azorult | fd629388528491dab90afa484934c52d867fdb15651619569554418dca7096d6

Analysis

max time kernel
1312s
max time network
1778s
platform
windows7_x64
resource
win7v20201028
submitted
18-03-2021 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe
Size

4.9MB
MD5

bf3cefaa46337f7b6302961e8d460b5b
SHA1

586b9ee9680830e10a777e443c4bbe2bc356eda2
SHA256

ee75f4415becbb00d89e1527a1af07f1782130278443bfe04c072697270215f7
SHA512

4d0839c5d999d88958045024bc6a58e33b5660b62244e87eabbe5059ea4a17774f1734a34da5efc418e23dde427af9042035e43e4112cc4f1b5159a81db036ec

Score

10^/10

azorult dcrat pony raccoon xmrig dfa7b4d385486b737f84d608857eb43733ffd299 discovery infostealer miner persistence rat spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

raccoon

Botnet

dfa7b4d385486b737f84d608857eb43733ffd299

Attributes

url4cnc
https://telete.in/j9ca1pel

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral5/memory/1948-125-0x00000001402CA898-mapping.dmp	xmrig
behavioral5/memory/1948-124-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral5/memory/1948-127-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral5/memory/1948-128-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Executes dropped EXE 22 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-3.exekeygen-step-4.exeSetup.exekey.exekey.exemultitimer.exeaskinstall20.exemultitimer.exefile.exeFC99.tmp.exeFDE2.tmp.exeFC99.tmp.exec7b24ba3..exec7b24ba3..exemd2_2efs.exegcttt.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exe

pid	process
1572	keygen-pr.exe
1524	keygen-step-1.exe
1728	keygen-step-3.exe
816	keygen-step-4.exe
1588	Setup.exe
1304	key.exe
1684	key.exe
2044	multitimer.exe
1620	askinstall20.exe
1612	multitimer.exe
1904	file.exe
1284	FC99.tmp.exe
240	FDE2.tmp.exe
360	FC99.tmp.exe
748	c7b24ba3..exe
1948	c7b24ba3..exe
360	md2_2efs.exe
1616	gcttt.exe
604	jfiag3g_gg.exe
1712	jfiag3g_gg.exe
912	jfiag3g_gg.exe
820	jfiag3g_gg.exe

Loads dropped DLL 49 IoCs

Processes:

cmd.exekeygen-step-4.exekeygen-pr.exekey.exefile.exec7b24ba3..exegcttt.exeWerFault.exe

pid	process
616	cmd.exe
616	cmd.exe
616	cmd.exe
616	cmd.exe
616	cmd.exe
816	keygen-step-4.exe
816	keygen-step-4.exe
816	keygen-step-4.exe
816	keygen-step-4.exe
1572	keygen-pr.exe
1572	keygen-pr.exe
1572	keygen-pr.exe
1572	keygen-pr.exe
1304	key.exe
816	keygen-step-4.exe
816	keygen-step-4.exe
816	keygen-step-4.exe
816	keygen-step-4.exe
816	keygen-step-4.exe
816	keygen-step-4.exe
816	keygen-step-4.exe
1904	file.exe
1904	file.exe
1904	file.exe
1904	file.exe
1904	file.exe
748	c7b24ba3..exe
816	keygen-step-4.exe
816	keygen-step-4.exe
816	keygen-step-4.exe
816	keygen-step-4.exe
816	keygen-step-4.exe
816	keygen-step-4.exe
816	keygen-step-4.exe
1616	gcttt.exe
1616	gcttt.exe
1616	gcttt.exe
1616	gcttt.exe
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe
1616	gcttt.exe
1616	gcttt.exe
1616	gcttt.exe
1616	gcttt.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c7b24ba3..exegcttt.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	c7b24ba3..exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwwupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\wwwupdat3.exe"	c7b24ba3..exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gcttt.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

46 api.ipify.org
81 ip-api.com

flow	ioc
46	api.ipify.org
81	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

file.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	file.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	file.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	file.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	file.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

key.exeFC99.tmp.exec7b24ba3..exe

description	pid	process	target process
PID 1304 set thread context of 1684	1304	key.exe	key.exe
PID 1284 set thread context of 360	1284	FC99.tmp.exe	FC99.tmp.exe
PID 748 set thread context of 1948	748	c7b24ba3..exe	c7b24ba3..exe

Drops file in Windows directory 2 IoCs

Processes:

multitimer.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

324 240 WerFault.exe FDE2.tmp.exe

pid	pid_target	process	target process
324	240	WerFault.exe	FDE2.tmp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FC99.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FC99.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FC99.tmp.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1624 taskkill.exe

pid	process
1624	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

file.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	file.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecisionTime = 204fa1f8351cd701	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	file.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 80d65bfc351cd701	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDetectedUrl	file.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecisionReason = "1"	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	file.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecisionTime = 80d65bfc351cd701	file.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\32-e2-17-db-d2-77	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	file.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	file.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadNetworkName = "Network"	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	file.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy = "1"	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	file.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\PegasPc	file.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	file.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecision = "0"	file.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 204fa1f8351cd701	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	file.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000004000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	file.exe

Modifies system certificate store 2 TTPs 17 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

c7b24ba3..exeSetup.exeaskinstall20.exefile.exeFDE2.tmp.exegcttt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	c7b24ba3..exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded309000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	c7b24ba3..exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	c7b24ba3..exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	c7b24ba3..exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	c7b24ba3..exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	FDE2.tmp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	FDE2.tmp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	c7b24ba3..exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	gcttt.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	gcttt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1380 PING.EXE
1816 PING.EXE

pid	process
1380	PING.EXE
1816	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

key.exefile.exeFC99.tmp.exejfiag3g_gg.exeWerFault.exe

pid	process
1304	key.exe
1304	key.exe
1904	file.exe
1904	file.exe
1904	file.exe
1904	file.exe
360	FC99.tmp.exe
1712	jfiag3g_gg.exe
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

