asyncrat | 31fdb1bf0a8b7e585501c3d3205095a0200dc8e40b1a6be5c6ff0f0638875e43

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe
Size

21.3MB
MD5

223eb1433f7cd227555d88fc906c439a
SHA1

0fdcb189fc89fffd45d686923e1dcd1c71f91444
SHA256

92e44ead94437a6f12bcd4bbf2e016be0099b547ca78146272fbb16363ac3310
SHA512

44689f5f849f2c7c1fb3af7919f42d5396006cbf5f12a79b186747e1710f6aaea52cd2985d5d7ae7f87ae63e070b7ed0bb9d1febd1954bcc90d4ee409b3492ca
SSDEEP

393216:3ppWYSq1A5Jm69mhzyoEsDU6iauKgdBGaSbLb0Kr+B2p9Zey0WThqji7l2D:ZpWYvkJH97oMTKKG1Lb01gpvdyi7i

Score

10^/10

asyncrat darkcomet quasar default netshare office15 discovery evasion rat spyware trojan

Malware Config

Extracted

Family

darkcomet

Botnet

netshare

novachrono.dyndns-ip.com:51399

Mutex

DC_MUTEX-6JFEBFK

Attributes

gencode
jJtniSTX6QWK
install
false
offline_keylogger
true
persistence
false

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

novachrono.dyndns-ip.com:51397

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
repair-win.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

Office15

novachrono.dyndns-ip.com:51396

Mutex

f855a54f-46fa-48dc-a390-f591a2e4bd98

Attributes

encryption_key
E5D6E7988D0C5E1B3786B30C1AE84CBBC1CF4B1E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/2836-100-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/2836-103-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/2836-132-0x0000000004690000-0x0000000004714000-memory.dmp	family_quasar
behavioral1/memory/2836-141-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/2536-844-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/1556-1022-0x00000000004A0000-0x0000000000524000-memory.dmp	family_quasar
behavioral1/memory/1556-1021-0x00000000004A0000-0x0000000000524000-memory.dmp	family_quasar
behavioral1/memory/1556-1033-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/980-1074-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/2944-1114-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/2168-1157-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2900-131-0x00000000003F0000-0x0000000000402000-memory.dmp	family_asyncrat

Executes dropped EXE 50 IoCs

pid	Process
2744	data-com.exe
2052	netshare x86_644.exe
2608	Office155.exe
2824	win-tooll.exe
2836	Office155.exe
2900	win-tooll.exe
1728	netshare x86_644.exe
2952	driverfusionfreesetup.exe
1592	MSI9DFC.tmp
2688	MSIB16D.tmp
908	Office155.exe
2536	Office155.exe
2336	MSIC9BE.tmp
1200	MSIE22F.tmp
2528	Office155.exe
1556	Office155.exe
2612	MSIF5B0.tmp
1900	MSI941.tmp
616	Office155.exe
980	Office155.exe
2504	MSI21A2.tmp
2236	MSI3A03.tmp
800	Office155.exe
2944	Office155.exe
3044	MSI5264.tmp
1508	MSI6AC5.tmp
1704	Office155.exe
2168	Office155.exe
1636	MSI8336.tmp
2388	MSI96B7.tmp
1228	Office155.exe
1472	Office155.exe
2020	MSIAF18.tmp
332	MSIC788.tmp
1088	Office155.exe
1752	Office155.exe
3028	MSIDB09.tmp
2148	MSIF37A.tmp
2108	Office155.exe
848	Office155.exe
1968	MSI6FB.tmp
1532	MSI1F6C.tmp
2020	MSI32ED.tmp
2148	Office155.exe
3008	Office155.exe
3332	MSI4B4E.tmp
3464	MSI5EDE.tmp
3528	Office155.exe
3568	Office155.exe
3812	MSI773F.tmp

Loads dropped DLL 64 IoCs

pid	Process
2536	92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe
2744	data-com.exe
2744	data-com.exe
2744	data-com.exe
2744	data-com.exe
2744	data-com.exe
2744	data-com.exe
2744	data-com.exe
2744	data-com.exe
2744	data-com.exe
2744	data-com.exe
2744	data-com.exe
2744	data-com.exe
2824	win-tooll.exe
2608	Office155.exe
2052	netshare x86_644.exe
2608	Office155.exe
2824	win-tooll.exe
2052	netshare x86_644.exe
2536	92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe
2952	driverfusionfreesetup.exe
2952	driverfusionfreesetup.exe
2724	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe
2952	driverfusionfreesetup.exe
2952	driverfusionfreesetup.exe
1900	cmd.exe
908	Office155.exe
908	Office155.exe
2952	driverfusionfreesetup.exe
2952	driverfusionfreesetup.exe
620	cmd.exe
2528	Office155.exe
2528	Office155.exe
2952	driverfusionfreesetup.exe
2952	driverfusionfreesetup.exe
2320	cmd.exe
616	Office155.exe
616	Office155.exe
2952	driverfusionfreesetup.exe
2952	driverfusionfreesetup.exe
2800	cmd.exe
800	Office155.exe
800	Office155.exe
2952	driverfusionfreesetup.exe
2952	driverfusionfreesetup.exe
2860	cmd.exe
1704	Office155.exe
1704	Office155.exe
2952	driverfusionfreesetup.exe
2952	driverfusionfreesetup.exe
1384	cmd.exe
1228	Office155.exe
1228	Office155.exe
2952	driverfusionfreesetup.exe
2952	driverfusionfreesetup.exe
1756	cmd.exe
1088	Office155.exe
1088	Office155.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI9DFC.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSIC9BE.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI941.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI6AC5.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSIDB09.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSIB16D.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI3A03.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI32ED.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI4B4E.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI5EDE.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSIE22F.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSIF5B0.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI21A2.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI8336.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI96B7.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSIC788.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI1F6C.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI773F.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI5264.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSIAF18.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSIF37A.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI6FB.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	driverfusionfreesetup.exe
File opened (read-only)	\??\Y:	driverfusionfreesetup.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	driverfusionfreesetup.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	driverfusionfreesetup.exe
File opened (read-only)	\??\Q:	driverfusionfreesetup.exe
File opened (read-only)	\??\S:	driverfusionfreesetup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	driverfusionfreesetup.exe
File opened (read-only)	\??\V:	driverfusionfreesetup.exe
File opened (read-only)	\??\A:	driverfusionfreesetup.exe
File opened (read-only)	\??\T:	driverfusionfreesetup.exe
File opened (read-only)	\??\X:	driverfusionfreesetup.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	driverfusionfreesetup.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	driverfusionfreesetup.exe
File opened (read-only)	\??\N:	driverfusionfreesetup.exe
File opened (read-only)	\??\U:	driverfusionfreesetup.exe
File opened (read-only)	\??\Z:	driverfusionfreesetup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	driverfusionfreesetup.exe
File opened (read-only)	\??\O:	driverfusionfreesetup.exe
File opened (read-only)	\??\P:	driverfusionfreesetup.exe
File opened (read-only)	\??\W:	driverfusionfreesetup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	driverfusionfreesetup.exe
File opened (read-only)	\??\M:	driverfusionfreesetup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	driverfusionfreesetup.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 2608 set thread context of 2836	2608	Office155.exe	34
PID 2824 set thread context of 2900	2824	win-tooll.exe	35
PID 2052 set thread context of 1728	2052	netshare x86_644.exe	36
PID 908 set thread context of 2536	908	Office155.exe	52
PID 2528 set thread context of 1556	2528	Office155.exe	62
PID 616 set thread context of 980	616	Office155.exe	71
PID 800 set thread context of 2944	800	Office155.exe	81
PID 1704 set thread context of 2168	1704	Office155.exe	91
PID 1228 set thread context of 1472	1228	Office155.exe	101
PID 1088 set thread context of 1752	1088	Office155.exe	111
PID 2108 set thread context of 848	2108	Office155.exe	120
PID 2148 set thread context of 3008	2148	Office155.exe	131
PID 3528 set thread context of 3568	3528	Office155.exe	139

