azorult | ea2aba1a17de28fee1a6097e91c4ceb0f3887f6bbcce46dfe4d2e342b87bef9e

Target

b002c0162a0a0c83be1ebdb21c14c580.exe
Size

6.6MB
MD5

b002c0162a0a0c83be1ebdb21c14c580
SHA1

96d424d27ead82288ef68fb02e7a7205a4254068
SHA256

ea2aba1a17de28fee1a6097e91c4ceb0f3887f6bbcce46dfe4d2e342b87bef9e
SHA512

7df2fd40b14992ea1a09a9efc61ae91c2e5fe49272855dc00542096070a6804fd1e06d0978f39c8fa1d35af51b4c4cb2ff66674e29da8cb82076bbb0ef5b371c

Malware Config

Extracted

Family

socelars

http://www.kvubgc.com/

Extracted

Family

redline

Botnet

v2user1

88.99.35.59:63020

Attributes

auth_value
0cd1ad671efa88aa6b92a97334b72134

Extracted

Family

redline

Botnet

media17223

92.255.57.115:59426

Attributes

auth_value
0b27ce2a5b396987135b2ec499c63068

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

redline

Botnet

193.203.203.82:23108

Attributes

auth_value
52b37b8702d697840527fac8a6ac247d

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5976	4576	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6128	4576	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5200	4576	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3020-270-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/5184-279-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2764-348-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85480177_Tue113068966df.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85480177_Tue113068966df.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 4888 created 996	4888	WerFault.exe	setup_install.exe
PID 2424 created 4568	2424	WerFault.exe	61e6a84970fcb_Tue111204e9de49.exe
PID 1540 created 3348	1540	WerFault.exe	61e6a841abc9a_Tue1123c7e4cc.exe
PID 5160 created 3476	5160	WerFault.exe	61e6a8570e06b_Tue115f17fcf5.exe
PID 5240 created 4724	5240	WerFault.exe	61e6a85829009_Tue11835fdf.exe
PID 5504 created 3708	5504	WerFault.exe	61e6a85abc0d3_Tue114fbfb1.exe
PID 5660 created 3652	5660	WerFault.exe	61e6a85480177_Tue113068966df.exe
PID 6112 created 6012	6112	WerFault.exe	rundll32.exe
PID 5144 created 4792	5144	WerFault.exe	rundll32.exe
PID 4876 created 3912	4876	WerFault.exe	Conhost.exe

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata

OnlyLogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3348-266-0x0000000000750000-0x000000000079C000-memory.dmp	family_onlylogger

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libcurlpp.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 46 IoCs

Processes:

setup_installer.exesetup_install.exe61e6a85829009_Tue11835fdf.exe61e6a85246ad2_Tue11fb5020.exe61e6a85abc0d3_Tue114fbfb1.exe61e6a841abc9a_Tue1123c7e4cc.exe61e6a8594f5d8_Tue1149caf91.exe61e6a8570e06b_Tue115f17fcf5.exe61e6a85480177_Tue113068966df.exe61e6a84bf05e7_Tue11763442.exe61e6a84c9b4e6_Tue11f9d25bb.exe61e6a84db6e55_Tue11d0da3a20e6.exe61e6a84970fcb_Tue111204e9de49.exe61e6a84281ea3_Tue11b8eafb46.exe61e6a85a7165a_Tue11d0c6493.exe61e6a851890c2_Tue1182bb1d53fa.exe61e6a855abc56_Tue115500cf813.exe61e6a849b9e88_Tue11559920.exe61e6a84f88b87_Tue111029e151.exe61e6a851890c2_Tue1182bb1d53fa.tmp61e6a84c9b4e6_Tue11f9d25bb.exe61e6a851890c2_Tue1182bb1d53fa.exe61e6a84c9b4e6_Tue11f9d25bb.exe61e6a851890c2_Tue1182bb1d53fa.tmp11111.exe61e6a8594f5d8_Tue1149caf91.exeiULXFxDDiK_fXL1kGEnnEXCd.exe61e6a855abc56_Tue115500cf813.exe61e6a85246ad2_Tue11fb5020.exe11111.exe9btTk81Ra3rN1OK8J4mj2FSC.exeConhost.exeW2RcyFnzUBbOZJfa64X9Wopa.exeW2RcyFnzUBbOZJfa64X9Wopa.exe11111.exe11111.exe61e6a849b9e88_Tue11559920.exe123.Popup.Maker.v1.01.keygen.exekeygen-pr.exekeygen-step-1.exekeygen-step-5.exekeygen-step-6.exekeygen-step-4.exekey.exeLightCleaner532412.exe348cc79c-6271-4027-ab99-d03f97c338bf.exe

pid	process
1588	setup_installer.exe
996	setup_install.exe
4724	61e6a85829009_Tue11835fdf.exe
1412	61e6a85246ad2_Tue11fb5020.exe
3708	61e6a85abc0d3_Tue114fbfb1.exe
3348	61e6a841abc9a_Tue1123c7e4cc.exe
3592	61e6a8594f5d8_Tue1149caf91.exe
3476	61e6a8570e06b_Tue115f17fcf5.exe
3652	61e6a85480177_Tue113068966df.exe
4552	61e6a84bf05e7_Tue11763442.exe
4216	61e6a84c9b4e6_Tue11f9d25bb.exe
4224	61e6a84db6e55_Tue11d0da3a20e6.exe
4568	61e6a84970fcb_Tue111204e9de49.exe
4228	61e6a84281ea3_Tue11b8eafb46.exe
3624	61e6a85a7165a_Tue11d0c6493.exe
4152	61e6a851890c2_Tue1182bb1d53fa.exe
1200	61e6a855abc56_Tue115500cf813.exe
1148	61e6a849b9e88_Tue11559920.exe
4460	61e6a84f88b87_Tue111029e151.exe
2792	61e6a851890c2_Tue1182bb1d53fa.tmp
2240	61e6a84c9b4e6_Tue11f9d25bb.exe
1936	61e6a851890c2_Tue1182bb1d53fa.exe
872	61e6a84c9b4e6_Tue11f9d25bb.exe
1608	61e6a851890c2_Tue1182bb1d53fa.tmp
4864	11111.exe
5220	61e6a8594f5d8_Tue1149caf91.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
3020	61e6a855abc56_Tue115500cf813.exe
5184	61e6a85246ad2_Tue11fb5020.exe
5896	11111.exe
1960	9btTk81Ra3rN1OK8J4mj2FSC.exe
3912	Conhost.exe
2696	W2RcyFnzUBbOZJfa64X9Wopa.exe
5808	W2RcyFnzUBbOZJfa64X9Wopa.exe
4636	11111.exe
5932	11111.exe
2764	61e6a849b9e88_Tue11559920.exe
5092	123.Popup.Maker.v1.01.keygen.exe
4888	keygen-pr.exe
3560	keygen-step-1.exe
5172	keygen-step-5.exe
5084	keygen-step-6.exe
6384	keygen-step-4.exe
6504	key.exe
6536	LightCleaner532412.exe
6644	348cc79c-6271-4027-ab99-d03f97c338bf.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\11111.exe	upx
C:\Users\Admin\AppData\Local\Temp\11111.exe	upx

Loads dropped DLL 16 IoCs

Processes:

setup_install.exe61e6a851890c2_Tue1182bb1d53fa.tmp61e6a851890c2_Tue1182bb1d53fa.tmprundll32.exerundll32.exerundll32.exerundll32.exetaskmgr.exemsiexec.exe

pid	process
996	setup_install.exe
996	setup_install.exe
996	setup_install.exe
996	setup_install.exe
996	setup_install.exe
996	setup_install.exe
2792	61e6a851890c2_Tue1182bb1d53fa.tmp
1608	61e6a851890c2_Tue1182bb1d53fa.tmp
5676	rundll32.exe
5676	rundll32.exe
6012	rundll32.exe
4792	rundll32.exe
4072	rundll32.exe
4072	rundll32.exe
1896	taskmgr.exe
6492	msiexec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
2 ipinfo.io
32 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\WINDOWS\SYSTEM32\WINBIODATABASE\51F39552-1075-4199-B513-0C10EA185DB0.DAT svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

flow	ioc
2	ip-api.com
2	ipinfo.io
32	ipinfo.io

description	ioc	process
File opened for modification	C:\WINDOWS\SYSTEM32\WINBIODATABASE\51F39552-1075-4199-B513-0C10EA185DB0.DAT	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

