plugx | 4470d04e7ddfe73366faf06ccbf50904961fe2999f4c8c23be35b820b6036209

Resubmissions

18-02-2021 10:24

210218-l1aaz1rfd6 10

17-02-2021 21:35

210217-2esapajnj2 10

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
17-02-2021 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

keygen-step-4.exe
Size

6.8MB
MD5

38f1d6ddf7e39767157acbb107e03250
SHA1

dcb0d5feacb80c1e4cbb71a30cff7edf10a185e8
SHA256

97ada84ef77a3b45abd2e14caf519e06bbbad5a6ed180aa6ee543e38e9bce796
SHA512

3ba909b5001a3b995ebe8f9dbd4ddb6506a5c66612cf43e94a50f72c543a9aa4828bbba224db807de10076c5e70fabf7cc31bf8e442a3f4cf26d95c7f7094c2d

Score

10^/10

plugx raccoon redline 310b6bfba897d478c7212dc7fdbe942b00728875 bootkit discovery infostealer macro persistence spyware stealer trojan xlm

Malware Config

Extracted

Family

raccoon

Botnet

310b6bfba897d478c7212dc7fdbe942b00728875

Attributes

url4cnc
https://telete.in/j9ca1pel

rc4.plain

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral7/memory/3032-144-0x0000000002430000-0x000000000245E000-memory.dmp	family_redline
behavioral7/memory/3032-150-0x00000000024C0000-0x00000000024EC000-memory.dmp	family_redline

Nirsoft 7 IoCs

Processes:

resource	yara_rule
\Program Files (x86)\gdiview\gdiview\GDIView.exe	Nirsoft
\Program Files (x86)\gdiview\gdiview\GDIView.exe	Nirsoft
\Program Files (x86)\gdiview\gdiview\GDIView.exe	Nirsoft
\Program Files (x86)\gdiview\gdiview\GDIView.exe	Nirsoft
\Program Files (x86)\gdiview\gdiview\GDIView.exe	Nirsoft
\Program Files (x86)\gdiview\gdiview\GDIView.exe	Nirsoft
C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	Nirsoft

Executes dropped EXE 19 IoCs

Processes:

Setup.exe6489A2274AE24900.exe6489A2274AE24900.exemd2_2efs.exefile.exe4F2B.tmp.exe5045.tmp.exe4F2B.tmp.exeBTRSetp.exeinstaller.exe1696595.186179244.675678756.62GDIView.exegdrrr.exejfiag3g_gg.exeThunderFW.exeWindows Host.exejfiag3g_gg.exe

pid	process
1136	Setup.exe
520	6489A2274AE24900.exe
1460	6489A2274AE24900.exe
912	md2_2efs.exe
752	file.exe
2328	4F2B.tmp.exe
2352	5045.tmp.exe
2456	4F2B.tmp.exe
2592	BTRSetp.exe
2688	installer.exe
2968	1696595.18
2996	6179244.67
3032	5678756.62
3060	GDIView.exe
2252	gdrrr.exe
2240	jfiag3g_gg.exe
2432	ThunderFW.exe
1980	Windows Host.exe
2764	jfiag3g_gg.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

Loads dropped DLL 50 IoCs

Processes:

keygen-step-4.exeMsiExec.exeSetup.exefile.exeBTRSetp.exemsiexec.exegdrrr.exe6489A2274AE24900.exe6179244.675045.tmp.exe

pid	process
1152	keygen-step-4.exe
1152	keygen-step-4.exe
1152	keygen-step-4.exe
1152	keygen-step-4.exe
1380	MsiExec.exe
1136	Setup.exe
1136	Setup.exe
1152	keygen-step-4.exe
1152	keygen-step-4.exe
1152	keygen-step-4.exe
1152	keygen-step-4.exe
1152	keygen-step-4.exe
1152	keygen-step-4.exe
1152	keygen-step-4.exe
752	file.exe
752	file.exe
752	file.exe
752	file.exe
1152	keygen-step-4.exe
1152	keygen-step-4.exe
1152	keygen-step-4.exe
2592	BTRSetp.exe
2592	BTRSetp.exe
2592	BTRSetp.exe
2592	BTRSetp.exe
2592	BTRSetp.exe
268	msiexec.exe
1328
1328
1328
1328
1328
1152	keygen-step-4.exe
1152	keygen-step-4.exe
1152	keygen-step-4.exe
2252	gdrrr.exe
2252	gdrrr.exe
520	6489A2274AE24900.exe
2996	6179244.67
2996	6179244.67
2252	gdrrr.exe
2252	gdrrr.exe
2352	5045.tmp.exe
2352	5045.tmp.exe
2352	5045.tmp.exe
2352	5045.tmp.exe
2352	5045.tmp.exe
2352	5045.tmp.exe
2352	5045.tmp.exe
2352	5045.tmp.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gdrrr.exe6179244.67

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gdrrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	6179244.67

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

46 api.ipify.org
53 ip-api.com

flow	ioc
46	api.ipify.org
53	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exe6489A2274AE24900.exe6489A2274AE24900.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	6489A2274AE24900.exe
File opened for modification	\??\PhysicalDrive0	6489A2274AE24900.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Setup.exe

pid process

1136 Setup.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

6489A2274AE24900.exe4F2B.tmp.exe

description	pid	process	target process
PID 520 set thread context of 300	520	6489A2274AE24900.exe	firefox.exe
PID 520 set thread context of 556	520	6489A2274AE24900.exe	firefox.exe
PID 2328 set thread context of 2456	2328	4F2B.tmp.exe	4F2B.tmp.exe

Drops file in Program Files directory 3 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.chm	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\readme.txt	msiexec.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f745d7b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f745d7c.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f745d7b.msi	msiexec.exe
File created	C:\Windows\Installer\f745d7c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6039.tmp	msiexec.exe
File created	C:\Windows\Installer\f745d7e.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2944 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

752 taskkill.exe

pid	process
2944	timeout.exe

pid	process
752	taskkill.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

file.exe1696595.18Setup.exemd2_2efs.exe5045.tmp.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	1696595.18
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	md2_2efs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 19000000010000001000000018e847daffeaedafa0faaea36340ea790f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	md2_2efs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5045.tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	1696595.18
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	md2_2efs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	5045.tmp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	1696595.18
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104612000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	md2_2efs.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