324 WerFault.exe

pid	process
324	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Setup.exeaskinstall20.exetaskkill.exekey.exe

description	pid	process
Token: SeDebugPrivilege	1588	Setup.exe
Token: SeCreateTokenPrivilege	1620	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	1620	askinstall20.exe
Token: SeLockMemoryPrivilege	1620	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	1620	askinstall20.exe
Token: SeMachineAccountPrivilege	1620	askinstall20.exe
Token: SeTcbPrivilege	1620	askinstall20.exe
Token: SeSecurityPrivilege	1620	askinstall20.exe
Token: SeTakeOwnershipPrivilege	1620	askinstall20.exe
Token: SeLoadDriverPrivilege	1620	askinstall20.exe
Token: SeSystemProfilePrivilege	1620	askinstall20.exe
Token: SeSystemtimePrivilege	1620	askinstall20.exe
Token: SeProfSingleProcessPrivilege	1620	askinstall20.exe
Token: SeIncBasePriorityPrivilege	1620	askinstall20.exe
Token: SeCreatePagefilePrivilege	1620	askinstall20.exe
Token: SeCreatePermanentPrivilege	1620	askinstall20.exe
Token: SeBackupPrivilege	1620	askinstall20.exe
Token: SeRestorePrivilege	1620	askinstall20.exe
Token: SeShutdownPrivilege	1620	askinstall20.exe
Token: SeDebugPrivilege	1620	askinstall20.exe
Token: SeAuditPrivilege	1620	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	1620	askinstall20.exe
Token: SeChangeNotifyPrivilege	1620	askinstall20.exe
Token: SeRemoteShutdownPrivilege	1620	askinstall20.exe
Token: SeUndockPrivilege	1620	askinstall20.exe
Token: SeSyncAgentPrivilege	1620	askinstall20.exe
Token: SeEnableDelegationPrivilege	1620	askinstall20.exe
Token: SeManageVolumePrivilege	1620	askinstall20.exe
Token: SeImpersonatePrivilege	1620	askinstall20.exe
Token: SeCreateGlobalPrivilege	1620	askinstall20.exe
Token: 31	1620	askinstall20.exe
Token: 32	1620	askinstall20.exe
Token: 33	1620	askinstall20.exe
Token: 34	1620	askinstall20.exe
Token: 35	1620	askinstall20.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeImpersonatePrivilege	1304	key.exe
Token: SeTcbPrivilege	1304	key.exe
Token: SeChangeNotifyPrivilege	1304	key.exe
Token: SeCreateTokenPrivilege	1304	key.exe
Token: SeBackupPrivilege	1304	key.exe
Token: SeRestorePrivilege	1304	key.exe
Token: SeIncreaseQuotaPrivilege	1304	key.exe
Token: SeAssignPrimaryTokenPrivilege	1304	key.exe
Token: SeImpersonatePrivilege	1304	key.exe
Token: SeTcbPrivilege	1304	key.exe
Token: SeChangeNotifyPrivilege	1304	key.exe
Token: SeCreateTokenPrivilege	1304	key.exe
Token: SeBackupPrivilege	1304	key.exe
Token: SeRestorePrivilege	1304	key.exe
Token: SeIncreaseQuotaPrivilege	1304	key.exe
Token: SeAssignPrimaryTokenPrivilege	1304	key.exe
Token: SeImpersonatePrivilege	1304	key.exe
Token: SeTcbPrivilege	1304	key.exe
Token: SeChangeNotifyPrivilege	1304	key.exe
Token: SeCreateTokenPrivilege	1304	key.exe
Token: SeBackupPrivilege	1304	key.exe
Token: SeRestorePrivilege	1304	key.exe
Token: SeIncreaseQuotaPrivilege	1304	key.exe
Token: SeAssignPrimaryTokenPrivilege	1304	key.exe
Token: SeImpersonatePrivilege	1304	key.exe
Token: SeTcbPrivilege	1304	key.exe
Token: SeChangeNotifyPrivilege	1304	key.exe
Token: SeCreateTokenPrivilege	1304	key.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.execmd.exekeygen-step-4.exekeygen-pr.exekeygen-step-3.exekey.execmd.exeSetup.exe

