azorult | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

Resubmissions

22-11-2023 17:02

231122-vkac9adg64 10

19-01-2021 19:24

210119-s26yznnqsn 10

19-11-2020 13:14

201119-s41ec6lt86 10

Analysis

max time kernel
1287s
max time network
1361s
platform
windows10_x64
resource
win10v20201028
submitted
19-11-2020 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DiskInternals_Uneraser_v5_keygen.exe

Score

10^/10

azorult pony socelars discovery evasion infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe	family_socelars

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

CScript.exe

flow pid process

24 4324 CScript.exe

flow	pid	process
24	4324	CScript.exe

Executes dropped EXE 21 IoCs

Processes:

intro.exekeygen-pr.exekeygen-step-1.exekeygen-step-3.exekey.exekeygen-step-4.exekey.exesetup.upx.exeSetup.exe4.exepub4.exefile.exe002.exeFree.exeFree.tmpsearzar.exehjjgaa.exejfiag_gg.exejfiag_gg.exejfiag_gg.exejfiag_gg.exe

pid	process
2124	intro.exe
3948	keygen-pr.exe
2164	keygen-step-1.exe
492	keygen-step-3.exe
1156	key.exe
1672	keygen-step-4.exe
4036	key.exe
4176	setup.upx.exe
4248	Setup.exe
4576	4.exe
4588	pub4.exe
4656	file.exe
4180	002.exe
204	Free.exe
4528	Free.tmp
4392	searzar.exe
4612	hjjgaa.exe
2572	jfiag_gg.exe
4320	jfiag_gg.exe
4288	jfiag_gg.exe
3168	jfiag_gg.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX2\setup.upx.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX2\setup.upx.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4.exepub4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pub4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	pub4.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

4.exepub4.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	pub4.exe

Loads dropped DLL 2 IoCs

Processes:

Setup.exe

pid process

4248 Setup.exe
4248 Setup.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4248	Setup.exe
4248	Setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hjjgaa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe"	hjjgaa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

52 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

4.exepub4.exe

pid process

4576 4.exe
4588 pub4.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

key.exe

description pid process target process

PID 1156 set thread context of 4036 1156 key.exe key.exe

flow	ioc
52	ip-api.com

pid	process
4576	4.exe
4588	pub4.exe

description	pid	process	target process
PID 1156 set thread context of 4036	1156	key.exe	key.exe

Drops file in Program Files directory 3 IoCs

Processes:

Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\NextGen\lanret\pub4.exe	Setup.exe
File created	C:\Program Files (x86)\NextGen\lanret\pub4.vbs	Setup.exe
File created	C:\Program Files (x86)\NextGen\lanret\4.exe	Setup.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4.exepub4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	pub4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	pub4.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3848 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5000 taskkill.exe

pid	process
3848	timeout.exe

pid	process
5000	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{2680A6B6-6F0D-4E4C-9D76-AD0776BF7ECC} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000a24ecb8fdcba8d3d1422b71d3fe898b202a2c93eb050e5b8b1b0f8b0b74c3b0eab44ed7bc7f899606c08bcae0655efffe1fa178c6d670f950b0d40a53a56f40cc6c7948caf8f8936b2e3ba95d695e8fb40c11fc4d5d5159b738b	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658B = 03000000010000001400000083da05a9886f7658be73acf0a4930c0f99b92f011400000001000000140000003656896549cb5b9b2f3cac4216504d91b933d79104000000010000001000000062455357dd57cb80c32ab295743cccc00f00000001000000200000006811c6215f18c75fdbe32cf56bd66248562a7fa3ba459cfee338745061e583941900000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d705c000000010000000400000000100000180000000100000010000000bb048f1838395f6fc3a1f3d2b7e976542000000001000000dc060000308206d8308204c0a003020102020a613fb718000000000004300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131301e170d3131313031383232353531395a170d3236313031383233303531395a307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f66742053656375726520536572766572204341203230313130820222300d06092a864886f70d01010105000382020f003082020a0282020100d00bc0a4a81981e236e5e2aae5f3b2155875beb4e549f1e084f9bb0d64ef85c18155b8f3e7f16d40553dce8b6ad18493f5757c5ba4d47410ca32f323d3aeeecf9e0458c2d947cbd17c004148711b01671718afc6fe73037ee4ef439cef01712a1f81264377985457739d552bf09e8e7d060eac1b54f326f7f82308228b9e061d3738fd72d2cae563c19a5a7db26db352a96ee9aeb5fc8b36f99efaf61c581b9756a511e5b752dbbbe9f054bfb4ff2c6cb85d26cea00ad7df93ed7fddacf12c731ad9193755badd22788ea1d49b09f807223171b094aee0b0e726445790819715ce61ec65e24bf185521632f8b578aa7ecd4dec8321a4a89bbe9a6a04e0a31ccd56186cfd6b2f423ee237f272abd07873727bdeec0058e52130a3083a99ef9fc3f77a169665b5c381aff4397049aff6a9f66a0038f9b40819e01a35a55676225f6af269ae3ead58464db854f68941441e72b1bc122753d2c1ffb2cd50981eb5f4bbb6c28239d9ac1bf23b27846ab0c6260bd73a10e7b3db7cd356ac534c0bfa3b313774d8592bf9007919067bfd1c1d42d4410d2f050ed56b4923ffcfcdf87a82cfda3c2ddfe8d8120418ba1e8877b8981f1007bbc8057e0b09bf6bdde34e5bb0f9c784a63bca4c9f5b6229f7c7a2a89588702ce5c13f3c52234f409ac33185832fbf29f11d508f219607ceeff280c2447d9b62ef2fc37789ab454d533e0279d30203010001a382014b30820147301006092b06010401823715010403020100301d0603551d0e041604143656896549cb5b9b2f3cac4216504d91b933d791301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d23041830168014722d3a02319043b914054ee1eaa7c731d1238934305a0603551d1f04533051304fa04da04b8649687474703a2f2f63726c2e6d6963726f736f66742e636f6d2f706b692f63726c2f70726f64756374732f4d6963526f6f436572417574323031315f323031315f30335f32322e63726c305e06082b0601050507010104523050304e06082b060105050730028642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b692f63657274732f4d6963526f6f436572417574323031315f323031315f30335f32322e637274300d06092a864886f70d01010b0500038202010041c861c1f55b9e3e9131f1b0c6bf0901b49db69074d709dba62e0d9fc8e7763446af0760894c81b33cd5f4123575c273a5f54d848ccba45dafbf92f617085742957265057679adeed1bab82e54a35107ac68eb210ce32581c2cd2af2c3ffcfc2bd49189ac7f084c5f914bc6b95e596efb342d253d54aa012c4ae12765309560e9df7d3a6498850f28a2c9720a2be4e78ef0565b74ba11688de31c70842247ca47b9e9dbc60005e6297e393fca7fe5b7b25dfe4537f4bbee63ef0db0179421c6e856c7db64430fba5379293b2a5ee20ad3f53d5c9f4286b57c1f81d6ab7562ab627811ca62d9fe7f4d0318397a82ab6acbe1b41f5e4895f56fbda5ad35e7d5594107e5357f44a3d402ac8bd679f84e110eefdda6b158249fc461dff4506749c4214edc539d3b3cd0b832790435192f24482ae6e9a1517b219fac7456c98017bbf37a9b088a492bc3838e01de47c97981a2e5fef3865b7352fbd7f4f21fac48cd26f06f94935eadf200f25aaea60ab2c1f4b89fcb7fa5c54904b3ea2284f6ce45265c1fd901c8582886ee9a655dd21287945b014e50acce65fc4bbdb6134699fac2638f7c1294108152e4ca0f7f90c3ede5fab08092d83acac348362f4c949428925b56eb247c5b339a0b1201b2cb18e046fa530491cd046e9405bf4ad6ebadb824a87124a80094ddbdf76b9055b1be0bb20705f0025c7d30efa16ad7b229e7108	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5e01cfb676bed601	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "312607586"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "{88545E89-A7B7-4970-9DF9-7ED7BD8D8C40}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = a01daf1ba9bed601	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	file.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