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\data-com.exe	92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data-com.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIC9BE.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIDB09.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI1F6C.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI773F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverfusionfreesetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIC788.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI21A2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI3A03.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIF37A.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI9DFC.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIAF18.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI8336.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI32ED.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI6AC5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIB16D.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI6FB.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI4B4E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netshare x86_644.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2340	PING.EXE
2508	PING.EXE
1588	PING.EXE
2692	PING.EXE
1200	PING.EXE
3272	PING.EXE
3720	PING.EXE
1628	PING.EXE
648	PING.EXE
1548	PING.EXE
648	PING.EXE

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000019547-37.dat	nsis_installer_1
behavioral1/files/0x0008000000019547-37.dat	nsis_installer_2
behavioral1/files/0x00090000000195af-59.dat	nsis_installer_1
behavioral1/files/0x00090000000195af-59.dat	nsis_installer_2
behavioral1/files/0x00090000000195bb-72.dat	nsis_installer_1
behavioral1/files/0x00090000000195bb-72.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1068ddf70f57db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{31D1DC91-C303-11EF-BE2D-CA3CF52169FD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000b5ff52700d9c02f57896848d3a39a2c622e6272271f836c04fe101a12d729470000000000e8000000002000020000000e7d3301e475a761fb30fa0c4d6100e463b41853d2da0dd5e6d405ae647d99b9590000000f837c942b405906c5a1fb3958b4a23bc15813a1d95c7832edf1dd33e29f4daf84bc03bad80fb4e5c1c00699a55cc45350ef3ccb26d5acc78b1dd58127fc152b26dc9143fd45ced33d08162ed4e8117ffd619aebda9afeab73a7d1f897458f844fdb3cfb7ed02d0d8098b87caf2313a342cdac461a2605330f0e11d862dde0cd4f1175dc9e4a434c8ed9c5d9c485ec84c40000000ef79e0f8b558fee23791c86f565400ea250b1e7b96d024bd31bf80ffd4fce45d9ba5ce80bbf75fa05e5b46d2b4e84b544ff45ad125849c045b47be0103b04768	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441322265"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000831852618db3b5671fa748b71596292838af028bd4f99ffa84bad31b10302504000000000e8000000002000020000000f658e385f9c7d16f3839c46c753ebdf9e039a686d3b247a742c7634a10ebc0fb20000000882221f5d40be66dd2e7a29480babb6b426d3a17592d42fa9c015a709ba1f84a40000000896298d366599e7c0be9ed197e4b6b23d8401e6bcbe3f62cea70bc4286b68c7a4e880d95552d10ebdc1cf3a7bf36d4a226654f6bfb41f2a687442e716ba3cd3c	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	driverfusionfreesetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	driverfusionfreesetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	driverfusionfreesetup.exe

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
3720	PING.EXE
2508	PING.EXE
1588	PING.EXE
1548	PING.EXE
1200	PING.EXE
648	PING.EXE
3272	PING.EXE
2340	PING.EXE
1628	PING.EXE
2692	PING.EXE
648	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2608	Office155.exe
2608	Office155.exe
2608	Office155.exe
2608	Office155.exe
2824	win-tooll.exe
2824	win-tooll.exe
2824	win-tooll.exe
2824	win-tooll.exe
2052	netshare x86_644.exe
2052	netshare x86_644.exe
2052	netshare x86_644.exe
2052	netshare x86_644.exe
908	Office155.exe
908	Office155.exe
908	Office155.exe
908	Office155.exe
2528	Office155.exe
2528	Office155.exe
2528	Office155.exe
2528	Office155.exe
2788	iexplore.exe
616	Office155.exe
616	Office155.exe
616	Office155.exe
616	Office155.exe
2788	iexplore.exe
2788	iexplore.exe
800	Office155.exe
800	Office155.exe
800	Office155.exe
800	Office155.exe
2788	iexplore.exe
1704	Office155.exe
1704	Office155.exe
1704	Office155.exe
1704	Office155.exe
2788	iexplore.exe
2788	iexplore.exe
1228	Office155.exe
1228	Office155.exe
1228	Office155.exe
1228	Office155.exe
2788	iexplore.exe
2788	iexplore.exe
2788	iexplore.exe
2788	iexplore.exe
2788	iexplore.exe
2788	iexplore.exe
2788	iexplore.exe
2788	iexplore.exe
1088	Office155.exe
1088	Office155.exe
1088	Office155.exe
1088	Office155.exe
2788	iexplore.exe
2788	iexplore.exe
2788	iexplore.exe
2788	iexplore.exe
2788	iexplore.exe
2788	iexplore.exe
2788	iexplore.exe
2788	iexplore.exe
2108	Office155.exe
2108	Office155.exe

Suspicious behavior: MapViewOfSection 13 IoCs

pid	Process
2608	Office155.exe
2824	win-tooll.exe
2052	netshare x86_644.exe
908	Office155.exe
2528	Office155.exe
616	Office155.exe
800	Office155.exe
1704	Office155.exe
1228	Office155.exe
1088	Office155.exe
2108	Office155.exe
2148	Office155.exe
3528	Office155.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1728	netshare x86_644.exe
Token: SeSecurityPrivilege	1728	netshare x86_644.exe
Token: SeTakeOwnershipPrivilege	1728	netshare x86_644.exe
Token: SeLoadDriverPrivilege	1728	netshare x86_644.exe
Token: SeSystemProfilePrivilege	1728	netshare x86_644.exe
Token: SeSystemtimePrivilege	1728	netshare x86_644.exe
Token: SeProfSingleProcessPrivilege	1728	netshare x86_644.exe
Token: SeIncBasePriorityPrivilege	1728	netshare x86_644.exe
Token: SeCreatePagefilePrivilege	1728	netshare x86_644.exe
Token: SeBackupPrivilege	1728	netshare x86_644.exe
Token: SeRestorePrivilege	1728	netshare x86_644.exe
Token: SeShutdownPrivilege	1728	netshare x86_644.exe
Token: SeDebugPrivilege	1728	netshare x86_644.exe
Token: SeSystemEnvironmentPrivilege	1728	netshare x86_644.exe
Token: SeChangeNotifyPrivilege	1728	netshare x86_644.exe
Token: SeRemoteShutdownPrivilege	1728	netshare x86_644.exe
Token: SeUndockPrivilege	1728	netshare x86_644.exe
Token: SeManageVolumePrivilege	1728	netshare x86_644.exe
Token: SeImpersonatePrivilege	1728	netshare x86_644.exe
Token: SeCreateGlobalPrivilege	1728	netshare x86_644.exe
Token: 33	1728	netshare x86_644.exe
Token: 34	1728	netshare x86_644.exe
Token: 35	1728	netshare x86_644.exe
Token: SeDebugPrivilege	2836	Office155.exe
Token: SeRestorePrivilege	2736	msiexec.exe
Token: SeTakeOwnershipPrivilege	2736	msiexec.exe
Token: SeSecurityPrivilege	2736	msiexec.exe
Token: SeCreateTokenPrivilege	2952	driverfusionfreesetup.exe
Token: SeAssignPrimaryTokenPrivilege	2952	driverfusionfreesetup.exe
Token: SeLockMemoryPrivilege	2952	driverfusionfreesetup.exe
Token: SeIncreaseQuotaPrivilege	2952	driverfusionfreesetup.exe
Token: SeMachineAccountPrivilege	2952	driverfusionfreesetup.exe
Token: SeTcbPrivilege	2952	driverfusionfreesetup.exe
Token: SeSecurityPrivilege	2952	driverfusionfreesetup.exe
Token: SeTakeOwnershipPrivilege	2952	driverfusionfreesetup.exe
Token: SeLoadDriverPrivilege	2952	driverfusionfreesetup.exe
Token: SeSystemProfilePrivilege	2952	driverfusionfreesetup.exe
Token: SeSystemtimePrivilege	2952	driverfusionfreesetup.exe
Token: SeProfSingleProcessPrivilege	2952	driverfusionfreesetup.exe
Token: SeIncBasePriorityPrivilege	2952	driverfusionfreesetup.exe
Token: SeCreatePagefilePrivilege	2952	driverfusionfreesetup.exe
Token: SeCreatePermanentPrivilege	2952	driverfusionfreesetup.exe
Token: SeBackupPrivilege	2952	driverfusionfreesetup.exe
Token: SeRestorePrivilege	2952	driverfusionfreesetup.exe
Token: SeShutdownPrivilege	2952	driverfusionfreesetup.exe
Token: SeDebugPrivilege	2952	driverfusionfreesetup.exe
Token: SeAuditPrivilege	2952	driverfusionfreesetup.exe
Token: SeSystemEnvironmentPrivilege	2952	driverfusionfreesetup.exe
Token: SeChangeNotifyPrivilege	2952	driverfusionfreesetup.exe
Token: SeRemoteShutdownPrivilege	2952	driverfusionfreesetup.exe
Token: SeUndockPrivilege	2952	driverfusionfreesetup.exe
Token: SeSyncAgentPrivilege	2952	driverfusionfreesetup.exe
Token: SeEnableDelegationPrivilege	2952	driverfusionfreesetup.exe
Token: SeManageVolumePrivilege	2952	driverfusionfreesetup.exe
Token: SeImpersonatePrivilege	2952	driverfusionfreesetup.exe
Token: SeCreateGlobalPrivilege	2952	driverfusionfreesetup.exe
Token: SeCreateTokenPrivilege	2952	driverfusionfreesetup.exe
Token: SeAssignPrimaryTokenPrivilege	2952	driverfusionfreesetup.exe
Token: SeLockMemoryPrivilege	2952	driverfusionfreesetup.exe
Token: SeIncreaseQuotaPrivilege	2952	driverfusionfreesetup.exe
Token: SeMachineAccountPrivilege	2952	driverfusionfreesetup.exe
Token: SeTcbPrivilege	2952	driverfusionfreesetup.exe
Token: SeSecurityPrivilege	2952	driverfusionfreesetup.exe
Token: SeTakeOwnershipPrivilege	2952	driverfusionfreesetup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2952	driverfusionfreesetup.exe
2788	iexplore.exe

