Downloads.rar

General
Target

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Filesize

139MB

Completed

19-11-2020 10:40

Score
10 /10
Malware Config

Extracted

Path C:\_readme.txt
Ransom Note
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-T9WE5uiVT6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: blower@india.com Reserve e-mail address to contact us: blower@firemail.cc Your personal ID: 046Sdsd3273yifhsisySD60h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
Emails

blower@india.com

blower@firemail.cc
URLs

https://we.tl/t-T9WE5uiVT6
Signatures 16

Filter: none

Defense Evasion
Discovery
Persistence
  • Executes dropped EXE
    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

    Reported IOCs

    pidprocess
    24765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    38285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    40285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    9085da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    38085da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    4285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    36845da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    31685da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    32285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    39165da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    23925da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    18605da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    22485da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    25045da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    36805da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    22685da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    28165da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    20565da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    22645da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    19925da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    31885da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    12685da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    15165da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    5845da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  • Modifies Installed Components in the registry

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Modifies extensions of user files
    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File renamedC:\Users\Admin\Pictures\CompressConfirm.tif => C:\Users\Admin\Pictures\CompressConfirm.tif.kropun5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File renamedC:\Users\Admin\Pictures\RenameDebug.raw => C:\Users\Admin\Pictures\RenameDebug.raw.kropun5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File renamedC:\Users\Admin\Pictures\WriteExport.crw => C:\Users\Admin\Pictures\WriteExport.crw.kropun5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral5/files/0x000100000001ab6e-3.datupx
    behavioral5/files/0x000100000001ab6e-23.datupx
    behavioral5/files/0x000100000001ab6e-35.datupx
    behavioral5/files/0x000100000001ab6e-37.datupx
    behavioral5/files/0x000100000001ab6e-49.datupx
    behavioral5/files/0x000100000001ab6e-57.datupx
    behavioral5/files/0x000100000001ab6e-62.datupx
    behavioral5/files/0x000100000001ab6e-64.datupx
    behavioral5/files/0x000100000001ab6e-69.datupx
    behavioral5/files/0x000100000001ab6e-72.datupx
    behavioral5/files/0x000100000001ab6e-78.datupx
    behavioral5/files/0x000100000001ab6e-80.datupx
    behavioral5/files/0x000100000001ab6e-87.datupx
    behavioral5/files/0x000100000001ab6e-91.datupx
    behavioral5/files/0x000100000001ab6e-96.datupx
    behavioral5/files/0x000100000001ab6e-97.datupx
    behavioral5/files/0x000100000001ab6e-103.datupx
    behavioral5/files/0x000100000001ab6e-106.datupx
    behavioral5/files/0x000100000001ab6e-119.datupx
    behavioral5/files/0x000100000001ab6e-121.datupx
    behavioral5/files/0x000100000001ab6e-126.datupx
    behavioral5/files/0x000100000001ab6e-130.datupx
    behavioral5/files/0x000100000001ab6e-135.datupx
    behavioral5/files/0x000100000001ab6e-137.datupx
    behavioral5/files/0x000100000001ab6e-143.datupx
  • Modifies file permissions
    icacls.exe