3676 PING.EXE
4372 PING.EXE
1776 PING.EXE

pid	process
3676	PING.EXE
4372	PING.EXE
1776	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

key.exe4.exepub4.exefile.exeFree.tmpjfiag_gg.exejfiag_gg.exejfiag_gg.exe

pid	process
1156	key.exe
1156	key.exe
4576	4.exe
4576	4.exe
4588	pub4.exe
4588	pub4.exe
4656	file.exe
4656	file.exe
4656	file.exe
4656	file.exe
4528	Free.tmp
4528	Free.tmp
4320	jfiag_gg.exe
4320	jfiag_gg.exe
4288	jfiag_gg.exe
4288	jfiag_gg.exe
3168	jfiag_gg.exe
3168	jfiag_gg.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4384 MicrosoftEdgeCP.exe

pid	process
4384	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

MicrosoftEdge.exekey.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exefile.exesearzar.exe

description	pid	process
Token: SeDebugPrivilege	3500	MicrosoftEdge.exe
Token: SeDebugPrivilege	3500	MicrosoftEdge.exe
Token: SeDebugPrivilege	3500	MicrosoftEdge.exe
Token: SeDebugPrivilege	3500	MicrosoftEdge.exe
Token: SeImpersonatePrivilege	1156	key.exe
Token: SeTcbPrivilege	1156	key.exe
Token: SeChangeNotifyPrivilege	1156	key.exe
Token: SeCreateTokenPrivilege	1156	key.exe
Token: SeBackupPrivilege	1156	key.exe
Token: SeRestorePrivilege	1156	key.exe
Token: SeIncreaseQuotaPrivilege	1156	key.exe
Token: SeAssignPrimaryTokenPrivilege	1156	key.exe
Token: SeImpersonatePrivilege	1156	key.exe
Token: SeTcbPrivilege	1156	key.exe
Token: SeChangeNotifyPrivilege	1156	key.exe
Token: SeCreateTokenPrivilege	1156	key.exe
Token: SeBackupPrivilege	1156	key.exe
Token: SeRestorePrivilege	1156	key.exe
Token: SeIncreaseQuotaPrivilege	1156	key.exe
Token: SeAssignPrimaryTokenPrivilege	1156	key.exe
Token: SeImpersonatePrivilege	1156	key.exe
Token: SeTcbPrivilege	1156	key.exe
Token: SeChangeNotifyPrivilege	1156	key.exe
Token: SeCreateTokenPrivilege	1156	key.exe
Token: SeBackupPrivilege	1156	key.exe
Token: SeRestorePrivilege	1156	key.exe
Token: SeIncreaseQuotaPrivilege	1156	key.exe
Token: SeAssignPrimaryTokenPrivilege	1156	key.exe
Token: SeDebugPrivilege	4540	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4540	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4540	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4540	MicrosoftEdgeCP.exe
Token: SeImpersonatePrivilege	1156	key.exe
Token: SeTcbPrivilege	1156	key.exe
Token: SeChangeNotifyPrivilege	1156	key.exe
Token: SeCreateTokenPrivilege	1156	key.exe
Token: SeBackupPrivilege	1156	key.exe
Token: SeRestorePrivilege	1156	key.exe
Token: SeIncreaseQuotaPrivilege	1156	key.exe
Token: SeAssignPrimaryTokenPrivilege	1156	key.exe
Token: SeImpersonatePrivilege	1156	key.exe
Token: SeTcbPrivilege	1156	key.exe
Token: SeChangeNotifyPrivilege	1156	key.exe
Token: SeCreateTokenPrivilege	1156	key.exe
Token: SeBackupPrivilege	1156	key.exe
Token: SeRestorePrivilege	1156	key.exe
Token: SeIncreaseQuotaPrivilege	1156	key.exe
Token: SeAssignPrimaryTokenPrivilege	1156	key.exe
Token: SeDebugPrivilege	4412	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4412	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4656	file.exe
Token: SeCreateTokenPrivilege	4392	searzar.exe
Token: SeAssignPrimaryTokenPrivilege	4392	searzar.exe
Token: SeLockMemoryPrivilege	4392	searzar.exe
Token: SeIncreaseQuotaPrivilege	4392	searzar.exe
Token: SeMachineAccountPrivilege	4392	searzar.exe
Token: SeTcbPrivilege	4392	searzar.exe
Token: SeSecurityPrivilege	4392	searzar.exe
Token: SeTakeOwnershipPrivilege	4392	searzar.exe
Token: SeLoadDriverPrivilege	4392	searzar.exe
Token: SeSystemProfilePrivilege	4392	searzar.exe
Token: SeSystemtimePrivilege	4392	searzar.exe
Token: SeProfSingleProcessPrivilege	4392	searzar.exe
Token: SeIncBasePriorityPrivilege	4392	searzar.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