WerFault.exe61e6a855abc56_Tue115500cf813.exe61e6a85246ad2_Tue11fb5020.exe61e6a849b9e88_Tue11559920.exe

description	pid	process	target process
PID 3592 set thread context of 5220	3592	WerFault.exe	61e6a8594f5d8_Tue1149caf91.exe
PID 1200 set thread context of 3020	1200	61e6a855abc56_Tue115500cf813.exe	61e6a855abc56_Tue115500cf813.exe
PID 1412 set thread context of 5184	1412	61e6a85246ad2_Tue11fb5020.exe	61e6a85246ad2_Tue11fb5020.exe
PID 1148 set thread context of 2764	1148	61e6a849b9e88_Tue11559920.exe	61e6a849b9e88_Tue11559920.exe

Drops file in Program Files directory 3 IoCs

Processes:

61e6a851890c2_Tue1182bb1d53fa.tmp

description	ioc	process
File created	C:\Program Files (x86)\AtomTweaker\unins000.dat	61e6a851890c2_Tue1182bb1d53fa.tmp
File created	C:\Program Files (x86)\AtomTweaker\is-DED9I.tmp	61e6a851890c2_Tue1182bb1d53fa.tmp
File opened for modification	C:\Program Files (x86)\AtomTweaker\unins000.dat	61e6a851890c2_Tue1182bb1d53fa.tmp

Drops file in Windows directory 8 IoCs

Processes:

SystemSettings.exeUserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	SystemSettings.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1576	996	WerFault.exe	setup_install.exe
2636	4568	WerFault.exe	61e6a84970fcb_Tue111204e9de49.exe
5288	3348	WerFault.exe	61e6a841abc9a_Tue1123c7e4cc.exe
5380	3476	WerFault.exe	61e6a8570e06b_Tue115f17fcf5.exe
5760	3652	WerFault.exe	61e6a85480177_Tue113068966df.exe
5688	3708	WerFault.exe	61e6a85abc0d3_Tue114fbfb1.exe
3592	6012	WerFault.exe	rundll32.exe
5532	4792	WerFault.exe
4800	3912	WerFault.exe	xwrAHusrn2bOtrPNGlPiBMlu.exe

Checks SCSI registry key(s) 3 TTPs 14 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SystemSettings.exetaskmgr.exe61e6a8594f5d8_Tue1149caf91.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61e6a8594f5d8_Tue1149caf91.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61e6a8594f5d8_Tue1149caf91.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61e6a8594f5d8_Tue1149caf91.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000	SystemSettings.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeSystemSettings.exeWerFault.exeWerFault.exe348cc79c-6271-4027-ab99-d03f97c338bf.exeWerFault.exeWerFault.exeWerFault.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	348cc79c-6271-4027-ab99-d03f97c338bf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	348cc79c-6271-4027-ab99-d03f97c338bf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 23 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeSystemSettings.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Toolbar

Modifies data under HKEY_USERS 11 IoCs

Processes:

SecurityHealthService.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	SecurityHealthService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	SecurityHealthService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	SecurityHealthService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\NGC	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	SecurityHealthService.exe

Modifies registry class 64 IoCs

Processes:

61e6a84db6e55_Tue11d0da3a20e6.exe61e6a84f88b87_Tue111029e151.exeMiniSearchHost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000100000002000000050000000300000004000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0\0\0 = a20031000000000034545573100054454d50315f7e312e5a49500000860009000400efbe34545573345455732e0000008eb50200000001000000000000000000000000000000c2392f00540065006d00700031005f003100320033002e0050006f007000750070002e004d0061006b00650072002e00760031002e00300031002e006b0065007900670065006e0020002800310029002e007a006900700000001c000000
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	61e6a84db6e55_Tue11d0da3a20e6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\25\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0"
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1024x768x96(1).x = "4294967295"
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.SecHealthUI_8wekyb3d8bbwe\ApplicationFrame\Microsoft.SecHealthUI_8wekyb3d8bbwe!SecHealthUI\Positio = 2c0000000200000003000000ffffffffffffffffffffffffffffffff280000002000000058030000a1020000
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1024x768x96(1).x = "4294935296"
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202020202020202020202020202
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\0\NodeSlot = "25"
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\25\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByDirection = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874369"
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1024x768x96(1).top = "34"
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\25
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\25\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16"
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\ApplicationFrame
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000070000001800000030f125b7ef471a10a5f102608c9eebac0a000000f000000030f125b7ef471a10a5f102608c9eebac04000000a0000000e0cc8de8b3b7d111a9f000aa0060fa310600000080000000e0cc8de8b3b7d111a9f000aa0060fa31020000005000000030f125b7ef471a10a5f102608c9eebac0c00000080000000e0cc8de8b3b7d111a9f000aa0060fa31040000005000000030f125b7ef471a10a5f102608c9eebac0e000000a0000000
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1024x768x96(1).bottom = "634"
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe1000000069397f3be27ed70104d468cae58ad701061df689090ed80114000000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000000000002000000050000000300000004000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\26
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\Shell\SniffedFolderType = "Downloads"
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0\0\0\0 = 8e0032002ded7f00345456732000313233504f507e312e5a49500000720009000400efbe4d54c810345456732e00000090b50200000001000000000000000000000000000000bd4614013100320033002e0050006f007000750070002e004d0061006b00650072002e00760031002e00300031002e006b0065007900670065006e002e007a006900700000001c000000
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings	61e6a84f88b87_Tue111029e151.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16"
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe1100000007fc833be27ed7013a426e9b090ed80125a3cf9b090ed80114000000
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1024x768x96(1).left = "161"
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0"
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.SecHealthUI_8wekyb3d8bbwe\ApplicationFrame\Microsoft.SecHealthUI_8wekyb3d8bbwe!SecHealthUI\Preferr = f4010000f4010000
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\25\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874369"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1024x768x96(1).right = "961"
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\25\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\25\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4"
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy = 8403000084030000
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1024x768x96(1).y = "4294967295"
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\25\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"

NTFS ADS 4 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Temp1_123.Popup.Maker.v1.01.keygen (1).zip\123.Popup.Maker.v1.01.keygen.zip:Zone.Identifier
File opened for modification	C:\Users\Admin\Desktop\123.Popup.Maker.v1.01.keygen.exe:Zone.Identifier
File opened for modification	C:\Users\Admin\Downloads\123.Popup.Maker.v1.01.keygen.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\123.Popup.Maker.v1.01.keygen (1).zip:Zone.Identifier	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

900 PING.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

pid process

3292
3292

pid	process
900	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

61e6a849b9e88_Tue11559920.exepowershell.exeWerFault.exeWerFault.exe61e6a8594f5d8_Tue1149caf91.exeWerFault.exeWerFault.exepowershell.exeiULXFxDDiK_fXL1kGEnnEXCd.exeWerFault.exe11111.exeWerFault.exe

pid	process
1148	61e6a849b9e88_Tue11559920.exe
1148	61e6a849b9e88_Tue11559920.exe
4104	powershell.exe
4104	powershell.exe
1576	WerFault.exe
1576	WerFault.exe
2636	WerFault.exe
2636	WerFault.exe
5220	61e6a8594f5d8_Tue1149caf91.exe
5220	61e6a8594f5d8_Tue1149caf91.exe
5288	WerFault.exe
5288	WerFault.exe
5380	WerFault.exe
5380	WerFault.exe
3412	powershell.exe
3412	powershell.exe
4104	powershell.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5688	WerFault.exe
5688	WerFault.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5896	11111.exe
5896	11111.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5760	WerFault.exe
5760	WerFault.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe
5720	iULXFxDDiK_fXL1kGEnnEXCd.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

taskmgr.exemsiexec.exe

pid process

3292
1896 taskmgr.exe
6492 msiexec.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

