nullmixer | a80595d5777175cd4da514edb06d38676888daf62608369b816b2f11b6aa9cc2

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ba00a7f8bf0f2d0237bd01bb12a825b.exe
Size

3.3MB
MD5

7ba00a7f8bf0f2d0237bd01bb12a825b
SHA1

1af2a65956ba61ded056f90ef48e08abb7e4e6b5
SHA256

a80595d5777175cd4da514edb06d38676888daf62608369b816b2f11b6aa9cc2
SHA512

9b99656efbb22c6eb0e3cee3a5949d3f5cbf1e24821b30d3ee33bfcea5a0928cc96a05daf19cbf88041e75030f3168727045bb1630a0ddf2edd6d6465eab761b
SSDEEP

98304:JK0LsE9LvEbGRN0nM1BOhu3uiJgR2qpNeJ:JK4sIoGDhBuu8j8J

Score

10^/10

nullmixer privateloader risepro smokeloader vidar xmrig 706 pub6 aspackv2 backdoor dropper evasion loader miner spyware stealer trojan

Malware Config

Extracted

Family

nullmixer

http://znegs.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

vidar

Version

39.9

Botnet

706

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	zaiqa_7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	zaiqa_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	zaiqa_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	zaiqa_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	zaiqa_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	zaiqa_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	zaiqa_7.exe

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/1372-240-0x0000000000240000-0x00000000002DD000-memory.dmp	family_vidar
behavioral1/memory/1372-253-0x0000000000400000-0x0000000002CC2000-memory.dmp	family_vidar

XMRig Miner payload 17 IoCs

miner

resource	yara_rule
behavioral1/memory/2376-463-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-464-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-465-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-466-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-467-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-468-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-469-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-470-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-471-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-474-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-476-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-481-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-482-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-480-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-479-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-483-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2376-484-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0006000000018b7e-42.dat	aspack_v212_v242
behavioral1/files/0x0006000000018b42-57.dat	aspack_v212_v242
behavioral1/files/0x0006000000018b20-58.dat	aspack_v212_v242
behavioral1/files/0x0006000000018b5f-64.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\International\Geo\Nation	zaiqa_7.exe

Executes dropped EXE 19 IoCs

pid	Process
3068	setup_installer.exe
2736	setup_install.exe
2888	zaiqa_2.exe
2664	zaiqa_1.exe
1588	zaiqa_8.exe
2988	zaiqa_9.exe
1672	zaiqa_7.exe
2484	zaiqa_5.exe
1372	zaiqa_3.exe
2004	zaiqa_1.exe
1224	zaiqa_6.exe
1204	zaiqa_4.exe
324	zaiqa_9.exe
1804	zaiqa_5.exe
2756	chrome2.exe
2824	setup.exe
2616	winnetdriv.exe
2960	services64.exe
2216	sihost64.exe

Loads dropped DLL 54 IoCs

pid	Process
2292	7ba00a7f8bf0f2d0237bd01bb12a825b.exe
3068	setup_installer.exe
3068	setup_installer.exe
3068	setup_installer.exe
3068	setup_installer.exe
3068	setup_installer.exe
3068	setup_installer.exe
2736	setup_install.exe
2736	setup_install.exe
2736	setup_install.exe
2736	setup_install.exe
2736	setup_install.exe
2736	setup_install.exe
2736	setup_install.exe
2736	setup_install.exe
2228	cmd.exe
2228	cmd.exe
1876	cmd.exe
1876	cmd.exe
2888	zaiqa_2.exe
2888	zaiqa_2.exe
2804	cmd.exe
2664	zaiqa_1.exe
2664	zaiqa_1.exe
2548	cmd.exe
836	cmd.exe
2664	zaiqa_1.exe
1884	cmd.exe
1672	zaiqa_7.exe
1672	zaiqa_7.exe
1840	cmd.exe
836	cmd.exe
1372	zaiqa_3.exe
1372	zaiqa_3.exe
1204	zaiqa_4.exe
1204	zaiqa_4.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
2004	zaiqa_1.exe
2004	zaiqa_1.exe
764	WerFault.exe
1204	zaiqa_4.exe
1204	zaiqa_4.exe
2824	setup.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2756	chrome2.exe
2960	services64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
96	iplogger.org
97	iplogger.org
108	iplogger.org
328	raw.githubusercontent.com
329	raw.githubusercontent.com
358	pastebin.com
362	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
7	ipinfo.io
13	api.db-ip.com
14	api.db-ip.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2960 set thread context of 2376	2960	services64.exe	71