4.exeFree.tmp

pid process

4576 4.exe
4576 4.exe
4528 Free.tmp
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe002.exe

pid process

3500 MicrosoftEdge.exe
4384 MicrosoftEdgeCP.exe
4384 MicrosoftEdgeCP.exe
4180 002.exe
4180 002.exe

pid	process
4576	4.exe
4576	4.exe
4528	Free.tmp

pid	process
3500	MicrosoftEdge.exe
4384	MicrosoftEdgeCP.exe
4384	MicrosoftEdgeCP.exe
4180	002.exe
4180	002.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DiskInternals_Uneraser_v5_keygen.execmd.exekeygen-pr.exekeygen-step-3.exekey.exekeygen-step-4.execmd.exesetup.upx.exeSetup.execmd.exe

description	pid	process	target process
PID 652 wrote to memory of 2224	652	DiskInternals_Uneraser_v5_keygen.exe	cmd.exe
PID 652 wrote to memory of 2224	652	DiskInternals_Uneraser_v5_keygen.exe	cmd.exe
PID 652 wrote to memory of 2224	652	DiskInternals_Uneraser_v5_keygen.exe	cmd.exe
PID 2224 wrote to memory of 2124	2224	cmd.exe	intro.exe
PID 2224 wrote to memory of 2124	2224	cmd.exe	intro.exe
PID 2224 wrote to memory of 2124	2224	cmd.exe	intro.exe
PID 2224 wrote to memory of 3948	2224	cmd.exe	keygen-pr.exe
PID 2224 wrote to memory of 3948	2224	cmd.exe	keygen-pr.exe
PID 2224 wrote to memory of 3948	2224	cmd.exe	keygen-pr.exe
PID 2224 wrote to memory of 2164	2224	cmd.exe	keygen-step-1.exe
PID 2224 wrote to memory of 2164	2224	cmd.exe	keygen-step-1.exe
PID 2224 wrote to memory of 2164	2224	cmd.exe	keygen-step-1.exe
PID 2224 wrote to memory of 492	2224	cmd.exe	keygen-step-3.exe
PID 2224 wrote to memory of 492	2224	cmd.exe	keygen-step-3.exe
PID 2224 wrote to memory of 492	2224	cmd.exe	keygen-step-3.exe
PID 3948 wrote to memory of 1156	3948	keygen-pr.exe	key.exe
PID 3948 wrote to memory of 1156	3948	keygen-pr.exe	key.exe
PID 3948 wrote to memory of 1156	3948	keygen-pr.exe	key.exe
PID 2224 wrote to memory of 1672	2224	cmd.exe	keygen-step-4.exe
PID 2224 wrote to memory of 1672	2224	cmd.exe	keygen-step-4.exe
PID 2224 wrote to memory of 1672	2224	cmd.exe	keygen-step-4.exe
PID 492 wrote to memory of 3364	492	keygen-step-3.exe	cmd.exe
PID 492 wrote to memory of 3364	492	keygen-step-3.exe	cmd.exe
PID 492 wrote to memory of 3364	492	keygen-step-3.exe	cmd.exe
PID 1156 wrote to memory of 4036	1156	key.exe	key.exe
PID 1156 wrote to memory of 4036	1156	key.exe	key.exe
PID 1156 wrote to memory of 4036	1156	key.exe	key.exe
PID 1156 wrote to memory of 4036	1156	key.exe	key.exe
PID 1156 wrote to memory of 4036	1156	key.exe	key.exe
PID 1156 wrote to memory of 4036	1156	key.exe	key.exe
PID 1156 wrote to memory of 4036	1156	key.exe	key.exe
PID 1156 wrote to memory of 4036	1156	key.exe	key.exe
PID 1156 wrote to memory of 4036	1156	key.exe	key.exe
PID 1156 wrote to memory of 4036	1156	key.exe	key.exe
PID 1156 wrote to memory of 4036	1156	key.exe	key.exe
PID 1156 wrote to memory of 4036	1156	key.exe	key.exe
PID 1156 wrote to memory of 4036	1156	key.exe	key.exe
PID 1156 wrote to memory of 4036	1156	key.exe	key.exe
PID 1156 wrote to memory of 4036	1156	key.exe	key.exe
PID 1672 wrote to memory of 1388	1672	keygen-step-4.exe	cmd.exe
PID 1672 wrote to memory of 1388	1672	keygen-step-4.exe	cmd.exe
PID 1672 wrote to memory of 1388	1672	keygen-step-4.exe	cmd.exe
PID 3364 wrote to memory of 3676	3364	cmd.exe	PING.EXE
PID 3364 wrote to memory of 3676	3364	cmd.exe	PING.EXE
PID 3364 wrote to memory of 3676	3364	cmd.exe	PING.EXE
PID 1672 wrote to memory of 4176	1672	keygen-step-4.exe	setup.upx.exe
PID 1672 wrote to memory of 4176	1672	keygen-step-4.exe	setup.upx.exe
PID 1672 wrote to memory of 4176	1672	keygen-step-4.exe	setup.upx.exe
PID 4176 wrote to memory of 4228	4176	setup.upx.exe	cmd.exe
PID 4176 wrote to memory of 4228	4176	setup.upx.exe	cmd.exe
PID 4176 wrote to memory of 4228	4176	setup.upx.exe	cmd.exe
PID 1672 wrote to memory of 4248	1672	keygen-step-4.exe	Setup.exe
PID 1672 wrote to memory of 4248	1672	keygen-step-4.exe	Setup.exe
PID 1672 wrote to memory of 4248	1672	keygen-step-4.exe	Setup.exe
PID 4248 wrote to memory of 4324	4248	Setup.exe	CScript.exe
PID 4248 wrote to memory of 4324	4248	Setup.exe	CScript.exe
PID 4248 wrote to memory of 4324	4248	Setup.exe	CScript.exe
PID 4228 wrote to memory of 4372	4228	cmd.exe	PING.EXE
PID 4228 wrote to memory of 4372	4228	cmd.exe	PING.EXE
PID 4228 wrote to memory of 4372	4228	cmd.exe	PING.EXE
PID 4248 wrote to memory of 4576	4248	Setup.exe	4.exe
PID 4248 wrote to memory of 4576	4248	Setup.exe	4.exe
PID 4248 wrote to memory of 4576	4248	Setup.exe	4.exe
PID 4248 wrote to memory of 4588	4248	Setup.exe	pub4.exe