description	pid	process	target process
PID 1812 wrote to memory of 616	1812	Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe	cmd.exe
PID 1812 wrote to memory of 616	1812	Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe	cmd.exe
PID 1812 wrote to memory of 616	1812	Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe	cmd.exe
PID 1812 wrote to memory of 616	1812	Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe	cmd.exe
PID 616 wrote to memory of 1572	616	cmd.exe	keygen-pr.exe
PID 616 wrote to memory of 1572	616	cmd.exe	keygen-pr.exe
PID 616 wrote to memory of 1572	616	cmd.exe	keygen-pr.exe
PID 616 wrote to memory of 1572	616	cmd.exe	keygen-pr.exe
PID 616 wrote to memory of 1572	616	cmd.exe	keygen-pr.exe
PID 616 wrote to memory of 1572	616	cmd.exe	keygen-pr.exe
PID 616 wrote to memory of 1572	616	cmd.exe	keygen-pr.exe
PID 616 wrote to memory of 1524	616	cmd.exe	keygen-step-1.exe
PID 616 wrote to memory of 1524	616	cmd.exe	keygen-step-1.exe
PID 616 wrote to memory of 1524	616	cmd.exe	keygen-step-1.exe
PID 616 wrote to memory of 1524	616	cmd.exe	keygen-step-1.exe
PID 616 wrote to memory of 1728	616	cmd.exe	keygen-step-3.exe
PID 616 wrote to memory of 1728	616	cmd.exe	keygen-step-3.exe
PID 616 wrote to memory of 1728	616	cmd.exe	keygen-step-3.exe
PID 616 wrote to memory of 1728	616	cmd.exe	keygen-step-3.exe
PID 616 wrote to memory of 816	616	cmd.exe	keygen-step-4.exe
PID 616 wrote to memory of 816	616	cmd.exe	keygen-step-4.exe
PID 616 wrote to memory of 816	616	cmd.exe	keygen-step-4.exe
PID 616 wrote to memory of 816	616	cmd.exe	keygen-step-4.exe
PID 816 wrote to memory of 1588	816	keygen-step-4.exe	Setup.exe
PID 816 wrote to memory of 1588	816	keygen-step-4.exe	Setup.exe
PID 816 wrote to memory of 1588	816	keygen-step-4.exe	Setup.exe
PID 816 wrote to memory of 1588	816	keygen-step-4.exe	Setup.exe
PID 1572 wrote to memory of 1304	1572	keygen-pr.exe	key.exe
PID 1572 wrote to memory of 1304	1572	keygen-pr.exe	key.exe
PID 1572 wrote to memory of 1304	1572	keygen-pr.exe	key.exe
PID 1572 wrote to memory of 1304	1572	keygen-pr.exe	key.exe
PID 1572 wrote to memory of 1304	1572	keygen-pr.exe	key.exe
PID 1572 wrote to memory of 1304	1572	keygen-pr.exe	key.exe
PID 1572 wrote to memory of 1304	1572	keygen-pr.exe	key.exe
PID 1728 wrote to memory of 1452	1728	keygen-step-3.exe	cmd.exe
PID 1728 wrote to memory of 1452	1728	keygen-step-3.exe	cmd.exe
PID 1728 wrote to memory of 1452	1728	keygen-step-3.exe	cmd.exe
PID 1728 wrote to memory of 1452	1728	keygen-step-3.exe	cmd.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1304 wrote to memory of 1684	1304	key.exe	key.exe
PID 1452 wrote to memory of 1380	1452	cmd.exe	PING.EXE
PID 1452 wrote to memory of 1380	1452	cmd.exe	PING.EXE
PID 1452 wrote to memory of 1380	1452	cmd.exe	PING.EXE
PID 1452 wrote to memory of 1380	1452	cmd.exe	PING.EXE
PID 1588 wrote to memory of 2044	1588	Setup.exe	multitimer.exe
PID 1588 wrote to memory of 2044	1588	Setup.exe	multitimer.exe
PID 1588 wrote to memory of 2044	1588	Setup.exe	multitimer.exe
PID 816 wrote to memory of 1620	816	keygen-step-4.exe	askinstall20.exe
PID 816 wrote to memory of 1620	816	keygen-step-4.exe	askinstall20.exe

C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:616

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:1684

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:1524

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:1380

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\S0JZ3K42FI\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\S0JZ3K42FI\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2044

C:\Users\Admin\AppData\Local\Temp\S0JZ3K42FI\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\S0JZ3K42FI\multitimer.exe" 1 101
6⤵
- Executes dropped EXE
PID:1612

C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:1672

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1904

C:\Users\Admin\AppData\Roaming\FC99.tmp.exe
"C:\Users\Admin\AppData\Roaming\FC99.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1284

C:\Users\Admin\AppData\Roaming\FC99.tmp.exe
"C:\Users\Admin\AppData\Roaming\FC99.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:360

C:\Users\Admin\AppData\Roaming\FDE2.tmp.exe
"C:\Users\Admin\AppData\Roaming\FDE2.tmp.exe"
5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 240 -s 516
6⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:324

C:\Users\Admin\AppData\Local\Temp\c7b24ba3..exe
"C:\Users\Admin\AppData\Local\Temp\c7b24ba3..exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
PID:748

C:\Users\Admin\AppData\Local\Temp\c7b24ba3..exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50
6⤵
- Executes dropped EXE
PID:1948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
5⤵
PID:628

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1816

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
4⤵
- Executes dropped EXE
PID:360

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
PID:1616

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:604

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:912

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
8c19ddc7cba756dabfdf580493969c84

SHA1
e25f9e4b9278f6f01bab7ced704c0d77a5f7db98

SHA256
c478f117a5bcdfddffd99c8ba8779dc6d777a9ce44fae4adf64405a20eca675b

SHA512
da9b82e596b6cfef35441747198317527bafde2e58d8ede785f5090889b5add23ee2f2153be9986e144c1275128f2adb78304272675e2501a3938723add96862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5EE9003E3DC4134E8CF26DC55FD926FA

MD5
d3a8cea413d41092d9dd463ea5878345

SHA1
79d29dc1b1375116f2a6b9800d236a1bcda5fecc

SHA256
69bdbe5d97c81b207f5b1089f18014a9ca6f276a91ecc213df917debe62ccd4e

SHA512
abc0849efc4a2ba196b213b6cede086ffb970de8a206e4311b595d999ead6df8ab515509f513a4f816e300d704c4228527d1554e511b4543cba1a654985c84bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
61a03d15cf62612f50b74867090dbe79

SHA1
15228f34067b4b107e917bebaf17cc7c3c1280a8

SHA256
f9e23dc21553daa34c6eb778cd262831e466ce794f4bea48150e8d70d3e6af6d

SHA512
5fece89ccbbf994e4f1e3ef89a502f25a72f359d445c034682758d26f01d9f3aa20a43010b9a87f2687da7ba201476922aa46d4906d442d56eb59b2b881259d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
00dce674e69d868738126653ed6361c9