304 PING.EXE
1008 PING.EXE
2624 PING.EXE
284 PING.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

msiexec.exeGDIView.exejfiag3g_gg.exe1696595.185678756.62

pid process

268 msiexec.exe
268 msiexec.exe
3060 GDIView.exe
3060 GDIView.exe
2764 jfiag3g_gg.exe
2968 1696595.18
2968 1696595.18
3032 5678756.62
3032 5678756.62
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

GDIView.exe

pid process

3060 GDIView.exe

pid	process
304	PING.EXE
1008	PING.EXE
2624	PING.EXE
284	PING.EXE

pid	process
268	msiexec.exe
268	msiexec.exe
3060	GDIView.exe
3060	GDIView.exe
2764	jfiag3g_gg.exe
2968	1696595.18
2968	1696595.18
3032	5678756.62
3032	5678756.62

pid	process
3060	GDIView.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1532	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1532	msiexec.exe
Token: SeRestorePrivilege	268	msiexec.exe
Token: SeTakeOwnershipPrivilege	268	msiexec.exe
Token: SeSecurityPrivilege	268	msiexec.exe
Token: SeCreateTokenPrivilege	1532	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1532	msiexec.exe
Token: SeLockMemoryPrivilege	1532	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1532	msiexec.exe
Token: SeMachineAccountPrivilege	1532	msiexec.exe
Token: SeTcbPrivilege	1532	msiexec.exe
Token: SeSecurityPrivilege	1532	msiexec.exe
Token: SeTakeOwnershipPrivilege	1532	msiexec.exe
Token: SeLoadDriverPrivilege	1532	msiexec.exe
Token: SeSystemProfilePrivilege	1532	msiexec.exe
Token: SeSystemtimePrivilege	1532	msiexec.exe
Token: SeProfSingleProcessPrivilege	1532	msiexec.exe
Token: SeIncBasePriorityPrivilege	1532	msiexec.exe
Token: SeCreatePagefilePrivilege	1532	msiexec.exe
Token: SeCreatePermanentPrivilege	1532	msiexec.exe
Token: SeBackupPrivilege	1532	msiexec.exe
Token: SeRestorePrivilege	1532	msiexec.exe
Token: SeShutdownPrivilege	1532	msiexec.exe
Token: SeDebugPrivilege	1532	msiexec.exe
Token: SeAuditPrivilege	1532	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1532	msiexec.exe
Token: SeChangeNotifyPrivilege	1532	msiexec.exe
Token: SeRemoteShutdownPrivilege	1532	msiexec.exe
Token: SeUndockPrivilege	1532	msiexec.exe
Token: SeSyncAgentPrivilege	1532	msiexec.exe
Token: SeEnableDelegationPrivilege	1532	msiexec.exe
Token: SeManageVolumePrivilege	1532	msiexec.exe
Token: SeImpersonatePrivilege	1532	msiexec.exe
Token: SeCreateGlobalPrivilege	1532	msiexec.exe
Token: SeCreateTokenPrivilege	1532	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1532	msiexec.exe
Token: SeLockMemoryPrivilege	1532	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1532	msiexec.exe
Token: SeMachineAccountPrivilege	1532	msiexec.exe
Token: SeTcbPrivilege	1532	msiexec.exe
Token: SeSecurityPrivilege	1532	msiexec.exe
Token: SeTakeOwnershipPrivilege	1532	msiexec.exe
Token: SeLoadDriverPrivilege	1532	msiexec.exe
Token: SeSystemProfilePrivilege	1532	msiexec.exe
Token: SeSystemtimePrivilege	1532	msiexec.exe
Token: SeProfSingleProcessPrivilege	1532	msiexec.exe
Token: SeIncBasePriorityPrivilege	1532	msiexec.exe
Token: SeCreatePagefilePrivilege	1532	msiexec.exe
Token: SeCreatePermanentPrivilege	1532	msiexec.exe
Token: SeBackupPrivilege	1532	msiexec.exe
Token: SeRestorePrivilege	1532	msiexec.exe
Token: SeShutdownPrivilege	1532	msiexec.exe
Token: SeDebugPrivilege	1532	msiexec.exe
Token: SeAuditPrivilege	1532	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1532	msiexec.exe
Token: SeChangeNotifyPrivilege	1532	msiexec.exe
Token: SeRemoteShutdownPrivilege	1532	msiexec.exe
Token: SeUndockPrivilege	1532	msiexec.exe
Token: SeSyncAgentPrivilege	1532	msiexec.exe
Token: SeEnableDelegationPrivilege	1532	msiexec.exe
Token: SeManageVolumePrivilege	1532	msiexec.exe
Token: SeImpersonatePrivilege	1532	msiexec.exe
Token: SeCreateGlobalPrivilege	1532	msiexec.exe
Token: SeCreateTokenPrivilege	1532	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1532 msiexec.exe
1532 msiexec.exe

pid	process
1532	msiexec.exe
1532	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

keygen-step-4.exeSetup.exemsiexec.execmd.exe6489A2274AE24900.exe6489A2274AE24900.execmd.exe