Suspicious use of SetWindowsHookEx 60 IoCs

pid	Process
1728	netshare x86_644.exe
2836	Office155.exe
2788	iexplore.exe
2788	iexplore.exe
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2056	IEXPLORE.EXE
2056	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2248	IEXPLORE.EXE
2248	IEXPLORE.EXE
2056	IEXPLORE.EXE
2056	IEXPLORE.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2248	IEXPLORE.EXE
2248	IEXPLORE.EXE
2248	IEXPLORE.EXE
2248	IEXPLORE.EXE
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
3900	IEXPLORE.EXE
3900	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2744	2536	92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe	30
PID 2536 wrote to memory of 2744	2536	92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe	30
PID 2536 wrote to memory of 2744	2536	92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe	30
PID 2536 wrote to memory of 2744	2536	92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe	30
PID 2744 wrote to memory of 2052	2744	data-com.exe	31
PID 2744 wrote to memory of 2052	2744	data-com.exe	31
PID 2744 wrote to memory of 2052	2744	data-com.exe	31
PID 2744 wrote to memory of 2052	2744	data-com.exe	31
PID 2744 wrote to memory of 2608	2744	data-com.exe	32
PID 2744 wrote to memory of 2608	2744	data-com.exe	32
PID 2744 wrote to memory of 2608	2744	data-com.exe	32
PID 2744 wrote to memory of 2608	2744	data-com.exe	32
PID 2744 wrote to memory of 2824	2744	data-com.exe	33
PID 2744 wrote to memory of 2824	2744	data-com.exe	33
PID 2744 wrote to memory of 2824	2744	data-com.exe	33
PID 2744 wrote to memory of 2824	2744	data-com.exe	33
PID 2608 wrote to memory of 2836	2608	Office155.exe	34
PID 2608 wrote to memory of 2836	2608	Office155.exe	34
PID 2608 wrote to memory of 2836	2608	Office155.exe	34
PID 2608 wrote to memory of 2836	2608	Office155.exe	34
PID 2608 wrote to memory of 2836	2608	Office155.exe	34
PID 2824 wrote to memory of 2900	2824	win-tooll.exe	35
PID 2824 wrote to memory of 2900	2824	win-tooll.exe	35
PID 2824 wrote to memory of 2900	2824	win-tooll.exe	35
PID 2824 wrote to memory of 2900	2824	win-tooll.exe	35
PID 2824 wrote to memory of 2900	2824	win-tooll.exe	35
PID 2052 wrote to memory of 1728	2052	netshare x86_644.exe	36
PID 2052 wrote to memory of 1728	2052	netshare x86_644.exe	36
PID 2052 wrote to memory of 1728	2052	netshare x86_644.exe	36
PID 2052 wrote to memory of 1728	2052	netshare x86_644.exe	36
PID 2052 wrote to memory of 1728	2052	netshare x86_644.exe	36
PID 2536 wrote to memory of 2952	2536	92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe	37
PID 2536 wrote to memory of 2952	2536	92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe	37
PID 2536 wrote to memory of 2952	2536	92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe	37
PID 2536 wrote to memory of 2952	2536	92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe	37
PID 2536 wrote to memory of 2952	2536	92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe	37
PID 2536 wrote to memory of 2952	2536	92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe	37
PID 2536 wrote to memory of 2952	2536	92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe	37
PID 2736 wrote to memory of 2724	2736	msiexec.exe	40
PID 2736 wrote to memory of 2724	2736	msiexec.exe	40
PID 2736 wrote to memory of 2724	2736	msiexec.exe	40
PID 2736 wrote to memory of 2724	2736	msiexec.exe	40
PID 2736 wrote to memory of 2724	2736	msiexec.exe	40
PID 2736 wrote to memory of 2724	2736	msiexec.exe	40
PID 2736 wrote to memory of 2724	2736	msiexec.exe	40
PID 2836 wrote to memory of 1900	2836	Office155.exe	41
PID 2836 wrote to memory of 1900	2836	Office155.exe	41
PID 2836 wrote to memory of 1900	2836	Office155.exe	41
PID 2836 wrote to memory of 1900	2836	Office155.exe	41
PID 1900 wrote to memory of 2772	1900	cmd.exe	43
PID 1900 wrote to memory of 2772	1900	cmd.exe	43
PID 1900 wrote to memory of 2772	1900	cmd.exe	43
PID 1900 wrote to memory of 2772	1900	cmd.exe	43
PID 1900 wrote to memory of 2340	1900	cmd.exe	44
PID 1900 wrote to memory of 2340	1900	cmd.exe	44
PID 1900 wrote to memory of 2340	1900	cmd.exe	44
PID 1900 wrote to memory of 2340	1900	cmd.exe	44
PID 2952 wrote to memory of 1592	2952	driverfusionfreesetup.exe	45
PID 2952 wrote to memory of 1592	2952	driverfusionfreesetup.exe	45
PID 2952 wrote to memory of 1592	2952	driverfusionfreesetup.exe	45
PID 2952 wrote to memory of 1592	2952	driverfusionfreesetup.exe	45
PID 2952 wrote to memory of 1592	2952	driverfusionfreesetup.exe	45
PID 2952 wrote to memory of 1592	2952	driverfusionfreesetup.exe	45
PID 2952 wrote to memory of 1592	2952	driverfusionfreesetup.exe	45