C:\Users\Admin\AppData\Local\Temp\DiskInternals_Uneraser_v5_keygen.exe
"C:\Users\Admin\AppData\Local\Temp\DiskInternals_Uneraser_v5_keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
intro.exe 1EQy87
3⤵
- Executes dropped EXE
PID:2124

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:4036

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:2164

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:3676

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\DreamTrips.bat" "
4⤵
- Checks computer location settings
PID:1388

C:\Users\Admin\AppData\Local\Temp\RarSFX2\setup.upx.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\setup.upx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX2\setup.upx.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:4372

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\CScript.exe
"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\NextGen\lanret\pub4.vbs" //e:vbscript //B //NOLOGO
5⤵
- Blocklisted process makes network request
PID:4324

C:\Program Files (x86)\NextGen\lanret\4.exe
"C:\Program Files (x86)\NextGen\lanret\4.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\M1tlUhzGrZDa & timeout 2 & del /f /q "C:\Program Files (x86)\NextGen\lanret\4.exe"
6⤵
PID:4552

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:3848

C:\Program Files (x86)\NextGen\lanret\pub4.exe
"C:\Program Files (x86)\NextGen\lanret\pub4.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\odtlwymjmfk.exe"
6⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\iifuexm.exe"
6⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
5⤵
PID:1464

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1776

C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4180

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Free.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Free.exe"
4⤵
- Executes dropped EXE
PID:204

C:\Users\Admin\AppData\Local\Temp\is-PODCO.tmp\Free.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PODCO.tmp\Free.tmp" /SL5="$402C0,680561,121344,C:\Users\Admin\AppData\Local\Temp\RarSFX2\Free.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4528

C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:2436

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:5000

C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4612

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
5⤵
- Executes dropped EXE
PID:2572

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4320

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4288

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3168

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2616

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4500

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NextGen\lanret\4.exe
MD5
d8cb14e637834c8544ad437f575c1a09

SHA1
b121ed32e62df6cb6a9205b47e29863329123b24

SHA256
5c8a71b30aaccc7b13bdbf58eb1a266ba218300dad7739c95715bb377d14ae96

SHA512
75fad7d1b162ebfb7e6cb6d0c53c702f0842a1875252d8caf09cdac1e60216314e72e8fc9da6224a0e67ba90bb736eb6805cecba0e475785ea46115f5a83e0b5

Download Submit
C:\Program Files (x86)\NextGen\lanret\4.exe
MD5
d8cb14e637834c8544ad437f575c1a09

SHA1
b121ed32e62df6cb6a9205b47e29863329123b24

SHA256
5c8a71b30aaccc7b13bdbf58eb1a266ba218300dad7739c95715bb377d14ae96

SHA512
75fad7d1b162ebfb7e6cb6d0c53c702f0842a1875252d8caf09cdac1e60216314e72e8fc9da6224a0e67ba90bb736eb6805cecba0e475785ea46115f5a83e0b5

Download Submit
C:\Program Files (x86)\NextGen\lanret\pub4.exe
MD5
eb5c1dcd0bae8e2d6226022d3778b3d7

SHA1
252f43c1d7ddb18132bb428f9ba78790c4239adc

SHA256
687f51a56dcbdf94bcb4b6d0521be68db240d82b3cdc40c9082363472a1a2a97

SHA512
aec8bedfff2c94be10ddb791cd4ebe3505f57cd63c9c676ec14027f527265ef2de5cb8c6a5c4ec1b3a782a3e8086e8436c9df7288fb7bb28af0d9766a90eece2

Download Submit
C:\Program Files (x86)\NextGen\lanret\pub4.exe
MD5
eb5c1dcd0bae8e2d6226022d3778b3d7