description	pid	process	target process
PID 1152 wrote to memory of 1136	1152	keygen-step-4.exe	Setup.exe
PID 1152 wrote to memory of 1136	1152	keygen-step-4.exe	Setup.exe
PID 1152 wrote to memory of 1136	1152	keygen-step-4.exe	Setup.exe
PID 1152 wrote to memory of 1136	1152	keygen-step-4.exe	Setup.exe
PID 1152 wrote to memory of 1136	1152	keygen-step-4.exe	Setup.exe
PID 1152 wrote to memory of 1136	1152	keygen-step-4.exe	Setup.exe
PID 1152 wrote to memory of 1136	1152	keygen-step-4.exe	Setup.exe
PID 1136 wrote to memory of 1532	1136	Setup.exe	msiexec.exe
PID 1136 wrote to memory of 1532	1136	Setup.exe	msiexec.exe
PID 1136 wrote to memory of 1532	1136	Setup.exe	msiexec.exe
PID 1136 wrote to memory of 1532	1136	Setup.exe	msiexec.exe
PID 1136 wrote to memory of 1532	1136	Setup.exe	msiexec.exe
PID 1136 wrote to memory of 1532	1136	Setup.exe	msiexec.exe
PID 1136 wrote to memory of 1532	1136	Setup.exe	msiexec.exe
PID 268 wrote to memory of 1380	268	msiexec.exe	MsiExec.exe
PID 268 wrote to memory of 1380	268	msiexec.exe	MsiExec.exe
PID 268 wrote to memory of 1380	268	msiexec.exe	MsiExec.exe
PID 268 wrote to memory of 1380	268	msiexec.exe	MsiExec.exe
PID 268 wrote to memory of 1380	268	msiexec.exe	MsiExec.exe
PID 268 wrote to memory of 1380	268	msiexec.exe	MsiExec.exe
PID 268 wrote to memory of 1380	268	msiexec.exe	MsiExec.exe
PID 1136 wrote to memory of 520	1136	Setup.exe	6489A2274AE24900.exe
PID 1136 wrote to memory of 520	1136	Setup.exe	6489A2274AE24900.exe
PID 1136 wrote to memory of 520	1136	Setup.exe	6489A2274AE24900.exe
PID 1136 wrote to memory of 520	1136	Setup.exe	6489A2274AE24900.exe
PID 1136 wrote to memory of 520	1136	Setup.exe	6489A2274AE24900.exe
PID 1136 wrote to memory of 520	1136	Setup.exe	6489A2274AE24900.exe
PID 1136 wrote to memory of 520	1136	Setup.exe	6489A2274AE24900.exe
PID 1136 wrote to memory of 1460	1136	Setup.exe	6489A2274AE24900.exe
PID 1136 wrote to memory of 1460	1136	Setup.exe	6489A2274AE24900.exe
PID 1136 wrote to memory of 1460	1136	Setup.exe	6489A2274AE24900.exe
PID 1136 wrote to memory of 1460	1136	Setup.exe	6489A2274AE24900.exe
PID 1136 wrote to memory of 1460	1136	Setup.exe	6489A2274AE24900.exe
PID 1136 wrote to memory of 1460	1136	Setup.exe	6489A2274AE24900.exe
PID 1136 wrote to memory of 1460	1136	Setup.exe	6489A2274AE24900.exe
PID 1136 wrote to memory of 1384	1136	Setup.exe	cmd.exe
PID 1136 wrote to memory of 1384	1136	Setup.exe	cmd.exe
PID 1136 wrote to memory of 1384	1136	Setup.exe	cmd.exe
PID 1136 wrote to memory of 1384	1136	Setup.exe	cmd.exe
PID 1384 wrote to memory of 304	1384	cmd.exe	PING.EXE
PID 1384 wrote to memory of 304	1384	cmd.exe	PING.EXE
PID 1384 wrote to memory of 304	1384	cmd.exe	PING.EXE
PID 1384 wrote to memory of 304	1384	cmd.exe	PING.EXE
PID 1152 wrote to memory of 912	1152	keygen-step-4.exe	md2_2efs.exe
PID 1152 wrote to memory of 912	1152	keygen-step-4.exe	md2_2efs.exe
PID 1152 wrote to memory of 912	1152	keygen-step-4.exe	md2_2efs.exe
PID 1152 wrote to memory of 912	1152	keygen-step-4.exe	md2_2efs.exe
PID 1460 wrote to memory of 1320	1460	6489A2274AE24900.exe	cmd.exe
PID 1460 wrote to memory of 1320	1460	6489A2274AE24900.exe	cmd.exe
PID 1460 wrote to memory of 1320	1460	6489A2274AE24900.exe	cmd.exe
PID 1460 wrote to memory of 1320	1460	6489A2274AE24900.exe	cmd.exe
PID 520 wrote to memory of 300	520	6489A2274AE24900.exe	firefox.exe
PID 520 wrote to memory of 300	520	6489A2274AE24900.exe	firefox.exe
PID 520 wrote to memory of 300	520	6489A2274AE24900.exe	firefox.exe
PID 520 wrote to memory of 300	520	6489A2274AE24900.exe	firefox.exe
PID 520 wrote to memory of 300	520	6489A2274AE24900.exe	firefox.exe
PID 520 wrote to memory of 300	520	6489A2274AE24900.exe	firefox.exe
PID 520 wrote to memory of 300	520	6489A2274AE24900.exe	firefox.exe
PID 520 wrote to memory of 300	520	6489A2274AE24900.exe	firefox.exe
PID 1320 wrote to memory of 752	1320	cmd.exe	taskkill.exe
PID 1320 wrote to memory of 752	1320	cmd.exe	taskkill.exe
PID 1320 wrote to memory of 752	1320	cmd.exe	taskkill.exe
PID 1320 wrote to memory of 752	1320	cmd.exe	taskkill.exe
PID 1152 wrote to memory of 752	1152	keygen-step-4.exe	file.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1532

C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
PID:300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
4⤵
- Executes dropped EXE
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
4⤵
PID:2828

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:284

C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp1
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
5⤵
- Kills process with taskkill
PID:752

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
4⤵
PID:928

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:304

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:912

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:752

C:\Users\Admin\AppData\Roaming\4F2B.tmp.exe
"C:\Users\Admin\AppData\Roaming\4F2B.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2328

C:\Users\Admin\AppData\Roaming\4F2B.tmp.exe
"C:\Users\Admin\AppData\Roaming\4F2B.tmp.exe"
4⤵
- Executes dropped EXE
PID:2456

C:\Users\Admin\AppData\Roaming\5045.tmp.exe
"C:\Users\Admin\AppData\Roaming\5045.tmp.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2352

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\5045.tmp.exe"
4⤵
PID:2956

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:2944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
3⤵
PID:2552

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:2624

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592

C:\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe"
3⤵
- Executes dropped EXE
PID:2688

C:\ProgramData\1696595.18
"C:\ProgramData\1696595.18"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2968

C:\ProgramData\6179244.67
"C:\ProgramData\6179244.67"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2996

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
5⤵
- Executes dropped EXE
PID:1980

C:\ProgramData\5678756.62
"C:\ProgramData\5678756.62"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3032

C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2252

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:2240

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D0768C330ECEADC0B6DB9151DFA5B6F6 C
2⤵
- Loads dropped DLL
PID:1380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1912

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "000000000000049C" "00000000000003A8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2304

C:\Program Files (x86)\gdiview\gdiview\GDIView.exe
"C:\Program Files (x86)\gdiview\gdiview\GDIView.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\gdiview\gdiview\GDIView.exe
MD5
292ce5c1baa3da54f5bfd847bdd92fa1

SHA1
4d98e3522790a9408e7e85d0e80c3b54a43318e1

SHA256
c49560f7a206b6b55d89c205a4631dfedd2b4a78ab81fea8706989a5627f95a1

SHA512
87df5d622d8f0685edf93f97b8213c893b203d1c6d064af238f0bdc0dc985c9968be6f0907aff4fb64a320b0886ef2bed2339694aca12f0bcd9502ce3d6f089d