61e6a8594f5d8_Tue1149caf91.exe

pid process

5220 61e6a8594f5d8_Tue1149caf91.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4528 msedge.exe
4528 msedge.exe
4528 msedge.exe
4528 msedge.exe
4528 msedge.exe
4528 msedge.exe
4528 msedge.exe
4528 msedge.exe
4528 msedge.exe

pid	process
5220	61e6a8594f5d8_Tue1149caf91.exe

pid	process
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

61e6a85480177_Tue113068966df.exe61e6a85abc0d3_Tue114fbfb1.exe61e6a849b9e88_Tue11559920.exe61e6a85246ad2_Tue11fb5020.exe61e6a855abc56_Tue115500cf813.exeWerFault.exepowershell.exe61e6a84281ea3_Tue11b8eafb46.exepowershell.exe

description	pid	process
Token: SeCreateTokenPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeAssignPrimaryTokenPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeLockMemoryPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeIncreaseQuotaPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeMachineAccountPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeTcbPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeSecurityPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeTakeOwnershipPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeLoadDriverPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeSystemProfilePrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeSystemtimePrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeProfSingleProcessPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeIncBasePriorityPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeCreatePagefilePrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeCreatePermanentPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeBackupPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeRestorePrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeShutdownPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeDebugPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeAuditPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeSystemEnvironmentPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeChangeNotifyPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeRemoteShutdownPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeUndockPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeSyncAgentPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeEnableDelegationPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeManageVolumePrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeImpersonatePrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: SeCreateGlobalPrivilege	3652	61e6a85480177_Tue113068966df.exe
Token: 31	3652	61e6a85480177_Tue113068966df.exe
Token: 32	3652	61e6a85480177_Tue113068966df.exe
Token: 33	3652	61e6a85480177_Tue113068966df.exe
Token: 34	3652	61e6a85480177_Tue113068966df.exe
Token: 35	3652	61e6a85480177_Tue113068966df.exe
Token: SeDebugPrivilege	3708	61e6a85abc0d3_Tue114fbfb1.exe
Token: SeDebugPrivilege	1148	61e6a849b9e88_Tue11559920.exe
Token: SeDebugPrivilege	1412	61e6a85246ad2_Tue11fb5020.exe
Token: SeDebugPrivilege	1200	61e6a855abc56_Tue115500cf813.exe
Token: SeRestorePrivilege	1576	WerFault.exe
Token: SeBackupPrivilege	1576	WerFault.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4228	61e6a84281ea3_Tue11b8eafb46.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeShutdownPrivilege	3292
Token: SeCreatePagefilePrivilege	3292
Token: SeShutdownPrivilege	3292
Token: SeCreatePagefilePrivilege	3292
Token: SeShutdownPrivilege	3292
Token: SeCreatePagefilePrivilege	3292
Token: SeShutdownPrivilege	3292
Token: SeCreatePagefilePrivilege	3292
Token: SeShutdownPrivilege	3292
Token: SeCreatePagefilePrivilege	3292
Token: SeShutdownPrivilege	3292
Token: SeCreatePagefilePrivilege	3292
Token: SeShutdownPrivilege	3292
Token: SeCreatePagefilePrivilege	3292
Token: SeShutdownPrivilege	3292
Token: SeCreatePagefilePrivilege	3292
Token: SeShutdownPrivilege	3292
Token: SeCreatePagefilePrivilege	3292
Token: SeShutdownPrivilege	3292
Token: SeCreatePagefilePrivilege	3292
Token: SeShutdownPrivilege	3292

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

61e6a851890c2_Tue1182bb1d53fa.tmpmsedge.exetaskmgr.exe

pid	process
1608	61e6a851890c2_Tue1182bb1d53fa.tmp
3292
3292
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe
1896	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

pid	process
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

61e6a84c9b4e6_Tue11f9d25bb.exe61e6a84c9b4e6_Tue11f9d25bb.exe61e6a84c9b4e6_Tue11f9d25bb.exeSystemSettings.exeMiniSearchHost.exeCHXSmartScreen.exeSecHealthUI.exe

pid	process
4216	61e6a84c9b4e6_Tue11f9d25bb.exe
4216	61e6a84c9b4e6_Tue11f9d25bb.exe
2240	61e6a84c9b4e6_Tue11f9d25bb.exe
872	61e6a84c9b4e6_Tue11f9d25bb.exe
872	61e6a84c9b4e6_Tue11f9d25bb.exe
2240	61e6a84c9b4e6_Tue11f9d25bb.exe
3292
3696	SystemSettings.exe
3292
3292
6084	MiniSearchHost.exe
3292
3292
3292
3292
3292
3292
3308	CHXSmartScreen.exe
3292
3620	SecHealthUI.exe
3292

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b002c0162a0a0c83be1ebdb21c14c580.exesetup_installer.exesetup_install.execmd.execmd.exe

description	pid	process	target process
PID 2072 wrote to memory of 1588	2072	b002c0162a0a0c83be1ebdb21c14c580.exe	setup_installer.exe
PID 2072 wrote to memory of 1588	2072	b002c0162a0a0c83be1ebdb21c14c580.exe	setup_installer.exe
PID 2072 wrote to memory of 1588	2072	b002c0162a0a0c83be1ebdb21c14c580.exe	setup_installer.exe
PID 1588 wrote to memory of 996	1588	setup_installer.exe	setup_install.exe
PID 1588 wrote to memory of 996	1588	setup_installer.exe	setup_install.exe
PID 1588 wrote to memory of 996	1588	setup_installer.exe	setup_install.exe
PID 996 wrote to memory of 1956	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 1956	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 1956	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 3056	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 3056	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 3056	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 1988	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 1988	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 1988	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 1768	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 1768	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 1768	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 1668	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 1668	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 1668	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2032	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2032	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2032	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 1696	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 1696	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 1696	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2388	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2388	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2388	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2496	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2496	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2496	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2336	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2336	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2336	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2396	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2396	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2396	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2384	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2384	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2384	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2420	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2420	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2420	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2744	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2744	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2744	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2068	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2068	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 2068	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 3912	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 3912	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 3912	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 3040	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 3040	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 3040	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 3424	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 3424	996	setup_install.exe	cmd.exe
PID 996 wrote to memory of 3424	996	setup_install.exe	cmd.exe
PID 2068 wrote to memory of 4724	2068	cmd.exe	61e6a85829009_Tue11835fdf.exe
PID 2068 wrote to memory of 4724	2068	cmd.exe	61e6a85829009_Tue11835fdf.exe
PID 2068 wrote to memory of 4724	2068	cmd.exe	61e6a85829009_Tue11835fdf.exe
PID 2396 wrote to memory of 1412	2396	cmd.exe	61e6a85246ad2_Tue11fb5020.exe

C:\Users\Admin\AppData\Local\Temp\b002c0162a0a0c83be1ebdb21c14c580.exe
"C:\Users\Admin\AppData\Local\Temp\b002c0162a0a0c83be1ebdb21c14c580.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS436B2492\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a8570e06b_Tue115f17fcf5.exe
4⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a8570e06b_Tue115f17fcf5.exe
61e6a8570e06b_Tue115f17fcf5.exe
5⤵
- Executes dropped EXE
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 244
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a85abc0d3_Tue114fbfb1.exe
4⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85abc0d3_Tue114fbfb1.exe
61e6a85abc0d3_Tue114fbfb1.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3708 -s 1960
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a85a7165a_Tue11d0c6493.exe
4⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85a7165a_Tue11d0c6493.exe
61e6a85a7165a_Tue11d0c6493.exe
5⤵
- Executes dropped EXE
PID:3624

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:4864

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a8594f5d8_Tue1149caf91.exe
4⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a8594f5d8_Tue1149caf91.exe
61e6a8594f5d8_Tue1149caf91.exe
5⤵
- Executes dropped EXE
PID:3592