    Tags

    TTPs

    File Permissions Modification

    Reported IOCs

    pidprocess
    204icacls.exe
  • Adds Run key to start application
    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart"5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  • Drops desktop.ini file(s)
    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Users\Admin\Links\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Admin\Searches\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Admin\OneDrive\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Admin\Favorites\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Admin\Pictures\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Admin\Documents\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Admin\Music\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Admin\Pictures\Camera Roll\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Admin\Pictures\Saved Pictures\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Admin\Saved Games\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Admin\Favorites\Links\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Admin\Videos\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Admin\Downloads\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\All Users\Microsoft\Windows\Start Menu Places\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Admin\Contacts\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    File opened for modificationC:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flowioc
    78api.2ip.ua
    84api.2ip.ua
    77api.2ip.ua
    53api.2ip.ua
    54api.2ip.ua
    60api.2ip.ua
    63api.2ip.ua
    41api.2ip.ua
    55api.2ip.ua
    69api.2ip.ua
    70api.2ip.ua
    27api.2ip.ua
    34api.2ip.ua
    79api.2ip.ua
    85api.2ip.ua
    10api.2ip.ua
    43api.2ip.ua
    61api.2ip.ua
    68api.2ip.ua
    86api.2ip.ua
    11api.2ip.ua
    18api.2ip.ua
    28api.2ip.ua
    29api.2ip.ua
    71api.2ip.ua
    76api.2ip.ua
    42api.2ip.ua
    47api.2ip.ua
    52api.2ip.ua
    62api.2ip.ua
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Program crash
    WerFault.exeWerFault.exe

    Reported IOCs

    pidpid_targetprocesstarget process
    39603036WerFault.exe
    39883604WerFault.exeexplorer.exe
  • Modifies system certificate store
    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

    Tags

    TTPs

    Install Root CertificateModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B688518685da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e86045da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b688518680400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e86045da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e86045da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c0000000100000004000000000800000400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e86045da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  • Suspicious behavior: EnumeratesProcesses
    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exeWerFault.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exeWerFault.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

    Reported IOCs

    pidprocess
    40765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    40765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    25765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    25765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    10485da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    10485da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    4805da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    4805da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    39325da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    39325da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    24765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    24765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    3960WerFault.exe
    3960WerFault.exe
    3960WerFault.exe
    3960WerFault.exe
    3960WerFault.exe
    3960WerFault.exe
    3960WerFault.exe
    3960WerFault.exe
    3960WerFault.exe
    3960WerFault.exe
    3960WerFault.exe
    3960WerFault.exe
    3960WerFault.exe
    40285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    40285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    38285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    38285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    9085da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    9085da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    3988WerFault.exe
    3988WerFault.exe
    3988WerFault.exe
    3988WerFault.exe
    3988WerFault.exe
    3988WerFault.exe
    3988WerFault.exe
    3988WerFault.exe
    3988WerFault.exe
    3988WerFault.exe
    3988WerFault.exe
    3988WerFault.exe
    3988WerFault.exe
    38085da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    38085da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    36845da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    36845da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    4285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    4285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    31685da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    31685da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    32285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    32285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    39165da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    39165da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    23925da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    23925da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    18605da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    18605da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    22485da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    22485da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    25045da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    25045da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exeexplorer.exeWerFault.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege3960WerFault.exe
    Token: SeShutdownPrivilege3604explorer.exe
    Token: SeCreatePagefilePrivilege3604explorer.exe
    Token: SeShutdownPrivilege3604explorer.exe
    Token: SeCreatePagefilePrivilege3604explorer.exe
    Token: SeShutdownPrivilege3604explorer.exe
    Token: SeCreatePagefilePrivilege3604explorer.exe
    Token: SeShutdownPrivilege3604explorer.exe
    Token: SeCreatePagefilePrivilege3604explorer.exe
    Token: SeShutdownPrivilege3604explorer.exe
    Token: SeCreatePagefilePrivilege3604explorer.exe
    Token: SeShutdownPrivilege3604explorer.exe
    Token: SeCreatePagefilePrivilege3604explorer.exe
    Token: SeShutdownPrivilege3604explorer.exe
    Token: SeCreatePagefilePrivilege3604explorer.exe
    Token: SeShutdownPrivilege3604explorer.exe
    Token: SeCreatePagefilePrivilege3604explorer.exe
    Token: SeShutdownPrivilege3604explorer.exe
    Token: SeCreatePagefilePrivilege3604explorer.exe
    Token: SeShutdownPrivilege3604explorer.exe
    Token: SeCreatePagefilePrivilege3604explorer.exe
    Token: SeShutdownPrivilege3604explorer.exe
    Token: SeCreatePagefilePrivilege3604explorer.exe
    Token: SeDebugPrivilege3988WerFault.exe
  • Suspicious use of FindShellTrayWindow
    explorer.exe