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnetdriv.exe	setup.exe
File opened for modification	C:\Windows\winnetdriv.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
764	2736	WerFault.exe	29
2192	1372	WerFault.exe	47

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zaiqa_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zaiqa_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zaiqa_2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2816	schtasks.exe
2772	schtasks.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	zaiqa_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	zaiqa_6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	zaiqa_7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	zaiqa_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	zaiqa_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	zaiqa_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	zaiqa_6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	zaiqa_7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	zaiqa_7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	zaiqa_7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	zaiqa_6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2888	zaiqa_2.exe
2888	zaiqa_2.exe
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2888	zaiqa_2.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	zaiqa_8.exe
Token: SeDebugPrivilege	1224	zaiqa_6.exe
Token: SeShutdownPrivilege	1208	Process not Found
Token: SeDebugPrivilege	2756	chrome2.exe
Token: SeDebugPrivilege	2960	services64.exe
Token: SeLockMemoryPrivilege	2376	explorer.exe
Token: SeLockMemoryPrivilege	2376	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 3068	2292	7ba00a7f8bf0f2d0237bd01bb12a825b.exe	28
PID 2292 wrote to memory of 3068	2292	7ba00a7f8bf0f2d0237bd01bb12a825b.exe	28
PID 2292 wrote to memory of 3068	2292	7ba00a7f8bf0f2d0237bd01bb12a825b.exe	28
PID 2292 wrote to memory of 3068	2292	7ba00a7f8bf0f2d0237bd01bb12a825b.exe	28
PID 2292 wrote to memory of 3068	2292	7ba00a7f8bf0f2d0237bd01bb12a825b.exe	28
PID 2292 wrote to memory of 3068	2292	7ba00a7f8bf0f2d0237bd01bb12a825b.exe	28
PID 2292 wrote to memory of 3068	2292	7ba00a7f8bf0f2d0237bd01bb12a825b.exe	28
PID 3068 wrote to memory of 2736	3068	setup_installer.exe	29
PID 3068 wrote to memory of 2736	3068	setup_installer.exe	29
PID 3068 wrote to memory of 2736	3068	setup_installer.exe	29
PID 3068 wrote to memory of 2736	3068	setup_installer.exe	29
PID 3068 wrote to memory of 2736	3068	setup_installer.exe	29
PID 3068 wrote to memory of 2736	3068	setup_installer.exe	29
PID 3068 wrote to memory of 2736	3068	setup_installer.exe	29
PID 2736 wrote to memory of 2228	2736	setup_install.exe	31
PID 2736 wrote to memory of 2228	2736	setup_install.exe	31
PID 2736 wrote to memory of 2228	2736	setup_install.exe	31
PID 2736 wrote to memory of 2228	2736	setup_install.exe	31
PID 2736 wrote to memory of 2228	2736	setup_install.exe	31
PID 2736 wrote to memory of 2228	2736	setup_install.exe	31
PID 2736 wrote to memory of 2228	2736	setup_install.exe	31
PID 2736 wrote to memory of 1876	2736	setup_install.exe	39
PID 2736 wrote to memory of 1876	2736	setup_install.exe	39
PID 2736 wrote to memory of 1876	2736	setup_install.exe	39
PID 2736 wrote to memory of 1876	2736	setup_install.exe	39
PID 2736 wrote to memory of 1876	2736	setup_install.exe	39
PID 2736 wrote to memory of 1876	2736	setup_install.exe	39
PID 2736 wrote to memory of 1876	2736	setup_install.exe	39
PID 2736 wrote to memory of 836	2736	setup_install.exe	38
PID 2736 wrote to memory of 836	2736	setup_install.exe	38
PID 2736 wrote to memory of 836	2736	setup_install.exe	38
PID 2736 wrote to memory of 836	2736	setup_install.exe	38
PID 2736 wrote to memory of 836	2736	setup_install.exe	38
PID 2736 wrote to memory of 836	2736	setup_install.exe	38
PID 2736 wrote to memory of 836	2736	setup_install.exe	38
PID 2736 wrote to memory of 1840	2736	setup_install.exe	32
PID 2736 wrote to memory of 1840	2736	setup_install.exe	32
PID 2736 wrote to memory of 1840	2736	setup_install.exe	32
PID 2736 wrote to memory of 1840	2736	setup_install.exe	32
PID 2736 wrote to memory of 1840	2736	setup_install.exe	32
PID 2736 wrote to memory of 1840	2736	setup_install.exe	32
PID 2736 wrote to memory of 1840	2736	setup_install.exe	32
PID 2736 wrote to memory of 1200	2736	setup_install.exe	37
PID 2736 wrote to memory of 1200	2736	setup_install.exe	37
PID 2736 wrote to memory of 1200	2736	setup_install.exe	37
PID 2736 wrote to memory of 1200	2736	setup_install.exe	37
PID 2736 wrote to memory of 1200	2736	setup_install.exe	37
PID 2736 wrote to memory of 1200	2736	setup_install.exe	37
PID 2736 wrote to memory of 1200	2736	setup_install.exe	37
PID 2736 wrote to memory of 1884	2736	setup_install.exe	36
PID 2736 wrote to memory of 1884	2736	setup_install.exe	36
PID 2736 wrote to memory of 1884	2736	setup_install.exe	36
PID 2736 wrote to memory of 1884	2736	setup_install.exe	36
PID 2736 wrote to memory of 1884	2736	setup_install.exe	36
PID 2736 wrote to memory of 1884	2736	setup_install.exe	36
PID 2736 wrote to memory of 1884	2736	setup_install.exe	36
PID 2736 wrote to memory of 2548	2736	setup_install.exe	35
PID 2736 wrote to memory of 2548	2736	setup_install.exe	35
PID 2736 wrote to memory of 2548	2736	setup_install.exe	35
PID 2736 wrote to memory of 2548	2736	setup_install.exe	35
PID 2736 wrote to memory of 2548	2736	setup_install.exe	35
PID 2736 wrote to memory of 2548	2736	setup_install.exe	35
PID 2736 wrote to memory of 2548	2736	setup_install.exe	35
PID 2736 wrote to memory of 2804	2736	setup_install.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7ba00a7f8bf0f2d0237bd01bb12a825b.exe
"C:\Users\Admin\AppData\Local\Temp\7ba00a7f8bf0f2d0237bd01bb12a825b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_1.exe
      4⤵
      Loads dropped DLL
      PID:2228
    - - C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_1.exe
        