C:\Users\Admin\AppData\Local\Temp\92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe
"C:\Users\Admin\AppData\Local\Temp\92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Program Files (x86)\Common Files\data-com.exe
  "C:\Program Files (x86)\Common Files\data-com.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\netshare x86_644.exe
    "C:\Users\Admin\AppData\Local\Temp\netshare x86_644.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\netshare x86_644.exe
      "C:\Users\Admin\AppData\Local\Temp\netshare x86_644.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1728
- - C:\Users\Admin\AppData\Local\Temp\Office155.exe
    "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\Office155.exe
      "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dRqbyN1akOhc.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2340
      - C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aiVL5Y5COVH1.bat" "
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q9X0BEW9sTuU.bat" "
        11⤵
        Loads dropped DLL
        
        PID:2320
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        13⤵
        Executes dropped EXE
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SsYARIj6s82S.bat" "
        14⤵
        Loads dropped DLL
        
        PID:2800
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        16⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\S197muYP66je.bat" "
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ui01nlLyekPW.bat" "
        20⤵
        Loads dropped DLL
        
        PID:1384
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jtAKEycc8Xdf.bat" "
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        25⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eGtKODSLEJ70.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jpuNhEqOiPgD.bat" "
        29⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QpeNlbeqHrnh.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QodzbbMMGHoA.bat" "
        35⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        36⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3720
- - C:\Users\Admin\AppData\Local\Temp\win-tooll.exe
    "C:\Users\Admin\AppData\Local\Temp\win-tooll.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\win-tooll.exe
      "C:\Users\Admin\AppData\Local\Temp\win-tooll.exe"
      4⤵
      Executes dropped EXE
      PID:2900
- C:\Users\Admin\AppData\Local\Temp\driverfusionfreesetup.exe
  "C:\Users\Admin\AppData\Local\Temp\driverfusionfreesetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\MSI9DFC.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSI9DFC.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:1592
- - C:\Users\Admin\AppData\Local\Temp\MSIB16D.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSIB16D.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:2688
- - C:\Users\Admin\AppData\Local\Temp\MSIC9BE.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSIC9BE.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:2336
- - C:\Users\Admin\AppData\Local\Temp\MSIE22F.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSIE22F.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\MSIF5B0.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSIF5B0.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:2612
- - C:\Users\Admin\AppData\Local\Temp\MSI941.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSI941.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:1900
- - C:\Users\Admin\AppData\Local\Temp\MSI21A2.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSI21A2.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:2504
- - C:\Users\Admin\AppData\Local\Temp\MSI3A03.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSI3A03.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:2236
- - C:\Users\Admin\AppData\Local\Temp\MSI5264.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSI5264.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:3044
- - C:\Users\Admin\AppData\Local\Temp\MSI6AC5.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSI6AC5.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:1508
- - C:\Users\Admin\AppData\Local\Temp\MSI8336.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSI8336.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:1636
- - C:\Users\Admin\AppData\Local\Temp\MSI96B7.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSI96B7.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:2388
- - C:\Users\Admin\AppData\Local\Temp\MSIAF18.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSIAF18.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:2020
- - C:\Users\Admin\AppData\Local\Temp\MSIC788.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSIC788.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:332
- - C:\Users\Admin\AppData\Local\Temp\MSIDB09.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSIDB09.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:3028
- - C:\Users\Admin\AppData\Local\Temp\MSIF37A.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSIF37A.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:2148
- - C:\Users\Admin\AppData\Local\Temp\MSI6FB.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSI6FB.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\MSI1F6C.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSI1F6C.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\MSI32ED.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSI32ED.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:2020
- - C:\Users\Admin\AppData\Local\Temp\MSI4B4E.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSI4B4E.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:3332
- - C:\Users\Admin\AppData\Local\Temp\MSI5EDE.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSI5EDE.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:3464
- - C:\Users\Admin\AppData\Local\Temp\MSI773F.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSI773F.tmp" https://treexy.com/products/driver-fusion/
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:3812

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C15E32035C49DFA05186D03F25F5DF74 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2788
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2712
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:537615 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1988
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275481 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2568
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:996369 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2056
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:930842 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1768
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:603186 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2888
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:799820 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2248
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:799845 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1480
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:603250 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2936
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:865381 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2740
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:668766 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2760
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:734335 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
79c6981eec78bb1d4bb1c511f4018387

SHA1
b9814770fe805794569df2842c480880ec7bf68f

SHA256
ae31c368361ef181266fea55f36364dde9bfac3d58034d60fe1b675a65e53640

SHA512
340ca9c860e7a1ea9c7c605dabc6cf68f5e9a9c782b2a169424b7063f7164464f1fb063ce62dc4b553de3afbc63204a95736c7f7f2bd82538d5ab9113b79239d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acfd5c13c24edc49c043c1e751789dc9

SHA1
e7327297c26e8dfa9fbadd9731dc90c56ff090d7

SHA256
aa01f1d81953dcf6324e820abd0e36ae0e377c823c0d5a11127dd79ffadf83e8

SHA512
7c9704de80e9ef6becc20afb8580c6df018563aa9da7ce2bacdf18d59406b2148ecea2ae84ab597ca8c08d98b9bbd82a757921247ae6470320d250c448103e78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1045128e9c05110af8196469973af4bd

SHA1
9122011bac683069c4f6a39a655c3bede1017413

SHA256
ef0efe4211216b07dd87586608854563c03361d36fac7c790a51e6e1db00e4a8

SHA512
d7c352e289cf1c8e679e6cefd4b1d6edd2d890e0fea65522c394a16f8bfdaa62df026e352bbaf6e6193d3837cc2f7969f0b8ff5dbd08d97a16a004ae68dd6869

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6837285b6be80448475e095ac207102f

SHA1
ef367414f8e8973f756f71bf820a1597d0aa1116

SHA256
9153e0b0744f5c303f2939672bff236558d5bffdcdf89988b6f64f64fb599871

SHA512
4289dd38e71e5085c2a3fac46a36b935013023dfe11ffc3e399624a582abd022b074350daaa0230a646be962b7b8e8168f8842e5bf313a1bc17ca6c2418509cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d0ee80c1c102827425059fe4dfcc3be

SHA1
02e0ca9bc74b649c52b6f0f4b1c337c9f0f28ccc

SHA256
305d13a305b57327485c725884012bc3e47ec7ae7632ba684dce3186dea6ed3c

SHA512
0c3e1272f721b011a9429db384e160dcda12f2a7f9e01b84b1a554d4b10ba6a84d3a8c0b2d530b23b4038acd53b392670d53a0653a574cd08c83224200243348

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1780a2b495e63fecf5175492a48e048e

SHA1
341b1f852986747877da5076173e9d9cc993b742

SHA256
b7e433cfd424f3a0f837054d06d49e4ea6294bd865b93a0f0bdaec4dcda58dd2

SHA512
a90acb7d9ddd3f8b5ebf55c97511909311eb17e9262a4cbd2c2c4de91087376d699966496eab6132e6b893ccf4f783a2b89f02bbbe64db8a143096c4cf2e7bd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a3f54a69e63a791cb42fc8208703f56

SHA1
ad48ecfcd6dc03c6d02170fade36f93d5d1ffb54

SHA256
366f9c0fc678a324838853fe67b34d08cfa8f054d85fa85a92644732a925c653

SHA512
5183affb7b554db8c97c5f063b7e467ae73f123f96a7acd00306a9431cce80ccdfe00ae2eb794e999a708513691f3a8edac30082e8e6b71bbfb16306059cb29c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98d1a36e039a4f8bf18be188fdf46d4e

SHA1
052562f164ee89e1087f7edd88ad6b0f1e95fdf6

SHA256
a8fdc197f21a05dabeaf62eee4fc9e47ec0d906dab8b6aded9c5847a2b3e1537

SHA512
e6d92a6d0c25e8b6188759bd6889f4c857f2b33388826657abe0d0446605a37a3ee6ab4d62b4b7f34963ee9f50222f4a753ca6616329d329d84e34b79666a3ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
852c49610d5b2b0b5f917b09e5e7f2de