    Reported IOCs

    pidprocess
    3604explorer.exe
    3604explorer.exe
    3604explorer.exe
    3604explorer.exe
  • Suspicious use of SendNotifyMessage
    explorer.exe

    Reported IOCs

    pidprocess
    3604explorer.exe
    3604explorer.exe
    3604explorer.exe
    3604explorer.exe
    3604explorer.exe
    3604explorer.exe
    3604explorer.exe
    3604explorer.exe
  • Suspicious use of WriteProcessMemory
    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 4076 wrote to memory of 20440765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exeicacls.exe
    PID 4076 wrote to memory of 20440765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exeicacls.exe
    PID 4076 wrote to memory of 20440765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exeicacls.exe
    PID 4076 wrote to memory of 257640765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 4076 wrote to memory of 257640765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 4076 wrote to memory of 257640765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2576 wrote to memory of 48025765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2576 wrote to memory of 48025765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2576 wrote to memory of 48025765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2576 wrote to memory of 104825765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2576 wrote to memory of 104825765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2576 wrote to memory of 104825765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 480 wrote to memory of 39324805da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 480 wrote to memory of 39324805da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 480 wrote to memory of 39324805da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2476 wrote to memory of 382824765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2476 wrote to memory of 382824765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2476 wrote to memory of 382824765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2476 wrote to memory of 402824765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2476 wrote to memory of 402824765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2476 wrote to memory of 402824765da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3828 wrote to memory of 90838285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3828 wrote to memory of 90838285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3828 wrote to memory of 90838285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3808 wrote to memory of 42838085da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3808 wrote to memory of 42838085da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3808 wrote to memory of 42838085da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3808 wrote to memory of 368438085da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3808 wrote to memory of 368438085da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3808 wrote to memory of 368438085da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 428 wrote to memory of 31684285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 428 wrote to memory of 31684285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 428 wrote to memory of 31684285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3228 wrote to memory of 391632285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3228 wrote to memory of 391632285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3228 wrote to memory of 391632285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3228 wrote to memory of 239232285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3228 wrote to memory of 239232285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3228 wrote to memory of 239232285da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3916 wrote to memory of 186039165da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3916 wrote to memory of 186039165da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3916 wrote to memory of 186039165da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2248 wrote to memory of 250422485da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2248 wrote to memory of 250422485da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2248 wrote to memory of 250422485da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2248 wrote to memory of 368022485da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2248 wrote to memory of 368022485da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2248 wrote to memory of 368022485da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2504 wrote to memory of 226825045da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2504 wrote to memory of 226825045da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2504 wrote to memory of 226825045da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2816 wrote to memory of 205628165da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2816 wrote to memory of 205628165da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2816 wrote to memory of 205628165da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2816 wrote to memory of 226428165da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2816 wrote to memory of 226428165da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2816 wrote to memory of 226428165da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2056 wrote to memory of 199220565da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2056 wrote to memory of 199220565da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 2056 wrote to memory of 199220565da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3188 wrote to memory of 126831885da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3188 wrote to memory of 126831885da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3188 wrote to memory of 126831885da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    PID 3188 wrote to memory of 151631885da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Processes 33
  • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
    Adds Run key to start application
    Modifies system certificate store
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      Modifies file permissions
      PID:204
    • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
      Modifies extensions of user files
      Drops desktop.ini file(s)
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        PID:480
        • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
          "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 480 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
          Suspicious behavior: EnumeratesProcesses
          PID:3932
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2576 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        Suspicious behavior: EnumeratesProcesses
        PID:1048
  • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    Executes dropped EXE
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3828
      • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3828 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:908
    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2476 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4028
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3036 -s 6912
    Program crash
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:3960
  • C:\Windows\explorer.exe
    explorer.exe
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    PID:3604
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3604 -s 2056
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3988
  • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    Executes dropped EXE
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:428
      • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 428 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:3168
    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3808 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3684
  • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    Executes dropped EXE
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:3228
    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3916 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:1860
    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3228 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2392
  • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    Executes dropped EXE
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2504 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        Executes dropped EXE
        PID:2268
    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2248 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      Executes dropped EXE
      PID:3680
  • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    Executes dropped EXE
    Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2056 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        Executes dropped EXE
        PID:1992
    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2816 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      Executes dropped EXE
      PID:2264
  • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    Executes dropped EXE
    Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      Executes dropped EXE
      PID:1268
      • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1268 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        Executes dropped EXE
        PID:584
    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3188 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      Executes dropped EXE
      PID:1516
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads

                    • C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.kropun

                      MD5

                      08973c6103fe896a7802c9a2f8d01b9e

                      SHA1

                      f785bcd5ca3a0ea4d44ed47637e2f47c1e5ffd5d

                      SHA256

                      edae9a70e766f7c4a3d004045d580c5e8172264700119511723c83dc72aaed8d

                      SHA512

                      86b4180c7597264b150a71178bd7cc46cda52929815ca573205c066535687294961d93b90dfc5b5e2ecd59b979bbfaff9ce3d61c81d022e4bd7da22c1d457ad0

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

                      MD5

                      05644c5a0a63378cdc97ecaaa0b9efdd

                      SHA1

                      db53cd09636ca0edf9d2f4727730cb8031e1b408

                      SHA256

                      7cc6fcdbe0418add551b9f2538645e6c83a658129271080513c4f610dd07c2e2

                      SHA512

                      8d28b601040a0e01ada295a30f76fc2460bde5ddcd39c7e9a5704aef96df0d7636a1008180522426a2f2b3d91a959be7c969b8ba03851179bb0a7dc6493f527d

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

                      MD5

                      a21464808cedbf4f6ee449f962cc4e5f

                      SHA1

                      3e962b7602cd7980f88e91b445dc384612fcd26a

                      SHA256

                      bf43666949af1ef4775a97df2f6ead6035b42c4579467b5c76bac8b6f9b3e743

                      SHA512

                      45580abd9b295faeeb33a77f2bb2196c9ee689b91bc881001273adc3dc7a0b99822b2d0d7da5c84d007f96387e3757fce10f41b0144bb6c08d71270cb6a2cab2

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\226b110d-d0d5-4063-9bb2-475e8ab8c9cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db

                      MD5

                      87c90c4befd14f8c50d0609e06ba7d32

                      SHA1

                      bbf0a3691f4c81749aa28001b308d9fdae48a3e7

                      SHA256

                      c850fb6391115e6544cf0ba0fce32edfe9c0f9f88834d0f25743229f3617988f

                      SHA512

                      42f368e884f54752ce9fd1b2fff62b060b0cc5e75143b36373c6ea851be0c154b2939f2da1b2cd353500a9cc7d5583f389a35aeb59cc7daa48811214becb2e3e

                      Download Submit

                    • C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db

                      MD5

                      08973c6103fe896a7802c9a2f8d01b9e

                      SHA1

                      f785bcd5ca3a0ea4d44ed47637e2f47c1e5ffd5d

                      SHA256

                      edae9a70e766f7c4a3d004045d580c5e8172264700119511723c83dc72aaed8d

                      SHA512

                      86b4180c7597264b150a71178bd7cc46cda52929815ca573205c066535687294961d93b90dfc5b5e2ecd59b979bbfaff9ce3d61c81d022e4bd7da22c1d457ad0

                      Download Submit

                    • C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_000eec50\Report.wer

                      MD5

                      eaae16aa7caf112844fb54713c0a5129

                      SHA1

                      e687d59d367e1b0f7850f0ff9e0fb265089d8212

                      SHA256

                      22fe94581982ba2c24ff7be6f5990624abecff1b2895e27872bba4fded8ae157

                      SHA512

                      bbb59ef34a736b2ae82654187a0c69de387018f839a298094d5d1633043d6dded48186f33c74666101316651c3d76eaf57e25a9a7827d0a3d6c9a1f14df79b5e