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a8594f5d8_Tue1149caf91.exe
61e6a8594f5d8_Tue1149caf91.exe
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a85829009_Tue11835fdf.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85829009_Tue11835fdf.exe
61e6a85829009_Tue11835fdf.exe
5⤵
- Executes dropped EXE
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a855abc56_Tue115500cf813.exe
4⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a855abc56_Tue115500cf813.exe
61e6a855abc56_Tue115500cf813.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a855abc56_Tue115500cf813.exe
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a855abc56_Tue115500cf813.exe
6⤵
- Executes dropped EXE
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a85480177_Tue113068966df.exe
4⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85480177_Tue113068966df.exe
61e6a85480177_Tue113068966df.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 1392
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a85246ad2_Tue11fb5020.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85246ad2_Tue11fb5020.exe
61e6a85246ad2_Tue11fb5020.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85246ad2_Tue11fb5020.exe
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85246ad2_Tue11fb5020.exe
6⤵
- Executes dropped EXE
PID:5184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a851890c2_Tue1182bb1d53fa.exe
4⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a851890c2_Tue1182bb1d53fa.exe
61e6a851890c2_Tue1182bb1d53fa.exe
5⤵
- Executes dropped EXE
PID:4152

C:\Users\Admin\AppData\Local\Temp\is-QM01A.tmp\61e6a851890c2_Tue1182bb1d53fa.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QM01A.tmp\61e6a851890c2_Tue1182bb1d53fa.tmp" /SL5="$70082,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a851890c2_Tue1182bb1d53fa.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a851890c2_Tue1182bb1d53fa.exe
"C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a851890c2_Tue1182bb1d53fa.exe" /SILENT
7⤵
- Executes dropped EXE
PID:1936

C:\Users\Admin\AppData\Local\Temp\is-TRNAQ.tmp\61e6a851890c2_Tue1182bb1d53fa.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TRNAQ.tmp\61e6a851890c2_Tue1182bb1d53fa.tmp" /SL5="$20220,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a851890c2_Tue1182bb1d53fa.exe" /SILENT
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a84f88b87_Tue111029e151.exe
4⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84f88b87_Tue111029e151.exe
61e6a84f88b87_Tue111029e151.exe
5⤵
- Executes dropped EXE
- Modifies registry class
PID:4460

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\O9N10R8~.Cpl",
6⤵
PID:5340

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\O9N10R8~.Cpl",
7⤵
- Loads dropped DLL
PID:5676

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\O9N10R8~.Cpl",
8⤵
PID:4884

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\O9N10R8~.Cpl",
9⤵
- Loads dropped DLL
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a84db6e55_Tue11d0da3a20e6.exe
4⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84db6e55_Tue11d0da3a20e6.exe
61e6a84db6e55_Tue11d0da3a20e6.exe
5⤵
- Executes dropped EXE
- Modifies registry class
PID:4224

C:\Users\Admin\Pictures\Adobe Films\iULXFxDDiK_fXL1kGEnnEXCd.exe
"C:\Users\Admin\Pictures\Adobe Films\iULXFxDDiK_fXL1kGEnnEXCd.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5720

C:\Users\Admin\Pictures\Adobe Films\9btTk81Ra3rN1OK8J4mj2FSC.exe
"C:\Users\Admin\Pictures\Adobe Films\9btTk81Ra3rN1OK8J4mj2FSC.exe"
6⤵
- Executes dropped EXE
PID:1960

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
- Executes dropped EXE
PID:4636

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
- Executes dropped EXE
PID:5932

C:\Users\Admin\Pictures\Adobe Films\xwrAHusrn2bOtrPNGlPiBMlu.exe
"C:\Users\Admin\Pictures\Adobe Films\xwrAHusrn2bOtrPNGlPiBMlu.exe"
6⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 304
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4800

C:\Users\Admin\Pictures\Adobe Films\W2RcyFnzUBbOZJfa64X9Wopa.exe
"C:\Users\Admin\Pictures\Adobe Films\W2RcyFnzUBbOZJfa64X9Wopa.exe"
6⤵
- Executes dropped EXE
PID:2696

C:\Users\Admin\Pictures\Adobe Films\W2RcyFnzUBbOZJfa64X9Wopa.exe
"C:\Users\Admin\Pictures\Adobe Films\W2RcyFnzUBbOZJfa64X9Wopa.exe" -u
7⤵
- Executes dropped EXE
PID:5808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a84c9b4e6_Tue11f9d25bb.exe
4⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84c9b4e6_Tue11f9d25bb.exe
61e6a84c9b4e6_Tue11f9d25bb.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4216

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84c9b4e6_Tue11f9d25bb.exe
"C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84c9b4e6_Tue11f9d25bb.exe" -a
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84c9b4e6_Tue11f9d25bb.exe
"C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84c9b4e6_Tue11f9d25bb.exe" -a
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a84bf05e7_Tue11763442.exe
4⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84bf05e7_Tue11763442.exe
61e6a84bf05e7_Tue11763442.exe
5⤵
- Executes dropped EXE
PID:4552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84bf05e7_Tue11763442.exe" >> NUL
6⤵
PID:972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
- Executes dropped EXE
PID:3912

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
7⤵
- Runs ping.exe
PID:900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a849b9e88_Tue11559920.exe
4⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a849b9e88_Tue11559920.exe
61e6a849b9e88_Tue11559920.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Users\Admin\AppData\Local\Temp\61e6a849b9e88_Tue11559920.exe
C:\Users\Admin\AppData\Local\Temp\61e6a849b9e88_Tue11559920.exe
6⤵
- Executes dropped EXE
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a84970fcb_Tue111204e9de49.exe
4⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84970fcb_Tue111204e9de49.exe
61e6a84970fcb_Tue111204e9de49.exe
5⤵
- Executes dropped EXE
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 288
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a84281ea3_Tue11b8eafb46.exe
4⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84281ea3_Tue11b8eafb46.exe
61e6a84281ea3_Tue11b8eafb46.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61e6a841abc9a_Tue1123c7e4cc.exe /mixtwo
4⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a841abc9a_Tue1123c7e4cc.exe
61e6a841abc9a_Tue1123c7e4cc.exe /mixtwo
5⤵
- Executes dropped EXE
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 248
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
PID:1956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 580
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 996 -ip 996
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4568 -ip 4568
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3348 -ip 3348
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3476 -ip 3476
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4724 -ip 4724
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 3708 -ip 3708
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3652 -ip 3652
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5660

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:5976

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
- Loads dropped DLL
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 456
3⤵
- Suspicious use of SetThreadContext
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6012 -ip 6012
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6112

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:6128

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
- Loads dropped DLL
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 448
1⤵
- Program crash
PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4792 -ip 4792
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3912 -ip 3912
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4876

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5200

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:5944

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6084

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2428

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7fff1ceb46f8,0x7fff1ceb4708,0x7fff1ceb4718
2⤵
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
2⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
2⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
2⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
2⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
2⤵
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
2⤵
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
2⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
2⤵
PID:3804

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
2⤵
PID:5740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
2⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
2⤵
PID:5312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5112 /prefetch:8
2⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
2⤵
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 /prefetch:8
2⤵
- NTFS ADS
PID:5624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
2⤵
PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8
2⤵
- NTFS ADS
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
2⤵
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5896 /prefetch:8
2⤵
PID:5080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6164 /prefetch:2
2⤵
PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,12053118383459162895,3057108806935982738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1248 /prefetch:8
2⤵
PID:6828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:1160

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:988

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:5668

C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe
"C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" -ServerName:App.AppXk7vvv12h4qrkhkbvf6j86ja45mzj5km9.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3308

C:\Users\Admin\Desktop\123.Popup.Maker.v1.01.keygen.exe
"C:\Users\Admin\Desktop\123.Popup.Maker.v1.01.keygen.exe"
1⤵
- Executes dropped EXE
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:5848

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:4888

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
PID:6504

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:6600

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:3560

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe
keygen-step-5.exe
3⤵
- Executes dropped EXE
PID:5172

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" -y .\WsF4B3wC.D
4⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:6492

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
keygen-step-6.exe
3⤵
- Executes dropped EXE
PID:5084

