe3b864c5a91994eb67732121c8443fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\License.reg

Filesize
300B

MD5
4166301de467c3b0b39f28c5dca09542

SHA1
9d892f4cd7d45e95bf892c6e0fa6fb360c537561

SHA256
5e1b716df4bd03793f72adf14eeeae8c3e11105f8718607639029e2134521bdb

SHA512
765e56373d69fc217c677cdae9eb1dca1c302c77f6e68133fd6f29f3a85c5cca525e380da6cbd1bcb3ce2caf764fefb2e23da5d1dedb66442483729deac85c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Microsoft.VC90.CRT.manifest

Filesize
524B

MD5
6bb5d2aad0ae1b4a82e7ddf7cf58802a

SHA1
70f7482f5f5c89ce09e26d745c532a9415cd5313

SHA256
9e0220511d4ebdb014cc17ecb8319d57e3b0fea09681a80d8084aa8647196582

SHA512
3ea373dacfd3816405f6268ac05886a7dc8709752c6d955ef881b482176f0671bcdc900906fc1ebdc22e9d349f6d5a8423d19e9e7c0e6f9f16b334c68137df2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Microsoft.VC90.MFC.manifest

Filesize
548B

MD5
ce3ab3bd3ff80fce88dcb0ea3d48a0c9

SHA1
c6ba2c252c6d102911015d0211f6cab48095931c

SHA256
f7205c5c0a629d0cc60e30e288e339f08616be67b55757d4a403a2b54e23922b

SHA512
211e247ea82458fd68bcc91a6731e9e3630a9d5901f4be4af6099ad15a90caf2826e14846951fdd7d3b199994fd3ac97ca9e325cf0dfeb9474aea9b0d6339dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Name.reg

Filesize
288B

MD5
01555526ffd922926ce6962630388df8

SHA1
0a886d531af1b8e3f652ab3563a9bfcf9b482a81

SHA256
99f8e23d34f19632a78df8f9e3d8e6570864aee39a76890f41353afa1c672949

SHA512
22e5b977b8fe6949a631908e4beb6d6c21eb42b2541275657710106e909f867568d85113e425a5a9f635055a20689ab69fa9081381525cd5a953dac3d8ab7402

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Resources\SoftwareUpdatePro\Close.png

Filesize
3KB

MD5
547a786f1c9c3ef3329b4b2503dbce26

SHA1
ede7c3cfeeeee8910c901fb048cc61ac82d90d29

SHA256
fdb15f284ada8f83a54b0bd06e3ea405c6c94fcd1b314e5c2eb26c7b595127d3

SHA512
9e5d6fe5027368a912c5fec043858c56710018086824e6de828d9652c3e05c99650534577e83218f047f9a27a94d3a4e3152ee9efa95fd148a68b0956bcfb07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Resources\SoftwareUpdatePro\Close_Check.png

Filesize
3KB

MD5
145f775f38796cbf59531a47b7586e14

SHA1
c90ac6d029862183b638d6584f8ffa0d41f04b42

SHA256
85eda195cecf4a05206c83e4775e1187db38202144baef1591622506658af867

SHA512
184f35caff0d02c248ec9a87e4837cf7cb0c9c9224fc962a3945761aa680f74f247c009c1058216290c2b7b19cfec263357c73f657ca6804779ff791d91cd2f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Resources\SoftwareUpdatePro\Close_Move.png

Filesize
3KB

MD5
c3caa08ba115610abbbdd87bff593197

SHA1
ceee875a10369d44517c5eecab894a239e52db63

SHA256
b4f141b8b41fd3638324097a03f7afbf9338b2b364be6e2b1706d961af4f59e1

SHA512
6d4fd93a2a9601ba8a4d06e9874f2a85cf447d3f8550c5399a2a4d544a97a08aced3bda343b9699b2676d83a96518ce749acd2d988fc13f49f116033e2dfb201

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Resources\SoftwareUpdatePro\Facebook.png

Filesize
1KB

MD5
1f352bccdeca68079ec0cfc24881f584

SHA1
39f4fba8fb2dc33b5c5e33532ceafb831bbc7737

SHA256
4e746e84b60a0e524cbe846d0a4823cf121bdff4be0147ee9932caa937e4aa8a

SHA512
b3ea6f11be428dc9dda70e8d40cb6699c762e4fcde62fbdbc974b36a370a031230478cd9d683d4b6d6a570f658d64cbc910e3d691604c6d318fb585a186aee9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Resources\SoftwareUpdatePro\Facebook_Check.png