Download Submit
C:\ProgramData\1696595.18
MD5
abdc365ce3238a8ad67a171ad464956a

SHA1
7aefb4e96b8ca389255dd95f4031db9593aacb82

SHA256
82497fae8fab8060641f6c8ad747518dd4793de3aa53bff233b759e7b2932e35

SHA512
8b1c87d14afcd781d5432cb6261d36c74921b89665308496135705ebdb2cdca212688f8cf8736d884bfd19d840345958a19c9e4323bfe7cf46233d535243e573

Download Submit
C:\ProgramData\1696595.18
MD5
abdc365ce3238a8ad67a171ad464956a

SHA1
7aefb4e96b8ca389255dd95f4031db9593aacb82

SHA256
82497fae8fab8060641f6c8ad747518dd4793de3aa53bff233b759e7b2932e35

SHA512
8b1c87d14afcd781d5432cb6261d36c74921b89665308496135705ebdb2cdca212688f8cf8736d884bfd19d840345958a19c9e4323bfe7cf46233d535243e573

Download Submit
C:\ProgramData\5678756.62
MD5
da4593494b26ec65c287f26cebc27010

SHA1
5546802928189cfbf525d6d3818ee68c635fcf64

SHA256
a76d664e82f034c435948554a163462d61a0c37ff2a2eb7408a539eb61913a1d

SHA512
dd91da3a22d0dfdddea32f7e76afdd074cf2e9da0dfea211f92f392b14e4c0da544549ab5c6023f1046c29b950f059db685c71117a38aacd4a0f16c178001bdd

Download Submit
C:\ProgramData\5678756.62
MD5
da4593494b26ec65c287f26cebc27010

SHA1
5546802928189cfbf525d6d3818ee68c635fcf64

SHA256
a76d664e82f034c435948554a163462d61a0c37ff2a2eb7408a539eb61913a1d

SHA512
dd91da3a22d0dfdddea32f7e76afdd074cf2e9da0dfea211f92f392b14e4c0da544549ab5c6023f1046c29b950f059db685c71117a38aacd4a0f16c178001bdd

Download Submit
C:\ProgramData\6179244.67
MD5
812106381d9d1e2b02a890710b56b47d

SHA1
e779d19559c8eb1a59be586a0309e559a0d175fa

SHA256
4dc2cda6da2e009dea089f085bb193c06e8fe6239788c7250e64b92c4130b25c

SHA512
cd4195284f26c76bcd67b2c08329c877325324dcf0137fe05224186f384180ed88ee9743cd0a984f8a7cefc93115d26accacc2b284a5090c4a9ec60f2d04e975

Download Submit
C:\ProgramData\6179244.67
MD5
812106381d9d1e2b02a890710b56b47d

SHA1
e779d19559c8eb1a59be586a0309e559a0d175fa

SHA256
4dc2cda6da2e009dea089f085bb193c06e8fe6239788c7250e64b92c4130b25c

SHA512
cd4195284f26c76bcd67b2c08329c877325324dcf0137fe05224186f384180ed88ee9743cd0a984f8a7cefc93115d26accacc2b284a5090c4a9ec60f2d04e975

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
e92176b0889cc1bb97114beb2f3c1728

SHA1
ad1459d390ec23ab1c3da73ff2fbec7fa3a7f443

SHA256
58a4f38ba43f115ba3f465c311eaaf67f43d92e580f7f153de3ab605fc9900f3

SHA512
cd2267ba2f08d2f87538f5b4f8d3032638542ac3476863a35f0df491eb3a84458ce36c06e8c1bd84219f5297b6f386748e817945a406082fa8e77244ec229d8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
7732da98439ed18e75931821a62e6e45

SHA1
55cea02fa0d2b2b490750e045bbd30ba93723978

SHA256
bd16ca67f32386d736dd06589411c98d7cd01f92be1aeda6a25592e0ad710c15

SHA512
237b431350cbc080236bdd4eb7c6ab1dc864af592bf81dae98401b806587d130fe809337e5a3455a02059090f5d80b0a69a6fb8ba08f17fdacc86e7ad905e241

Download Submit
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
MD5
edeb50f0b803732a581ab558bf87d968

SHA1
35858ce564d4c8b080bae606bf67292f5b9b2201

SHA256
ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6

SHA512
8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273

Download Submit
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
MD5
edeb50f0b803732a581ab558bf87d968

SHA1
35858ce564d4c8b080bae606bf67292f5b9b2201

SHA256
ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6

SHA512
8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273

Download Submit
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
MD5
edeb50f0b803732a581ab558bf87d968

SHA1
35858ce564d4c8b080bae606bf67292f5b9b2201

SHA256
ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6

SHA512
8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1EF6.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
MD5
b2d8ce7b40730bc6615728b1b1795ce9

SHA1
5cf7a63f3ecc2184e7b2894c78538d89f7063fe1

SHA256
ee4b58514316c6fc928e60245384560a24723e690a3311e8c2dd9e8efd5de7ca

SHA512
cc79016627fb17a864ca3414f8bc598d52a9d17ec64ee1005b059a84597fe16493203879ff1c5a5ed46cf15a9e590098672a4b21a38852cace9bb02d8f1c531e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
MD5
b2d8ce7b40730bc6615728b1b1795ce9

SHA1
5cf7a63f3ecc2184e7b2894c78538d89f7063fe1

SHA256
ee4b58514316c6fc928e60245384560a24723e690a3311e8c2dd9e8efd5de7ca

SHA512
cc79016627fb17a864ca3414f8bc598d52a9d17ec64ee1005b059a84597fe16493203879ff1c5a5ed46cf15a9e590098672a4b21a38852cace9bb02d8f1c531e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
edeb50f0b803732a581ab558bf87d968

SHA1
35858ce564d4c8b080bae606bf67292f5b9b2201

SHA256
ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6

SHA512
8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
edeb50f0b803732a581ab558bf87d968

SHA1
35858ce564d4c8b080bae606bf67292f5b9b2201

SHA256
ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6

SHA512
8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
26baf1dd4e0c44975cf943b6d5269b07

SHA1
4648e9a79c7a4fd5be622128ddc5af68697f3121

SHA256
9117de15747527123f93284c821ea2e681b574639112532e66ad37a8246d98c9

SHA512
57adccbf3424849a19291e9e4ec018a4f3b1ca5fbdfedd16592fadae5c7664249eafcff85e916dd2342ab47b6440ac314af63360aaafba1a11c7356c0f27fcef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
26baf1dd4e0c44975cf943b6d5269b07