SHA1
252f43c1d7ddb18132bb428f9ba78790c4239adc

SHA256
687f51a56dcbdf94bcb4b6d0521be68db240d82b3cdc40c9082363472a1a2a97

SHA512
aec8bedfff2c94be10ddb791cd4ebe3505f57cd63c9c676ec14027f527265ef2de5cb8c6a5c4ec1b3a782a3e8086e8436c9df7288fb7bb28af0d9766a90eece2

Download Submit
C:\Program Files (x86)\NextGen\lanret\pub4.vbs
MD5
bc65c7cbbae16b684415cc2828cbbf28

SHA1
95f5a7ec797a9f1e9c8a4b457b2a15f836fe0a8e

SHA256
cdd1ed87c79e64a3f9b2fc84ef78d7734ecf2542092cfbff192f21d48abd0fe3

SHA512
ee0cbc6598e0d5651319062b252ce866b81d915459c17d4c6a9f80b137d8a5e0fafb90cb946e9dd904ada63ab7096dab3a7848d72669cbd056d9b743ff0fcaf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1FC0448E6D3D5712272FAF5B90A70C5E
MD5
ce16928d38d0901c418aff44b227cedb

SHA1
9007bff6afc91daad3e817b4286130781a6542b1

SHA256
c2ab6b4ebd1b078712e9bf8ce2d5966763525edf4063dc367afba3be13690d14

SHA512
2941e3a6e20f59f0001c3ecadcbad19bcf3f271637cc26eea35d6a7fc66c5916afc19040918f5f44e253d514ca2f76f949c0bb46328788ef76d08225e92fd792

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
MD5
081d36f197084f70fea789af4c4c3437

SHA1
2bde05c8344d838c1766e1f6d03d7194a0c95953

SHA256
b09b06f04df6e235dddede2c5d9e85782e733dc057e1afd58963ca020cc0f4a5

SHA512
a6dff92c0b473c25ac82e8382b35fb7c73ed61e8469863e5baed0ae6c8f84448c9e4ca52b1bef06103946f2bfeee128ab22e9d71b8653c62db782a1ba4135bcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1FC0448E6D3D5712272FAF5B90A70C5E
MD5
c8d86ad622a490df83c73a5609496189

SHA1
90e3f955f349ce161e91829c39cf287fa9f65ccd

SHA256
550045b04d205047ef83aad3cf620b69e5aac4068a62c57a7defb4525cb18108

SHA512
6cf1be8bffa479cd3a7126d5a3860b82abc936b9fe94b56fc5d2dc0049630af696a5baefa5ef4c39ec73df03f8db712342de476e4f235a6847c5adf5f61184eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
MD5
4738c655b261d021c4438cbb9d9594f4

SHA1
22f912b246e195e3d2cb69b10e5de5277ba7fe1e

SHA256
a1c195dcaf8360b5d3789eb03a009b207e074b87c15452ecbea91e8c1e2c193b

SHA512
5ac9d7ee07456a3ad89717d781b1f9d757a7e556e0911326c8064ce695fd2fc6ad6b16c036aebef67356afd752e9de7606b43228638b1be0ef56d5c276f01205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\83D2IC8A.cookie
MD5
afdb020cb2d5e87c7dc488ba2b6a9cb3

SHA1
3a873eb39386d85c87bebb4497c6a4c58764d9ab

SHA256
df4b99ce3d30efae2439519728a6687615b0efe9415e1bcd35983b821a0b6cf0

SHA512
df2d2b9f7cbc73c994bdb38170fad647f987edb76b20c5e10944440c4c02fe07c2dd0cab25d61dcb367954e787b8a9555927199f6c554450c4a83b8b2d855ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\RE0EHFGC.cookie
MD5
8c02282efdd3ce9155041fe30a0bfbb7

SHA1
255f23aa59de638eb423ced3e086aa2444465627

SHA256
fd3b764936ef101011478dffec407deae7422de5350665b2443b2e7f6c860680

SHA512
49981c3fcce5076361bcce61f0df7f415c60f3c8b9bc2a2770f7c7f837e956e5e2535c4b72de2f8e076e8f370a2817e7d7d7bab9948f644e0dac080f7e47112e

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1tlUhzGrZDa\CNONNT~1.ZIP
MD5
7a243a36b7ec2b4f6ea70ac094e0a05d

SHA1
ac45e81e31efb079713858bb6fd57be0d9c352c9

SHA256
6670394934db1c85453e51293d10c04e38d8ff6fa33a008ed15928eba28863c1

SHA512
224a38f4487e13a4131e258a60b14ba04fe94168b09873eb8521bb8ea03a0affdf4ce1fb3c92a016058580c253979f190253367d7740e184ab6adc869ff191e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1tlUhzGrZDa\J2QHRD~1.ZIP
MD5
866de6b0ab99fb9c37d31af5a0d77dfa

SHA1
3f59693c0e86aa255c89ba3e10f7ae80ce18d34c

SHA256
7b7e29b7fac504a76fd28477066c31d5c010cb83a0ac4e0f482fcbaebb3a4715

SHA512
9638bcbe54f237edd051f7caafa5faf583319c15e929e49987bcc856e977e8f61a742affea8691bb3e3a0fa3e7bb77d604a1cc0de689e430130586ca5516afee

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1tlUhzGrZDa\_Files\_INFOR~1.TXT
MD5
cca3a2a4604aab18351731fe44dfe2e9

SHA1
455b065f875dddf3c91bf4307d242e8313cd40fa

SHA256
8365a53ff39b7a686fdd42a633c1e2b4e2a39aebb5e9a7fc058702546cbaab96

SHA512
c7314a7a4fe1afd2a951aa600b48faf1cd164b114eddf2125d2120c8e00d898952904dc769389ea55672e14caeb4fb5884a552cc0bacf3db71972ccc321175e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1tlUhzGrZDa\_Files\_SCREE~1.JPE
MD5
52fd88f0e12f8cd7a081fdfadf470363