SHA1
cfe51569e0a53debe188eddb9034f8b95b50e229

SHA256
6f91be01bfcdbbf0c65a08d1afa576db1ebddb4dcfe93df6608c0722818c102d

SHA512
7b1339391f4e07bf9df0ea5bde627e28a5b1933982567bafeb6fcc9079f0f37395e48ec7d7e36f1d3c45164390e85966ee4ff0e9067ddbeaf13ab78d73170c0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e9ab8c3e492f95372e011776fb6bb59

SHA1
a3efbc03632559d6d27f90133b689a3a97ae6619

SHA256
cc12a9b09f467c52fc404588d19f112ef200276eaaffd1cdba8f6b45a3e506e1

SHA512
f7ff8f35bf63c3913fe6f741d93c8fd46e1efcfed71d10184a365ea5a84676ef31e64e7f4e7f4e6a26004114c551265d4b053ca1b442b71d0861d379d077c17a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
318e83edeeb372866c7fac28e3faf551

SHA1
93854dde6ee84be0cae7f207d733646421f93978

SHA256
00902f93263e733014b08876b255c95670c3b08dfd93bd7ab6140c90a523f49b

SHA512
64437208c720d882260ab850887a2668698c66f3445b00f788e768702af3143fe47f1a0475e06df1eb2587f6ab8bb7962034cf894748ffd3f40198f555719ff0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a66f47551dfc043255a3626e9945f03

SHA1
ec7d2bcb8d119f0666c7947b239cb0054fd80ca1

SHA256
9297128b2a4153e85bfb87c1751615df37944633939e531a3cf941e367527785

SHA512
9100d9bde1705353563815c745e7a06f2975439981acd322f10813d7106c3a227bd9e921b53c1391f4343d4eeede307a532d2796f0cc9634768464f4ee78a21f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3a5fd0906d8329bdb9ae4afbfdfc250

SHA1
475ce1c2e971eb0fc7dbcfe1b76346813e795b43

SHA256
a0f3825385eb39f38ac31b606e3b6f5958673368e9b6745d596b088e75927ac0

SHA512
10e7db0b76acd0917c96c505bd8d4349b9a20ec00e216a0da35e4514e6b430073a7175ca8d6750aff4129790b4e18b64c550ae74fc0d3e633868f02f06ffad56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a421c232866f8531d1f646ce3cdc0ba5

SHA1
8c24b336adbe8b2624f221c8128f3c1e067a7838

SHA256
055823a26df86edc719f2544e1cec4dfa01f9ada7c4d848de6d4c9c80d4c1690

SHA512
9ea37acdffbc0eb37d5d5eb2dcb118378d9f7e7b633fd79425cd9166af9f4940c09100c971015fa56c8a7f7a7ac74e66f52c0264fae06b2de9e85aa4eebd2f33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb11e2f200d7f49786afa7d048b4e425

SHA1
073a54950eba1775392bde99d4d121d62fa506e9

SHA256
697309d7ae8e3891e69425b6d581deccfd345c82804c1ca5f8fd3fe35a81d08f

SHA512
e3a3c0262f6f746efe5adb19e9d59c861d4770a820580dd72e086840dbf03acabc8f12105b40f6f67a621b47707f21d71e1bf7bd47f7e64e0f117ccb53bec250

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e30494c455083e8a386215aaa217590f

SHA1
494d798e695031141fdb591e2c884c22f9f81e1f

SHA256
698d75817899128ec807f915542edf550e906646528b1b675cecd03ae8c61e54

SHA512
10d12a4886be342137eeb7b9c42875dbcf657704e929b787b27d0d945cb3b31b6ab248440050a1f444703a8ac87daba14200888717786bc670057ddf6f2c4f11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e19b6dbd04b51a51cd49a68386ff4d5

SHA1
bc626858dfc18b095c2653cfdbbbf4e3b217f49d

SHA256
72f3f65ab41607a3c8433e8e195e445219942a700a8fbde62206ea762f3398e9

SHA512
5e8e0fa4df19d1f20f596fc474c56ac06d2e44ddb203ec24cdd8e20c2cbec67120409d419c77b728c3ea723c85b5be8595a934f72603c0833d1e02ee60a6bdfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67b0c95d321896d46ce3b4e1f8c0870f

SHA1
85cb2e4f3d428d03db95c30134642214622f7d3a

SHA256
51764e7925522fa830ea63aa28f87b17d6fab0fd18494a5a2e487adbb255a04e

SHA512
8db4db0ee99b54591a0a5aa36c958cff158358c185c8a7428df20e1ad8ac1d1b7d46e6a5efd6152fbf18aa6639e28567e7469b9f88bbeaa1712964472ca3ba4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a87cd8a0ed85edf94d17515c7851a4c

SHA1
ba8c9ade11b8879b75850d60195d113235b0bafa

SHA256
afdd3acc17f14738b9e7abff0b20321b76422e841ee939242f33c6306d389f52

SHA512
dc21062f2070fc9cbb71d22986217a766b67d46a65a476999441cb1546a0bc48254fbcefad6c32dc7488ea3da18f422bfb0bbf1c05eb77e6f85c2bafb85c80fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c49cc8d9f72a25044cdbec157ab05624

SHA1
eb07a649442677c9005c28d3c30314456bcb5c48

SHA256
b1bc0bcdef554c365c10f3c89593f238b64891cb0855300235b2f7f2e2c097f8

SHA512
df1e6051d4820efad1217efebd3cd3c64c49a8d28253aa75c232f590f5cc3cbb21eb391864815a3a5c5f9a3c9e56ac3f5c1d3b06393a420ac4f7b64479a2067a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33fffde3ace4b2e8c875ccdf31cf0836

SHA1
c0b45c81fb05f13e950116e0ab01f6b6abe71af0

SHA256
124c53d32760b7b231a6a0f629560dbc48993da44fed761f59427c544d000ff9

SHA512
f5b14196ee6084df0b1e804577fe9870a3fe630a458c544b4abaf7ec076c03ba1818fde8a94399142a05078b6935d0ded3d7ff365df7ea0e601f9633ba5fb9d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a9b596dd7a231cd44a3e5cb8c6edcb33

SHA1
8d0c062e789231e24c004fe07eed6a6f05d2c8aa

SHA256
91332771969223a4a48e8f108a4244b9c89bfda77a814751e3355f7f8fef48e0

SHA512
56bbc46d53ea7eb65d35870fc6b47a7d9a7603e7343dd9ab3c6b23d0625c8d578d38ed463b719530bf1544cbccae0794367cbba747a158b371c4b83ef899bcbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp

Filesize
5.0MB

MD5
05b1aaf5b9e8081a45e58c20ddcfc3a8

SHA1
9ddcc738e83f35549dba1afeef34c7a17ff07d9d

SHA256
f14cfca76541c6bf9216be41985c162c32ee4b910a6d83c244e1ffb618f75185

SHA512
b865b7e879245c74bfd0cd7c9c0c500abc9ef9e1d5297ed6c6951cfffa409d7455316f12039b453e48be1ad7f13d9ffff04e41d4c6104da25f37d2242a1f3e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2952\PreparePrereqDlgProgress.gif

Filesize
24KB

MD5
f550f449baed1315c7965bd826c2510b

SHA1
772e6e82765dcfda319a68380981d77b83a3ab1b

SHA256
0ee7650c7faf97126ddbc7d21812e093af4f2317f3edcff16d2d6137d3c0544d

SHA512
7608140bc2d83f509a2afdaacd394d0aa5a6f7816e96c11f4218e815c3aaabf9fc95dd3b3a44b165334772ebdab7dfa585833850db09442743e56b8e505f6a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2952\backbutton