SHA1
4648e9a79c7a4fd5be622128ddc5af68697f3121

SHA256
9117de15747527123f93284c821ea2e681b574639112532e66ad37a8246d98c9

SHA512
57adccbf3424849a19291e9e4ec018a4f3b1ca5fbdfedd16592fadae5c7664249eafcff85e916dd2342ab47b6440ac314af63360aaafba1a11c7356c0f27fcef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
MD5
6f3b825f098993be0b5dbd0e42790b15

SHA1
cb6b13faf195f76f064c19d5b1a08b5d0633d3ea

SHA256
c6ee0d49bdb6580c6a972e1b087ba4973984843c94832082cb0454e17386ab2e

SHA512
bff72b5587ce20201e08919456726872aa253eceb7836884995f2807aaf1d6dc9ebd681c3aa6e34a56be18f1f3369bea4876df6836329dd43202103db7b7d34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
MD5
6f3b825f098993be0b5dbd0e42790b15

SHA1
cb6b13faf195f76f064c19d5b1a08b5d0633d3ea

SHA256
c6ee0d49bdb6580c6a972e1b087ba4973984843c94832082cb0454e17386ab2e

SHA512
bff72b5587ce20201e08919456726872aa253eceb7836884995f2807aaf1d6dc9ebd681c3aa6e34a56be18f1f3369bea4876df6836329dd43202103db7b7d34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe
MD5
874d5bd8807cebd41fd65ea12f4f9252

SHA1
d3833cf480b3d6bdd05be3e837cdebabfc6cdb5d

SHA256
2b1503e2375fcd64699867b513e8e51a6f15a1fbc461755249bff01adb658985

SHA512
b2e47db04d8bc92037e1d1492df161f1e66a75ef99e3c77b3ae6b9b74e270cb7b705f02b26ca9edf63a138244ca013fb4b7d41d4ade66404d1ec77433bbe1b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe
MD5
874d5bd8807cebd41fd65ea12f4f9252

SHA1
d3833cf480b3d6bdd05be3e837cdebabfc6cdb5d

SHA256
2b1503e2375fcd64699867b513e8e51a6f15a1fbc461755249bff01adb658985

SHA512
b2e47db04d8bc92037e1d1492df161f1e66a75ef99e3c77b3ae6b9b74e270cb7b705f02b26ca9edf63a138244ca013fb4b7d41d4ade66404d1ec77433bbe1b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Roaming\4F2B.tmp.exe
MD5
873c7b577537e85c011f35797b5928bd

SHA1
7d8c46d835298bd906cdac8259da7f5af18a4d24

SHA256
ead97ff79fc2db628a01194d5255138beb5ef01fcccce399fc4ad5769097718a

SHA512
d7160e2a211e370839c3713f1bf1d267b86f1e0ac520a1fee0af22764eb8f5f6499ba044ba8fa23be64534bac0d74c81a741e5c64cadd43a721ce9be96428584

Download Submit
C:\Users\Admin\AppData\Roaming\4F2B.tmp.exe
MD5
873c7b577537e85c011f35797b5928bd

SHA1
7d8c46d835298bd906cdac8259da7f5af18a4d24

SHA256
ead97ff79fc2db628a01194d5255138beb5ef01fcccce399fc4ad5769097718a

SHA512
d7160e2a211e370839c3713f1bf1d267b86f1e0ac520a1fee0af22764eb8f5f6499ba044ba8fa23be64534bac0d74c81a741e5c64cadd43a721ce9be96428584

Download Submit
C:\Users\Admin\AppData\Roaming\4F2B.tmp.exe
MD5
873c7b577537e85c011f35797b5928bd

SHA1
7d8c46d835298bd906cdac8259da7f5af18a4d24

SHA256
ead97ff79fc2db628a01194d5255138beb5ef01fcccce399fc4ad5769097718a

SHA512
d7160e2a211e370839c3713f1bf1d267b86f1e0ac520a1fee0af22764eb8f5f6499ba044ba8fa23be64534bac0d74c81a741e5c64cadd43a721ce9be96428584

Download Submit
C:\Users\Admin\AppData\Roaming\5045.tmp.exe
MD5
aa2fed72f707d75a62ff90c33d180e88

SHA1
908fa31c2a1e7621e382aec93e2255cda2f4ad76

SHA256
134a4ec0eea6bc50b58a12837dd035bcbfbfe766667ad79cfb87346a413ee22d

SHA512
bc1e53620b4951fddba69c9c46ac3e8079fa19acf99daadce3f0293d8964d688c789436bf13f74991faaa5cd4522116ea049053fe6b48eb2aa062e9c09bfc0c0

Download Submit
C:\Users\Admin\AppData\Roaming\5045.tmp.exe
MD5
aa2fed72f707d75a62ff90c33d180e88

SHA1
908fa31c2a1e7621e382aec93e2255cda2f4ad76

SHA256
134a4ec0eea6bc50b58a12837dd035bcbfbfe766667ad79cfb87346a413ee22d

SHA512
bc1e53620b4951fddba69c9c46ac3e8079fa19acf99daadce3f0293d8964d688c789436bf13f74991faaa5cd4522116ea049053fe6b48eb2aa062e9c09bfc0c0

Download Submit
\Program Files (x86)\gdiview\gdiview\GDIView.exe
MD5
292ce5c1baa3da54f5bfd847bdd92fa1

SHA1
4d98e3522790a9408e7e85d0e80c3b54a43318e1

SHA256
c49560f7a206b6b55d89c205a4631dfedd2b4a78ab81fea8706989a5627f95a1

SHA512
87df5d622d8f0685edf93f97b8213c893b203d1c6d064af238f0bdc0dc985c9968be6f0907aff4fb64a320b0886ef2bed2339694aca12f0bcd9502ce3d6f089d

Download Submit
\Program Files (x86)\gdiview\gdiview\GDIView.exe
MD5
292ce5c1baa3da54f5bfd847bdd92fa1

SHA1
4d98e3522790a9408e7e85d0e80c3b54a43318e1

SHA256
c49560f7a206b6b55d89c205a4631dfedd2b4a78ab81fea8706989a5627f95a1

SHA512
87df5d622d8f0685edf93f97b8213c893b203d1c6d064af238f0bdc0dc985c9968be6f0907aff4fb64a320b0886ef2bed2339694aca12f0bcd9502ce3d6f089d

Download Submit
\Program Files (x86)\gdiview\gdiview\GDIView.exe
MD5
292ce5c1baa3da54f5bfd847bdd92fa1