SHA1
20f9656540ec64e1744c3212f523c369e1b4efa3

SHA256
1472992c4b46bf710f994d93caf6fc921fcec212c53bd1de16a73d539c86b484

SHA512
834e8d2fe192629048f477b05a47d90db2c9dcbec589a70fc50c2b3f79022f56d451734b2552e4a2383e66d7822af3539895da2f5798e503ae4886a523b0a7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1tlUhzGrZDa\files_\SCREEN~1.JPG
MD5
52fd88f0e12f8cd7a081fdfadf470363

SHA1
20f9656540ec64e1744c3212f523c369e1b4efa3

SHA256
1472992c4b46bf710f994d93caf6fc921fcec212c53bd1de16a73d539c86b484

SHA512
834e8d2fe192629048f477b05a47d90db2c9dcbec589a70fc50c2b3f79022f56d451734b2552e4a2383e66d7822af3539895da2f5798e503ae4886a523b0a7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1tlUhzGrZDa\files_\SYSTEM~1.TXT
MD5
87314d84952e5088c111817856c9cdee

SHA1
6259d29d6b2da133e5013b10b2b87a37c41c53cf

SHA256
37896071e8945a15b443e7cdc6efb88bb737c47b3d1619078f58b9509c8a363a

SHA512
e9cc930da4fee4c6f6e0713f809f4d2ed6deb3e8144c8cb91a6710e5e67bf6c9f06277878fd6312878d5b54afd62c869e63fb899eb63b2a3014934ef6d40b6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
MD5
a58a58c8dd956563b2abe51a90f272a4

SHA1
92e15e45ce97f1f2c5fb1019812367c515fe9dab

SHA256
5e9529306216f5741fc05fceacda78663c2a6d5b6fd66af06c01cab83b77b9af

SHA512
7db7c6f997298f7d49cbb8660ceb9c021baa5f4dcf1ab6ec1cb91472786ed1addebdfb1cb535323d3f95af9ada46ce746c61b26b1fe44905b4d8831fe435bd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
MD5
a58a58c8dd956563b2abe51a90f272a4

SHA1
92e15e45ce97f1f2c5fb1019812367c515fe9dab

SHA256
5e9529306216f5741fc05fceacda78663c2a6d5b6fd66af06c01cab83b77b9af

SHA512
7db7c6f997298f7d49cbb8660ceb9c021baa5f4dcf1ab6ec1cb91472786ed1addebdfb1cb535323d3f95af9ada46ce746c61b26b1fe44905b4d8831fe435bd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
MD5
c5a24c408b319a4429e9343fd8a1ff5f

SHA1
c1094b5fc5ba7bba71907e9fd8973f593c8aa0cb

SHA256
b9b51ac451e3775737503ccecdacb08027cdb34232085ad2847c6d9a63b6051a

SHA512
1390323bd5714222bef36a02bc6c736c0e0df448500e2b926cc306813fcb88584a400d4042732b16918d337c9d4a1d4dfe756086cf20b962f9e294e8ca211ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
MD5
c5a24c408b319a4429e9343fd8a1ff5f

SHA1
c1094b5fc5ba7bba71907e9fd8973f593c8aa0cb

SHA256
b9b51ac451e3775737503ccecdacb08027cdb34232085ad2847c6d9a63b6051a

SHA512
1390323bd5714222bef36a02bc6c736c0e0df448500e2b926cc306813fcb88584a400d4042732b16918d337c9d4a1d4dfe756086cf20b962f9e294e8ca211ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
MD5
dab172a125e579492be1dee1b388c20b

SHA1
047921e3b002d5a17bc268322772635da6720b81

SHA256
a47919ec9bdbfefcb196e371db0480d29a416ba639fea7a7faf305a6d6180492

SHA512
5eecdc1b2a959437a627e1fe767f89899645de971251066c4814e2a9a309adb86cdba3bb7ea395c7985451e9250606258a730e405621137f927120a600a51252

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
MD5
dab172a125e579492be1dee1b388c20b

SHA1
047921e3b002d5a17bc268322772635da6720b81

SHA256
a47919ec9bdbfefcb196e371db0480d29a416ba639fea7a7faf305a6d6180492

SHA512
5eecdc1b2a959437a627e1fe767f89899645de971251066c4814e2a9a309adb86cdba3bb7ea395c7985451e9250606258a730e405621137f927120a600a51252

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat
MD5
c095100ec79051c0b883b769e9dcedda

SHA1
49cdb72fffec13b3f8d8613b00efe401ddc1fd69

SHA256
660c4d903f5fb3b7cd7c56eab9222ed9c79af7c9b402981b1ff9a0ea08ad6327

SHA512
d2ffaed547417a1b2faff4821c4920969a1abf3132bcc730a77d8faa0d7db47b216363cef4ebc47bd345551f979dcbd63304c378818568a0f1e25011ec3c9a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat
MD5
12476321a502e943933e60cfb4429970

SHA1
c71d293b84d03153a1bd13c560fca0f8857a95a7

SHA256
14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29

SHA512
f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\potato.dat
MD5
7c1851ab56fec3dbf090afe7151e6af4

SHA1
b12478307cb0d4121a6e4c213bb3b56e6f9a815d

SHA256
327c8ded6efafede3acc4603fe0b17db1df53f5311a9752204cc2c18a8e54d19

SHA512
528b85bfc668bbdd673e57a72675877cd5601e8345f1a88c313238496a5647ab59d2c6dfb630d2da496809678404650f029c6a68805e1859c2eceb0f24990a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
MD5
ddd8a43c5cd1d648af5bfbd67c718261