Filesize
404B

MD5
50e27244df2b1690728e8252088a253c

SHA1
b84ad02fd0ed3cb933ffbd123614a2495810442b

SHA256
71836c56ec4765d858dc756541123e44680f98da255faf1ece7b83d79809b1c3

SHA512
ba3d3535bfd2f17919e1a99e89fdb1c9a83507ff3c2846c62770e210a50aee1281445d510858d247cc9619861089aaf20f45b0b7c39f15c0ea039ac5498fa03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2952\backgroundprepare

Filesize
134B

MD5
a0efb0e7b9cee25b09e09a1a64e96ba6

SHA1
0c1e18f6f5e6e5e6953e9fb99ca60fdec35d6e39

SHA256
f044f542bc46464054084c63596877f06c6e2c215c0e954c4ace9787ced82787

SHA512
7e53f9f564aaa529b3b15035671957c2923ec98ddee93758ea7a4c8645ee9058962078771b853e3490290fde1f57030dff5092d40d69418776ffee89f79c8a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2952\frame_bottom_left.bmp

Filesize
66B

MD5
1fb3755fe9676fca35b8d3c6a8e80b45

SHA1
7c60375472c2757650afbe045c1c97059ca66884

SHA256
384ebd5800becadf3bd9014686e6cc09344f75ce426e966d788eb5473b28aa21

SHA512
dee9db50320a27de65581c20d9e6cf429921ebee9d4e1190c044cc6063d217ca89f5667dc0d93faf7dcc2d931fe4e85c025c6f71c1651cbd2d12a43f915932c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2952\frame_bottom_mid.bmp

Filesize
66B

MD5
71fa2730c42ae45c8b373053cc504731

SHA1
ef523fc56f6566fbc41c7d51d29943e6be976d5e

SHA256
205209facdebf400319dbcb1020f0545d7564b9415c47497528593e344795afd

SHA512
ea4415619720cc1d9fb1bb89a14903bfd1471b89f9c4847df4839084aae573d49b4969d3799ad30ff25b71f6e31f8d9f30701e1240d3cd6a063819c04873f21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2952\frame_caption.bmp

Filesize
206B

MD5
8641f45594b8d413bf1da25ce59f1207

SHA1
afebb23f5a55d304d028ca9942526b3649cddb52

SHA256
0403ed31d75dcc182dd98f2b603da4c36b6325e9d159cac4371e1448244bb707

SHA512
86a5f959f8462f866466dc706d3ae627b1fb019b8a33ee7fe48e3b69f92bf33dc0f1417c0d5116552b25b488bcb5d9050a33773e6883ebe08410267d95b2353a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2952\frame_left.bmp

Filesize
66B

MD5
30384472ae83ff8a7336b987292d8349

SHA1
85d3e6cffe47f5a0a4e1a87ac9da729537783cd0

SHA256
f545ec56bc9b690a6b952471669a8316e18274d64e2ebc9e365fcf44363a125a

SHA512
7611f930a0a1089cc5004203ec128c916f0c2aedae3a6fcc2eaffa8cd004dcbf154714e401947921a06896ca77c77daec7f9bda82369aacd3bb666f8a0331963

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2952\frame_left_inactive.bmp

Filesize
66B

MD5
4b84f29fbce81aab5af97a311d0e51e2

SHA1
60723cf4b91c139661db5ecb0964deca1fc196ea

SHA256
c93be5a7c979c534274fc1a965d26c126efa5d58c14066b14937e5aba3b9eb55

SHA512
775eadccc44fddbd1e0d4231bc90d222f0a9749199e1963449ad20285ea92941a5685cdc12c0cd8c0ef0a21e10bdacaf139e5c69cd5e402cc110679323c23df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2952\frame_top_left.bmp

Filesize
154B

MD5
1966f4308086a013b8837dddf88f67ad

SHA1
1b66c1b1ad519cad2a273e2e5b2cfd77b8e3a190

SHA256
17b5cd496d98db14e7c9757e38892883c7b378407e1f136889a9921abe040741

SHA512
ec50f92b77bca5117a9a262ba1951e37d6139b838099e1546ab2716c7bafb0fc542ce7f1993a19591c832384df01b722d87bb5a6a010091fc880de6e5cfa6c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2952\frame_top_mid.bmp

Filesize
66B

MD5
4e0ac65606b6aacd85e11c470ceb4e54

SHA1
3f321e3bbde641b7733b806b9ef262243fb8af3b

SHA256
1d59fe11b3f1951c104f279c1338fc307940268971d016ebe929a9998a5038ee

SHA512
7b28bcb4e76af3b863a7c3390b6cd3316c4631434e1d1e2df8d6e0eb9987a61a4f1a24de59567394e346d45e332403a0817ed0b0b64d7a624dbe48e30db9bb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2952\logo.png

Filesize
58KB

MD5
78b8486b89c4e3d214731ec1d13f466b

SHA1
d2792f1b48698f3c05f7a834c20b6f699e4d5b5c

SHA256
b068891ee9e1496d1da40e521f3d8243adf58910ee44a5feece91e6f9c8615c1

SHA512
e38f2aad280e6a21f042c9b725442ad6845e8a20b6ee121fbb226ee61a1ddcfa774ceb0b1a337f018e798edf5b747f2e154d656eba34396db80ca869c1fd9d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2952\metrobuttonimage

Filesize
404B

MD5
17368ff7073a6c7c2949d9a8eb743729

SHA1
d770cd409cf1a95908d26a51be8c646cace83e4c

SHA256
16e6e7662f3a204061c18090a64a8679f10bc408be802abd2c7c0e9fe865cbb4

SHA512
cbc3a378335f131d0146e5fe40cea38a741a0754a26304daebfda6f82c394cf0e151654782c6c8c7bbf7c354fcb72a2c66a77a87df528c2a3fa87c88f204059d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2952\nextcancelbuttons

Filesize
404B

MD5
583580e2c651f5c230fb3235b7ca0e3b

SHA1
a9bd6aeef43a6f4c0c00d1ecd98a585d7eb0aaa3

SHA256
65172283ee04f2fa18d0e57b21471be2e68017d1f61816aaaa6be070b446346f

SHA512
6c61e6c06c883113a7a0efbd352120354c070f5c17d770b6b821c42cb9d9ca895992842b29b51bd3e569b0c95e93709dd7c1c2a26bcff0ad425079f5302670ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2952\sys_close_normal.png

Filesize
225B

MD5
8ba33e929eb0c016036968b6f137c5fa

SHA1
b563d786bddd6f1c30924da25b71891696346e15

SHA256
bbcac1632131b21d40c80ff9e14156d36366d2e7bb05eed584e9d448497152d5

SHA512
ba3a70757bd0db308e689a56e2f359c4356c5a7dd9e2831f4162ea04381d4bbdbef6335d97a2c55f588c7172e1c2ebf7a3bd481d30871f05e61eea17246a958e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7B98.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI871B.tmp

Filesize
380KB

MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8874.tmp

Filesize
860KB

MD5
e922ff8f49a4734f442bcd26b4a05ba8

SHA1
13e0dcc761282b31a9e21118035768cf75145045

SHA256
f2fd2ccb8d8412753ca7aa3d402f29b8280bbd4f7170d53f613e05f742f13a22

SHA512
0d395483f4ac9af3f011990612517641d4e6734e184faa0f17b4525aab729350ad5b9737a1c0f0164ec81775a41fb21dc90b72609a7ab25a37c4d2a19f253a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q9X0BEW9sTuU.bat

Filesize
206B

MD5
d6a5b6c6ad07203e6e0ae675e99ba0d2

SHA1
ab109a7e9368c5b22046b7d4ef93ccc48114a55c

SHA256
2ee49e1d27d495f9f0a634b4f03765c7cd16466e64cf7a4d462affd4efde5385

SHA512
2e340e12d5d36e7fe26c0dea9ff703427cb1aced9c8edf9ebdfc6da0d918dabb00482edc27e11c36c9133a93de3d486561701c4821d27edace36855838625a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QodzbbMMGHoA.bat