                      Download Submit

                    • C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_000eec50\WEREAF8.tmp.WERInternalMetadata.xml

                      MD5

                      e6311ac8c355e9913dbf92463dd15a9c

                      SHA1

                      71e3a7d418a6de328bb56ffc33a80c79890217b6

                      SHA256

                      c88b585e6b18fcd106f768b15775ae5df82742213ac404e013ca5130ab5c1879

                      SHA512

                      3db1689236ca5c845b22537017e3f501d7b68c41a8b0436ec1bda639e24104757fe9d9a907a848942a5fee2763f99ef493b15cee88eb256c1cdefc6b55284216

                      Download Submit

                    • C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_000eec50\WEREB17.tmp.csv

                      MD5

                      4ff9f156f7190d49abfa7626b270c560

                      SHA1

                      e6358ac53049589c95a632d1147d821f507404e1

                      SHA256

                      584a93ffe8eb9c13b76357621c53381cda095089fbd9caf9e50a7996bfebd713

                      SHA512

                      2a4168c7ff4164f4effe4030fd7f2ad33619dbd40a01655a5ce28b9ee5efdfb3ea7dccf26055e51283c056a5220083bb7cf2556251fc9bd1fff96de4024013aa

                      Download Submit

                    • C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_000eec50\WEREB28.tmp.txt

                      MD5

                      8d110add5384eafd53bc24d97454ac08

                      SHA1

                      5414674238bbce7f0ee0b2d83f25258b464eaaf9

                      SHA256

                      d1b7ea1c0860fb0a51ddcdf2dc86321fd899ef2e5e0c41f84eb9aba1a9af5a19

                      SHA512

                      aaec3dbb1473fedb50ae2a98926fd5994607285e2da7e0839f03ab45b1dbaaeb30383d5623534db647c996f6de51052414c3636bced1a0efc31c8e0c3a9450dd

                      Download Submit

                    • C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_000eec50\WEREC04.tmp.appcompat.txt

                      MD5

                      eface37a5f6d83741bdd222c3ac88789

                      SHA1

                      cd417255730af80b55605c757f24e860ee9c7f01

                      SHA256

                      9e67a1e1e9b532095d442a9c467e9fc2c38cce9bfa4863046874c29574b8e366

                      SHA512

                      7ab26446b1686a5245b452156a994ba5a57585988e475909c3ecfdaa66eccf4cca93e1d16b28b3300ba24b3d1858a7edb408e59ccd88887ea049111a5f6a5880

                      Download Submit

                    • C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_000eec50\memory.hdmp

                      MD5

                      03e0f829cb3e676959a2d1943c1e6379

                      SHA1

                      aaa6297a9d8fd3d2ee34f2d96d09530bb225908f

                      SHA256

                      9339839ed78d21e883670e316e0c0abd49642b926c7bfc594becfe1780ce7cd2

                      SHA512

                      ae0c8e8e65ba30d7a3d72f773f630b8ba14d3cdc351502bebfc1c32bb0d7acd0a886f15dd6ade38c971ec2c8a0967e16fba573fd21ad425e3469234f259ce741

                      Download Submit

                    • C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_000eec50\minidump.mdmp

                      MD5

                      f7bde45303a1b012315bc81bde8b1179

                      SHA1

                      6618449539172d05993972ec4de0b44fedcd0adc

                      SHA256

                      1dfd80a059e5ca808b80a1109c0287872053149ca089b3df7b9dd28f472c64f6

                      SHA512

                      f23f419421a23e9691d2a6dd84eaabb33cce7ba135ae368b0a52a4e1cfdf13db855fea746874996befc139869bd33a70f2ad97c7b9eda0a3bd864d8165f0c3da