Filesize
1KB

MD5
a3bb7239747c2c4ff8e2b172f12f89af

SHA1
5821cd254117449df3271af8314fe6b898d8508f

SHA256
81aa79ef82294965b1210dc672286bc9b86787ca331e2fbd0ccfe38730734748

SHA512
e682b8b5892958138bfce92364dcb5aff5ea60bc692aad7a2a44dc01b1d95ca3b5774345b4ed3ee777506dde942f0a49fbca3c00f88a671878dc21deaab3b98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Resources\SoftwareUpdatePro\Facebook_Move.png

Filesize
1KB

MD5
d145afbca342dd7270bcd22f2a614acb

SHA1
afb19329b1afcbadb5fd40bf7d5217c6a1525187

SHA256
92eff96d8bc57be774152ddebfbd3ed5e26b80a0765f29595931252ea3e94a63

SHA512
f1c12d193496ddf7f2e051e2001bc4a55138d205ffc2b7b5e65618d534dffa5c56d6f3f8221023d9391c67b576507cdd57ae4af77143dd3759fb6e4cbbea4860

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Resources\SoftwareUpdatePro\Max.png

Filesize
2KB

MD5
45faf030522c4e7f5d5905335f346f8d

SHA1
5417e1dd832d98a3057d851e77a55d19fc41aa06

SHA256
5192f0fc14b685564bfb1e62a8e72d2f1219b7cacf33a918bac0973ed5de45c0

SHA512
55d55b4d039fc381def6aedc42ed81192a8da5f5be95b962bc2bc903456a635f859b2f3df91754065011ff24e4a7c27ed182f7b2c03d7463d0de666a4c84869f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Resources\SoftwareUpdatePro\Max_Check.png

Filesize
2KB

MD5
220bdc9b712d8e9c0e71e78aea539b25

SHA1
8fffbab836292020e84bd316a61f0897397f47d5

SHA256
bb328290450da34c9afb8331e0784aaed0ca65316053cebe66f4496ed12eef83

SHA512
69fd2158e2500d2b3f681a28f04fc18c70e748dfd3840256e91c631444631f80ef534d59f335486fe21e20106730ae704728e2ab65dc226fedc427e5ea5cbc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Resources\SoftwareUpdatePro\Max_Move.png

Filesize
2KB

MD5
3587e8a711b90da860a6de246007e852

SHA1
3a09b716d8f116fd26b64897328b6c24665c432f

SHA256
1a2e95e824a19760584d50e2b461b041aeb1915b423f288086a5a3706ceff28b

SHA512
e81462d84f1b049a05241f84a6a969484cc25455fdecac452e8b7479fa69df73e97b655dfb67406701580d6ac41bb504219eb548b7a30c8670aa30b2f03abe87

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Resources\SoftwareUpdatePro\Min.png

Filesize
2KB

MD5
995c26c844e0f0377ca5bf5ced006aec

SHA1
aaf7960fdcf54350f43e534e7f53310407a02fd5

SHA256
b507e1a96fa46a40d883248b3406e4604c4fb4df0f1d9055b702af63f5dad231

SHA512
7f1be0f9d186f606fec53170235f80578756378e19fcf6bc82d1500040cde45f78b9d6e15843e905d648e1c244c68a5bbce1ef3a8c91b1864a1d9cec7c14a782

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Resources\SoftwareUpdatePro\Min_Check.png

Filesize
2KB

MD5
2c80db1135237028568f13df1ce3a0ba

SHA1
c53394125d7f55a629d29d415227979ad6a2d840

SHA256
2169bfed7c37faa5760bf88b94b37d8c3af2b5489610f04e88b7414687501553

SHA512
f7a82026985c92c81a10775fb2f2507c989d2f681e443f015b5f89b8f7104e4984ed1d28f99918544237adf1a96929d8826da1e7ef61bff1e19c5bb75bc32f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\Resources\SoftwareUpdatePro\Min_Move.png

Filesize
3KB

MD5
f8f60232dfd0348790775f4a07fff556

SHA1
d3546a3f1fd0ba9271e270b4cafedf7a42c0b091

SHA256
4ab82f003d1b3d582e46624092336d5e22cb54731ccede4b3b3a358716837ce8

SHA512
ba52c344e6d2702787b2d1f3e50ccb745eabfe429ee9dda5b75b009d2183f4d70455d9a384d21f700c3cf04f2f48cb0a29102a51af8e0bbe7882d46ae9e099c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\SoftwareUpdatePro.exe