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:6384

C:\Users\Admin\AppData\Local\Temp\RarSFX2\LightCleaner532412.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\LightCleaner532412.exe"
4⤵
- Executes dropped EXE
PID:6536

C:\Users\Admin\AppData\Local\Temp\348cc79c-6271-4027-ab99-d03f97c338bf.exe
"C:\Users\Admin\AppData\Local\Temp\348cc79c-6271-4027-ab99-d03f97c338bf.exe"
5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:6644

C:\Program Files\WindowsApps\Microsoft.SecHealthUI_1000.22000.1.0_neutral__8wekyb3d8bbwe\SecHealthUI.exe
"C:\Program Files\WindowsApps\Microsoft.SecHealthUI_1000.22000.1.0_neutral__8wekyb3d8bbwe\SecHealthUI.exe" -ServerName:SecHealthUI.AppX8tam42xc7v2czs3s1nt0nkxvfjtepzp9.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Windows\system32\SecurityHealthService.exe
C:\Windows\system32\SecurityHealthService.exe
1⤵
- Modifies data under HKEY_USERS
PID:1468

C:\Windows\System32\SecurityHealthHost.exe
\\?\C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:3784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k WbioSvcGroup -s WbioSrvc
1⤵
- Drops file in System32 directory
PID:6052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
4b5398702d01657f4a4aec519651d7ce

SHA1
dcdb87dbaefea7f75ac431e03f66713a3526c8d7

SHA256
e55a53004548c6d97900f9772f55e99dec560ed4bb7d2822eb270e076d574b41

SHA512
101fa5a015b24ad6726ad4ad8cd9d5a2ea4206d3a5eabd69244f91cfc54eca0219ed250e4509fcf92464e6b8e18e984e7a5840a3d9f3ab0c6ea316b77ced2317

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe
MD5
94989927a6611e1919f84e1871922b63

SHA1
b602e4c47c9c42c273b68a1ce85f0814c0e05deb

SHA256
6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17

SHA512
ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe
MD5
94989927a6611e1919f84e1871922b63

SHA1
b602e4c47c9c42c273b68a1ce85f0814c0e05deb

SHA256
6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17

SHA512
ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a841abc9a_Tue1123c7e4cc.exe
MD5
96f88bbb976972419ae49d152b9aea63

SHA1
7b50d55c3e0a350891803e2cc6300d7a0b12e3d5

SHA256
68cf034305a6ee22a2295eecd87b200823695893c007fd40e8ded99c46180d7d

SHA512
3304f7664d0573cdf3bd0765844c185e174d310895f4a1522798c0c490ec9fc5ddc48b98e5feddcc536dc9862b977b2623a15a126b852f993115dfa7fa7fc79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a841abc9a_Tue1123c7e4cc.exe
MD5
96f88bbb976972419ae49d152b9aea63

SHA1
7b50d55c3e0a350891803e2cc6300d7a0b12e3d5

SHA256
68cf034305a6ee22a2295eecd87b200823695893c007fd40e8ded99c46180d7d

SHA512
3304f7664d0573cdf3bd0765844c185e174d310895f4a1522798c0c490ec9fc5ddc48b98e5feddcc536dc9862b977b2623a15a126b852f993115dfa7fa7fc79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84281ea3_Tue11b8eafb46.exe
MD5
e01b875886c8c61e2246ba5c0e868e47

SHA1
c05487472da66cc683607e6f26d17ce05df1e152

SHA256
77f6cdc032565ba6086f89ebda608c681a0e8d2c6709ae00e852c2113e1fce0a

SHA512
2492c16ccb16d9588d4ef90ee55b0252bbc97cbe7cdef987848b7dee79ea2a6d7fbc15a231d9396e51d78c0041f6b388a38bb385f9faa5a95f87bc0cc016e0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84281ea3_Tue11b8eafb46.exe
MD5
e01b875886c8c61e2246ba5c0e868e47

SHA1
c05487472da66cc683607e6f26d17ce05df1e152

SHA256
77f6cdc032565ba6086f89ebda608c681a0e8d2c6709ae00e852c2113e1fce0a

SHA512
2492c16ccb16d9588d4ef90ee55b0252bbc97cbe7cdef987848b7dee79ea2a6d7fbc15a231d9396e51d78c0041f6b388a38bb385f9faa5a95f87bc0cc016e0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84970fcb_Tue111204e9de49.exe
MD5
60618faa42da851d0277f84181b89808

SHA1
48c65a3829d26424be928360e5158a78846f1fa4

SHA256
2f94f0f86ea4cd6d53b5878b766535c1ec79aa48179f37b58c8977005f89665d

SHA512
f42a873d3eae0bcac487e6109386155649e10b198724d60f79177f3dd324f3a87e00ebef9ac81a87ff068ca5552317604a31bb21e5f8b2f10e560df5b24a9685

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84970fcb_Tue111204e9de49.exe
MD5
60618faa42da851d0277f84181b89808

SHA1
48c65a3829d26424be928360e5158a78846f1fa4

SHA256
2f94f0f86ea4cd6d53b5878b766535c1ec79aa48179f37b58c8977005f89665d

SHA512
f42a873d3eae0bcac487e6109386155649e10b198724d60f79177f3dd324f3a87e00ebef9ac81a87ff068ca5552317604a31bb21e5f8b2f10e560df5b24a9685

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a849b9e88_Tue11559920.exe
MD5
8e8f9ec2380e6bec8eddde2ed5640119

SHA1
05ba1959ac3c31d46b5707c2a98ec379e58ac0ec

SHA256
723e373934071cace27bebd6c8a8e3d72d96f84bf27e39b726cb28d731628ec5

SHA512
4aedcc14aeb3822b4c65055ff92f136713340809d2d9febca2e24583b8a9f20801eb954918bbf2952f06da31eef9757827a1725df2af1b69883ac9c93c69767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a849b9e88_Tue11559920.exe
MD5
8e8f9ec2380e6bec8eddde2ed5640119

SHA1
05ba1959ac3c31d46b5707c2a98ec379e58ac0ec

SHA256
723e373934071cace27bebd6c8a8e3d72d96f84bf27e39b726cb28d731628ec5

SHA512
4aedcc14aeb3822b4c65055ff92f136713340809d2d9febca2e24583b8a9f20801eb954918bbf2952f06da31eef9757827a1725df2af1b69883ac9c93c69767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84bf05e7_Tue11763442.exe
MD5
b8ecec542a07067a193637269973c2e8

SHA1
97178479fd0fc608d6c0fbf243a0bb136d7b0ecb

SHA256
fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e

SHA512
730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84bf05e7_Tue11763442.exe
MD5
b8ecec542a07067a193637269973c2e8

SHA1
97178479fd0fc608d6c0fbf243a0bb136d7b0ecb

SHA256
fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e

SHA512
730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84c9b4e6_Tue11f9d25bb.exe
MD5
e5a07be6c167ccf605ba9e6a0608e141

SHA1
d50547756f224ebaf38efc1b2e5134b6caa272ba

SHA256
449fb91c32af2d722f418ab4ee0747d0b7457ba69496b2d8f894e6045d69e1e4

SHA512
b66a844121bd42707aab3200f5e2a01765bd00ea3b958e09baeca9cd6856005a17474e72a9635184046d92205be3baf6677951fd8eb42ccebe687efb8b30f13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84c9b4e6_Tue11f9d25bb.exe
MD5
e5a07be6c167ccf605ba9e6a0608e141

SHA1
d50547756f224ebaf38efc1b2e5134b6caa272ba

SHA256
449fb91c32af2d722f418ab4ee0747d0b7457ba69496b2d8f894e6045d69e1e4

SHA512
b66a844121bd42707aab3200f5e2a01765bd00ea3b958e09baeca9cd6856005a17474e72a9635184046d92205be3baf6677951fd8eb42ccebe687efb8b30f13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84c9b4e6_Tue11f9d25bb.exe
MD5
e5a07be6c167ccf605ba9e6a0608e141