                      Download Submit

                    • \??\PIPE\wkssvc

                      MD5

                      d41d8cd98f00b204e9800998ecf8427e

                      SHA1

                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                      SHA256

                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                      SHA512

                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                      Download Submit

                    • memory/204-2-0x0000000000000000-mapping.dmp

                      Download

                    • memory/428-67-0x00000000005D0000-0x0000000000610000-memory.dmp

                      Download

                    • memory/428-63-0x0000000002240000-0x0000000002241000-memory.dmp

                      Download

                    • memory/428-60-0x0000000000000000-mapping.dmp

                      Download

                    • memory/480-18-0x00000000006B0000-0x00000000006F0000-memory.dmp

                      Download

                    • memory/480-14-0x0000000000000000-mapping.dmp

                      Download

                    • memory/480-16-0x0000000002110000-0x0000000002111000-memory.dmp

                      Download

                    • memory/584-142-0x0000000000000000-mapping.dmp

                      Download

                    • memory/584-144-0x00000000022A0000-0x00000000022A1000-memory.dmp

                      Download

                    • memory/584-145-0x0000000000550000-0x0000000000590000-memory.dmp

                      Download

                    • memory/908-48-0x0000000000000000-mapping.dmp

                      Download

                    • memory/908-50-0x00000000023C0000-0x00000000023C1000-memory.dmp

                      Download

                    • memory/908-51-0x0000000000740000-0x0000000000780000-memory.dmp

                      Download

                    • memory/1048-19-0x0000000000670000-0x00000000006B0000-memory.dmp

                      Download

                    • memory/1048-15-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1268-139-0x0000000000770000-0x00000000007B0000-memory.dmp

                      Download

                    • memory/1268-136-0x0000000002180000-0x0000000002181000-memory.dmp

                      Download

                    • memory/1268-133-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1516-134-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1516-141-0x0000000000660000-0x00000000006A0000-memory.dmp

                      Download

                    • memory/1516-138-0x0000000002280000-0x0000000002281000-memory.dmp

                      Download

                    • memory/1860-90-0x0000000000630000-0x0000000000670000-memory.dmp

                      Download

                    • memory/1860-86-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1860-88-0x0000000002060000-0x0000000002061000-memory.dmp

                      Download

                    • memory/1992-128-0x00000000007A0000-0x00000000007E0000-memory.dmp

                      Download

                    • memory/1992-125-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1992-127-0x0000000002130000-0x0000000002131000-memory.dmp

                      Download

                    • memory/2056-124-0x0000000000620000-0x0000000000660000-memory.dmp

                      Download

                    • memory/2056-120-0x0000000002160000-0x0000000002161000-memory.dmp

                      Download

                    • memory/2056-117-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2248-93-0x00000000005C0000-0x0000000000600000-memory.dmp

                      Download

                    • memory/2248-92-0x0000000002300000-0x0000000002301000-memory.dmp

                      Download

                    • memory/2264-123-0x0000000000660000-0x00000000006A0000-memory.dmp

                      Download

                    • memory/2264-118-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2268-104-0x0000000002010000-0x0000000002011000-memory.dmp

                      Download

                    • memory/2268-102-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2268-105-0x00000000005C0000-0x0000000000600000-memory.dmp

                      Download

                    • memory/2392-85-0x0000000000870000-0x00000000008B0000-memory.dmp

                      Download

                    • memory/2392-77-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2476-25-0x000000000075A000-0x000000000079A000-memory.dmp

                      Download

                    • memory/2476-24-0x0000000002190000-0x0000000002191000-memory.dmp

                      Download

                    • memory/2504-94-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2504-101-0x00000000005D0000-0x0000000000610000-memory.dmp