Filesize
873KB

MD5
e4c54abfa71bcda084cfb7faa10d77b8

SHA1
284c00a9c12b7d51d25859fcc9d74ab4d0a94a57

SHA256
879743c71639a99805f40f645f20a7e07b37f9ee071f21715361da68a7f56b91

SHA512
9aaa1e62d1f893dece94d6c7ab6731b917522d6cf0b09e1fe327139d8387e33231bb1a2c4928b16af674da591334be6d8491adf50d28042cde2e20fae472ddc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\data\ModuleInfo.ini

Filesize
13KB

MD5
0994ccb7a4e4d254cd19b28e9ebca473

SHA1
39075002a0869fc2a1ba546c69b8dad0eb1bd33b

SHA256
bca640fd5617b66c0185b044a59579683f24b15c6301bd872a909861aee7458d

SHA512
3527e775256973fef75bb5698fe18f5bffbf90c238f207979400b46b5b3583e6ed41ed63899a8eed9d71dfd7275c28cfee8ee706f859ee15f7d3b3446594aad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\data\Softwareupdate.xml

Filesize
4KB

MD5
9e3a7d111b4791e3433b7ab20df05150

SHA1
2970a7bf20a265a19b336d359865bbed34604ba8

SHA256
cc244112cde02046d9cfe1f7374221073ac60459cf12d7da1a871609422b739f

SHA512
0d75198d89319be881e59868945a7fbf48c0e6d200c18b120248ee892772480e8c0ccdf1a10bd8b4205753c18f2e029e0f52866a2f3c7ac5ba8b777181a28c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\data\rule.ini

Filesize
14KB

MD5
dec3f261af4632c36b8d25bf7fc7590b

SHA1
b0be8df8cd8807b21acf5661d4c222474e511835

SHA256
062ad687c39b28a509c94f6c6ff1ccdb81f12663d6a18a4fa812def4032fff21

SHA512
a086c050bca7ec8937f2f0c358bf3b39be5d0e93869f426ee3f79dd5fe9ec11197d3dfe01878c84ad7cc69f49ac1e4e1e64e341aaad9e7da27b1643acb8071d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\data\rule.ini

Filesize
15KB

MD5
c31c4239a6b24e152507d2c222afdec5

SHA1
a3cbf754cb464b63e21b5d72651847c932ff42ab

SHA256
10eebc504bd128bc803929025d371cfcf8ab10e64fca6bad08a147f54e10ed99

SHA512
005efe5ae05747b83a943844a4f5ac6f7d8da2966ebc390020705e28717b2a1161f34987c3c47f0237dc4c425160b7ce1607068946ad22ede104d38b62ee17f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\ico\29566.ico

Filesize
23KB

MD5
b5a9389b8f5a3db73024ea3c49246b31

SHA1
556c9703cc6ea1298fcb02e5593d997b1020e4d1

SHA256
caa1c0f8704d1c75168b96e471831a6eea797d55e19712090b74d46d5d9de632

SHA512
8d58f4f33de1302c5bd6c31ca39d1e4f117e89286bd3c4282c9f09bcc502661b8c3cb31486299fb29cb522992262c5998d674a0a6567e72400a164a42d4b5f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\languages\English (proofread by Dillon Ring).lng

Filesize
230KB

MD5
0a0a1e36fff9fcbbfe74470eb2890840

SHA1
33ed0bac4fb901f26bd866e4f4fb19aaae8b147c

SHA256
012ccff71add5fe1aeefaf797545a1df3b46c567cf0b63ed7e02a4eb85c8e376

SHA512
aec4552c40b1e4a13324013a0d7b20df2901ab70553ef1aa77e0d94c9b117702a36911c30d28f0a8b087ed28db8d22c1d96931c50826c60901d4506fdf47b414

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\languages\korean.lng

Filesize
155KB

MD5
36b8205a0f130fbe5b0c2d880b5b9b01

SHA1
de77bc6e9a3af7b4bac280e3ffc9f37f5f28e216

SHA256
a1aa1e3b07a6fc2c2fed6659f9a28834bc19c806c746418d5afb4be2a948fdfb

SHA512
5c968e6d4dbe2e6ea12678696b764df260605b9c907128e23b14dbe073414e5f0fb8d29eaa24521b4ea692b9445aea45d2d6f9a112e20e4334aede74eea2564c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\machinecode.dll