Filesize
206B

MD5
0407cbc50176489dd6a13d7abdc943d2

SHA1
a417e9dbe3a63668c561ff86058bbb83c60e95b4

SHA256
36f5e0776055c1475fdab9719824a809aa6f1131b9f61afabeb35a75af444bca

SHA512
c3552fffbaca4dfc84c91c60e66297dc26c39c4e93c6e73cf1076d5095005c361f11fbb677846bf6d290dbdfc5d48ee8466354a2515b34a60514293c12fa6ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QpeNlbeqHrnh.bat

Filesize
206B

MD5
1fb2ffd00c3bfdd45e3a5644ea36d385

SHA1
fe05e7ee262c694d00abbabdf8f5bf1f1f651a8d

SHA256
9fb61b07a2433efab80259c6b47c8ef4aa438a92b1dda78c7f1f881fbc4fc4f2

SHA512
474a68d2f1e70a730ac4d6485705cd13f683fe91f10a307bc1a48905aed20d46d0e2d997cd514d802e2bfe25155f455cbe4dd9573e96d752d398969587d053fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\S197muYP66je.bat

Filesize
206B

MD5
e1103ba0c0a84feb4cda4fb8a0556ae3

SHA1
df3f4f3eb980c1ae9c835745e0a63c83631c4e91

SHA256
ba237d2843452be5e1d85ff8e82be77b42d3bcf3ce31acdcf63d2d74d1102799

SHA512
83c92164b3c4869aaf8cf2d9729d7c53ee6e82424dfcb126afbbeb9ca9f5814bc16a7ba084f1488b4e540a54eb01651d17706ab0bb23d578459db4a46cad52fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsYARIj6s82S.bat

Filesize
206B

MD5
346b4bdea6e002feddcbf2398fbef22b

SHA1
1284d30eb31a9687e7ada4a069d5e90e6d94d183

SHA256
bf5259c07bc95ac28fa9d3143301571490a495edd02d0822df25ffda12b7a5aa

SHA512
9f97d645fb674a02c4829a086ecc0c106bd120457ef28dc88bfcd4f67ef6a956bf6a749ea1f7fb23bfa90126d80a65fa12b6b26f92ca9ec4fceab9d2fb8d2b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7CC3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\URL9E52.url

Filesize
68B

MD5
38b8e980cbcd862f757ca8f8c37127b1

SHA1
1dd580d8e01ca1fdd57558612ad8dba221abc9aa

SHA256
5964310c78ca9e8d0d91e8b5fe3110c880662eb444dd468fc5eab0fbe207229e

SHA512
e0a9bb8d6f07738114463474448e8736638dc5611942369cd1a47a3b7f7d5e2874c23f6aa4dbd094d666cf9f133d473a00f923f48297e1b06a1847aec88fe409

Download Submit
C:\Users\Admin\AppData\Local\Temp\aiVL5Y5COVH1.bat

Filesize
206B

MD5
f028f0c854e234dd5c0e4b5c9b3051c5

SHA1
b9a8deb6ab2f6717f7e808ffa2d717631348e405

SHA256
509e8319d2c3907d2ce03c1bbcb18a0bfcf050407e8f44e61b9ec5f0554fbd2d

SHA512
9299e2481c97717d5f1eb581d955740a484ef9f9ab197d7a46744a523bdc1608715bb64a7abd803874ba6c3a24ad45b9b4145ebb078ff30205b4701718f52938

Download Submit
C:\Users\Admin\AppData\Local\Temp\dRqbyN1akOhc.bat

Filesize
206B

MD5
522d3be913f9a70eb14fdd763dbfeec7

SHA1
39a706d70aa02c7407208e0deef1d3f2f8aa3cdd

SHA256
43e8457f6a6294165e24a92d78866e439c7419880f0fa1e390617414fd7feeec

SHA512
d120955a479f2f0aa96238fd93fb1f1a22fcf97350838c370bbbf8280f6a9c2bfb0959efe235196539b75a04335db13148feae2204f12d67d98fb6ec001fc993

Download Submit
C:\Users\Admin\AppData\Local\Temp\driverfusionfreesetup.exe

Filesize
27.2MB

MD5
135ce5f33b23823bc4f5726a17274995

SHA1
028cd3a0cf53da5284c117be9ccc9d23aac57fdd

SHA256
b1a5b35572e3060001d9813a126463d564b2e43eea0d3dba658f3ef46f79f680

SHA512
31f7ac2f5154b5c265cf81ab45ea91f6a9dc1d264ca434a1ecb392ec3ea119231abc6742851441108de0e18b40daf375ecca8e97d80287e0cb0aafed4e96d39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eGtKODSLEJ70.bat

Filesize
206B

MD5
49e5067c157a800b61866dd4ef886b42

SHA1
5637a8bb7acc2db48610c885deb168cf9332569c

SHA256
8bbd78ef6168041f249eb65dc2d3b5fafb2be4b8bf4147f2919a5d894d5f8c2e

SHA512
3969876d16bbf8a59610f83a5bb280640df3367e25fe14bf8f7a247b3bf4da2630ebd54e62d3a71d84af7d4fa9dc5c4c979308f7179837a3ae8156a7359de5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpuNhEqOiPgD.bat

Filesize
206B

MD5
447e69085d8310cf9688ea46681d9033

SHA1
01e5a7af5923b36397cba7c3c65cee98ecaee4c9

SHA256
54a2622e173f3f58aeae23df3f20f6c4c0c6abe93a98f7001bf3bf6168393203

SHA512
1a438c618b699a26fdd5465e0153da8642cc4e69367e25fa944a53926b4b38e0bb516555abe5cc7b6a2245fdc007a00e7e8233bb22d4dc81abf3916fbd9d9154

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtAKEycc8Xdf.bat

Filesize
206B

MD5
bf4fea88b44d2caad49844fba799e24f

SHA1
0e50b4ec05506cdebc9919824572e71319f1e410

SHA256
7f2dbd324e4ff62cd6fbcdfb0c41633b19005009a6ed73232fea371d9cbfdbf7

SHA512
ef46dead7941019aff44816d24259462e4dfe4424260508501ac9670192bf1f158c86349ab124614f3da6bd74571ba2d27e22631f266833e775f616be31bd451

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse499F.tmp\7aew68vt0q.dll

Filesize
586KB

MD5
fd826e8cb4ced9c11498351c5d602c35

SHA1
81295b8b5146668e5b1e97ed414cd5807c5b83a4

SHA256
8202d16efc125121e836db33f3a71b265a87740c1407a79b2e6ba796c028a9e8

SHA512
00b2a3c2a392844680819d7106b70e586ff207de9d5c7c90290fbfba72fa4b6e9a5ac59164cc67026e7a1467c69feb2e796440078dcf48e75f61c6ece922b9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4931.tmp\t7f2wc.dll

Filesize
129KB

MD5
0e2d5c75d97e0ea879e12dacbf91a6df

SHA1
a61ffac27eca63ebb0075e842a460e80326a5092

SHA256
d40c71ea25575e573284a6763e5530cfd395b3b75a45db4cff8f7a298e84cc74

SHA512
08acde739b4e1caa22fcdfaab508d2ef3b6db78191b0f4a2cedc1d5c0a1de68fb9d8dff72b8de2e129ef011073abd18bdcbf172a99e862bca76e71c7046bab51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy497F.tmp\8x0pq8gq9j.dll

Filesize
669KB

MD5
2064ea94df92b42740c547aa2c610dd1

SHA1
9ad300e310ce27c2a0d94131ca182fd74edb5f62

SHA256
cd43f332905d74b8d8926ae6288888cf843666db0a5b703f2123afbd63c5f2cd

SHA512
607f19c5cc1eb57a1bb81c82aefc84761f532df08c3538140db94b06005163678199e7841e9e78cf457e289ea307f96c78507e948d6bd9137a756e7ff74d3090