SHA1
d50547756f224ebaf38efc1b2e5134b6caa272ba

SHA256
449fb91c32af2d722f418ab4ee0747d0b7457ba69496b2d8f894e6045d69e1e4

SHA512
b66a844121bd42707aab3200f5e2a01765bd00ea3b958e09baeca9cd6856005a17474e72a9635184046d92205be3baf6677951fd8eb42ccebe687efb8b30f13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84c9b4e6_Tue11f9d25bb.exe
MD5
e5a07be6c167ccf605ba9e6a0608e141

SHA1
d50547756f224ebaf38efc1b2e5134b6caa272ba

SHA256
449fb91c32af2d722f418ab4ee0747d0b7457ba69496b2d8f894e6045d69e1e4

SHA512
b66a844121bd42707aab3200f5e2a01765bd00ea3b958e09baeca9cd6856005a17474e72a9635184046d92205be3baf6677951fd8eb42ccebe687efb8b30f13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84db6e55_Tue11d0da3a20e6.exe
MD5
8f70a0f45532261cb4df2800b141551d

SHA1
521bbc045dfb7bf9fca55058ed2fc03d86cf8d00

SHA256
aa2c0a9e34f9fa4cbf1780d757cc84f32a8bd005142012e91a6888167f80f4d5

SHA512
3ea19ee472f3c7f9b7452fb4769fc3cc7591acff0f155889d08dadbd1f6ae289eaa310e220279318ac1536f99ea88e43ff75836aee47f3b4fbe8aa477cb9d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84db6e55_Tue11d0da3a20e6.exe
MD5
8f70a0f45532261cb4df2800b141551d

SHA1
521bbc045dfb7bf9fca55058ed2fc03d86cf8d00

SHA256
aa2c0a9e34f9fa4cbf1780d757cc84f32a8bd005142012e91a6888167f80f4d5

SHA512
3ea19ee472f3c7f9b7452fb4769fc3cc7591acff0f155889d08dadbd1f6ae289eaa310e220279318ac1536f99ea88e43ff75836aee47f3b4fbe8aa477cb9d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84f88b87_Tue111029e151.exe
MD5
74e16393ee8e076939b700614484f224

SHA1
8ff8e7fe18297edaa1b08fb8c545e321ee9f44a5

SHA256
c13a791c0c9220fc9e67290c1ee22359eda1f12c3070d2f90500feaa39a8968e

SHA512
7208bd96cf159999ff04529fdb0fdd51b9e8519b7ef89c5e0db123612321159e58dd4638eed406b9391be39a8bd8e5a79f368feb366c437f1562f24cb4a19282

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a84f88b87_Tue111029e151.exe
MD5
74e16393ee8e076939b700614484f224

SHA1
8ff8e7fe18297edaa1b08fb8c545e321ee9f44a5

SHA256
c13a791c0c9220fc9e67290c1ee22359eda1f12c3070d2f90500feaa39a8968e

SHA512
7208bd96cf159999ff04529fdb0fdd51b9e8519b7ef89c5e0db123612321159e58dd4638eed406b9391be39a8bd8e5a79f368feb366c437f1562f24cb4a19282

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a851890c2_Tue1182bb1d53fa.exe
MD5
996061fe21353bf63874579cc6c090cc

SHA1
eeaf5d66e0ff5e9ddad02653c5bf6af5275e47e9

SHA256
b9dad89b3de1d7f9a4b73a5d107c74f716a6e2e89d653c48ab47108b37ad699a

SHA512
042ea077acfc0dff8684a5eb304af15177c4e6f54c774471b8091669b1ab16833894ca7a52917f8a6bbeacbb6532db521cea61d70ac4c5c992cb4896083d6c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a851890c2_Tue1182bb1d53fa.exe
MD5
996061fe21353bf63874579cc6c090cc

SHA1
eeaf5d66e0ff5e9ddad02653c5bf6af5275e47e9

SHA256
b9dad89b3de1d7f9a4b73a5d107c74f716a6e2e89d653c48ab47108b37ad699a

SHA512
042ea077acfc0dff8684a5eb304af15177c4e6f54c774471b8091669b1ab16833894ca7a52917f8a6bbeacbb6532db521cea61d70ac4c5c992cb4896083d6c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a851890c2_Tue1182bb1d53fa.exe
MD5
996061fe21353bf63874579cc6c090cc

SHA1
eeaf5d66e0ff5e9ddad02653c5bf6af5275e47e9

SHA256
b9dad89b3de1d7f9a4b73a5d107c74f716a6e2e89d653c48ab47108b37ad699a

SHA512
042ea077acfc0dff8684a5eb304af15177c4e6f54c774471b8091669b1ab16833894ca7a52917f8a6bbeacbb6532db521cea61d70ac4c5c992cb4896083d6c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85246ad2_Tue11fb5020.exe
MD5
8e0bc14c20fd607593967f164bbf08b5

SHA1
f68dc21b6352302d36cb1953ac0065e30d1ca6b0

SHA256
af8fbb1b23a21d1be75abcbb8d7c8447ec0c3b309fcfb407a91576a06070dcfe

SHA512
71cb5f5cfc5bb858a3ec2b7cf94d1d0652b5b66c505c4016c9d86e19ba86352d5f8f332df11be163c4aa1d3d36fc892bcc5bd5f2fbd6a383cd4e36c9885c7639

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85246ad2_Tue11fb5020.exe
MD5
8e0bc14c20fd607593967f164bbf08b5

SHA1
f68dc21b6352302d36cb1953ac0065e30d1ca6b0

SHA256
af8fbb1b23a21d1be75abcbb8d7c8447ec0c3b309fcfb407a91576a06070dcfe

SHA512
71cb5f5cfc5bb858a3ec2b7cf94d1d0652b5b66c505c4016c9d86e19ba86352d5f8f332df11be163c4aa1d3d36fc892bcc5bd5f2fbd6a383cd4e36c9885c7639

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85480177_Tue113068966df.exe
MD5
435a69af01a985b95e39fb2016300bb8

SHA1
fc4a01fa471de5fcb5199b4dbcba6763a9eedbee

SHA256
d5cdd4249fd1b0aae17942ddb359574b4b22ff14736e79960e704b574806a427

SHA512
ea21ff6f08535ed0365a98314c71f0ffb87f1e8a03cdc812bbaa36174acc2f820d6d46c13504d9313de831693a3220c622e2ae244ffbcfe9befcbc321422b528

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85480177_Tue113068966df.exe
MD5
435a69af01a985b95e39fb2016300bb8

SHA1
fc4a01fa471de5fcb5199b4dbcba6763a9eedbee

SHA256
d5cdd4249fd1b0aae17942ddb359574b4b22ff14736e79960e704b574806a427

SHA512
ea21ff6f08535ed0365a98314c71f0ffb87f1e8a03cdc812bbaa36174acc2f820d6d46c13504d9313de831693a3220c622e2ae244ffbcfe9befcbc321422b528

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a855abc56_Tue115500cf813.exe
MD5
c7f26d8e0ac6d899d6febd75f81f9cc3

SHA1
113fe52d0562fa3b591dffd633f0d3d6db4feee8

SHA256
762433792d60c6c384fca690a8b3b5ef9e2390fd18ad0abdec248229bd5d89bc

SHA512
6848bff0d6e6302598faf274e35cb46c5b076937098a15558a199fded52d65a6486a4ae7cb9f756ea01c5fe4a685759bb6d1bf60fcf794528548830683aaee64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a855abc56_Tue115500cf813.exe
MD5
c7f26d8e0ac6d899d6febd75f81f9cc3

SHA1
113fe52d0562fa3b591dffd633f0d3d6db4feee8

SHA256
762433792d60c6c384fca690a8b3b5ef9e2390fd18ad0abdec248229bd5d89bc

SHA512
6848bff0d6e6302598faf274e35cb46c5b076937098a15558a199fded52d65a6486a4ae7cb9f756ea01c5fe4a685759bb6d1bf60fcf794528548830683aaee64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a8570e06b_Tue115f17fcf5.exe
MD5
c3ed4d88847b0eef18a405d3685a1029