                      Download

                    • memory/2504-99-0x00000000022B0000-0x00000000022B1000-memory.dmp

                      Download

                    • memory/2576-7-0x0000000002220000-0x0000000002221000-memory.dmp

                      Download

                    • memory/2576-6-0x0000000000780000-0x00000000007C0000-memory.dmp

                      Download

                    • memory/2576-5-0x0000000002220000-0x0000000002221000-memory.dmp

                      Download

                    • memory/2576-4-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2816-108-0x00000000005C0000-0x0000000000600000-memory.dmp

                      Download

                    • memory/2816-107-0x0000000002380000-0x0000000002381000-memory.dmp

                      Download

                    • memory/3168-71-0x00000000007F0000-0x0000000000830000-memory.dmp

                      Download

                    • memory/3168-68-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3168-70-0x00000000022D0000-0x00000000022D1000-memory.dmp

                      Download

                    • memory/3188-131-0x0000000002250000-0x0000000002251000-memory.dmp

                      Download

                    • memory/3188-132-0x00000000005B1000-0x00000000005F1000-memory.dmp

                      Download

                    • memory/3228-73-0x00000000020E0000-0x00000000020E1000-memory.dmp

                      Download

                    • memory/3228-75-0x00000000020E0000-0x000000000213B000-memory.dmp

                      Download

                    • memory/3228-74-0x0000000000650000-0x0000000000690000-memory.dmp

                      Download

                    • memory/3680-100-0x00000000007C0000-0x0000000000800000-memory.dmp

                      Download

                    • memory/3680-95-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3684-61-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3684-66-0x0000000000690000-0x00000000006D0000-memory.dmp

                      Download

                    • memory/3684-65-0x0000000002200000-0x0000000002201000-memory.dmp

                      Download

                    • memory/3808-59-0x00000000006D1000-0x0000000000711000-memory.dmp

                      Download

                    • memory/3808-58-0x0000000002340000-0x0000000002341000-memory.dmp

                      Download

                    • memory/3828-46-0x00000000005E0000-0x0000000000620000-memory.dmp

                      Download

                    • memory/3828-33-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3828-36-0x0000000002370000-0x0000000002371000-memory.dmp

                      Download

                    • memory/3916-79-0x0000000002000000-0x0000000002001000-memory.dmp

                      Download

                    • memory/3916-76-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3916-84-0x0000000000520000-0x0000000000560000-memory.dmp

                      Download

                    • memory/3932-21-0x0000000002390000-0x0000000002391000-memory.dmp

                      Download

                    • memory/3932-22-0x00000000007C0000-0x0000000000800000-memory.dmp

                      Download

                    • memory/3932-20-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3960-27-0x000001E3A6770000-0x000001E3A6771000-memory.dmp

                      Download

                    • memory/3960-26-0x000001E3A6770000-0x000001E3A6771000-memory.dmp

                      Download

                    • memory/3960-32-0x000001E3B2DE0000-0x000001E3B2DE1000-memory.dmp

                      Download

                    • memory/3960-31-0x000001E3A8480000-0x000001E3A8481000-memory.dmp

                      Download

                    • memory/3960-30-0x000001E3A7DE0000-0x000001E3A7DE1000-memory.dmp

                      Download

                    • memory/3960-29-0x000001E3A7DE0000-0x000001E3A7DE1000-memory.dmp

                      Download

                    • memory/3988-56-0x000001CD26B30000-0x000001CD26B31000-memory.dmp

                      Download

                    • memory/3988-53-0x000001CD25DC0000-0x000001CD25DC1000-memory.dmp

                      Download

                    • memory/4028-34-0x0000000000000000-mapping.dmp

                      Download

                    • memory/4028-47-0x0000000000700000-0x0000000000740000-memory.dmp

                      Download

                    • memory/4028-38-0x0000000002300000-0x0000000002301000-memory.dmp

                      Download

                    • memory/4076-0-0x0000000002240000-0x0000000002241000-memory.dmp

                      Download

                    • memory/4076-1-0x00000000006BA000-0x00000000006FA000-memory.dmp

                      Download