SHA1
37c915768cb12f54b60eac36cd4c008d7b3340b6

SHA256
159d88ddd564a79129ae91354087369b36d27cad9bde5cc66ac50becae5e7786

SHA512
08268136b5d1245ae4e828205ae4d6efec6845b4ed1507f44520a94f5746837781baddee3910f4b0b0c102b49e4ceceefd8cace686ca8dfed6605af4cf967efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
MD5
ddd8a43c5cd1d648af5bfbd67c718261

SHA1
37c915768cb12f54b60eac36cd4c008d7b3340b6

SHA256
159d88ddd564a79129ae91354087369b36d27cad9bde5cc66ac50becae5e7786

SHA512
08268136b5d1245ae4e828205ae4d6efec6845b4ed1507f44520a94f5746837781baddee3910f4b0b0c102b49e4ceceefd8cace686ca8dfed6605af4cf967efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\DreamTrips.bat
MD5
89a35259c47244f4f9f666774ef2c446

SHA1
b5300a5398128e9a27ae762ec652b5242e7aef4d

SHA256
42446adb3d0c4b91fe2657dc1566d39599f8494a847a2dfea0351b9290a0a148

SHA512
48ebfd8210e9c40b66f00c33bdae70dd979eaa00a89503ec6c823b43f5da210e596fa5bd3800815974c091d28ecb576444fdcfafd4f78c14f9548ea9475fbdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Free.exe
MD5
28d2b5233db11fb15d47576c7fce937c

SHA1
1cba316afc3c76d84f95a0f6e1d5bb61dd0356a3

SHA256
99e44262f35aeaca90c303485b5f01aa42cdeab6909f011dd61f28ca9586aeca

SHA512
7185216e98475cf748de9c136270f27a13dde3aee2f26df27b116d76fff8aecce31dbd6fdfd8ee3a0c71fd77f013f54d3da8799bd597e2b9b302e1603e8356fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Free.exe
MD5
28d2b5233db11fb15d47576c7fce937c

SHA1
1cba316afc3c76d84f95a0f6e1d5bb61dd0356a3

SHA256
99e44262f35aeaca90c303485b5f01aa42cdeab6909f011dd61f28ca9586aeca

SHA512
7185216e98475cf748de9c136270f27a13dde3aee2f26df27b116d76fff8aecce31dbd6fdfd8ee3a0c71fd77f013f54d3da8799bd597e2b9b302e1603e8356fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
MD5
c5923ce399bf4aabb888e7a9985ae4c8

SHA1
ac34aa90d11da034c6a1b091dd2960d6b9770e9e

SHA256
c4a1c9a00633f92dbfdf8e6f76f3e4d90a1de6112d7850090d2f79828cd66fed

SHA512
aa7703d1b1b5c2fdaf537a761e2300cfd81781624636f7787224d2d692425f7b28df59b8fa5d6d400ee5c90d393286bedaadfd206d39ec804ab8c1b10a509a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
MD5
c5923ce399bf4aabb888e7a9985ae4c8

SHA1
ac34aa90d11da034c6a1b091dd2960d6b9770e9e

SHA256
c4a1c9a00633f92dbfdf8e6f76f3e4d90a1de6112d7850090d2f79828cd66fed

SHA512
aa7703d1b1b5c2fdaf537a761e2300cfd81781624636f7787224d2d692425f7b28df59b8fa5d6d400ee5c90d393286bedaadfd206d39ec804ab8c1b10a509a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
MD5
7f6e60001d89e148fabb62ae3b5301ed

SHA1
02679bae2da92b2fc28e5e5e7905fcdeb3382202

SHA256
708a840263c9db1015413c9f186cc52f965d15d26337ecc5c7110b44db955939

SHA512
1bc54d09b1b413676b4e952a80602791e06f64622b7eb81eb50de005c86d9c5c3c49e45bc09cf077ebb94a69db5f8b129c2cac286a96ab3091ffa38b103d4e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
MD5
7f6e60001d89e148fabb62ae3b5301ed

SHA1
02679bae2da92b2fc28e5e5e7905fcdeb3382202

SHA256
708a840263c9db1015413c9f186cc52f965d15d26337ecc5c7110b44db955939

SHA512
1bc54d09b1b413676b4e952a80602791e06f64622b7eb81eb50de005c86d9c5c3c49e45bc09cf077ebb94a69db5f8b129c2cac286a96ab3091ffa38b103d4e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
MD5
c4fe3eb06cd79313cb195936ad065e93

SHA1
f23ddb86ad6e815a78628a8240b887a20675bc0a

SHA256
0a555ef24202b34e93a96272e88830cc444401303bec00d9122263cabbb02946

SHA512
8ec6fecf53f014cad855ecad62dcb8e2397b19dfd2e222e88e64ad5e88513726a7fc69f4d9b6cc8cb4af093f8dae354109aab37c20246f7507751922f058af77

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
MD5
c4fe3eb06cd79313cb195936ad065e93

SHA1
f23ddb86ad6e815a78628a8240b887a20675bc0a

SHA256
0a555ef24202b34e93a96272e88830cc444401303bec00d9122263cabbb02946

SHA512
8ec6fecf53f014cad855ecad62dcb8e2397b19dfd2e222e88e64ad5e88513726a7fc69f4d9b6cc8cb4af093f8dae354109aab37c20246f7507751922f058af77

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe
MD5
7f9a498cc692f9f3f0cfe241c80e8ad8

SHA1
b5c3f7322da2c8b8ce0f473a26b54d057593162e

SHA256
953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489

SHA512
8fa1b099c07e5aa352a6c5d0288ffd1ce0c5208fda361bb0129c03fbc16d3a84d12fa6067d143e82795343d9c3c847e35ec6b6638373329467d9025933766db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe
MD5
7f9a498cc692f9f3f0cfe241c80e8ad8