Download Submit
C:\Users\Admin\AppData\Local\Temp\ui01nlLyekPW.bat

Filesize
206B

MD5
9da5d88943c7827bd26575c088a5e6bd

SHA1
81babe4f1d2dd4d9e51762865c78650787d9cb78

SHA256
ff262dd1a9dc3fd90b626dd7c8b7701f7f945f989f79678a4c4b720b8cd7981c

SHA512
40ecd43a7693d0c7ac0d1200e71dd3d6275760f7cd2a4080ceb551de0ee4d47ce7356d1086cac4eadef638937010f9affea72a7bf2d179373d5de9bac838423c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
8b724e84a70fe52447cbdfb4760cc9a6

SHA1
ba17690672e5bcdc9bac7be07e013d88aeccdcf8

SHA256
0641e168ba45b5601c807aacc5c932a1440b3973a93fd33f44e050b5fe12eb3a

SHA512
67c68dff6c4eceedde6d37ae32b2f5a31266be69c1a00b050ac259b65628636a77ee38481ae5ea2bceac5e0b10ff76bd3630b4ea1b52982b2333cd93be7579f4

Download Submit
C:\Users\Admin\AppData\Roaming\Treexy\Driver Fusion 9.0.0.1\install\40073A7\setup-free.msi

Filesize
6.0MB

MD5
eef753b9d53cb04360a3c012cc6013dc

SHA1
79567cbd5202303598e77ec296e86e76bb43bdba

SHA256
1cf1b339dfaa725132a1378a1fba96eb12246bbe18f9a56d9c112a70e1c654b3

SHA512
123d309d6af9d127459e566d30114604eeb27f025bdbc6dcb2199e879d0ae71ca7d8fad0e95ef7715d330767b37cb10d19962e039f4156572e4a94b4a6e64449

Download Submit
\Program Files (x86)\Common Files\data-com.exe

Filesize
1.7MB

MD5
11ce0a152fdbf1997778a2a0d11200aa

SHA1
b728d7df96a888eb6b61a20d4daa4e71445bab68

SHA256
dcaf19328afff04eb26fa9d8edcbe16fe0ede4785830a6a8b66b68e9e23290f8

SHA512
5f3e889de15dddc4d77715b5a90c6db736ac045384fa03b604e9f9bf64e961d522a4ce1057fbcdf766fac7d01344c6fd1cbd2db085c9e2b8d4d7e833d579eceb

Download Submit
\Users\Admin\AppData\Local\Temp\MSI9DFC.tmp

Filesize
391KB

MD5
7b344cf64d727aa30d30c79721f90750

SHA1
44de9cd2752fe8971b0bfb78cff40170526031ab

SHA256
95a3515e35c6fea01646a9e392df731bf38d40a4dc52f4292fcfcda9042a46e7

SHA512
cbb0740c25a7d37f8ffc9b40adf23885e07abe60e82ba34b735bb0adad4d82bc9229f12478c089b4dd005a4757007dd0db1b54200a4d8ceef302f20130088419

Download Submit
\Users\Admin\AppData\Local\Temp\Office155.exe

Filesize
650KB

MD5
e1719a774dafed6ca894ec6b1d0fd457

SHA1
13651637cf5477d3103410cf9829999285d9eebe

SHA256
78474b2f484a98ec6375e8389adb097afd942181fef9dfc2550f54ece30edcbf

SHA512
38ecde8ec5833c1f3ad207dfe14ff71792632b29c9ee6ea954563243020b755bc1fe8547d54eeb91bc25d7f32f204d891f6c865735af781049741efa15e1baee

Download Submit
\Users\Admin\AppData\Local\Temp\netshare x86_644.exe

Filesize
718KB

MD5
7443707310e3a6b120beb1e61b34d25a

SHA1
1fa6806ee6553931532cc6e2bb49e42d8655734d

SHA256
afe09a1fd24c633424b2ba1aa1df9cc80431c6f9558a48b933063fd18d055fb1

SHA512
37f673558b6d4953f807f18bf14a6a1fde7d39fa3d82c733e98809c7732d30591ac52b17dcb9a80d87418d8b797bec67fa511b1666ad18a5afb276d64f07a721

Download Submit
\Users\Admin\AppData\Local\Temp\win-tooll.exe

Filesize
177KB

MD5
cb7cac7a65b31662f2116d75d65d010a

SHA1
92869d6a5a06114c2c571fe583d744708b401be4

SHA256
dfcff668b6a257948fd604e9346b570d91d8e1602d8058548d2141f0e7c5ac2b

SHA512
6cf8db0a4a54d0cd6d2c85135173cf520a1b574e111babc42d154325251bf7ef0ba2b4adaa071492adc85039e96204f6893ab7e1f7f526062bde0103869bbc4f

Download Submit
\Users\Admin\AppData\Roaming\Treexy\Driver Fusion 9.0.0.1\install\decoder.dll

Filesize
182KB

MD5
fddee40c512e40f05ed565f1a00e85f1

SHA1
2f0096e7418d19d8df8515f9899e87ca6671b517

SHA256
f7ab1e969edfece0c89bd4d79ce3cc70ff46e460da4d9d90b1ef91f3a0716265

SHA512
6845cb0f841572e7c516b8401eab4aadcdd492613ffb09ccd07ce254d6748ddde4b3b566b3e8fb2ea841c8fd5977d6f1fddaadda81e0f39d8736323e750c8127

Download Submit
memory/616-1065-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/616-1062-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/800-1105-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/908-527-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/908-521-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/980-1074-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1088-1776-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1088-1773-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1200-1008-0x0000000001030000-0x0000000001032000-memory.dmp

Filesize
8KB

Download
memory/1228-1390-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1228-1485-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1508-1136-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

Filesize
8KB

Download
memory/1556-1033-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1556-1021-0x00000000004A0000-0x0000000000524000-memory.dmp

Filesize
528KB

Download
memory/1556-1022-0x00000000004A0000-0x0000000000524000-memory.dmp

Filesize
528KB

Download
memory/1592-499-0x0000000000F00000-0x0000000000F02000-memory.dmp

Filesize
8KB

Download
memory/1636-1166-0x0000000001070000-0x0000000001072000-memory.dmp

Filesize
8KB

Download
memory/1704-1148-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1728-834-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1728-113-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1728-143-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1728-1024-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1728-1056-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1728-490-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1728-110-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1728-1130-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1728-122-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1728-1735-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1728-121-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1728-1087-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1728-1165-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1900-1050-0x0000000002640000-0x0000000002642000-memory.dmp

Filesize
8KB

Download
memory/2052-112-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2052-97-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2108-1818-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2148-1874-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2168-1157-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2236-1093-0x0000000002320000-0x0000000002322000-memory.dmp

Filesize
8KB

Download
memory/2336-998-0x0000000002200000-0x0000000002202000-memory.dmp

Filesize
8KB

Download
memory/2388-1176-0x00000000024C0000-0x00000000024C2000-memory.dmp

Filesize
8KB

Download
memory/2504-1081-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/2528-1019-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2536-844-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2536-119-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2608-94-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2608-104-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2612-1040-0x0000000000670000-0x0000000000672000-memory.dmp

Filesize
8KB

Download
memory/2688-512-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/2824-107-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2824-89-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2836-132-0x0000000004690000-0x0000000004714000-memory.dmp

Filesize
528KB

Download
memory/2836-141-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2836-103-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2836-100-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2900-105-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2900-109-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2900-131-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/2900-142-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2944-1114-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3044-1121-0x00000000027D0000-0x00000000027D2000-memory.dmp

Filesize
8KB

Download
memory/3528-1913-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download