SHA1
8e5c4d6c70962df0a290e907f0178e1f4746acaa

SHA256
26c5310ed67aeb8b45baecf5ebe40a7fad3a0f4c353ae62d38a614ce989645d6

SHA512
7bf177602a70215d7c095eebc350d3c5a672b337bdfacddd71b5565466fd4d3c6d7c5aabb0df558085da5e7a1406aecdf4eaa697144844b51b0ff2cded2721a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
c873bd53638f3ef5b192ad503ace084b

SHA1
c7dbf15cbf480e04bd1cc26734dc9495e3657073

SHA256
b5755bd5433877ad76ea69071d0b96014c1a4b47042e831f8e9693f121438bb0

SHA512
06af2c6269b8e36703e8d45ca4c34c8df1ccfbb68da52a197007fee42818685541880bdb2802431c0750842281b39d7706d0fc4b457bad47e06b0f133f29d65a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EE9003E3DC4134E8CF26DC55FD926FA

MD5
4b967dc80a385a6c1a8be001bcc34b97

SHA1
dbc211cbfea229390be46e96e9815cce7490d3a8

SHA256
37daedfa12dd7050ce0c7b1ccfb4303b377aeae116c31e3e1cc5d0d6fb3a2705

SHA512
1b802bc02f896c26e29ea8823280b4976e04576c14ee871ea57add7b633b17b5ea7c564854ad331a0ab81e25b5c443128e495a46d68439f9aed6cc33c166db9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
489ac9cb32678c1296a94dc3c2cdc8e4

SHA1
0ae3ffd526477bba40ee67b1e2bc4e3e86f60584

SHA256
8c34290a94182fd76c440ae2ce203824670b93e03ed5b56e5d8d56c54c504d28

SHA512
c145093aa29aafa93292f870ce4fb5484559ba4254c31f17ab73be605310b720e8c3d2cf7e1bffa44dd1827faf37ecddc2e7821b12ae5582ca6977ed0f8c4920

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
b94e64a8a000fde5dd05a4c79eea86e9

SHA1
e85ff1a4f9344e660e1dd4c7d42c08d7710d5e4e

SHA256
14d44c5caaa1ed19b53f0cfb0bbbd3422322aea4024df81c1ed1f5d44bd1834a

SHA512
3191d6f1b67333852629df63581eec3a7291b8c4c9c587a869a0d0b7e5854ee45f35284ad04b2f6bcc2cd8dccf87a9672d759a993f87f4f123e9c1d7d93140d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe

MD5
9aaafaed80038c9dcb3bb6a532e9d071

SHA1
4657521b9a50137db7b1e2e84193363a2ddbd74f

SHA256
e019f9e9da75b4b108fd9a62853e5966d13a33fc13718b8248041204316edff5

SHA512
9d69afc8c16ddc2261b46cc48e7ca2176e35a19534d82c6245baa6318b478fd63d1235a8418c07bf11cb5386aa0ee9879db90866b88251b16b959880d6ab0996

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe

MD5
9aaafaed80038c9dcb3bb6a532e9d071

SHA1
4657521b9a50137db7b1e2e84193363a2ddbd74f

SHA256
e019f9e9da75b4b108fd9a62853e5966d13a33fc13718b8248041204316edff5

SHA512
9d69afc8c16ddc2261b46cc48e7ca2176e35a19534d82c6245baa6318b478fd63d1235a8418c07bf11cb5386aa0ee9879db90866b88251b16b959880d6ab0996

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

MD5
86517bb0c311eda5489502b583e84db3

SHA1
c911a79ccc7b159cc86e750e711e78e1b0931677

SHA256
e6fc7a964b504e67c7cfdf3358eb23ede56971f7633e8332342ddc30b6c0bf38

SHA512
e8553c58d3338a04d518be763564dff0d6ce41dadce0c5bec43ba165a434cbfe3b48c5c27e2dc1d57050108a224428e1f506430ba7cde0b0756c3eb01679292f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

MD5
86517bb0c311eda5489502b583e84db3

SHA1
c911a79ccc7b159cc86e750e711e78e1b0931677

SHA256
e6fc7a964b504e67c7cfdf3358eb23ede56971f7633e8332342ddc30b6c0bf38

SHA512
e8553c58d3338a04d518be763564dff0d6ce41dadce0c5bec43ba165a434cbfe3b48c5c27e2dc1d57050108a224428e1f506430ba7cde0b0756c3eb01679292f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat

MD5
f2632c204f883c59805093720dfe5a78

SHA1
c96e3aa03805a84fec3ea4208104a25a2a9d037e

SHA256
f9458a661ecd6c7e8fae669be72497288472a11ac3e823d3074e58f7fe98cd68

SHA512
5a19c4a777899889381be64f190e50a23cceee0abb78776b6d041e2384ba88e692972e40cefa34c03ca1b7d029475a0afbc5ce006ce833a1665e52008671bae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe

MD5
c61d297fba0e0ad6886085ec2a1f29c1

SHA1
db4c68108161d166d86f4dc2abea537921367f5f

SHA256
1868cf9255bcc1aef43d091b4eab66e7a3afbf795893caa84ef36e8f0f241e10

SHA512
342228725f6c20486f6c68c7bf9eb9deacd3d780d8187a82e67a8b73728efce6fff06d82026211b4858d44995d201330aea301f1d714c1bbeadd7b8340c67152

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe

MD5
c61d297fba0e0ad6886085ec2a1f29c1

SHA1
db4c68108161d166d86f4dc2abea537921367f5f

SHA256
1868cf9255bcc1aef43d091b4eab66e7a3afbf795893caa84ef36e8f0f241e10

SHA512
342228725f6c20486f6c68c7bf9eb9deacd3d780d8187a82e67a8b73728efce6fff06d82026211b4858d44995d201330aea301f1d714c1bbeadd7b8340c67152