SHA1
4d98e3522790a9408e7e85d0e80c3b54a43318e1

SHA256
c49560f7a206b6b55d89c205a4631dfedd2b4a78ab81fea8706989a5627f95a1

SHA512
87df5d622d8f0685edf93f97b8213c893b203d1c6d064af238f0bdc0dc985c9968be6f0907aff4fb64a320b0886ef2bed2339694aca12f0bcd9502ce3d6f089d

Download Submit
\Program Files (x86)\gdiview\gdiview\GDIView.exe
MD5
292ce5c1baa3da54f5bfd847bdd92fa1

SHA1
4d98e3522790a9408e7e85d0e80c3b54a43318e1

SHA256
c49560f7a206b6b55d89c205a4631dfedd2b4a78ab81fea8706989a5627f95a1

SHA512
87df5d622d8f0685edf93f97b8213c893b203d1c6d064af238f0bdc0dc985c9968be6f0907aff4fb64a320b0886ef2bed2339694aca12f0bcd9502ce3d6f089d

Download Submit
\Program Files (x86)\gdiview\gdiview\GDIView.exe
MD5
292ce5c1baa3da54f5bfd847bdd92fa1

SHA1
4d98e3522790a9408e7e85d0e80c3b54a43318e1

SHA256
c49560f7a206b6b55d89c205a4631dfedd2b4a78ab81fea8706989a5627f95a1

SHA512
87df5d622d8f0685edf93f97b8213c893b203d1c6d064af238f0bdc0dc985c9968be6f0907aff4fb64a320b0886ef2bed2339694aca12f0bcd9502ce3d6f089d

Download Submit
\Program Files (x86)\gdiview\gdiview\GDIView.exe
MD5
292ce5c1baa3da54f5bfd847bdd92fa1

SHA1
4d98e3522790a9408e7e85d0e80c3b54a43318e1

SHA256
c49560f7a206b6b55d89c205a4631dfedd2b4a78ab81fea8706989a5627f95a1

SHA512
87df5d622d8f0685edf93f97b8213c893b203d1c6d064af238f0bdc0dc985c9968be6f0907aff4fb64a320b0886ef2bed2339694aca12f0bcd9502ce3d6f089d

Download Submit
\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
MD5
edeb50f0b803732a581ab558bf87d968

SHA1
35858ce564d4c8b080bae606bf67292f5b9b2201

SHA256
ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6

SHA512
8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273

Download Submit
\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
MD5
edeb50f0b803732a581ab558bf87d968

SHA1
35858ce564d4c8b080bae606bf67292f5b9b2201

SHA256
ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6

SHA512
8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273

Download Submit
\Users\Admin\AppData\Local\Temp\MSI1EF6.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
MD5
b2d8ce7b40730bc6615728b1b1795ce9

SHA1
5cf7a63f3ecc2184e7b2894c78538d89f7063fe1

SHA256
ee4b58514316c6fc928e60245384560a24723e690a3311e8c2dd9e8efd5de7ca

SHA512
cc79016627fb17a864ca3414f8bc598d52a9d17ec64ee1005b059a84597fe16493203879ff1c5a5ed46cf15a9e590098672a4b21a38852cace9bb02d8f1c531e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
MD5
b2d8ce7b40730bc6615728b1b1795ce9

SHA1
5cf7a63f3ecc2184e7b2894c78538d89f7063fe1

SHA256
ee4b58514316c6fc928e60245384560a24723e690a3311e8c2dd9e8efd5de7ca

SHA512
cc79016627fb17a864ca3414f8bc598d52a9d17ec64ee1005b059a84597fe16493203879ff1c5a5ed46cf15a9e590098672a4b21a38852cace9bb02d8f1c531e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
MD5
b2d8ce7b40730bc6615728b1b1795ce9

SHA1
5cf7a63f3ecc2184e7b2894c78538d89f7063fe1

SHA256
ee4b58514316c6fc928e60245384560a24723e690a3311e8c2dd9e8efd5de7ca

SHA512
cc79016627fb17a864ca3414f8bc598d52a9d17ec64ee1005b059a84597fe16493203879ff1c5a5ed46cf15a9e590098672a4b21a38852cace9bb02d8f1c531e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
edeb50f0b803732a581ab558bf87d968

SHA1
35858ce564d4c8b080bae606bf67292f5b9b2201

SHA256
ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6

SHA512
8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
edeb50f0b803732a581ab558bf87d968

SHA1
35858ce564d4c8b080bae606bf67292f5b9b2201

SHA256
ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6

SHA512
8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
edeb50f0b803732a581ab558bf87d968

SHA1
35858ce564d4c8b080bae606bf67292f5b9b2201

SHA256
ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6

SHA512
8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
edeb50f0b803732a581ab558bf87d968

SHA1
35858ce564d4c8b080bae606bf67292f5b9b2201

SHA256
ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6

SHA512
8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
26baf1dd4e0c44975cf943b6d5269b07

SHA1
4648e9a79c7a4fd5be622128ddc5af68697f3121

SHA256
9117de15747527123f93284c821ea2e681b574639112532e66ad37a8246d98c9

SHA512
57adccbf3424849a19291e9e4ec018a4f3b1ca5fbdfedd16592fadae5c7664249eafcff85e916dd2342ab47b6440ac314af63360aaafba1a11c7356c0f27fcef

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
26baf1dd4e0c44975cf943b6d5269b07

SHA1
4648e9a79c7a4fd5be622128ddc5af68697f3121

SHA256
9117de15747527123f93284c821ea2e681b574639112532e66ad37a8246d98c9

SHA512
57adccbf3424849a19291e9e4ec018a4f3b1ca5fbdfedd16592fadae5c7664249eafcff85e916dd2342ab47b6440ac314af63360aaafba1a11c7356c0f27fcef

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
26baf1dd4e0c44975cf943b6d5269b07

SHA1
4648e9a79c7a4fd5be622128ddc5af68697f3121

SHA256
9117de15747527123f93284c821ea2e681b574639112532e66ad37a8246d98c9

SHA512
57adccbf3424849a19291e9e4ec018a4f3b1ca5fbdfedd16592fadae5c7664249eafcff85e916dd2342ab47b6440ac314af63360aaafba1a11c7356c0f27fcef

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe
MD5
6a714c56525073f78181129ce52175db

SHA1
eb7a9356e9cc40368e1774035c23b15b7c8d792b

SHA256
57c417f53d9032a2f256cee17c274df2d411858abb14789406671c1dca6017c4

SHA512
04a183bddeeaa6fe316596fad52a6e707549ca2e93b2b294c618b4381018bf5791582e2ac08e0f5e5cea86ac980a56208e54e1e310945614e00524d50a00c550