        zaiqa_1.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2664
      - C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_1.exe" -a
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_4.exe
      4⤵
      Loads dropped DLL
      PID:1840
    - - C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_4.exe
        
        zaiqa_4.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1204
      - C:\Users\Admin\AppData\Local\Temp\chrome2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        7⤵
        
        PID:1204
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        8⤵
        Creates scheduled task(s)
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:392
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        8⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
      - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2824
        
        C:\Windows\winnetdriv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe" 1706400079 0
        7⤵
        Executes dropped EXE
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_9.exe
      4⤵
      PID:2852
    - - C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_9.exe
        
        zaiqa_9.exe
        5⤵
        Executes dropped EXE
        
        PID:2988
    - - C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_9.exe"
        5⤵
        Executes dropped EXE
        
        PID:324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_8.exe
      4⤵
      Loads dropped DLL
      PID:2804
    - - C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_8.exe
        
        zaiqa_8.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_7.exe
      4⤵
      Loads dropped DLL
      PID:2548
    - - C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_7.exe
        
        zaiqa_7.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_6.exe
      4⤵
      Loads dropped DLL
      PID:1884
    - - C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_6.exe
        
        zaiqa_6.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_5.exe
      4⤵
      PID:1200
    - - C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_5.exe
        
        zaiqa_5.exe
        5⤵
        Executes dropped EXE
        
        PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_5.exe"
        5⤵
        Executes dropped EXE
        
        PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_3.exe
      4⤵
      Loads dropped DLL
      PID:836
    - - C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_3.exe
        
        zaiqa_3.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 960
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_2.exe
      4⤵
      Loads dropped DLL
      PID:1876
    - - C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_2.exe
        
        zaiqa_2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 428
      4⤵
      Loads dropped DLL
      Program crash
      PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_1.txt

Filesize
56KB

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_2.txt

Filesize
188KB

MD5
44dc205a5701b53f391a3a750c2c4712

SHA1
14e82b1f6bb987d8f2783db2ab5f82dd9ab8eacc

SHA256
508c41442ba856a3266b3e58a31fe8c4b0ad7491e04dfead265daaa028efd768

SHA512
02890434c81867499e0911e8062797bf7fc184e05b6de2ab14ffa6f95c48f88e07250b4e5a7ff565bbf45d66d8d7cb5c1009b85085ee3a6bbdac218f356c5749

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_3.txt

Filesize
555KB

MD5
8595f5515fac09b73ff463056cb07a15

SHA1
80f39da9a52cffb70edaa4d7de82f543ba4d417e

SHA256
8223619e305ec5063e9e2c1490fa25f6e924c317b08fd5eed938bb5de2e57de1

SHA512
26f0a15484a8780fedcea91f9d90ab4b81a91598fad4cad54f45fd18eccf73914215851909bf8acadeafc7b89c656c98ec988a46aa43e17a364b39b5d8ac477a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_4.txt

Filesize
923KB

MD5
13a289feeb15827860a55bbc5e5d498f

SHA1
e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad

SHA256
c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775

SHA512
00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_5.exe

Filesize
704KB

MD5
0762a475f350cc17a46ed8320781d0ec

SHA1
5b2aaf8f0bb21c80e8a2636b6140b7e45f6c5e37

SHA256
22f70483c6ae56927bb38d2c293d2f6ca976ae213c4bc1c0382c4c2ede17885d

SHA512
4c497e291f2dc6b6c11388128e652e90eabb233efe1f52a5676567a5520ce8ce3ab9175206976a4a759cc368ecdd2ab8decca364928d5b243f8daaffa9f3e96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_5.txt

Filesize
512KB

MD5
10b3f7a975488b8e3d0c540fa6d44a42

SHA1
86146e10f14047d0eae27971c94b60774c4f01f9

SHA256
108358a985cf609ddba5dbfc7ee4417b106add86d67767d5307e55aa3fc535bc

SHA512
94bba2f0000e6eaca3cd3245c50db758c929285aaa34097e29f97870d222c1b807871b9bd0befe07e39ecf7cc92c760cbf8098f7ebb775e9624c65a2e2b245e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_6.txt

Filesize
186KB

MD5
28e40b1adae683f70b178d025ea7bf64

SHA1
24851934bbb9a67c6d07e48503e6296c91fff502

SHA256
1cde227af526781ff9553ffef5d3eb52bc5e78240150d8bddd20644f4bf80af5

SHA512
f02b499b6e10411affba70caf96694f6297f6b754c00b6a179421f5aa21a21bb8f8863d87fea358a280979dfede22a06188abc695e5be4ed578bb60d73aada57

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_7.exe

Filesize
1.7MB

MD5
80367fe443bf040a73dc4a5a4203a7a4

SHA1
db4e842f234e4e2fb21e6c07e7976d34e7e2418a

SHA256
50112e9f9403398d1f1e756b45e477a8b262056e8a60ad73fa767c86574facf2

SHA512
e2be537585fb9b525c45d73f96522c282c6ee6a1ae96ed889a5aefd881a663e8a4000c1decfd294066f5b57214fb773cca7788ac4c280b1f3d0fd74feec197e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_7.txt