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe

MD5
ddb548139464a741cee54ff0e235a359

SHA1
22e2ad0430ce1fffd6c3956d8c5155b3b12cc2d6

SHA256
fbf1edf334f8ffaa66d5bb237e060b8aa6070207ee766fcb62e9e0f5d68de570

SHA512
8879f080353d9c03d7b4aa2c552495494ff71b6dc4b1f921e520891c38a73581f822596e1c58c6b72f70c0b034521db8f4b824da6c4a4c9e931ab5369a43f647

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe

MD5
1743533d63a8ba25142ffa3efc59b50b

SHA1
c770a27df5e4f002039528bf639cca1ce564b8f5

SHA256
e17f635114df8991b10f9611c3b1fcfaee87a98a11ad9623e894df9492c5a09e

SHA512
c5f9e2463598ab49b9f4ec87c7e8b427de52982b1bb7fc27c4182f36fcd27127fe4da11dbf44ad00e320169144cd3732dc8d62861403f57b8321010a1ab59b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe

MD5
1743533d63a8ba25142ffa3efc59b50b

SHA1
c770a27df5e4f002039528bf639cca1ce564b8f5

SHA256
e17f635114df8991b10f9611c3b1fcfaee87a98a11ad9623e894df9492c5a09e

SHA512
c5f9e2463598ab49b9f4ec87c7e8b427de52982b1bb7fc27c4182f36fcd27127fe4da11dbf44ad00e320169144cd3732dc8d62861403f57b8321010a1ab59b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\JOzWR.dat

MD5
12476321a502e943933e60cfb4429970

SHA1
c71d293b84d03153a1bd13c560fca0f8857a95a7

SHA256
14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29

SHA512
f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\potato.dat

MD5
235c88fb4c9754f96c17207831c1163d

SHA1
188f22d57a834a01345936fd7ba569ec26df49a2

SHA256
90438881a2e9f8f223c0863e40d332fa2c3a514851e5813e2571c9366df3a5ea

SHA512
051ea06b5ec73c3b88079c11f61192dafd8268cdbb55904118e5210e8f2f5543f3d32bffa1e2863ba52cd2486cdc30d0deb54ca435bf4bc2fa5d6e019d3bb636

Download Submit
C:\Users\Admin\AppData\Local\Temp\S0JZ3K42FI\multitimer.exe

MD5
e4c3216345cb789d88f5b7c5a6784f77

SHA1
eeddcdf2369d959f1244c187e161c1000c8238bc

SHA256
373703dbd89d0d10c5532dde395d6379ee65ecc6e6b50d227aec2e1fc579fd62

SHA512
8f4f4823758ff987fa274308033374e66d0e64a6fd7e8f712c4f1285e2030c19e498904b2cd9af1e54a989626e172e8397c85e36faff251a3e8c1a514e21afe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\S0JZ3K42FI\multitimer.exe

MD5
e4c3216345cb789d88f5b7c5a6784f77

SHA1
eeddcdf2369d959f1244c187e161c1000c8238bc

SHA256
373703dbd89d0d10c5532dde395d6379ee65ecc6e6b50d227aec2e1fc579fd62

SHA512
8f4f4823758ff987fa274308033374e66d0e64a6fd7e8f712c4f1285e2030c19e498904b2cd9af1e54a989626e172e8397c85e36faff251a3e8c1a514e21afe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\S0JZ3K42FI\multitimer.exe

MD5
e4c3216345cb789d88f5b7c5a6784f77

SHA1
eeddcdf2369d959f1244c187e161c1000c8238bc

SHA256
373703dbd89d0d10c5532dde395d6379ee65ecc6e6b50d227aec2e1fc579fd62

SHA512
8f4f4823758ff987fa274308033374e66d0e64a6fd7e8f712c4f1285e2030c19e498904b2cd9af1e54a989626e172e8397c85e36faff251a3e8c1a514e21afe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\S0JZ3K42FI\multitimer.exe.config

MD5
3f1498c07d8713fe5c315db15a2a2cf3

SHA1
ef5f42fd21f6e72bdc74794f2496884d9c40bbfb

SHA256
52ca39624f8fd70bc441d055712f115856bc67b37efb860d654e4a8909106dc0

SHA512
cb32ce5ef72548d1b0d27f3f254f4b67b23a0b662d0ef7ae12f9e3ef1b0a917b098368b434caf54751c02c0f930e92cffd384f105d8d79ee725df4d97a559a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7b24ba3..exe

MD5
27c9ee224e38ceedc70bac371874e017

SHA1
59423df9c57092d0aeadb4d543c56d79f6428920

SHA256
08cd03414a9c59f440367226c2a3e684c3ceaf03c284b9458a2101e43ebd9f0c

SHA512
1cb8d57ac624208003bd4891cb4a2899341b2504c9427721e8aee3115a5a9d7992f3c3504e95e0228ed68275fe950eca3352a7bf7c629bb8a405966d6fbaa073

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7b24ba3..exe

MD5
27c9ee224e38ceedc70bac371874e017

SHA1
59423df9c57092d0aeadb4d543c56d79f6428920

SHA256
08cd03414a9c59f440367226c2a3e684c3ceaf03c284b9458a2101e43ebd9f0c

SHA512
1cb8d57ac624208003bd4891cb4a2899341b2504c9427721e8aee3115a5a9d7992f3c3504e95e0228ed68275fe950eca3352a7bf7c629bb8a405966d6fbaa073