Filesize
315KB

MD5
e4a5de693274a684d39eca3881c5eb08

SHA1
c0ff13eec09197dad24cb0ef1cced66eae2da071

SHA256
6592f393bd746b64eb5f5422e8e912871101dc7d39e5d780d9999ddabcce5220

SHA512
cb35a05d6022696c751e0aa207e84d591e2cb81327b50fb82883256052c6041122dc3cf6949f749be079036595b755cc3a160809e595c86604cf352b13f42548

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\mfc90.dll

Filesize
1.1MB

MD5
462ddcc5eb88f34aed991416f8e354b2

SHA1
6f4dbb36a8e7e594e12a2a9ed4b71af0faa762c1

SHA256
287bd98054c5d2c4126298ee50a2633edc745bc76a1ce04e980f3ecc577ce943

SHA512
35d21e545ce6436f5e70851e0665193bb1c696f61161145c92025a090d09e08f28272cbf1e271ff62ff31862544025290e22b15a7acde1aea655560300efe1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\mfc90u.dll

Filesize
1.1MB

MD5
b9030d821e099c79de1c9125b790e2da

SHA1
79189e6f7887ca8f41fb17603bd9c2d46180efcf

SHA256
e30aabb518361fbeaf8068ffc786845ee84abbf1f71ae7d2733a11286531595a

SHA512
2e1ebcbe595c5a1fe09f5933d4ba190081ef343ea313725bb0f8fcbf98079a091ab8c0465ef437b310a1753ffc2d48d9d70ec80d773e7919a6485ef730e93ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\settings.ini

Filesize
46B

MD5
56688b599335e8fa00e0479e9e9bb4a0

SHA1
a4f4a65555f6891c5b6a1e556eb90473f56fd8b6

SHA256
af4c3b39f0580a5b68e402a13dd0e0e506055126e76c327adffb6ab8404dfc97

SHA512
76191dacbe1b3c399142ebc5d86ffdcd8368a7ed1f342d840eadd95d936af6885840f303d0a8346c922aba89e34aae4c5f79a80bdae12d404823341ffd094adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3475910477018507369\x64\GUAssistComSvc.exe

Filesize
136KB

MD5
93ea6d20557f17c611ea9cde629808ba

SHA1
714ad49dd1203970224f1477979811e8f468a601

SHA256
cec8fd20264ee461bfc939079b4d81ed3996a31e7839160b226b41592dc58e9c

SHA512
7a6351058fcfe5dc6d7a19dfd4518fa76b0db17090f9bd78be98a195893c807a622ad537d733cf6a81efe8cdc9e99c8d80b88e82db2121067023b58ed41bf723

Download Submit
C:\Users\Admin\AppData\Local\Temp\~ModuleUpdate.dat

Filesize
3KB

MD5
9a6ed1809633b8c3b38f07166333985b

SHA1
54afe8affd4b5995bb697b7e04c36a7bce59b307

SHA256
12ff0dfc2e13892d03f0fa11e15b52133e09acb75e1a0f92d70226a2a0dae23b

SHA512
da3f8d7e832831e7ea574ee4eae97589b046e1dd69bcd21f680e8883f03742ae5e734b4d8c5ccdf02d49402cf37505a2b9f69629efd2b2514def34e7b1eeac6b

Download Submit
C:\Users\Admin\AppData\Roaming\GlarySoft\Glary Utilities 5\20241224_Exception.log

Filesize
1KB

MD5
df7cca587df8b37222d3cdc8e2775001

SHA1
0ac115b6fa8faf654e19562061748c3a1604e8a1

SHA256
ce8ae8dc4c48f99ba75b3b0eb67a6ba3c1ffe304047065659b49d0abcbfd49ec

SHA512
1c607569527b4a9b5e05eea9e1b2b4412ebd9383faca6290d392e9b5b689ca658076d3208c9d83e63700f43566baf743e1f235742944f4a9260e2e3ccb5e8af8

Download Submit
C:\Users\Admin\AppData\Roaming\GlarySoft\Glary Utilities 5\20241224_Exception.log