Filesize
1.1MB

MD5
2b70d31d0e630ec225b49fd5ad4f6a33

SHA1
ef1fffceee68a328733640e65c7b5c1e785b3951

SHA256
b12173520ad40b27278d1912ac46fd0e5dcd7026f24b33707aefc19448fda88f

SHA512
ca3cdc3fd68815d926c74ca7a703d5988546bb903ff588c45741c83fb1f74b66a5cba1599f93d6134b45038864d84a0af8ac8628eeb6c5f4be73d94c01427a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_8.txt

Filesize
8KB

MD5
c85639691074f9d98ec530901c153d2b

SHA1
cac948e5b1f9d7417e7c5ead543fda1108f0e9ed

SHA256
55701c6e51fb6a9820d8f9d2ae9db412b60f51c80d288e8baf0ea50e2d03cce4

SHA512
4911ce27e56bac29b247840e6c9de78e875210fd0588d11d9e3a3eae39764bfdd14b56de5de4cf535674a2ba0810c9d823f42b339f650dedb7af42f8b3fd4c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_9.txt

Filesize
900KB

MD5
5c2e28dedae0e088fc1f9b50d7d28c12

SHA1
f521d9d8ae7381e3953ae5cf33b4b1b37f67a193

SHA256
2261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f

SHA512
f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabABCB.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarACE7.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe

Filesize
43KB

MD5
ad0aca1934f02768fd5fedaf4d9762a3

SHA1
0e5b8372015d81200c4eff22823e854d0030f305

SHA256
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

SHA512
2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

Download Submit
C:\Windows\winnetdriv.exe

Filesize
869KB

MD5
01ad10e59fa396af2d5443c5a14c1b21

SHA1
f209a4f0bb2a96e3ee6a55689e7f00e79c04f722

SHA256
bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137

SHA512
1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCFB28C96\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCFB28C96\setup_install.exe

Filesize
287KB

MD5
a52a590e1f8f93cd1d4108293415975c

SHA1
49db2a15b6f32c6189f24a8ae6e4bb33d0485f05

SHA256
12d2f007dcc8cb316493fe0f61fd330fdec70f872ae81693e12f9fcc47590149

SHA512
47893f8117466821b89b29836e638bc76d2ee93e57179ba49d2242eb066fa01ff4e0033f194099065e29278b4d4ba653cca00e270f85ccd6cb91b7d3285d6161

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_4.exe

Filesize
704KB

MD5
29150ce1ac3b79a8073cfcf615f21fd2

SHA1
85511aac1f6c99ade0e9d3ebd6d770400e79b84f

SHA256
8d0dc5b844edb128f506982d542567a3c98e5c35f08ec78ecdab3d1acb04ef2b

SHA512
5c5b97cdbb38a171831a9015e547207d5ee375a28f15b20ffa508abb49c5dc089596237e03fbdb12e41e5886a499795c47325b7a194cd48fd9ac963e9cf1aaf8

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_7.exe

Filesize
1.4MB

MD5
a273517848efdb57ef6f9164ce927f42

SHA1
16885f246752260bde7d5cd9493dda4d8dd43266

SHA256
d3702451b675d2f03b4b563a68274a84b25f5862183fce9111ab665f2c80e76b

SHA512
09cff0f3cc7aa1e114b177d6fe118109dc75d6b59284d7c6ce818fa1228640e81e00ad6b7043a7738afeb97ed9cd2e0682c81d31dbb0c8d01faf8a9901591248

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_7.exe

Filesize
768KB

MD5
d7dbc9c93368452075eb732e6dffe5fc

SHA1
b7fdef95e21abd6f673a93a33a099c90e4549e06

SHA256
62eb58cdab7ed7a9e5bee095330aa56e15b65c508923c646ab2f36920ccfd2bc

SHA512
0cf049e761465ef4adb3bb7bf2c72c10c682130bff06fb1ba77be9ac1270bbd701a516a11022a40dd7a82c9c9ffe55ba784e2a44e52111c6ec9f3d1e968d0f40