Download Submit
C:\Users\Admin\AppData\Roaming\FC99.tmp.exe

MD5
fae534a7994ec4e7e504f0ee8ff7fa48

SHA1
e7ba152544029de9534da87ab76b230376aa45dd

SHA256
af2288636f0e8367e0d38d3c64222b7f2fe51e415add77b0975a9b1f7ceeef85

SHA512
8c4b6ca528a59f01e6f8726ab1de73912b21b4daae20e70865e56d4c7d1cbb5bb135bc73954bc29ca661c32bcc522bb60ecf86022b02994af449b06f16eed5ae

Download Submit
C:\Users\Admin\AppData\Roaming\FC99.tmp.exe

MD5
fae534a7994ec4e7e504f0ee8ff7fa48

SHA1
e7ba152544029de9534da87ab76b230376aa45dd

SHA256
af2288636f0e8367e0d38d3c64222b7f2fe51e415add77b0975a9b1f7ceeef85

SHA512
8c4b6ca528a59f01e6f8726ab1de73912b21b4daae20e70865e56d4c7d1cbb5bb135bc73954bc29ca661c32bcc522bb60ecf86022b02994af449b06f16eed5ae

Download Submit
C:\Users\Admin\AppData\Roaming\FC99.tmp.exe

MD5
fae534a7994ec4e7e504f0ee8ff7fa48

SHA1
e7ba152544029de9534da87ab76b230376aa45dd

SHA256
af2288636f0e8367e0d38d3c64222b7f2fe51e415add77b0975a9b1f7ceeef85

SHA512
8c4b6ca528a59f01e6f8726ab1de73912b21b4daae20e70865e56d4c7d1cbb5bb135bc73954bc29ca661c32bcc522bb60ecf86022b02994af449b06f16eed5ae

Download Submit
C:\Users\Admin\AppData\Roaming\FDE2.tmp.exe

MD5
96ade483b17f119fc6719d3103502272

SHA1
53b44d5bea8d4538b8eb456665a25ebf7ff3ab54

SHA256
d23a49439b5ae4a19fd58b0599b443b8f446bd1f0255504a32792535e73add67

SHA512
12261a92ed4a72ef5bbad9b182e3d92fda9fa97aa55d9c227e630eda14b3d4d81f0a2df529b54908c7c1ce9a3fc71b4c7dd20fc70702eff02384d5705fc4be2c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe

MD5
9aaafaed80038c9dcb3bb6a532e9d071

SHA1
4657521b9a50137db7b1e2e84193363a2ddbd74f

SHA256
e019f9e9da75b4b108fd9a62853e5966d13a33fc13718b8248041204316edff5

SHA512
9d69afc8c16ddc2261b46cc48e7ca2176e35a19534d82c6245baa6318b478fd63d1235a8418c07bf11cb5386aa0ee9879db90866b88251b16b959880d6ab0996

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

MD5
86517bb0c311eda5489502b583e84db3

SHA1
c911a79ccc7b159cc86e750e711e78e1b0931677

SHA256
e6fc7a964b504e67c7cfdf3358eb23ede56971f7633e8332342ddc30b6c0bf38

SHA512
e8553c58d3338a04d518be763564dff0d6ce41dadce0c5bec43ba165a434cbfe3b48c5c27e2dc1d57050108a224428e1f506430ba7cde0b0756c3eb01679292f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe

MD5
c61d297fba0e0ad6886085ec2a1f29c1

SHA1
db4c68108161d166d86f4dc2abea537921367f5f

SHA256
1868cf9255bcc1aef43d091b4eab66e7a3afbf795893caa84ef36e8f0f241e10

SHA512
342228725f6c20486f6c68c7bf9eb9deacd3d780d8187a82e67a8b73728efce6fff06d82026211b4858d44995d201330aea301f1d714c1bbeadd7b8340c67152

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe

MD5
c61d297fba0e0ad6886085ec2a1f29c1

SHA1
db4c68108161d166d86f4dc2abea537921367f5f

SHA256
1868cf9255bcc1aef43d091b4eab66e7a3afbf795893caa84ef36e8f0f241e10

SHA512
342228725f6c20486f6c68c7bf9eb9deacd3d780d8187a82e67a8b73728efce6fff06d82026211b4858d44995d201330aea301f1d714c1bbeadd7b8340c67152

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe

MD5
c61d297fba0e0ad6886085ec2a1f29c1

SHA1
db4c68108161d166d86f4dc2abea537921367f5f

SHA256
1868cf9255bcc1aef43d091b4eab66e7a3afbf795893caa84ef36e8f0f241e10

SHA512
342228725f6c20486f6c68c7bf9eb9deacd3d780d8187a82e67a8b73728efce6fff06d82026211b4858d44995d201330aea301f1d714c1bbeadd7b8340c67152

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe

MD5
c61d297fba0e0ad6886085ec2a1f29c1

SHA1
db4c68108161d166d86f4dc2abea537921367f5f

SHA256
1868cf9255bcc1aef43d091b4eab66e7a3afbf795893caa84ef36e8f0f241e10

SHA512
342228725f6c20486f6c68c7bf9eb9deacd3d780d8187a82e67a8b73728efce6fff06d82026211b4858d44995d201330aea301f1d714c1bbeadd7b8340c67152

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe

MD5
ddb548139464a741cee54ff0e235a359

SHA1
22e2ad0430ce1fffd6c3956d8c5155b3b12cc2d6

SHA256
fbf1edf334f8ffaa66d5bb237e060b8aa6070207ee766fcb62e9e0f5d68de570

SHA512
8879f080353d9c03d7b4aa2c552495494ff71b6dc4b1f921e520891c38a73581f822596e1c58c6b72f70c0b034521db8f4b824da6c4a4c9e931ab5369a43f647