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe
MD5
6a714c56525073f78181129ce52175db

SHA1
eb7a9356e9cc40368e1774035c23b15b7c8d792b

SHA256
57c417f53d9032a2f256cee17c274df2d411858abb14789406671c1dca6017c4

SHA512
04a183bddeeaa6fe316596fad52a6e707549ca2e93b2b294c618b4381018bf5791582e2ac08e0f5e5cea86ac980a56208e54e1e310945614e00524d50a00c550

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
MD5
6f3b825f098993be0b5dbd0e42790b15

SHA1
cb6b13faf195f76f064c19d5b1a08b5d0633d3ea

SHA256
c6ee0d49bdb6580c6a972e1b087ba4973984843c94832082cb0454e17386ab2e

SHA512
bff72b5587ce20201e08919456726872aa253eceb7836884995f2807aaf1d6dc9ebd681c3aa6e34a56be18f1f3369bea4876df6836329dd43202103db7b7d34c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
MD5
6f3b825f098993be0b5dbd0e42790b15

SHA1
cb6b13faf195f76f064c19d5b1a08b5d0633d3ea

SHA256
c6ee0d49bdb6580c6a972e1b087ba4973984843c94832082cb0454e17386ab2e

SHA512
bff72b5587ce20201e08919456726872aa253eceb7836884995f2807aaf1d6dc9ebd681c3aa6e34a56be18f1f3369bea4876df6836329dd43202103db7b7d34c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
MD5
6f3b825f098993be0b5dbd0e42790b15

SHA1
cb6b13faf195f76f064c19d5b1a08b5d0633d3ea

SHA256
c6ee0d49bdb6580c6a972e1b087ba4973984843c94832082cb0454e17386ab2e

SHA512
bff72b5587ce20201e08919456726872aa253eceb7836884995f2807aaf1d6dc9ebd681c3aa6e34a56be18f1f3369bea4876df6836329dd43202103db7b7d34c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
MD5
6f3b825f098993be0b5dbd0e42790b15

SHA1
cb6b13faf195f76f064c19d5b1a08b5d0633d3ea

SHA256
c6ee0d49bdb6580c6a972e1b087ba4973984843c94832082cb0454e17386ab2e

SHA512
bff72b5587ce20201e08919456726872aa253eceb7836884995f2807aaf1d6dc9ebd681c3aa6e34a56be18f1f3369bea4876df6836329dd43202103db7b7d34c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe
MD5
874d5bd8807cebd41fd65ea12f4f9252

SHA1
d3833cf480b3d6bdd05be3e837cdebabfc6cdb5d

SHA256
2b1503e2375fcd64699867b513e8e51a6f15a1fbc461755249bff01adb658985

SHA512
b2e47db04d8bc92037e1d1492df161f1e66a75ef99e3c77b3ae6b9b74e270cb7b705f02b26ca9edf63a138244ca013fb4b7d41d4ade66404d1ec77433bbe1b48

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe
MD5
874d5bd8807cebd41fd65ea12f4f9252

SHA1
d3833cf480b3d6bdd05be3e837cdebabfc6cdb5d

SHA256
2b1503e2375fcd64699867b513e8e51a6f15a1fbc461755249bff01adb658985

SHA512
b2e47db04d8bc92037e1d1492df161f1e66a75ef99e3c77b3ae6b9b74e270cb7b705f02b26ca9edf63a138244ca013fb4b7d41d4ade66404d1ec77433bbe1b48

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe
MD5
874d5bd8807cebd41fd65ea12f4f9252

SHA1
d3833cf480b3d6bdd05be3e837cdebabfc6cdb5d

SHA256
2b1503e2375fcd64699867b513e8e51a6f15a1fbc461755249bff01adb658985

SHA512
b2e47db04d8bc92037e1d1492df161f1e66a75ef99e3c77b3ae6b9b74e270cb7b705f02b26ca9edf63a138244ca013fb4b7d41d4ade66404d1ec77433bbe1b48

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe
MD5
874d5bd8807cebd41fd65ea12f4f9252

SHA1
d3833cf480b3d6bdd05be3e837cdebabfc6cdb5d

SHA256
2b1503e2375fcd64699867b513e8e51a6f15a1fbc461755249bff01adb658985

SHA512
b2e47db04d8bc92037e1d1492df161f1e66a75ef99e3c77b3ae6b9b74e270cb7b705f02b26ca9edf63a138244ca013fb4b7d41d4ade66404d1ec77433bbe1b48

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe
MD5
874d5bd8807cebd41fd65ea12f4f9252

SHA1
d3833cf480b3d6bdd05be3e837cdebabfc6cdb5d

SHA256
2b1503e2375fcd64699867b513e8e51a6f15a1fbc461755249bff01adb658985

SHA512
b2e47db04d8bc92037e1d1492df161f1e66a75ef99e3c77b3ae6b9b74e270cb7b705f02b26ca9edf63a138244ca013fb4b7d41d4ade66404d1ec77433bbe1b48

Download Submit
\Users\Admin\AppData\Roaming\4F2B.tmp.exe
MD5
873c7b577537e85c011f35797b5928bd

SHA1
7d8c46d835298bd906cdac8259da7f5af18a4d24

SHA256
ead97ff79fc2db628a01194d5255138beb5ef01fcccce399fc4ad5769097718a

SHA512
d7160e2a211e370839c3713f1bf1d267b86f1e0ac520a1fee0af22764eb8f5f6499ba044ba8fa23be64534bac0d74c81a741e5c64cadd43a721ce9be96428584

Download Submit
\Users\Admin\AppData\Roaming\4F2B.tmp.exe
MD5
873c7b577537e85c011f35797b5928bd

SHA1
7d8c46d835298bd906cdac8259da7f5af18a4d24

SHA256
ead97ff79fc2db628a01194d5255138beb5ef01fcccce399fc4ad5769097718a

SHA512
d7160e2a211e370839c3713f1bf1d267b86f1e0ac520a1fee0af22764eb8f5f6499ba044ba8fa23be64534bac0d74c81a741e5c64cadd43a721ce9be96428584

Download Submit
\Users\Admin\AppData\Roaming\5045.tmp.exe
MD5
aa2fed72f707d75a62ff90c33d180e88