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCFB28C96\zaiqa_7.exe

Filesize
576KB

MD5
94964371c59593e05aebec3f55fdf774

SHA1
f476b596691ba99a32b4fc9f5360b1efc1931e55

SHA256
bc081a2e1865472f7a0356a2ccca9b0134b4932466400d14c6edf84580d541f6

SHA512
1fd0da954632fd44178f3b0f92def98c10c08f0d448081ed114257b6a0e8cb911886078b17af5be4f05bc0eb5afba432ecb6db271042195b70a7a21fbb6f8f1a

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
3.3MB

MD5
8765c39cc6647adc171220b11942422b

SHA1
5a45fd626dcf26b1f933e5a18db138fe1df64444

SHA256
f52e34603c58c806081a09fc4ba38eabe1e3f12b7a57a75353ecf593177fa7ef

SHA512
8c5bf35e5d6dc7aab1bff4836ef00e44d7e158d4b8d3f9bcf9ebb39a02b21078c5879f061ac926aa52b9a0f9a83752f322db1d98c1a2908a9ec5eed60919fa65

Download Submit
memory/1204-205-0x0000000000EB0000-0x0000000000F9E000-memory.dmp

Filesize
952KB

Download
memory/1208-264-0x0000000002AC0000-0x0000000002AD6000-memory.dmp

Filesize
88KB

Download
memory/1224-216-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download
memory/1224-228-0x0000000000260000-0x0000000000288000-memory.dmp

Filesize
160KB

Download
memory/1224-441-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download
memory/1224-191-0x0000000000310000-0x0000000000348000-memory.dmp

Filesize
224KB

Download
memory/1224-204-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/1224-242-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/1224-226-0x000000001ADE0000-0x000000001AE60000-memory.dmp

Filesize
512KB

Download
memory/1372-238-0x0000000002E30000-0x0000000002F30000-memory.dmp

Filesize
1024KB

Download
memory/1372-240-0x0000000000240000-0x00000000002DD000-memory.dmp

Filesize
628KB

Download
memory/1372-253-0x0000000000400000-0x0000000002CC2000-memory.dmp

Filesize
40.8MB

Download
memory/1588-129-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/1588-225-0x000000001AF70000-0x000000001AFF0000-memory.dmp

Filesize
512KB

Download
memory/1588-206-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download
memory/2216-457-0x000000013F930000-0x000000013F936000-memory.dmp

Filesize
24KB

Download
memory/2376-472-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

Filesize
4KB

Download
memory/2376-469-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-476-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-474-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-481-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-482-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-471-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-480-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-479-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-462-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-470-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-478-0x0000000000170000-0x0000000000190000-memory.dmp

Filesize
128KB

Download
memory/2376-468-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-461-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-467-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-460-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-466-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-465-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-483-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-464-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-463-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2376-484-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2616-280-0x00000000004E0000-0x00000000005C4000-memory.dmp

Filesize
912KB

Download
memory/2736-88-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2736-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2736-53-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2736-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2736-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2736-254-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2736-255-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2736-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2736-244-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2736-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2736-72-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2736-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2736-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2736-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2736-90-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2736-89-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2736-87-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2736-86-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2736-85-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2736-83-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2736-82-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2736-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2736-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2756-453-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-448-0x0000000000750000-0x000000000075E000-memory.dmp

Filesize
56KB

Download
memory/2756-259-0x000000013FA10000-0x000000013FA20000-memory.dmp

Filesize
64KB

Download
memory/2824-267-0x00000000009F0000-0x0000000000AD4000-memory.dmp

Filesize
912KB

Download
memory/2888-239-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/2888-241-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2888-243-0x0000000000400000-0x0000000002C66000-memory.dmp

Filesize
40.4MB

Download
memory/2888-277-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/2888-265-0x0000000000400000-0x0000000002C66000-memory.dmp

Filesize
40.4MB

Download
memory/2960-477-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download
memory/2960-452-0x000000013F7B0000-0x000000013F7C0000-memory.dmp

Filesize
64KB

Download
memory/3068-45-0x00000000027B0000-0x00000000028CD000-memory.dmp

Filesize
1.1MB

Download