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe

MD5
ddb548139464a741cee54ff0e235a359

SHA1
22e2ad0430ce1fffd6c3956d8c5155b3b12cc2d6

SHA256
fbf1edf334f8ffaa66d5bb237e060b8aa6070207ee766fcb62e9e0f5d68de570

SHA512
8879f080353d9c03d7b4aa2c552495494ff71b6dc4b1f921e520891c38a73581f822596e1c58c6b72f70c0b034521db8f4b824da6c4a4c9e931ab5369a43f647

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe

MD5
ddb548139464a741cee54ff0e235a359

SHA1
22e2ad0430ce1fffd6c3956d8c5155b3b12cc2d6

SHA256
fbf1edf334f8ffaa66d5bb237e060b8aa6070207ee766fcb62e9e0f5d68de570

SHA512
8879f080353d9c03d7b4aa2c552495494ff71b6dc4b1f921e520891c38a73581f822596e1c58c6b72f70c0b034521db8f4b824da6c4a4c9e931ab5369a43f647

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe

MD5
ddb548139464a741cee54ff0e235a359

SHA1
22e2ad0430ce1fffd6c3956d8c5155b3b12cc2d6

SHA256
fbf1edf334f8ffaa66d5bb237e060b8aa6070207ee766fcb62e9e0f5d68de570

SHA512
8879f080353d9c03d7b4aa2c552495494ff71b6dc4b1f921e520891c38a73581f822596e1c58c6b72f70c0b034521db8f4b824da6c4a4c9e931ab5369a43f647

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe

MD5
1743533d63a8ba25142ffa3efc59b50b

SHA1
c770a27df5e4f002039528bf639cca1ce564b8f5

SHA256
e17f635114df8991b10f9611c3b1fcfaee87a98a11ad9623e894df9492c5a09e

SHA512
c5f9e2463598ab49b9f4ec87c7e8b427de52982b1bb7fc27c4182f36fcd27127fe4da11dbf44ad00e320169144cd3732dc8d62861403f57b8321010a1ab59b3b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe

MD5
1743533d63a8ba25142ffa3efc59b50b

SHA1
c770a27df5e4f002039528bf639cca1ce564b8f5

SHA256
e17f635114df8991b10f9611c3b1fcfaee87a98a11ad9623e894df9492c5a09e

SHA512
c5f9e2463598ab49b9f4ec87c7e8b427de52982b1bb7fc27c4182f36fcd27127fe4da11dbf44ad00e320169144cd3732dc8d62861403f57b8321010a1ab59b3b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe

MD5
1743533d63a8ba25142ffa3efc59b50b

SHA1
c770a27df5e4f002039528bf639cca1ce564b8f5

SHA256
e17f635114df8991b10f9611c3b1fcfaee87a98a11ad9623e894df9492c5a09e

SHA512
c5f9e2463598ab49b9f4ec87c7e8b427de52982b1bb7fc27c4182f36fcd27127fe4da11dbf44ad00e320169144cd3732dc8d62861403f57b8321010a1ab59b3b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
\Users\Admin\AppData\Local\Temp\c7b24ba3..exe

MD5
27c9ee224e38ceedc70bac371874e017

SHA1
59423df9c57092d0aeadb4d543c56d79f6428920

SHA256
08cd03414a9c59f440367226c2a3e684c3ceaf03c284b9458a2101e43ebd9f0c

SHA512
1cb8d57ac624208003bd4891cb4a2899341b2504c9427721e8aee3115a5a9d7992f3c3504e95e0228ed68275fe950eca3352a7bf7c629bb8a405966d6fbaa073

Download Submit
\Users\Admin\AppData\Local\Temp\c7b24ba3..exe

MD5
27c9ee224e38ceedc70bac371874e017

SHA1
59423df9c57092d0aeadb4d543c56d79f6428920

SHA256
08cd03414a9c59f440367226c2a3e684c3ceaf03c284b9458a2101e43ebd9f0c

SHA512
1cb8d57ac624208003bd4891cb4a2899341b2504c9427721e8aee3115a5a9d7992f3c3504e95e0228ed68275fe950eca3352a7bf7c629bb8a405966d6fbaa073

Download Submit
\Users\Admin\AppData\Roaming\FC99.tmp.exe

MD5
fae534a7994ec4e7e504f0ee8ff7fa48

SHA1
e7ba152544029de9534da87ab76b230376aa45dd

SHA256
af2288636f0e8367e0d38d3c64222b7f2fe51e415add77b0975a9b1f7ceeef85

SHA512
8c4b6ca528a59f01e6f8726ab1de73912b21b4daae20e70865e56d4c7d1cbb5bb135bc73954bc29ca661c32bcc522bb60ecf86022b02994af449b06f16eed5ae

Download Submit
\Users\Admin\AppData\Roaming\FC99.tmp.exe

MD5
fae534a7994ec4e7e504f0ee8ff7fa48

SHA1
e7ba152544029de9534da87ab76b230376aa45dd

SHA256
af2288636f0e8367e0d38d3c64222b7f2fe51e415add77b0975a9b1f7ceeef85

SHA512
8c4b6ca528a59f01e6f8726ab1de73912b21b4daae20e70865e56d4c7d1cbb5bb135bc73954bc29ca661c32bcc522bb60ecf86022b02994af449b06f16eed5ae

Download Submit
\Users\Admin\AppData\Roaming\FDE2.tmp.exe

MD5
96ade483b17f119fc6719d3103502272

SHA1
53b44d5bea8d4538b8eb456665a25ebf7ff3ab54

SHA256
d23a49439b5ae4a19fd58b0599b443b8f446bd1f0255504a32792535e73add67

SHA512
12261a92ed4a72ef5bbad9b182e3d92fda9fa97aa55d9c227e630eda14b3d4d81f0a2df529b54908c7c1ce9a3fc71b4c7dd20fc70702eff02384d5705fc4be2c