SHA1
908fa31c2a1e7621e382aec93e2255cda2f4ad76

SHA256
134a4ec0eea6bc50b58a12837dd035bcbfbfe766667ad79cfb87346a413ee22d

SHA512
bc1e53620b4951fddba69c9c46ac3e8079fa19acf99daadce3f0293d8964d688c789436bf13f74991faaa5cd4522116ea049053fe6b48eb2aa062e9c09bfc0c0

Download Submit
\Users\Admin\AppData\Roaming\5045.tmp.exe
MD5
aa2fed72f707d75a62ff90c33d180e88

SHA1
908fa31c2a1e7621e382aec93e2255cda2f4ad76

SHA256
134a4ec0eea6bc50b58a12837dd035bcbfbfe766667ad79cfb87346a413ee22d

SHA512
bc1e53620b4951fddba69c9c46ac3e8079fa19acf99daadce3f0293d8964d688c789436bf13f74991faaa5cd4522116ea049053fe6b48eb2aa062e9c09bfc0c0

Download Submit
memory/268-15-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/284-168-0x0000000000000000-mapping.dmp

Download
memory/300-45-0x000000013F2D8270-mapping.dmp

Download
memory/300-49-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/300-47-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/304-29-0x0000000000000000-mapping.dmp

Download
memory/520-38-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/520-21-0x0000000000000000-mapping.dmp

Download
memory/520-42-0x0000000003800000-0x0000000003CAF000-memory.dmp

Filesize
4.7MB

Download
memory/556-57-0x000000013FBC8270-mapping.dmp

Download
memory/752-46-0x0000000000000000-mapping.dmp

Download
memory/752-53-0x0000000000000000-mapping.dmp

Download
memory/752-55-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/752-74-0x0000000002390000-0x00000000023DA000-memory.dmp

Filesize
296KB

Download
memory/912-39-0x0000000073560000-0x0000000073703000-memory.dmp

Filesize
1.6MB

Download
memory/912-34-0x0000000000000000-mapping.dmp

Download
memory/928-58-0x0000000000000000-mapping.dmp

Download
memory/1008-60-0x0000000000000000-mapping.dmp

Download
memory/1136-11-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/1136-7-0x0000000000000000-mapping.dmp

Download
memory/1152-2-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1196-48-0x000007FEF72E0000-0x000007FEF755A000-memory.dmp

Filesize
2.5MB

Download
memory/1320-44-0x0000000000000000-mapping.dmp

Download
memory/1380-16-0x0000000000000000-mapping.dmp

Download
memory/1384-28-0x0000000000000000-mapping.dmp

Download
memory/1460-43-0x00000000034F0000-0x000000000399F000-memory.dmp

Filesize
4.7MB

Download
memory/1460-25-0x0000000000000000-mapping.dmp

Download
memory/1532-112-0x00000000024E0000-0x00000000024E4000-memory.dmp

Filesize
16KB

Download
memory/1532-12-0x0000000000000000-mapping.dmp

Download
memory/1980-160-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/1980-156-0x0000000000000000-mapping.dmp

Download
memory/1980-164-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1980-158-0x0000000073000000-0x00000000736EE000-memory.dmp

Filesize
6.9MB

Download
memory/2240-137-0x0000000000000000-mapping.dmp

Download
memory/2252-133-0x0000000000000000-mapping.dmp

Download
memory/2328-83-0x0000000000840000-0x0000000000885000-memory.dmp

Filesize
276KB

Download
memory/2328-66-0x0000000000000000-mapping.dmp

Download
memory/2328-77-0x0000000000A30000-0x0000000000A41000-memory.dmp

Filesize
68KB

Download
memory/2352-76-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2352-75-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download
memory/2352-72-0x0000000006BF0000-0x0000000006C01000-memory.dmp

Filesize
68KB

Download
memory/2352-70-0x0000000000000000-mapping.dmp

Download
memory/2432-142-0x0000000000000000-mapping.dmp

Download
memory/2456-80-0x0000000000401480-mapping.dmp

Download
memory/2456-79-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2456-84-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2552-85-0x0000000000000000-mapping.dmp

Download
memory/2592-89-0x0000000000000000-mapping.dmp

Download
memory/2624-90-0x0000000000000000-mapping.dmp

Download
memory/2688-102-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-111-0x00000000003E0000-0x00000000003FE000-memory.dmp

Filesize
120KB

Download
memory/2688-113-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2688-125-0x000000001AEF0000-0x000000001AEF2000-memory.dmp

Filesize
8KB

Download
memory/2688-99-0x0000000000000000-mapping.dmp

Download
memory/2688-110-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2688-108-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2764-165-0x0000000000000000-mapping.dmp

Download
memory/2828-167-0x0000000000000000-mapping.dmp

Download
memory/2944-170-0x0000000000000000-mapping.dmp

Download
memory/2956-169-0x0000000000000000-mapping.dmp

Download
memory/2968-120-0x0000000073000000-0x00000000736EE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-143-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/2968-115-0x0000000000000000-mapping.dmp

Download
memory/2968-155-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2968-159-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2968-157-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2968-148-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2996-122-0x0000000073000000-0x00000000736EE000-memory.dmp

Filesize
6.9MB

Download
memory/2996-149-0x00000000002C0000-0x00000000002CB000-memory.dmp

Filesize
44KB

Download
memory/2996-153-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/2996-118-0x0000000000000000-mapping.dmp

Download
memory/2996-145-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/3032-150-0x00000000024C0000-0x00000000024EC000-memory.dmp

Filesize
176KB

Download
memory/3032-154-0x0000000004CE3000-0x0000000004CE4000-memory.dmp

Filesize
4KB

Download
memory/3032-152-0x0000000004CE2000-0x0000000004CE3000-memory.dmp

Filesize
4KB

Download
memory/3032-144-0x0000000002430000-0x000000000245E000-memory.dmp

Filesize
184KB

Download
memory/3032-141-0x0000000073000000-0x00000000736EE000-memory.dmp

Filesize
6.9MB

Download
memory/3032-163-0x0000000004CE4000-0x0000000004CE6000-memory.dmp

Filesize
8KB

Download
memory/3032-140-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3032-139-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/3032-151-0x0000000004CE1000-0x0000000004CE2000-memory.dmp

Filesize
4KB

Download
memory/3032-136-0x0000000002350000-0x0000000002361000-memory.dmp

Filesize
68KB

Download
memory/3032-135-0x0000000000A40000-0x0000000000A51000-memory.dmp

Filesize
68KB

Download
memory/3032-123-0x0000000000000000-mapping.dmp

Download