Filesize
1KB

MD5
ba338e23ed0af39c6da8046ae33f20f6

SHA1
b0f09587194f208f3a998be350dc63e043012aa8

SHA256
bfa4b368346d027a892969672bf27f07730bdda4a611fe54d4e66cfd79785931

SHA512
ba1e46c591fd113b21889c7d2037259d2a34d373df839ecdf9a7c66551ef414fb5e487e6b35328876a6808ed1d8e4d375d9737244314f34003b446aa6365a537

Download Submit
C:\Users\Admin\AppData\Roaming\GlarySoft\SoftwareUpdatePro\WebUpdate\WebUpdate.xml

Filesize
412KB

MD5
f2853f2e9b461823b7bd5a15e662ed2a

SHA1
fd7b7b1f03fd9a4063e5785a7ba19867a931a86a

SHA256
e54468245ab6e0823c4c59ce6109f457fdb6671e9a211ed2d097bb7fe7000a58

SHA512
1b1e5677e07307d38bedaf353c8e22ebcfdda9346e85499adaf7c647be0f1556ad652ffc14dcdc9dd4fa94cfc82de249672144fe6544066d39d735805a4480cf

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\~2863664993744837534~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
\Users\Admin\AppData\Local\Temp\~3475910477018507369\Config.dll

Filesize
34KB

MD5
ec8474d709501615cf1b92513c3b1591

SHA1
be678c11b8dee0b24be5acb5e38d2e36f9c8f90b

SHA256
680e85ad261a2da34fb7dd2f5d55fcb06aed28466de826ba760eec7a91429264

SHA512
cb9e4d56674a3b238fe568e69699fbf5cb48bd3cb34119062589d761714ecfc9a3141a4acd5b7d50597feaafc41260791ec0403b5f5f4adc4c50e1cbd3d08822

Download Submit
\Users\Admin\AppData\Local\Temp\~3475910477018507369\LockDll.dll

Filesize
571KB

MD5
f28f850eae4192bf02c3b7bdae574cf0

SHA1
df370e3127a08e99ae419f8bfc612f5a122721ee

SHA256
74311033a0342c3865cc406e7a0a24d05437efe353688b8f997989d025353dc1

SHA512
ea28cfb890cf157e0911435cfcfa32b904d12f6ffa756b84b4d80c4ab55aaf2207cf8829428e3f4d43bb3f829ce4f1efe41fada6e8e3e5dd3847c01d46eba304

Download Submit
\Users\Admin\AppData\Local\Temp\~3475910477018507369\ObjectAdmin.dll

Filesize
72KB

MD5
b17f52640da0fb0f54e998cf259c13ac

SHA1
8d25cc674500ca40accabf8fc6c3d7b6e4373c2d

SHA256
f136c5a8a1d915661e062c4dac1f4895427ba4b428993d5169324581a3872495

SHA512
a246b93640fc9d68a1c011a0a80088727fb7c668f0d034ee552793a3dc44399abad66fed818309144cd580f857a73710e0dedacfd07b763536e816a085c159c0

Download Submit
\Users\Admin\AppData\Local\Temp\~3475910477018507369\ShortcutFixer.dll

Filesize
54KB

MD5
8e8bbcd396626ad4024c7f391e8a9699

SHA1
9f18ad80a12050ff81d968ca8414535eff5f276a

SHA256
ca61d8449347c11c1ec2d88a679a6eb397d7bbe13367614877f65d545b3bdfbe

SHA512
3f914826b22d12a5cce66b3e4b4d8c9191a8f152ac1c2f3b988cb40571c5304f7c28936ee7f5d6f148d5a907440e004d1fa1ffda490a2c1e260c50f04132b84a

Download Submit
\Users\Admin\AppData\Local\Temp\~3475910477018507369\zlib1.dll

Filesize
85KB

MD5
18f048e4354e4d29b37b22bda9229683

SHA1
03b677461baa7b8fab99b0d3f99fb635b12a91b4

SHA256
e205f0e3236cff4a2bde2299c097252eae1e959bcc7ec382b2f428f140be56c0

SHA512
192a1be4587dce9ee5628e63d6a6ed7d31ed8751fb107c2a0fd60e0ebf70c5f15368627374c3db8f316e88f8aa4b3d670c762dbf432f813a901519205aae5464

Download Submit
memory/2580-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2580-2627-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2580-2628-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2580-2732-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/2580-0-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/2580-2734-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2580-2620-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/4592-2736-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4592-2735-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/4592-2759-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4592-2758-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download