Download Submit
\Users\Admin\AppData\Roaming\FDE2.tmp.exe

MD5
96ade483b17f119fc6719d3103502272

SHA1
53b44d5bea8d4538b8eb456665a25ebf7ff3ab54

SHA256
d23a49439b5ae4a19fd58b0599b443b8f446bd1f0255504a32792535e73add67

SHA512
12261a92ed4a72ef5bbad9b182e3d92fda9fa97aa55d9c227e630eda14b3d4d81f0a2df529b54908c7c1ce9a3fc71b4c7dd20fc70702eff02384d5705fc4be2c

Download Submit
memory/240-108-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/240-102-0x0000000000000000-mapping.dmp

Download
memory/240-107-0x0000000002C10000-0x0000000002CA1000-memory.dmp

Filesize
580KB

Download
memory/240-104-0x0000000002C10000-0x0000000002C21000-memory.dmp

Filesize
68KB

Download
memory/324-142-0x0000000000000000-mapping.dmp

Download
memory/324-143-0x00000000021F0000-0x0000000002201000-memory.dmp

Filesize
68KB

Download
memory/324-146-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/324-144-0x00000000021F0000-0x0000000002201000-memory.dmp

Filesize
68KB

Download
memory/360-111-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/360-116-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/360-112-0x0000000000401480-mapping.dmp

Download
memory/360-135-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/360-134-0x0000000073440000-0x00000000735E3000-memory.dmp

Filesize
1.6MB

Download
memory/360-131-0x0000000000000000-mapping.dmp

Download
memory/552-41-0x000007FEF79D0000-0x000007FEF7C4A000-memory.dmp

Filesize
2.5MB

Download
memory/604-138-0x0000000000000000-mapping.dmp

Download
memory/616-3-0x0000000000000000-mapping.dmp

Download
memory/628-130-0x0000000000000000-mapping.dmp

Download
memory/748-121-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp

Filesize
8KB

Download
memory/748-118-0x0000000000000000-mapping.dmp

Download
memory/816-21-0x0000000000000000-mapping.dmp

Download
memory/820-149-0x0000000000000000-mapping.dmp

Download
memory/912-147-0x0000000000000000-mapping.dmp

Download
memory/1284-98-0x0000000000000000-mapping.dmp

Download
memory/1284-114-0x0000000000220000-0x0000000000265000-memory.dmp

Filesize
276KB

Download
memory/1284-109-0x0000000002370000-0x0000000002381000-memory.dmp

Filesize
68KB

Download
memory/1304-37-0x0000000000000000-mapping.dmp

Download
memory/1304-43-0x00000000023A0000-0x000000000253C000-memory.dmp

Filesize
1.6MB

Download
memory/1304-80-0x0000000000090000-0x00000000000AB000-memory.dmp

Filesize
108KB

Download
memory/1304-79-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1304-68-0x0000000002BF0000-0x0000000002CDF000-memory.dmp

Filesize
956KB

Download
memory/1380-50-0x0000000000000000-mapping.dmp

Download
memory/1452-44-0x0000000000000000-mapping.dmp

Download
memory/1524-13-0x0000000000000000-mapping.dmp

Download
memory/1572-7-0x0000000000000000-mapping.dmp

Download
memory/1588-53-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/1588-29-0x0000000000000000-mapping.dmp

Download
memory/1588-32-0x000007FEF5240000-0x000007FEF5C2C000-memory.dmp

Filesize
9.9MB

Download
memory/1588-55-0x000000001B2F0000-0x000000001B2F2000-memory.dmp

Filesize
8KB

Download
memory/1612-74-0x0000000000000000-mapping.dmp

Download
memory/1612-78-0x0000000000A60000-0x0000000000A62000-memory.dmp

Filesize
8KB

Download
memory/1612-77-0x000007FEEE6C0000-0x000007FEEF05D000-memory.dmp

Filesize
9.6MB

Download
memory/1612-76-0x000007FEEE6C0000-0x000007FEEF05D000-memory.dmp

Filesize
9.6MB

Download
memory/1616-136-0x0000000000000000-mapping.dmp

Download
memory/1620-63-0x0000000000000000-mapping.dmp

Download
memory/1624-73-0x0000000000000000-mapping.dmp

Download
memory/1672-72-0x0000000000000000-mapping.dmp

Download
memory/1684-52-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1684-47-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1684-48-0x000000000066C0BC-mapping.dmp

Download
memory/1712-140-0x0000000000000000-mapping.dmp

Download
memory/1728-17-0x0000000000000000-mapping.dmp

Download
memory/1812-2-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/1816-133-0x0000000000000000-mapping.dmp

Download
memory/1904-106-0x0000000000DD0000-0x0000000000E14000-memory.dmp

Filesize
272KB

Download
memory/1904-84-0x0000000000000000-mapping.dmp

Download
memory/1904-86-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/1948-127-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/1948-129-0x00000000001F0000-0x0000000000210000-memory.dmp

Filesize
128KB

Download
memory/1948-128-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/1948-126-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/1948-124-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/1948-125-0x00000001402CA898-mapping.dmp

Download
memory/2044-67-0x000007FEEE6C0000-0x000007FEEF05D000-memory.dmp

Filesize
9.6MB

Download
memory/2044-69-0x0000000000B70000-0x0000000000B72000-memory.dmp

Filesize
8KB

Download
memory/2044-70-0x000007FEEE6C0000-0x000007FEEF05D000-memory.dmp

Filesize
9.6MB

Download
memory/2044-56-0x0000000000000000-mapping.dmp

Download