SHA1
c91b8ae650e35c0f8bff69db1df290ef205a3bb0

SHA256
895dbff074bacc5218633e3a6b44ff89d9af2b79b73c9a2d8aa6a6ca60d796ae

SHA512
425a5a767a01a118746ecdab3626572fc7b57336b7a071da5c0e583c8ceed16dd9ea3475176c2168d6e7e7c49f69a1dcb7a785994ad3bb52c6694f99dd60d55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a8570e06b_Tue115f17fcf5.exe
MD5
c3ed4d88847b0eef18a405d3685a1029

SHA1
c91b8ae650e35c0f8bff69db1df290ef205a3bb0

SHA256
895dbff074bacc5218633e3a6b44ff89d9af2b79b73c9a2d8aa6a6ca60d796ae

SHA512
425a5a767a01a118746ecdab3626572fc7b57336b7a071da5c0e583c8ceed16dd9ea3475176c2168d6e7e7c49f69a1dcb7a785994ad3bb52c6694f99dd60d55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85829009_Tue11835fdf.exe
MD5
9b53a1df30cf7976e1c1bcc93097c9fd

SHA1
f45659cd2ea7d27a79eb5ba8a1176f0976bc4de5

SHA256
0abd4ff4d847dd9c8e3d80d3a8157d2ba57f16ac0603d2f0e98a7a56c5c7a4af

SHA512
4c1aad23328154b3a61de7b135bb97857895ce57dfbdb8c93d45664b67cbf1e07440911e35f89a0b6d08704364f1904a448f2718777be7b575efb783ddcec196

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85829009_Tue11835fdf.exe
MD5
9b53a1df30cf7976e1c1bcc93097c9fd

SHA1
f45659cd2ea7d27a79eb5ba8a1176f0976bc4de5

SHA256
0abd4ff4d847dd9c8e3d80d3a8157d2ba57f16ac0603d2f0e98a7a56c5c7a4af

SHA512
4c1aad23328154b3a61de7b135bb97857895ce57dfbdb8c93d45664b67cbf1e07440911e35f89a0b6d08704364f1904a448f2718777be7b575efb783ddcec196

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a8594f5d8_Tue1149caf91.exe
MD5
4dd0463002fd3c1597da932850b24181

SHA1
652a59bd5dfe60270b7113dcc2c5449f2856fcfa

SHA256
3febff889bb4471d7f6c969facc5851e53c654346a29e6a4f74b302e2238cec2

SHA512
e6a95bebc20449b39638338643d59073dfe4d02e4d50c623410f42af273ecdd8b2df17180f1a65f25f5427a1cef727de5127b955d91d8dd643f80b707bf7b835

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a8594f5d8_Tue1149caf91.exe
MD5
4dd0463002fd3c1597da932850b24181

SHA1
652a59bd5dfe60270b7113dcc2c5449f2856fcfa

SHA256
3febff889bb4471d7f6c969facc5851e53c654346a29e6a4f74b302e2238cec2

SHA512
e6a95bebc20449b39638338643d59073dfe4d02e4d50c623410f42af273ecdd8b2df17180f1a65f25f5427a1cef727de5127b955d91d8dd643f80b707bf7b835

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a8594f5d8_Tue1149caf91.exe
MD5
4dd0463002fd3c1597da932850b24181

SHA1
652a59bd5dfe60270b7113dcc2c5449f2856fcfa

SHA256
3febff889bb4471d7f6c969facc5851e53c654346a29e6a4f74b302e2238cec2

SHA512
e6a95bebc20449b39638338643d59073dfe4d02e4d50c623410f42af273ecdd8b2df17180f1a65f25f5427a1cef727de5127b955d91d8dd643f80b707bf7b835

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85a7165a_Tue11d0c6493.exe
MD5
79400b1fd740d9cb7ec7c2c2e9a7d618

SHA1
8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3

SHA256
556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f

SHA512
3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85a7165a_Tue11d0c6493.exe
MD5
79400b1fd740d9cb7ec7c2c2e9a7d618

SHA1
8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3

SHA256
556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f

SHA512
3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85abc0d3_Tue114fbfb1.exe
MD5
b505b6883c7d1d6b230d88a75030e633

SHA1
88561f52dec031d6134c6be7023522d9652c41ce

SHA256
949424b6244a96a2d4086c17274e579e112fcaf304b4f1340848b3b376322657

SHA512
3461a4f766afdd06fc8c29af217091604ccd090f19f3dc6493bff4217c571bb1d8c06595d89378cc005c89801063b44e407239268bee24a05cb1eabb651c7dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\61e6a85abc0d3_Tue114fbfb1.exe
MD5
b505b6883c7d1d6b230d88a75030e633

SHA1
88561f52dec031d6134c6be7023522d9652c41ce

SHA256
949424b6244a96a2d4086c17274e579e112fcaf304b4f1340848b3b376322657

SHA512
3461a4f766afdd06fc8c29af217091604ccd090f19f3dc6493bff4217c571bb1d8c06595d89378cc005c89801063b44e407239268bee24a05cb1eabb651c7dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\setup_install.exe
MD5
bc33b370b03e4d15525e6e24dfb3f3fb

SHA1
faa50310c645500f719c33ba3e51fbfde64ad703

SHA256
75721ec0cf5256499cd7cf2281fcb29eb018f21cfde0f6c918aa011e4c22788a

SHA512
0b8dc926e549969ed342508ca958d18e8826700a1f0c174df5587481bdedf8c076f8466fbb10436fa746d1fab463ddc45ec17af3cc8104da5955ce04921814c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS436B2492\setup_install.exe
MD5
bc33b370b03e4d15525e6e24dfb3f3fb

SHA1
faa50310c645500f719c33ba3e51fbfde64ad703

SHA256
75721ec0cf5256499cd7cf2281fcb29eb018f21cfde0f6c918aa011e4c22788a

SHA512
0b8dc926e549969ed342508ca958d18e8826700a1f0c174df5587481bdedf8c076f8466fbb10436fa746d1fab463ddc45ec17af3cc8104da5955ce04921814c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
9cf4803f539b6a0878817ae001351bf9

SHA1
f015c3f043945373279ca1bc509c97c4998016d0

SHA256
e6cde050dbb2c206b951b4e15509cdfee63c49505b183faa52696bdcfeb21bea

SHA512
4ee11255ba9cbf76509ea078ca68111854c2440f0ced4c3761340e555613169f87f8b69ca0e8b9f35baf08833e9a73f091ff3d0426dd74aad1aa792a5730cf29

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1KHBJ.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O3C9S.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QM01A.tmp\61e6a851890c2_Tue1182bb1d53fa.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QM01A.tmp\61e6a851890c2_Tue1182bb1d53fa.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TRNAQ.tmp\61e6a851890c2_Tue1182bb1d53fa.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TRNAQ.tmp\61e6a851890c2_Tue1182bb1d53fa.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
33c67dc052400e64affc86b036dd9adf

SHA1
4e6021d44c108ddb40931e3e6bb798adfbd4fa15

SHA256
9d041e046583608ade936202070b78ade35ea223faa63267a8cb899789ba83e4

SHA512
82ba8ee7a10ac35e75a3ee60be045ba57a2bfa3866d45daaf6ce70161954b9fbf0c27835bb1267b47078c6af9c88edfa7d23afcd3c8bd3aab673805cca724b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
33c67dc052400e64affc86b036dd9adf

SHA1
4e6021d44c108ddb40931e3e6bb798adfbd4fa15

SHA256
9d041e046583608ade936202070b78ade35ea223faa63267a8cb899789ba83e4

SHA512
82ba8ee7a10ac35e75a3ee60be045ba57a2bfa3866d45daaf6ce70161954b9fbf0c27835bb1267b47078c6af9c88edfa7d23afcd3c8bd3aab673805cca724b44

Download Submit
memory/996-168-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/996-167-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/996-269-0x000000006494A000-0x000000006494F000-memory.dmp

Filesize
20KB

Download
memory/996-268-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/996-265-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/996-162-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/996-163-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/996-267-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/996-164-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/996-263-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/996-165-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/996-166-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/996-169-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/996-272-0x000000006494C000-0x000000006494F000-memory.dmp