SHA1
b5c3f7322da2c8b8ce0f473a26b54d057593162e

SHA256
953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489

SHA512
8fa1b099c07e5aa352a6c5d0288ffd1ce0c5208fda361bb0129c03fbc16d3a84d12fa6067d143e82795343d9c3c847e35ec6b6638373329467d9025933766db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\setup.upx.exe
MD5
010ebf726b3cc67e92eb91d7afbfbd59

SHA1
02db1d5bf39903099612ddb12d4b8918657f0ec0

SHA256
a7e98ba4e9b3149d35cbf64b09bc727b5136ec8375a366ca42d66d1c4fc9e25c

SHA512
84c00731b0724a09d82410c5b0fe40d910c62076ae9fa10a385d084d4dffad5b194b38fd92d48b5fa1991b2fd6e8a370d5f4c43e7f09b424c65c41356ff48f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\setup.upx.exe
MD5
010ebf726b3cc67e92eb91d7afbfbd59

SHA1
02db1d5bf39903099612ddb12d4b8918657f0ec0

SHA256
a7e98ba4e9b3149d35cbf64b09bc727b5136ec8375a366ca42d66d1c4fc9e25c

SHA512
84c00731b0724a09d82410c5b0fe40d910c62076ae9fa10a385d084d4dffad5b194b38fd92d48b5fa1991b2fd6e8a370d5f4c43e7f09b424c65c41356ff48f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PODCO.tmp\Free.tmp
MD5
f897ff6640b2528ae0e3211e9240e79f

SHA1
dc6e47b975423894cb812552bb4aa00c6a57b214

SHA256
24f28a4003cdbd3c50eea654213bb12ae94edcfab5e35fad23e72637b2e86640

SHA512
14ccbac9f018268c19a116d9c4478201d6a5a9a086dce3e5d2e3dac9353c015ccaf624ac7f999ddb41fc59b9c7601d096723eb7129d5859d1147b7540a2b6851

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PODCO.tmp\Free.tmp
MD5
f897ff6640b2528ae0e3211e9240e79f

SHA1
dc6e47b975423894cb812552bb4aa00c6a57b214

SHA256
24f28a4003cdbd3c50eea654213bb12ae94edcfab5e35fad23e72637b2e86640

SHA512
14ccbac9f018268c19a116d9c4478201d6a5a9a086dce3e5d2e3dac9353c015ccaf624ac7f999ddb41fc59b9c7601d096723eb7129d5859d1147b7540a2b6851

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
\Users\Admin\AppData\Local\Temp\nsw6265.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nsw6265.tmp\nsExec.dll
MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
memory/204-140-0x0000000000000000-mapping.dmp

Download
memory/492-16-0x0000000000000000-mapping.dmp

Download
memory/492-15-0x0000000000000000-mapping.dmp

Download
memory/1156-19-0x0000000000000000-mapping.dmp

Download
memory/1388-31-0x0000000000000000-mapping.dmp

Download
memory/1464-135-0x0000000000000000-mapping.dmp

Download
memory/1672-24-0x0000000000000000-mapping.dmp

Download
memory/1672-23-0x0000000000000000-mapping.dmp

Download
memory/1776-139-0x0000000000000000-mapping.dmp

Download
memory/2124-3-0x0000000000000000-mapping.dmp

Download
memory/2124-5-0x0000000000000000-mapping.dmp

Download
memory/2164-12-0x0000000000000000-mapping.dmp

Download
memory/2164-11-0x0000000000000000-mapping.dmp

Download
memory/2224-1-0x0000000000000000-mapping.dmp

Download
memory/2436-149-0x0000000000000000-mapping.dmp

Download
memory/2572-154-0x0000000000000000-mapping.dmp

Download
memory/3168-176-0x0000000000000000-mapping.dmp

Download
memory/3364-27-0x0000000000000000-mapping.dmp

Download
memory/3676-33-0x0000000000000000-mapping.dmp

Download
memory/3848-171-0x0000000000000000-mapping.dmp

Download
memory/3948-9-0x0000000000000000-mapping.dmp

Download
memory/3948-7-0x0000000000000000-mapping.dmp

Download
memory/4036-29-0x000000000066C0BC-mapping.dmp

Download
memory/4036-28-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/4036-32-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/4176-35-0x0000000000000000-mapping.dmp

Download
memory/4180-136-0x0000000000000000-mapping.dmp

Download
memory/4228-38-0x0000000000000000-mapping.dmp

Download
memory/4248-39-0x0000000000000000-mapping.dmp

Download
memory/4248-42-0x0000000073130000-0x00000000731C3000-memory.dmp

Filesize
588KB

Download
memory/4288-172-0x0000000000000000-mapping.dmp

Download
memory/4304-163-0x0000000000000000-mapping.dmp

Download
memory/4320-158-0x0000000000000000-mapping.dmp

Download
memory/4324-45-0x0000000000000000-mapping.dmp

Download
memory/4356-162-0x0000000000000000-mapping.dmp

Download
memory/4372-46-0x0000000000000000-mapping.dmp

Download
memory/4392-146-0x0000000000000000-mapping.dmp

Download
memory/4528-143-0x0000000000000000-mapping.dmp

Download
memory/4552-164-0x0000000000000000-mapping.dmp

Download
memory/4576-64-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/4576-53-0x0000000000000000-mapping.dmp

Download
memory/4576-57-0x0000000073130000-0x00000000731C3000-memory.dmp

Filesize
588KB

Download
memory/4576-65-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/4588-54-0x0000000000000000-mapping.dmp

Download
memory/4588-60-0x0000000073130000-0x00000000731C3000-memory.dmp

Filesize
588KB

Download
memory/4588-66-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/4588-67-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/4612-150-0x0000000000000000-mapping.dmp

Download
memory/4656-61-0x0000000000000000-mapping.dmp

Download
memory/5000-153-0x0000000000000000-mapping.dmp

Download