Filesize
12KB

Download
memory/1148-229-0x00000000066D0000-0x0000000006C76000-memory.dmp

Filesize
5.6MB

Download
memory/1148-286-0x0000000072A0E000-0x0000000072A0F000-memory.dmp

Filesize
4KB

Download
memory/1148-301-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/1148-212-0x0000000000FD0000-0x0000000001170000-memory.dmp

Filesize
1.6MB

Download
memory/1148-221-0x0000000005E90000-0x0000000006116000-memory.dmp

Filesize
2.5MB

Download
memory/1148-215-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/1200-220-0x0000000004B10000-0x0000000004B86000-memory.dmp

Filesize
472KB

Download
memory/1200-211-0x0000000000160000-0x00000000001EA000-memory.dmp

Filesize
552KB

Download
memory/1412-209-0x00000000009B0000-0x0000000000A3A000-memory.dmp

Filesize
552KB

Download
memory/1412-224-0x0000000005310000-0x000000000532E000-memory.dmp

Filesize
120KB

Download
memory/1412-281-0x0000000072A0E000-0x0000000072A0F000-memory.dmp

Filesize
4KB

Download
memory/1936-228-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2764-348-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3020-277-0x0000000005040000-0x0000000005052000-memory.dmp

Filesize
72KB

Download
memory/3020-280-0x0000000005170000-0x000000000527A000-memory.dmp

Filesize
1.0MB

Download
memory/3020-270-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3020-274-0x0000000005520000-0x0000000005B38000-memory.dmp

Filesize
6.1MB

Download
memory/3020-275-0x0000000072A0E000-0x0000000072A0F000-memory.dmp

Filesize
4KB

Download
memory/3020-289-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/3292-298-0x0000000001520000-0x0000000001536000-memory.dmp

Filesize
88KB

Download
memory/3348-264-0x0000000000720000-0x000000000074A000-memory.dmp

Filesize
168KB

Download
memory/3348-266-0x0000000000750000-0x000000000079C000-memory.dmp

Filesize
304KB

Download
memory/3476-276-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/3476-273-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/3592-253-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/3592-252-0x00000000006E0000-0x00000000006E9000-memory.dmp

Filesize
36KB

Download
memory/3696-358-0x0000021553180000-0x0000021553181000-memory.dmp

Filesize
4KB

Download
memory/3696-359-0x0000021553180000-0x0000021553181000-memory.dmp

Filesize
4KB

Download
memory/3696-354-0x0000021553180000-0x0000021553181000-memory.dmp

Filesize
4KB

Download
memory/3696-351-0x0000021553180000-0x0000021553181000-memory.dmp

Filesize
4KB

Download
memory/3696-353-0x0000021553180000-0x0000021553181000-memory.dmp

Filesize
4KB

Download
memory/3696-361-0x0000021553180000-0x0000021553181000-memory.dmp

Filesize
4KB

Download
memory/3696-356-0x0000021553180000-0x0000021553181000-memory.dmp

Filesize
4KB

Download
memory/3696-357-0x0000021553180000-0x0000021553181000-memory.dmp

Filesize
4KB

Download
memory/3696-360-0x0000021553180000-0x0000021553181000-memory.dmp

Filesize
4KB

Download
memory/3708-278-0x00007FFF1C4A3000-0x00007FFF1C4A5000-memory.dmp

Filesize
8KB

Download
memory/3708-300-0x000000001B210000-0x000000001B212000-memory.dmp

Filesize
8KB

Download
memory/3708-205-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/3944-387-0x00007FFF40420000-0x00007FFF40421000-memory.dmp

Filesize
4KB

Download
memory/4072-375-0x000000002FC70000-0x000000002FD0C000-memory.dmp

Filesize
624KB

Download
memory/4072-341-0x0000000004B30000-0x000000002F6BD000-memory.dmp

Filesize
683.6MB

Download
memory/4072-374-0x000000002FBC0000-0x000000002FC70000-memory.dmp

Filesize
704KB

Download
memory/4104-247-0x00000000078E0000-0x0000000007C37000-memory.dmp

Filesize
3.3MB

Download
memory/4104-292-0x0000000072A0E000-0x0000000072A0F000-memory.dmp

Filesize
4KB

Download
memory/4104-285-0x00000000082D0000-0x000000000831C000-memory.dmp

Filesize
304KB

Download
memory/4104-282-0x0000000007D90000-0x0000000007DAE000-memory.dmp

Filesize
120KB

Download
memory/4104-235-0x0000000006B90000-0x0000000006BB4000-memory.dmp

Filesize
144KB

Download
memory/4104-217-0x00000000065C0000-0x00000000065F6000-memory.dmp

Filesize
216KB

Download
memory/4104-302-0x00000000065B0000-0x00000000065B1000-memory.dmp

Filesize
4KB

Download
memory/4104-222-0x0000000006C30000-0x000000000725A000-memory.dmp

Filesize
6.2MB

Download
memory/4104-246-0x0000000007870000-0x00000000078D6000-memory.dmp

Filesize
408KB

Download
memory/4104-242-0x0000000007780000-0x00000000077E6000-memory.dmp

Filesize
408KB

Download
memory/4104-240-0x0000000006BF0000-0x0000000006C12000-memory.dmp

Filesize
136KB

Download
memory/4152-230-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4152-207-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4228-213-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/4228-295-0x00000000004F3000-0x00000000004F4000-memory.dmp

Filesize
4KB

Download
memory/4228-208-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4228-303-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/4228-296-0x00000000004F6000-0x00000000004F7000-memory.dmp

Filesize
4KB

Download
memory/4228-293-0x00000000004F1000-0x00000000004F2000-memory.dmp

Filesize
4KB

Download
memory/4228-290-0x0000000000940000-0x000000000097B000-memory.dmp

Filesize
236KB

Download
memory/4228-216-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4228-249-0x00000000052E0000-0x0000000005372000-memory.dmp

Filesize
584KB

Download
memory/4228-294-0x00000000004F2000-0x00000000004F3000-memory.dmp

Filesize
4KB

Download
memory/4228-291-0x0000000000401000-0x00000000004F1000-memory.dmp

Filesize
960KB

Download
memory/4228-304-0x00000000004ED000-0x00000000004EE000-memory.dmp

Filesize
4KB

Download
memory/4228-299-0x00000000004F7000-0x00000000004F8000-memory.dmp

Filesize
4KB

Download
memory/4228-248-0x0000000002E40000-0x0000000002E4A000-memory.dmp

Filesize
40KB

Download
memory/4228-236-0x0000000000B60000-0x0000000000B78000-memory.dmp

Filesize
96KB

Download
memory/4568-231-0x0000000000948000-0x0000000000968000-memory.dmp

Filesize
128KB

Download
memory/4568-262-0x00000000021D0000-0x0000000002208000-memory.dmp

Filesize
224KB

Download
memory/4568-261-0x0000000000948000-0x0000000000968000-memory.dmp

Filesize
128KB

Download
memory/4724-254-0x0000000000710000-0x000000000073B000-memory.dmp

Filesize
172KB

Download
memory/4724-256-0x0000000000740000-0x0000000000779000-memory.dmp

Filesize
228KB

Download
memory/5184-288-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/5184-283-0x0000000072A0E000-0x0000000072A0F000-memory.dmp

Filesize
4KB

Download
memory/5184-287-0x0000000004DA0000-0x0000000004DDC000-memory.dmp

Filesize
240KB

Download
memory/5184-284-0x0000000004F50000-0x0000000005050000-memory.dmp

Filesize
1024KB

Download
memory/5184-279-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5220-250-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5220-297-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5676-335-0x00000000301C0000-0x000000003025C000-memory.dmp

Filesize
624KB

Download
memory/5676-334-0x0000000030110000-0x00000000301C0000-memory.dmp

Filesize
704KB

Download
memory/5676-271-0x00000000050A0000-0x000000002FC2D000-memory.dmp

Filesize
683.6MB

Download